bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/windows/local/44169.txt
Offensive Security 7a33f5d0bf DB: 2018-02-23 
15 changes to exploits/shellcodes

NoMachine x86 < 6.0.80 - 'nxfuse' Privilege Escalation
NoMachine x64 < 6.0.80 - 'nxfuse' Privilege Escalation
Armadito Antivirus 0.12.7.2 - Detection Bypass
Joomla! Component CW Tags 2.0.6 - SQL Injection
Joomla! Component Proclaim 9.1.1 - Backup File Download
Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection
Joomla! Component Ek Rishta 2.9 - SQL Injection
Joomla! Component Alexandria Book Library 3.1.2 - 'letter' SQL Injection
Joomla! Component CheckList 1.1.1 - SQL Injection
Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload
Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection
Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities
Learning and Examination Management System - Cross-Site Scripting
Alibaba Clone Script 1.0.2 - Cross-Site Scripting
Groupon Clone Script 3.0.2 - Cross-Site Scripting
2018-02-23 05:01:47 +00:00

49 lines
No EOL
1.9 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Title: Armadito Antivirus - Malware Detection Bypass
Date: 21/02/2018
Author: Souhail Hammou
Author's website: http://rce4fun.blogspot.com
Vendor Homepage: http://www.teclib-edition.com/en/
Version: 0.12.7.2
CVE: CVE-2018-7289
Details:
--------
An issue was discovered in armadito-windows-driver/src/communication.c affecting Armadito 0.12.7.2 and previous versions.
Malware with filenames containing pure UTF-16 characters can bypass detection.
The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI.
This happens because characters that cannot be converted from Unicode are replaced with the '?' character.
The code responsible for this issue is located in armadito-windows-driver/src/communication.c
========================================================================================================
// Convert unicode string to ansi string for ring 3 process.
ntStatus = RtlUnicodeStringToAnsiString(&AnsiString, (PCUNICODE_STRING)FilePath, TRUE);
if(!NT_SUCCESS(ntStatus)){
DbgPrint("[-] Error :: ArmaditoGuard!SendScanOrder :: RtlUnicodeStringToAnsiString() routine failed !! \n");
__leave;
}
========================================================================================================
The two examples below demonstrate the bug.
In the first case, the filename is in Arabic and in the second, the filename's first letter is the greek M (U+039C).
Original filename:
مرحبا.exe : 0645 0631 062d 0628 0627 002e 0065 0078 0065
Converted to ANSI by Armadito:
?????.exe : 3f 3f 3f 3f 3f 2e 65 78 65
=============================
Original filename:
Μalware.exe : 039c 0061 006c 0077 0061 0072 0065 002e 0065 0078 0065
Converted to ANSI by Armadito:
?alware.exe : 3f 61 6c 77 61 72 65 2e 65 78 65
See: https://github.com/armadito/armadito-windows-driver/issues/5
*/
Reference in a new issue View git blame Copy permalink