
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file:

---
(4bfc.c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000d ebx=0021006f ecx=00000010 edx=00000018 esi=07b4bfe8 edi=0021f620
eip=75232fe1 esp=0021f550 ebp=0021f5b8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
USP10!FillAlternatesList+0x2d1:
75232fe1 66891c32 mov word ptr [edx+esi],bx ds:002b:07b4c000=????
0:000> kb
ChildEBP RetAddr Args to Child
0021f5b8 7522eb56 09312db6 00000000 00000003 USP10!FillAlternatesList+0x2d1
0021f5ec 75208b38 0021f640 0021f614 746c6161 USP10!GetOtlGlyphAlternates+0x86
0021f770 7520f214 0021f9d8 6e74616c 746c6664 USP10!OtlGetAlternateGlyphList+0x108
0021f7a0 00dc4557 30011a14 00000001 00000000 USP10!ScriptGetFontAlternateGlyphs+0xb4
[...]
---
In our test harness, we set the cMaxAlternates parameter of the ScriptGetFontAlternateGlyphs function to 10, indicating that this is the maximum number of values which can be written to the output pAlternateGlyphs array. However, the API function does not seem to respect the argument and attempts to write more data into the buffer -- in this case, 29 WORDs. The vulnerability can also be confirmed by looking at the output value of pcAlternates, which should never exceed 10 in this case, but is indeed set to 29. As a result, the bug may lead to corruption of various memory areas, including stack, heap, and static memory, depending on the type of pointer passed to the function by its caller.
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled and the output buffer allocated from the heap. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the vulnerable API function.
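The write-past-cMaxAlternates pattern described above, reduced to a self-contained C illustration. This is an added example, not Uniscribe's code and not the harness the report refers to: the alternate-set structure, the 29-entry glyph table, the guard region and the glyph values are all constructed for the demo. It places the vulnerable pattern (copy everything the font table claims, ignore the limit) beside a hardened form that clamps to the limit and reports truncation, and measures the damage with a canary region after a 10-slot output buffer, which is the same caller-side signal the report uses: pcAlternates coming back larger than cMaxAlternates.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t WORD;

/* Constructed stand-in for one OpenType AlternateSet (a count followed by
   that many alternate glyph ids). Not real font data and not Uniscribe's
   table parser. */
typedef struct {
    int glyph_count;              /* taken from the (untrusted) font file */
    const WORD *alternate_glyphs;
} alternate_set_t;

#define CALLER_MAX   10     /* cMaxAlternates the report's harness passed */
#define TABLE_COUNT  29     /* alternates the corrupted font claims */
#define GUARD_WORDS  32     /* canary words placed right after the buffer */
#define GUARD_VALUE  0xA5A5

typedef int (*fill_fn_t)(const alternate_set_t *, int, WORD *, int *);

/* Vulnerable pattern: copies every alternate the font table declares and
   never consults the caller's limit, which is the behaviour the report
   describes (29 WORDs written, pcAlternates set to 29). */
static int fill_alternates_unchecked(const alternate_set_t *set,
                                     int cMaxAlternates,
                                     WORD *pAlternateGlyphs,
                                     int *pcAlternates)
{
    (void)cMaxAlternates;   /* the defect: the limit is ignored */
    for (int i = 0; i < set->glyph_count; i++)
        pAlternateGlyphs[i] = set->alternate_glyphs[i];
    *pcAlternates = set->glyph_count;
    return 0;
}

/* Hardened form: writes at most cMaxAlternates entries and returns 1 when
   the table held more, so the caller can retry with a larger buffer or
   reject the font instead of silently losing data. */
static int fill_alternates_checked(const alternate_set_t *set,
                                   int cMaxAlternates,
                                   WORD *pAlternateGlyphs,
                                   int *pcAlternates)
{
    int truncated = 0;
    int n = set->glyph_count;
    if (n < 0)
        n = 0;
    if (n > cMaxAlternates) {
        n = cMaxAlternates;
        truncated = 1;
    }
    for (int i = 0; i < n; i++)
        pAlternateGlyphs[i] = set->alternate_glyphs[i];
    *pcAlternates = n;
    return truncated;
}

/* Runs one implementation against a CALLER_MAX-slot output region that is
   followed by a guard region, and returns how many guard words were
   overwritten. One flat array keeps the out-of-bounds write inside a real
   object so it can be measured instead of crashing the demo. */
static int run_with_guard(fill_fn_t fn, int *count_out)
{
    WORD table[TABLE_COUNT];
    for (int i = 0; i < TABLE_COUNT; i++)
        table[i] = (WORD)(0x0100 + i);     /* constructed glyph ids */
    alternate_set_t set = { TABLE_COUNT, table };

    WORD storage[CALLER_MAX + GUARD_WORDS];
    for (int i = 0; i < CALLER_MAX + GUARD_WORDS; i++)
        storage[i] = GUARD_VALUE;

    int count = 0;
    fn(&set, CALLER_MAX, storage, &count);
    *count_out = count;

    int clobbered = 0;
    for (int i = CALLER_MAX; i < CALLER_MAX + GUARD_WORDS; i++)
        if (storage[i] != GUARD_VALUE)
            clobbered++;
    return clobbered;
}

int unchecked_guard_words_clobbered(void) { int c; return run_with_guard(fill_alternates_unchecked, &c); }
int unchecked_reported_count(void)        { int c; run_with_guard(fill_alternates_unchecked, &c); return c; }
int checked_guard_words_clobbered(void)   { int c; return run_with_guard(fill_alternates_checked, &c); }
int checked_reported_count(void)          { int c; run_with_guard(fill_alternates_checked, &c); return c; }

/* Caller-side check from the report: the API contract is broken whenever
   the returned count exceeds the limit that was passed in. */
int contract_violated(int cMaxAlternates, int pcAlternates)
{
    return pcAlternates > cMaxAlternates;
}

int main(void)
{
    int count;
    int bad = run_with_guard(fill_alternates_unchecked, &count);
    printf("unchecked: pcAlternates=%d, guard words clobbered=%d, violated=%d\n",
           count, bad, contract_violated(CALLER_MAX, count));
    int good = run_with_guard(fill_alternates_checked, &count);
    printf("checked:   pcAlternates=%d, guard words clobbered=%d, violated=%d\n",
           count, good, contract_violated(CALLER_MAX, count));
    return 0;
}
```

The unchecked variant overwrites 19 guard words (29 claimed minus the 10 slots available) and reports 29, which is exactly the pcAlternates > cMaxAlternates condition a harness should assert on; the checked variant writes 10, leaves the guard intact and signals truncation. On a real heap allocation, as the report notes, the same overrun is what PageHeap turns into the immediate access violation shown above.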
Attached is a proof of concept malformed font file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41654.zip