Source: https://code.google.com/p/google-security-research/issues/detail?id=495
The attached JPEG file causes memory corruption in the DCMProvider service when the file is processed by the media scanner, leading to the following crash:

quaramip.jpg:

I/DEBUG ( 2962): pid: 19350, tid: 19468, name: HEAVY#0 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
I/DEBUG ( 2962): x0 0000007f97afd000 x1 0000007f98118650 x2 0000007f9811eaa8 x3 0000007f9815a430
I/DEBUG ( 2962): x4 8080808080808080 x5 0000007f9811eaa8 x6 0000000000000000 x7 0000000000000003
I/DEBUG ( 2962): x8 0000000000000050 x9 0000000000000005 x10 0000000000000053 x11 0000007f9815a470
I/DEBUG ( 2962): x12 0000007f97803920 x13 0000007f978ff050 x14 0000007f983fea40 x15 0000000000000001
I/DEBUG ( 2962): x16 0000007faabefae0 x17 0000007faf708880 x18 0000007faf77da40 x19 0000007f97afd000
I/DEBUG ( 2962): x20 00000000ffffffff x21 0000000000000001 x22 0000007f9815a410 x23 0000007f981588f0
I/DEBUG ( 2962): x24 0000007f983feb44 x25 0000007f983feb48 x26 ffffffffffffffe8 x27 0000007f98118600
I/DEBUG ( 2962): x28 0000007f98177800 x29 000000000000001c x30 0000007faabb8ff8
I/DEBUG ( 2962): sp 0000007f983fea50 pc 8080808080808080 pstate 0000000000000000
I/DEBUG ( 2962):
I/DEBUG ( 2962): backtrace:
I/DEBUG ( 2962): #00 pc 8080808080808080 <unknown>
I/DEBUG ( 2962): #01 pc 00000000000000a6 <unknown>

quaramfree.jpg:

I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
I/DEBUG ( 2956): x0 0000000000008080 x1 0000007f89d03720 x2 00000000000fffff x3 8080808080800000
I/DEBUG ( 2956): x4 0000000000000008 x5 0000007f89cf2000 x6 0000007f89d03758 x7 0000000000000002
I/DEBUG ( 2956): x8 0000000000000006 x9 0000000000000012 x10 8080808080800090 x11 0000007f803015d8
I/DEBUG ( 2956): x12 0000000000000013 x13 0000007f89cf2000 x14 0000007f89d00000 x15 00000000000014a4
I/DEBUG ( 2956): x16 0000007f850eec00 x17 0000007f89c4e17c x18 0000007f89d037f8 x19 8080808080808080
I/DEBUG ( 2956): x20 0000007f8031e618 x21 0000007f89cf2000 x22 0000000000000001 x23 0000007f803166d8
I/DEBUG ( 2956): x24 0000007f80331170 x25 0000000000000010 x26 00000000000001f4 x27 fffffffffffffffc
I/DEBUG ( 2956): x28 000000000000007d x29 0000007f84efea60 x30 0000007f89c4e194
I/DEBUG ( 2956): sp 0000007f84efea60 pc 0000007f89cae0b4 pstate 0000000020000000
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 00000000000790b4 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 2956): #01 pc 0000000000019190 /system/lib64/libc.so (free+20)
I/DEBUG ( 2956): #02 pc 000000000003e8a0 /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
I/DEBUG ( 2956): #03 pc 00000000000427b0 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2904)
I/DEBUG ( 2956): #04 pc 00000000000428d4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 2956): #05 pc 0000000000042a08 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG ( 2956): #06 pc 000000000004420c /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG ( 2956): #07 pc 00000000000a4234 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 2956): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 2956): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG ( 2956): #10 pc 00000000000018ec /system/framework/arm64/saiv.odex

The pc is set to a value taken from the content of the JPEG file, indicating that this issue could probably be exploited to allow code execution. We believe the issue is caused by a flaw in libQjpeg.so (the third-party Quram Qjpeg library).
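As an added triage example (not part of the original report), the following Python parses debuggerd I/DEBUG output like the two tombstones above and flags crashes where pc or the fault address carries a value that looks like file bytes rather than a pointer, separating the "pc hijacked" case from the "allocator freed an input-derived pointer" case. The sample log is constructed from the crashes shown (register rows omitted), and the 48-bit user virtual-address limit is an assumption about this arm64 build.

```python
import re

# Constructed sample in Android debuggerd (I/DEBUG) format, modelled on the two
# tombstones in this report; the x0..x30 register rows are omitted.
SAMPLE_LOG = """\
I/DEBUG ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
I/DEBUG ( 2962): sp 0000007f983fea50 pc 8080808080808080 pstate 0000000000000000
I/DEBUG ( 2962): backtrace:
I/DEBUG ( 2962): #00 pc 8080808080808080 <unknown>
I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
I/DEBUG ( 2956): sp 0000007f84efea60 pc 0000007f89cae0b4 pstate 0000000020000000
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 00000000000790b4 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 2956): #02 pc 000000000003e8a0 /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
"""

LINE = re.compile(r"I/DEBUG\s*\(\s*(\d+)\):\s*(.*)")
FAULT = re.compile(r"fault addr 0x([0-9a-f]+)")
PC = re.compile(r"\bpc ([0-9a-f]{16}) pstate")
FRAME = re.compile(r"#\d+ pc ([0-9a-f]+) (\S+)")
USER_VA_LIMIT = 1 << 48  # assumption: 48-bit user VA on this arm64 build

def looks_like_input(value):
    """True if outside user space or a repeated byte: file bytes, not a pointer."""
    if value >= USER_VA_LIMIT:
        return True
    raw = value.to_bytes(8, "big").lstrip(b"\x00")
    return len(raw) >= 4 and len(set(raw)) == 1

def parse_tombstones(text):
    """Group I/DEBUG lines by pid into {pid: {fault, pc, frames}}."""
    crashes = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        c = crashes.setdefault(int(m.group(1)), {"fault": None, "pc": None, "frames": []})
        body = m.group(2)
        if f := FAULT.search(body):
            c["fault"] = int(f.group(1), 16)
        elif p := PC.search(body):
            c["pc"] = int(p.group(1), 16)
        elif fr := FRAME.search(body):
            c["frames"].append((int(fr.group(1), 16), fr.group(2)))
    return crashes

def triage(crash):
    """Coarse label: did control flow or only a heap pointer pick up input bytes?"""
    if crash["pc"] is not None and looks_like_input(crash["pc"]):
        return "pc-controlled"
    top = crash["frames"][0][1] if crash["frames"] else ""
    if crash["fault"] is not None and looks_like_input(crash["fault"]) and top.endswith("libc.so"):
        return "heap-corruption"
    return "crash"
```

Running `triage` over `parse_tombstones(SAMPLE_LOG)` labels pid 2962 "pc-controlled" and pid 2956 "heap-corruption", which matches the report's reading of the two tombstones.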

To reproduce the issue, download the file and wait for media scanning to occur, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0

This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.

Proof of Concept:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38614.zip