exploit-db-mirror/exploits/linux/dos/42396.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

96 lines
No EOL
3.5 KiB
Text

DivFix++ denial of service vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
DivFix++ is FREE AVI Video Fix & Preview program.
Affected version:
=====
v0.34
Vulnerability Description:
==========================
the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.
./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1 0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2 0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3 0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4 0x0000000000414f6e in DivFixppApp::OnInit() ()
#5 0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6 0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7 0x0000000000411e70 in main ()
(gdb)
-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add %al,(%rax)
0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov %eax,%edi
0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq 0x434eaf <_Z17make_littleendianIiERT_S0_>
0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov -0x138(%rbp),%rdx
0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov 0x38(%rdx),%rdx
0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea 0x10(%rdx),%rcx
0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov $0x4,%edx
0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov %rax,%rsi
0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq 0x40fcc0 <memcpy@plt>
0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r
rax 0x6615286690088
rbx 0x00
rcx 0x1016
rdx 0x44
rsi 0x6615286690088
rdi 0x1016
rbp 0x7fffffffcf100x7fffffffcf10
rsp 0x7fffffffcdd00x7fffffffcdd0
r8 0x8049308407344
r9 0x7ffff7fc1a40140737353882176
r10 0x640000006e429496729710
r11 0x00
r12 0x11
r13 0x11
r14 0x00
r15 0x00
rip 0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags 0x246[ PF ZF IF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---
gs 0x00
(gdb)
POC:
DivFix++_v0.34_invalid_memory_write.avi
CVE:
CVE-2017-11330
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42396.zip