bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/39164.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

58 lines
No EOL
5.4 KiB
Text
Raw Blame History

Source: https://code.google.com/p/google-security-research/issues/detail?id=622
The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
--- cut ---
==31710==ERROR: AddressSanitizer: SEGV on unknown address 0x7f53cc100009 (pc 0x0000016fafe2 bp 0x7ffee170d730 sp 0x7ffee170d6b0 T0)
#0 0x16fafe1 in IsFlagSet v8/src/heap/spaces.h:548:13
#1 0x16fafe1 in IsEvacuationCandidate v8/src/heap/spaces.h:689
#2 0x16fafe1 in RecordSlot v8/src/heap/mark-compact-inl.h:62
#3 0x16fafe1 in VisitPointers v8/src/heap/incremental-marking.cc:320
#4 0x16fafe1 in v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisitor>::VisitPropertyCell(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:341
#5 0x16ed00a in IterateBody v8/src/heap/objects-visiting.h:355:5
#6 0x16ed00a in VisitObject v8/src/heap/incremental-marking.cc:732
#7 0x16ed00a in ProcessMarkingDeque v8/src/heap/incremental-marking.cc:769
#8 0x16ed00a in v8::internal::IncrementalMarking::Step(long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceMarkingAction, v8::internal::IncrementalMarking::ForceCompletionAction) v8/src/heap/incremental-marking.cc:1098
#9 0x1836243 in InlineAllocationStep v8/src/heap/spaces.h:2537:7
#10 0x1836243 in InlineAllocationStep v8/src/heap/spaces.cc:1636
#11 0x1836243 in v8::internal::NewSpace::EnsureAllocation(int, v8::internal::AllocationAlignment) v8/src/heap/spaces.cc:1597
#12 0x16028a2 in AllocateRawUnaligned v8/src/heap/spaces-inl.h:456:10
#13 0x16028a2 in AllocateRaw v8/src/heap/spaces-inl.h:480
#14 0x16028a2 in v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) v8/src/heap/heap-inl.h:215
#15 0x16960d7 in v8::internal::Heap::AllocateFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/heap/heap.cc:2119:35
#16 0x159a4a2 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/factory.cc:79:3
#17 0x25834ee in __RT_impl_Runtime_AllocateInTargetSpace v8/src/runtime/runtime-internal.cc:246:11
#18 0x25834ee in v8::internal::Runtime_AllocateInTargetSpace(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:236
#7 0x7f53d03063d7 (<unknown module>)
#8 0x7f53d040f273 (<unknown module>)
#9 0x7f53d040ad4d (<unknown module>)
#10 0x7f53d0336da3 (<unknown module>)
#11 0x7f53d031a8e1 (<unknown module>)
#19 0x158a09f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:98:13
#20 0x158882d in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:167:10
#21 0xf6e33e in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1743:23
#22 0xebf5cb in FXJS_Execute(v8::Isolate*, IJS_Context*, wchar_t const*, FXJSErr*) third_party/pdfium/fpdfsdk/src/jsapi/fxjs_v8.cpp:384:8
#23 0xe3cc12 in CJS_Runtime::Execute(IJS_Context*, wchar_t const*, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Runtime.cpp:188:14
#24 0xf54991 in CJS_Context::RunScript(CFX_WideString const&, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Context.cpp:59:12
#25 0x553134 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:1822:24
#26 0x552b8c in CPDFSDK_Widget::OnFormat(int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:330:10
#27 0x584be9 in CPDFSDK_BFAnnotHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:593:31
#28 0x57e44a in CPDFSDK_AnnotHandlerMgr::Annot_OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:94:5
#29 0x574f67 in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:886:5
#30 0x573c36 in CPDFSDK_Document::GetPageView(CPDF_Page*, int) third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:420:3
#31 0x528ec3 in FormHandleToPageView third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:32:20
#32 0x528ec3 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:263
#33 0x4da9c2 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:346:3
#34 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
#35 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
#36 0x7f553e1c4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (pdfium_test+0x16fafe1)
==31710==ABORTING
--- cut ---
The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554099. Attached is the PDF file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39164.zip
Reference in a new issue View git blame Copy permalink