bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/41417.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

83 lines
No EOL
4.6 KiB
Text
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949
Platform: Microsoft Office 2010 on Windows 7 x86
Class: heap memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability.
Attached files:
2581805226.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
riched20.dll: 14.0.7155.5000
msptls.dll: 14.0.7164.5000
((7ac.a64): Access violation - code c0000005 (first chance)
eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal5429+0x376:
66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a1993c 8b4104 mov eax,dword ptr [ecx+4] ; Length 0x00200122
66a1993f 03c7 add eax,edi
=> 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a19944 894dfc mov dword ptr [ebp-4],ecx
66a19947 8a55fd mov dl,byte ptr [ebp-3]
66a1994a 8855fc mov byte ptr [ebp-4],dl
66a1994d 884dfd mov byte ptr [ebp-3],cl
66a19950 66837dfc04 cmp word ptr [ebp-4],4
66a19955 0f85e0010000 jne mso!Ordinal5429+0x570 (66a19b3b)
66a1995b 8a08 mov cl,byte ptr [eax]
66a1995d 8a5001 mov dl,byte ptr [eax+1]
66a19960 8810 mov byte ptr [eax],dl
66a19962 884801 mov byte ptr [eax+1],cl
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727
In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:
0:000> !heap -p -a 0x1febce18
address 1febce18 found in
_DPH_HEAP_ROOT @ 71000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1feb171c: 1febce18 1e2 - 1febc000 2000
6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
77d05920 ntdll!RtlAllocateHeap+0x0000023a
6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
6fc816ac vfbasics+0x000116ac
67080c59 mso!Ordinal9770+0x000078e2
66a19527 mso!Ordinal10199+0x00002138
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41417.zip
Reference in a new issue View git blame Copy permalink