ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
56 lines
No EOL
4.2 KiB
Text
56 lines
No EOL
4.2 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117
|
|
|
|
Failure to initialise pointers in mkvparser::Tracks constructor
|
|
|
|
The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.
|
|
|
|
If we look at the function, it makes allocations in two places; the first where it allocates a temporary array, and the second, where we make the allocation of an array of Track* which we will store in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code these pointers are left uninitialised.
|
|
|
|
Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase - a commonly occuring crash where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.
|
|
|
|
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
|
|
Revision: '11'
|
|
ABI: 'arm'
|
|
pid: 31956, tid: 31904, name: NuPlayerDriver >>> /system/bin/mediaserver <<<
|
|
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
|
|
r0 eee45000 r1 f62e4b60 r2 f62c9880 r3 eb1c08a0
|
|
AM write failed: Broken pipe
|
|
r4 f1859da0 r5 f15ce05c r6 f15ce060 r7 f62c9880
|
|
r8 fffdfc60 r9 efc3f5f4 sl 6175644e fp f6f50c11
|
|
ip eb1c0d18 sp efc3f4c0 lr eb1b19b5 pc f62c9880 cpsr a00f0010
|
|
|
|
backtrace:
|
|
#00 pc 00049880 [anon:libc_malloc]
|
|
#01 pc 0000c9b3 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
|
|
#02 pc 0000c9cd /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
|
|
#03 pc 0001150d /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
|
|
#04 pc 0000b015 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
|
|
#05 pc 00009449 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
|
|
#06 pc 0002739b /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
|
|
#07 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
|
|
#08 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
|
|
#09 pc 00027481 /system/lib/libLGParserOSAL.so
|
|
#10 pc 000274d9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
|
|
#11 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
|
|
#12 pc 000329bd /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
|
|
#13 pc 0005997d /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
|
|
#14 pc 00010b6d /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
|
|
#15 pc 00010bd9 /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
|
|
#16 pc 00058cb7 /system/lib/liblgesourceplugin.so
|
|
#17 pc 0005a695 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
|
|
#18 pc 0005a6d9 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
|
|
#19 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
|
|
#20 pc 00057f69 /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
|
|
#21 pc 0006bc51 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
|
|
#22 pc 0006b103 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
|
|
#23 pc 00069ca1 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
|
|
#24 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
|
|
#25 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
|
|
#26 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
|
|
#27 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
|
|
#28 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
|
|
#29 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41982.zip |