bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/17163.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

116 lines
No EOL
4 KiB
Text
Raw Blame History

Source: http://aluigi.org/adv/msreader_4-adv.txt
#######################################################################
Luigi Auriemma
Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: <= 2.1.1.3143 (PC version)
<= 2.6.1.7169 (Origami version)
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: array overflow
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.
#######################################################################
======
2) Bug
======
Array overflow in the AOLL chunk caused by the usage of more sections
than those available:
0107F59B |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; our number
0107F59E |. 8BF1 MOV ESI,ECX
0107F5A0 |. 8BF8 MOV EDI,EAX
0107F5A2 |. 8B8E A4000000 MOV ECX,DWORD PTR DS:[ESI+A4]
0107F5A8 |. C1E7 02 SHL EDI,2
0107F5AB |. 833C39 00 CMP DWORD PTR DS:[ECX+EDI],0 ; check the array, must be != 0
0107F5AF 75 0C JNZ SHORT msreader.0107F5BD
0107F5B1 |. 50 PUSH EAX
0107F5B2 |. 8BCE MOV ECX,ESI
0107F5B4 |. E8 36F5FFFF CALL msreader.0107EAEF ; alternative memory corruption
0107F5B9 |. 85C0 TEST EAX,EAX
0107F5BB |. 7C 34 JL SHORT msreader.0107F5F1
0107F5BD |> 8B86 A4000000 MOV EAX,DWORD PTR DS:[ESI+A4]
0107F5C3 |. 8B3C38 MOV EDI,DWORD PTR DS:[EAX+EDI]
0107F5C6 |. 8D43 20 LEA EAX,DWORD PTR DS:[EBX+20]
0107F5C9 |. 57 PUSH EDI
0107F5CA |. 50 PUSH EAX
0107F5CB |. E8 EAC9FEFF CALL msreader.0106BFBA
...
0106BFBA /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0106BFBE |. FF70 04 PUSH DWORD PTR DS:[EAX+4] ; must point to our data
0106BFC1 |. FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0106BFC5 |. E8 36E8FFFF CALL msreader.0106A800
...
0106A800 /$ 56 PUSH ESI
0106A801 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
0106A805 |> 85F6 /TEST ESI,ESI
0106A807 |. 74 21 |JE SHORT msreader.0106A82A ; must be a valid memory address
0106A809 |. FF76 20 |PUSH DWORD PTR DS:[ESI+20]
0106A80C |. FF7424 0C |PUSH DWORD PTR SS:[ESP+C]
0106A810 |. E8 75180100 |CALL msreader.0107C08A
0106A815 |. 59 |POP ECX
0106A816 |. 85C0 |TEST EAX,EAX
0106A818 |. 59 |POP ECX
0106A819 |. 74 05 |JE SHORT msreader.0106A820 ; EAX must be 0
0106A81B |. 8B76 10 |MOV ESI,DWORD PTR DS:[ESI+10]
0106A81E |.^EB E5 \JMP SHORT msreader.0106A805
0106A820 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
0106A822 |. 56 PUSH ESI
0106A823 |. FF50 04 CALL DWORD PTR DS:[EAX+4] ; code execution
Modified bytes in the proof-of-concept:
00000744 03 0A ; dynamic 64bit number, any value >= 4 (for this PoC) exploits the bug
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/msreader_4.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17163.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink