Mageia Bugzilla – Attachment 10101 Details for Bug 22815
ming new security issues CVE-2017-8782, CVE-2017-998[89], CVE-2017-11704, CVE-2017-1172[89], CVE-2017-1173[0-4], CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294, CVE-2018-6315, CVE-2018-6359
Pre-update PoC tests
pocreport.22815 (text/plain), 5.82 KB, created by Len Lawrence on 2018-04-23 12:50:35 CEST
Before updates.

CVE-2017-9988
https://github.com/owl337/pocs/blob/master/libswf_POC1.rar
$ listswf POC1
header indicates a filesize of 237 but filesize is 79
File version: 6
File size: 79
Frame size: (-4926252,-2829100)x(-2829113,16)
Frame rate: 128.000000 / sec.
Total frames: 186
Segmentation fault (core dumped)
$ ll POC1
-rw-r--r-- 1 lcl lcl 79 May 19 2017 POC1

CVE-2017-9989
https://github.com/owl337/pocs/blob/master/libswf_POC2.rar
$ listswf POC2
File version: 6
File size: 1618
Frame size: (-4926252,-2829100)x(-4180793,16)
Frame rate: 128.000000 / sec.
Total frames: 186
................................
 Key (80323238) ConstantPool StringCount 16 <= strIndex 80323238
 Value (166) ConstantPool StringCount 16 <= strIndex 166
 ### Metadata done ###
 Metadata [1]:
 Name: '' (16)
 Key (1) '' (16)
 Value (10) Segmentation fault (core dumped)

CVE-2017-11704
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_decompileIF
$ swftocxx heap-buffer-overflow-in_decompileIF out
header indicates a filesize of 2360 but filesize is 2058
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(6);
.............................
//Unknown block type 412
sudden file end: read failed @2033 fileSize 2058, request 47
extra garbage (i.e., we messed up in main):
0000: 64 65 6e 65 61 72 73 5f 67 72 61 79 5f 6a 70 67 denears_ gray_jpg
0010: 00 40 00 00 00 7c 0b 3d 3f .@...|.= ?

m->save("out");
}

CVE-2017-11728
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_OpCode_by_decompileSETMEMBER
$ swftocxx heap-buffer-overflow-in_decompileIF out
header indicates a filesize of 2360 but filesize is 2058
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(6);
.............................
//Unknown block type 412
sudden file end: read failed @2033 fileSize 2058, request 47
extra garbage (i.e., we messed up in main):
0000: 64 65 6e 65 61 72 73 5f 67 72 61 79 5f 6a 70 67 denears_ gray_jpg
0010: 00 40 00 00 00 7c 0b 3d 3f .@...|.= ?

m->save("out");
}

CVE-2017-11728
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_OpCode_by_decompileSETMEMBER
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileSETMEMBER out
header indicates a filesize of 115474806 but filesize is 131
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(26);
Ming_setScale(1.0);
m->setRate(35.105469);
m->setDimension(4269, 111310);
.......................................
//Unknown block type 317
 Stream out of sync after parse of blocktype 14 (SWF_DEFINESOUND). 53 but expecting 52.

// SWF_DEFINESOUND
SWFSound* character3084 = new SWFSound("FIX_MY_PARAMS");
truncated file

CVE-2017-11729
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR
header indicates a filesize of 18446744072182825106 but filesize is 132
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(6);
..........................................
1.: // *** pop(): INTERNAL STACK ERROR FOUND ***\
*/\
") );
//Unknown block type 325
//Unknown block type 325
sudden file end: read failed @122 fileSize 132, request 41
extra garbage (i.e., we messed up in main):
0000: f1 05 79 e9 60 41 00 6b a0 1d ..y.`A.k ..
m->output(9);
}

CVE-2017-11730
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR_2
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR_2 out
header indicates a filesize of 146 but filesize is 180
#include <mingpp.h>
....................................
//Unknown block type 368
sudden file end: read failed @138 fileSize 180, request 43
extra garbage (i.e., we messed up in main):
0000: 91 de 00 10 70 81 93 19 68 66 1b 1b 1b 23 03 13 ....p... hf...#..
0010: 03 03 47 46 86 9b 0e 0c ac 40 13 18 04 44 cc 1b ..GF.... .@...D..
0020: 1f dc 75 2b 70 91 00 6b a0 1d ..u+p..k ..
m->save("out");
}

CVE-2017-11731
https://github.com/bestshow/p0cs/blob/master/invalid-memory-read-in_OpCode
$ swftocxx invalid-memory-read-in_OpCode out
header indicates a filesize of 146 but filesize is 131
#include <mingpp.h>
...................................
Failed to find branch target!!!
Looking for: -11719
 Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 31 but expecting 27.
// SWF_DOACTION
m->add(new SWFAction("if( // *** pop(): INTERNAL STACK ERROR FOUND *** ) {\
}\
") );
truncated file

CVE-2017-11732
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_dcputs
$ swftocxx heap-buffer-overflow-in_dcputs
header indicates a filesize of 1618174079 but filesize is 112
 Stream out of sync after parse of blocktype 1 (SWF_SHOWFRAME). 36 but expecting 39.

<At this point the utility goes into an error loop but eventually crashes out>

 STACK ERROR FOUND ***// *** pop(): INTERNAL STACK ERROR FOUND ***// *** pop(): INTERNAL STACK ERROR FOUND ***// *** pop(): INTERNAL STACK ERROR FOUND ***// *** pop(): INTERNAL STACK ERROR FOUND ***// *** pop(): INTERNAL STACK ERROR FOUND *
...........................................
sudden file end: read failed @53 fileSize 112, request 50533186
extra garbage (i.e., we messed up in main):

CVE-2017-11733
https://github.com/bestshow/p0cs/blob/master/null-ptr-in_stackswap
$ swftocxx null-ptr-in_stackswap out
header indicates a filesize of 146 but filesize is 332
.....................................
m->setFrames(60738);
// SWF_DOACTION
Segmentation fault (core dumped)

CVE-2017-11734
https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_decompileCALLFUNCTION
$ swftocxx heap-buffer-overflow-in_decompileCALLFUNCTION out
header indicates a filesize of 1048722 but filesize is 194
..........................................
// SWF_DOACTION
SanityCheck failed in SWF_CALLMETHOD
 CALLMETHOD not preceeded by PUSH

CVE-2017-16883
