bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/37967.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

64 lines
No EOL
2.7 KiB
Text
Raw Blame History

Source: https://code.google.com/p/google-security-research/issues/detail?id=170&can=1
The following access violation was observed in Microsoft Office 2007
(Word document):
(e24.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
eip=7814500a esp=001221e0 ebp=001221e8 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
MSVCR80!memcpy+0x5a:
7814500a f3a5 rep movsd ds:049860bc=???????? es:00122238=3348bcd8
0:000> k
ChildEBP RetAddr
001221e8 31249c0e MSVCR80!memcpy+0x5a
00122204 3126a371 wwlib!FMain+0x565f
00122220 3203de3c wwlib!FMain+0x25dc2
00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
00123b68 3129e8e5 wwlib!FMain+0x5af3c
00123bac 32073906 wwlib!FMain+0x5a336
00126d28 32073627 wwlib!DllGetClassObject+0x35644
0012b14c 32073294 wwlib!DllGetClassObject+0x35365
0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
0012f580 320e04b7 wwlib!FMain+0xd00d5
0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
0012f648 32812493 wwlib!DllGetClassObject+0xa20bd
Notes:
- Reproduces on Windows Server 2003 and Windows 7
- The crash occurs due to a memcpy with an invalid source buffer.
- The invalid source buffer is actually indicative of an invalid size
being used in a pointer calculation at 3126A360 (wwlib.dll
12.0.6707.5000). This invalid size can also be seen in ecx at the time
of access violation.
- The large size parameter can result in a stack-based buffer overflow.
- Alternatively, if the copy operation succeeds (by using a size value
large enough to result in an out-of-bounds source buffer, but not so
large to cause an access violation during copy), then it is also
possible to get an arbitrary free from later usage of controlled
pointers in the destination buffer.
- The crashing test case was created using a chunk reordering
strategy, and does not cleanly minimize (106 bit change from original
file).
- Attached files: 86ea4a3c_crash.rtf (crashing file),
86ea4a3c_orig.doc (original file)
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37967.zip
Reference in a new issue View git blame Copy permalink