Explore all Exploits:

Solaris 10 1/13 (SPARC) – ‘dtprintinfo’ Local Privilege Escalation

As usual, exploitation on SPARC turned out to be much more complicated (and fun) than on Intel. Since the vulnerable program needs to survive one additional function before we can hijack %pc, the classic stack-based buffer overflow approach didn't seem feasible in this case. Therefore, I opted for the format string bug. This is just a proof of concept, 'cause guess what -- on my system it works only when gdb or truss are attached to the target process :( To borrow Neel Mehta's words: 'It's quite common to find an exploit that only works with GDB attached to the process, simply because without the debugger, register windows aren't flushed to the stack and the overwrite has no effect.' On different hardware configurations this exploit might work if the correct retloc and offset are provided. It might also be possible to force a context switch at the right time that results in registers being flushed to the stack at the right moment. However, this method tends to be unreliable even when the attack is repeatable like in this case. A better way to solve the puzzle would be to overwrite something different, e.g.: activation records of other functions, such as check_dir() (same issues); the callback to function SortJobs() (nope, address is hardcoded in .text); the PLT in the binary (I need a different technique to handle null bytes); the PLT (R_SPARC_JMP_SLOT) in libc (no null bytes, this looks promisin'). Here's the exploit.

Solaris 10 1/13 (Intel) – ‘dtprintinfo’ Local Privilege Escalation (3)

A format string vulnerability in the 'dtprintinfo' CDE Print Viewer on Solaris 10 1/13 (Intel) can be exploited for local privilege escalation. The plan is to exploit the sprintf at [1], where the attacker controls the format string, to replace the strlen at [2] with a strdup and the sprintf at [3] with a call to the shellcode, which strdup dynamically allocates in the heap and which is pointed to by the local_c variable at [2].

Solaris 10 1/13 (Intel) – ‘dtprintinfo’ Local Privilege Escalation (2)

A buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to local root. This one was discovered by Marti Guasch Jimenez, who attended Marco Ivaldi's talk 'A bug's life: story of a Solaris 0day' presented at #INFILTRATE19 on May 2nd, 2019. To trigger this vulnerability, a printer must be present, which can be faked with the lpstat trick. At least one directory must be present in the path pointed to by the environment variable TMP_DIR. Finally, REQ_DIR must be set to 0x720 bytes of padding + the value to overwrite EBP + the value to overwrite EIP.

WordPress 5.0.0 – Image Remote Code Execution

A vulnerability in WordPress 5.0.0 and <= 4.9.8 allows an attacker to execute arbitrary code by uploading a malicious image and injecting a payload via exiftool. This exploit requires the attacker to have valid credentials to log in to the WordPress admin panel.

Klog Server 2.4.1 – Command Injection (Authenticated)

Klog Server 2.4.1 is vulnerable to authenticated command injection. The "source" parameter is passed to the shell_exec() function in the async.php file without input validation. An attacker can exploit this vulnerability by sending a malicious payload in the vulnerable parameter.

Roundcube Webmail 1.2 – File Disclosure

Roundcube Webmail versions 1.1.0 - 1.1.9, 1.2.0 - 1.2.6 and 1.3.0 - 1.3.2 are affected by a file disclosure vulnerability. An attacker can exploit it by sending a specially crafted request to the web server, which allows the attacker to read any file on the server.

Vehicle Parking Tracker System 1.0 – ‘Owner Name’ Stored Cross-Site Scripting

This application is vulnerable to stored XSS. The vulnerable script is http://localhost/vpms/add-vehicle.php and the vulnerable parameter is 'Owner Name'. The payload used is ()"><script>alert('document.cookie')</script> and the proof of concept is manage-incomingvehicle.php, where the JavaScript code is executed.

bloofoxCMS 0.5.2.1 – CSRF (Add user)

The application interface allows users to perform certain actions via HTTP requests without any validity checks to verify that the requests were intended. This can be exploited to perform those actions with administrative privileges if a logged-in user visits a malicious website.