
Commit 5f28d68
Author: Offensive Security (committed)
DB: 2016-02-25
6 new exploits
1 parent 4ffbeca commit 5f28d68

7 files changed

Lines changed: 498 additions & 0 deletions


files.csv

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35725,3 +35725,9 @@ id,file,description,date,author,platform,type,port
3572535725
39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
3572635726
39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0
3572735727
39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443
35728+
39489,platforms/php/webapps/39489.py,"WordPress Extra User Details Plugin 0.4.2 - Privilege Escalation",2016-02-24,"Panagiotis Vagenas",php,webapps,80
35729+
39490,platforms/multiple/dos/39490.txt,"Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow",2016-02-24,"Google Security Research",multiple,dos,0
35730+
39491,platforms/linux/dos/39491.txt,"libxml2 - xmlDictAddString Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
35731+
39492,platforms/linux/dos/39492.txt,"libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
35732+
39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
35733+
39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
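Review bot: the six rows added to files.csv reference platforms/php/webapps/39489.py and platforms/multiple/dos/39490.txt, but only the four libxml2 files (39491.txt through 39494.txt) appear among the changed files rendered here, so the index should be checked against the commit's actual file list before the CSV row set is accepted; a row whose path does not exist breaks anything that resolves files.csv to an on-disk file. A smaller point on the four libxml2 rows: they share date, author, platform and type and differ only by the crashing function name, while two of them (39491 and 39494) are HTML-parser bugs reached through xmllint --html; noting the HTML parser in those two descriptions would keep the entries distinguishable in search.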

platforms/linux/dos/39491.txt

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=637
2+
3+
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
4+
5+
--- cut ---
6+
==25920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010810 at pc 0x0000004a2f25 bp 0x7ffc81805ae0 sp 0x7ffc81805290
7+
READ of size 73661 at 0x631000010810 thread T0
8+
#0 0x4a2f24 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
9+
#1 0xd026b2 in xmlDictAddString libxml2-2.9.3/dict.c:285:5
10+
#2 0xd009e8 in xmlDictLookup libxml2-2.9.3/dict.c:926:11
11+
#3 0x806e4d in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2517:12
12+
#4 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
13+
#5 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
14+
#6 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
15+
#7 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
16+
#8 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
17+
#9 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
18+
#10 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
19+
#11 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
20+
#12 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
21+
22+
0x631000010810 is located 0 bytes to the right of 65552-byte region [0x631000000800,0x631000010810)
23+
allocated by thread T0 here:
24+
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
25+
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
26+
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
27+
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
28+
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
29+
#5 0x8067f4 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2511:6
30+
#6 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
31+
#7 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
32+
#8 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
33+
#9 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
34+
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
35+
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
36+
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
37+
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
38+
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
39+
40+
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
41+
Shadow bytes around the buggy address:
42+
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
43+
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
44+
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
45+
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
46+
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
47+
=>0x0c627fffa100: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
48+
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
49+
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
50+
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
51+
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
52+
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
53+
Shadow byte legend (one shadow byte represents 8 application bytes):
54+
Addressable: 00
55+
Partially addressable: 01 02 03 04 05 06 07
56+
Heap left redzone: fa
57+
Heap right redzone: fb
58+
Freed heap region: fd
59+
Stack left redzone: f1
60+
Stack mid redzone: f2
61+
Stack right redzone: f3
62+
Stack partial redzone: f4
63+
Stack after return: f5
64+
Stack use after scope: f8
65+
Global redzone: f9
66+
Global init order: f6
67+
Poisoned by user: f7
68+
Container overflow: fc
69+
Array cookie: ac
70+
Intra object redzone: bb
71+
ASan internal: fe
72+
Left alloca redzone: ca
73+
Right alloca redzone: cb
74+
==25920==ABORTING
75+
--- cut ---
76+
77+
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758605. Attached is an XML file which triggers the crash.
78+
79+
80+
Proof of Concept:
81+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39491.zip
82+
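Review bot: the description and the reproduction step disagree: the command is `./xmllint --html /path/to/file` and every frame from htmlParseEntityRef up to htmlReadFile lives in HTMLparser.c, yet the closing line says "Attached is an XML file"; say HTML (or "a malformed input file") so a triager runs the right parser. The text also dates the affected release relatively ("released 4 days ago") with no absolute date in the file; the only anchor is the 2016-02-24 date column in files.csv, so the date belongs in the advisory itself. One sentence of root-cause reading of the two stacks would help the fix reviewer: the input buffer is reallocated by xmlParserInputGrow inside htmlParseNameComplex (HTMLparser.c:2511), and six lines later (:2517) xmlDictLookup performs a 73661-byte copy that runs past the end of the 65552-byte region, i.e. the name length handed to the dictionary exceeds what remains in the buffer.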

platforms/linux/dos/39492.txt

Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,85 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=638
2+
3+
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
4+
5+
--- cut ---
6+
==4588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000049e6 at pc 0x00000062b643 bp 0x7ffffa00f570 sp 0x7ffffa00f568
7+
READ of size 1 at 0x6290000049e6 thread T0
8+
#0 0x62b642 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9828:13
9+
#1 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
10+
#2 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
11+
#3 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
12+
#4 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
13+
#5 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
14+
#6 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
15+
#7 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
16+
#8 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
17+
#9 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
18+
#10 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
19+
20+
0x6290000049e6 is located 2018 bytes to the right of 16388-byte region [0x629000000200,0x629000004204)
21+
allocated by thread T0 here:
22+
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
23+
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
24+
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
25+
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
26+
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
27+
#5 0x569d10 in xmlGROW libxml2-2.9.3/parser.c:2081:5
28+
#6 0x68208d in xmlParseNCNameComplex libxml2-2.9.3/parser.c:3499:6
29+
#7 0x68136d in xmlParseNCName libxml2-2.9.3/parser.c:3591:12
30+
#8 0x67d282 in xmlParseQName libxml2-2.9.3/parser.c:8859:9
31+
#9 0x61f04d in xmlParseStartTag2 libxml2-2.9.3/parser.c:9381:17
32+
#10 0x61a626 in xmlParseElement libxml2-2.9.3/parser.c:10129:16
33+
#11 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
34+
#12 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
35+
#13 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
36+
#14 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
37+
#15 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
38+
#16 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
39+
#17 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
40+
#18 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
41+
#19 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
42+
43+
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/parser.c:9828:13 in xmlParseEndTag2
44+
Shadow bytes around the buggy address:
45+
0x0c527fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
46+
0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
47+
0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
48+
0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
49+
0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
50+
=>0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
51+
0x0c527fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
52+
0x0c527fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
53+
0x0c527fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
54+
0x0c527fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
55+
0x0c527fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
56+
Shadow byte legend (one shadow byte represents 8 application bytes):
57+
Addressable: 00
58+
Partially addressable: 01 02 03 04 05 06 07
59+
Heap left redzone: fa
60+
Heap right redzone: fb
61+
Freed heap region: fd
62+
Stack left redzone: f1
63+
Stack mid redzone: f2
64+
Stack right redzone: f3
65+
Stack partial redzone: f4
66+
Stack after return: f5
67+
Stack use after scope: f8
68+
Global redzone: f9
69+
Global init order: f6
70+
Poisoned by user: f7
71+
Container overflow: fc
72+
Array cookie: ac
73+
Intra object redzone: bb
74+
ASan internal: fe
75+
Left alloca redzone: ca
76+
Right alloca redzone: cb
77+
==4588==ABORTING
78+
--- cut ---
79+
80+
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758589. Attached is an XML file which triggers the crash.
81+
82+
83+
Proof of Concept:
84+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39492.zip
85+
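Review bot: the advisory leaves the trace to speak for itself, and the two stacks are consistent with a length or pointer derived during start-tag parsing being applied after the input buffer moved: the 16388-byte region was produced by realloc through xmlGROW while xmlParseStartTag2 was parsing an NCName (parser.c:3499), and the fault is a 1-byte read in xmlParseEndTag2 (parser.c:9828) 2018 bytes past that region's end. Suggest one sentence stating that reading of the end-tag path, so the fix reviewer knows which boundary to check, plus the absolute report date in place of "released 4 days ago"; this file, unlike 39491 and 39494, is reproduced with plain xmllint, so "XML file" is accurate here.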

platforms/linux/dos/39493.txt

Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=639
2+
3+
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
4+
5+
--- cut ---
6+
==4210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000051ff at pc 0x000000533c8f bp 0x7ffdb38c4830 sp 0x7ffdb38c4828
7+
READ of size 1 at 0x6290000051ff thread T0
8+
#0 0x533c8e in xmlParserPrintFileContextInternal libxml2-2.9.3/error.c:192:6
9+
#1 0x54088a in xmlReportError libxml2-2.9.3/error.c:406:9
10+
#2 0x53884f in __xmlRaiseError libxml2-2.9.3/error.c:633:2
11+
#3 0x56f0ec in xmlFatalErr libxml2-2.9.3/parser.c:540:5
12+
#4 0x569c98 in xmlGROW libxml2-2.9.3/parser.c:2077:9
13+
#5 0x62bcb3 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9846:5
14+
#6 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
15+
#7 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
16+
#8 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
17+
#9 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
18+
#10 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
19+
#11 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
20+
21+
0x6290000051ff is located 1 bytes to the left of 16384-byte region [0x629000005200,0x629000009200)
22+
allocated by thread T0 here:
23+
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
24+
#1 0x7f4df5219729 (/lib/x86_64-linux-gnu/libz.so.1+0xf729)
25+
26+
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/error.c:192:6 in xmlParserPrintFileContextInternal
27+
Shadow bytes around the buggy address:
28+
0x0c527fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
29+
0x0c527fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
30+
0x0c527fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
31+
0x0c527fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
32+
0x0c527fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
33+
=>0x0c527fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
34+
0x0c527fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
35+
0x0c527fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
36+
0x0c527fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
37+
0x0c527fff8a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
38+
0x0c527fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
39+
Shadow byte legend (one shadow byte represents 8 application bytes):
40+
Addressable: 00
41+
Partially addressable: 01 02 03 04 05 06 07
42+
Heap left redzone: fa
43+
Heap right redzone: fb
44+
Freed heap region: fd
45+
Stack left redzone: f1
46+
Stack mid redzone: f2
47+
Stack right redzone: f3
48+
Stack partial redzone: f4
49+
Stack after return: f5
50+
Stack use after scope: f8
51+
Global redzone: f9
52+
Global init order: f6
53+
Poisoned by user: f7
54+
Container overflow: fc
55+
Array cookie: ac
56+
Intra object redzone: bb
57+
ASan internal: fe
58+
Left alloca redzone: ca
59+
Right alloca redzone: cb
60+
==4210==ABORTING
61+
--- cut ---
62+
63+
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758588. Attached is an XML file which triggers the crash.
64+
65+
66+
Proof of Concept:
67+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39493.zip
68+
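Review bot: the crash is in error reporting rather than in the parser proper, and the advisory should say so: xmlGROW raises a fatal error, and xmlParserPrintFileContextInternal (error.c:192), reached through __xmlRaiseError and xmlReportError, reads 1 byte before the start of a 16384-byte region while building the error context, which looks like the context printer scanning backwards from the current position past the buffer start. That matters for triage because the same context printer runs for parse errors in general, not just for this input. Two documentation gaps: the allocation stack is unsymbolized (/lib/x86_64-linux-gnu/libz.so.1+0xf729), which tells the reader that libxml2 was built with zlib and read the file through its gz I/O layer, so the report should state whether the PoC file is gzip-compressed and ideally be regenerated with a symbolized libz; and, as in the other three reports, an absolute report date should replace "released 4 days ago".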

platforms/linux/dos/39494.txt

Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=636
2+
3+
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
4+
5+
--- cut ---
6+
==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
7+
READ of size 1 at 0x62100001c900 thread T0
8+
#0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
9+
#1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
10+
#2 0x821b85 in htmlParseCharData libxml2-2.9.3/HTMLparser.c:3061:5
11+
#3 0x7df875 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4634:3
12+
#4 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
13+
#5 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
14+
#6 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
15+
#7 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
16+
#8 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
17+
18+
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
19+
allocated by thread T0 here:
20+
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
21+
#1 0xa01a0c in xmlBufCreate libxml2-2.9.3/buf.c:137:32
22+
#2 0x550aca in xmlSwitchInputEncodingInt libxml2-2.9.3/parserInternals.c:1205:34
23+
#3 0x54f5ce in xmlSwitchToEncodingInt libxml2-2.9.3/parserInternals.c:1281:12
24+
#4 0x54f278 in xmlSwitchEncoding libxml2-2.9.3/parserInternals.c:1101:11
25+
#5 0x808eea in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:518:13
26+
#6 0x804a38 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2496:9
27+
#7 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
28+
#8 0x7ec211 in htmlParseDocTypeDecl libxml2-2.9.3/HTMLparser.c:3424:12
29+
#9 0x7debf4 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4585:3
30+
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
31+
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
32+
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
33+
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
34+
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
35+
36+
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
37+
Shadow bytes around the buggy address:
38+
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
39+
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40+
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
41+
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
42+
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
43+
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
44+
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
45+
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
46+
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
47+
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
48+
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
49+
Shadow byte legend (one shadow byte represents 8 application bytes):
50+
Addressable: 00
51+
Partially addressable: 01 02 03 04 05 06 07
52+
Heap left redzone: fa
53+
Heap right redzone: fb
54+
Freed heap region: fd
55+
Stack left redzone: f1
56+
Stack mid redzone: f2
57+
Stack right redzone: f3
58+
Stack partial redzone: f4
59+
Stack after return: f5
60+
Stack use after scope: f8
61+
Global redzone: f9
62+
Global init order: f6
63+
Poisoned by user: f7
64+
Container overflow: fc
65+
Array cookie: ac
66+
Intra object redzone: bb
67+
ASan internal: fe
68+
Left alloca redzone: ca
69+
Right alloca redzone: cb
70+
==26202==ABORTING
71+
--- cut ---
72+
73+
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758606. Attached is an XML file which triggers the crash.
74+
75+
76+
Proof of Concept:
77+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39494.zip
78+
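Review bot: same XML/HTML mismatch as in 39491: the command is xmllint --html and both stacks are entirely in HTMLparser.c, but the text says "Attached is an XML file". The allocation stack is the informative part and deserves a sentence: the 4096-byte region is created by xmlBufCreate inside xmlSwitchEncoding, called from htmlCurrentChar (HTMLparser.c:518) while parsing the DOCTYPE via htmlParseDocTypeDecl, i.e. the parser switched input encoding mid-document and replaced its input buffer, and htmlCurrentChar (HTMLparser.c:439) later reads exactly 1 byte past the end of that new buffer from the character-data path. Stating that the trigger is an encoding switch during DOCTYPE handling tells a deployer which inputs to worry about and gives the fix reviewer the exact boundary to check.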
